CN117675751A - Automatic binding method and system for IP and MAC of government enterprise gateway-based downlink terminal - Google Patents

Automatic binding method and system for IP and MAC of government enterprise gateway-based downlink terminal

Info

Publication number: CN117675751A
Authority: CN (China)
Prior art keywords: binding, address, mac, terminal, equipment
Legal status: Pending
Application number: CN202311612556.1A
Other languages: Chinese (zh)
Inventors: 李霖, 龙文艳
Current assignee: Sichuan Tianyi Comheart Telecom Co Ltd
Original assignee: Sichuan Tianyi Comheart Telecom Co Ltd
Application filed by Sichuan Tianyi Comheart Telecom Co Ltd
Priority to CN202311612556.1A
Publication of CN117675751A

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/10 Mapping addresses of different types
    • H04L 61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 2101/00 Indexing scheme associated with group H04L61/00
    • H04L 2101/60 Types of network addresses
    • H04L 2101/618 Details of network addresses
    • H04L 2101/622 Layer-2 addresses, e.g. medium access control [MAC] addresses

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an automatic binding method and system for the IP and MAC of a government enterprise gateway-based downlink terminal, comprising the following steps: acquiring and parsing the terminal device online message to obtain the MAC address and IP address it carries; checking whether the parsed MAC address already exists in the device binding table; if the MAC address exists and the parsed IP address differs from the IP address bound to that MAC address in the device binding table, writing the parsed MAC address and IP address into the device audit table, automatically auditing the binding relation to judge whether the parsed MAC address and IP address form a normal binding relation, and if so, writing them into the device binding table; if the MAC address does not exist, writing the mapping between the parsed IP address and MAC address into the device binding table and into the downlink terminal device binding relation table. The invention realizes automatic binding and automatic auditing of the IP and MAC of government enterprise gateway downlink terminals.

Description

Automatic binding method and system for IP and MAC of government enterprise gateway-based downlink terminal
Technical Field
The invention relates to the technical field of network security, in particular to an automatic binding method and system for the Internet Protocol (IP) address and Media Access Control (MAC) address of a government enterprise gateway-based downlink terminal.
Background
Optical-access government and enterprise gateway equipment has become the standard broadband access solution for small, medium and large government and enterprise departments, so ensuring the security and stability of the access gateway is particularly important. A common form of security protection is defense against DoS attacks. A DoS (Denial of Service) attack, also called a flood attack, is a network attack technique that aims to exhaust the network or system resources of a target device so that its service is temporarily interrupted or stopped and legitimate users cannot access normal network services.
ARP (Address Resolution Protocol) is the protocol that resolves IP addresses into MAC addresses. In a LAN, when a host or other layer-3 network device has data to send to another host or layer-3 device, it must know the network-layer address (the IP address) of the other party. The IP address alone is not sufficient: the IP packet must be encapsulated in a frame for transmission over the physical network, so the sender also needs the receiver's physical address (the MAC address). A protocol that obtains the physical address from the IP address is therefore required to complete the mapping from IP address to MAC address, and ARP provides exactly that resolution.
One common DoS attack mode is the ARP attack, which achieves ARP spoofing by forging IP and MAC addresses and can generate large amounts of ARP traffic that congests the network; as long as the attacker keeps sending forged ARP replies it can alter the IP-MAC entries in the ARP cache of the target host, causing network interruption or a man-in-the-middle attack. Some existing solutions bind the IP of each legitimate device in the LAN to its MAC address so that attackers cannot modify the corresponding ARP entries. This is done either by listing all IP and MAC addresses received by the gateway on its management platform and binding them manually, or by directly collecting the IP and MAC of each user device and entering and binding them manually. Manual binding leaves administrators with a large amount of repetitive, simple work; if a binding is wrong it must be checked and rebound, so binding efficiency is low.
Disclosure of Invention
The technical problem solved by the invention is the following: a large number of terminal devices (PCs, routers and the like) are connected below the government enterprise gateway and obtain their addresses either through the Dynamic Host Configuration Protocol (DHCP) or by static configuration. If the IP and MAC are bound manually, the administrator is left with a large amount of repetitive, simple work; if a binding address is wrong it must be checked and rebound, so binding efficiency is low.
The invention aims to provide an automatic binding method and system for the IP and MAC of government enterprise gateway downlink terminals that automatically audits and binds the IP and MAC of the terminal devices below the gateway, excludes attacking devices by combining automatic screening, active probing and judgment based on differences in ARP request response time, automatically updates bound devices, binds with high efficiency, and automatically verifies that the binding relation is correct.
The invention is realized by the following technical scheme:
In a first aspect, the invention provides an automatic binding method for the IP and MAC of a government enterprise gateway downlink terminal, the method comprising:
acquiring a terminal device online message and parsing it to obtain the MAC address and IP address it carries;
checking, from the MAC address and IP address, whether the parsed MAC address exists in the device binding table;
if the parsed MAC address exists and the IP address differs from the IP address bound to that MAC address in the device binding table, writing the parsed MAC address and IP address into the device audit table, automatically auditing the binding relation to judge whether the parsed MAC address and IP address form a normal binding relation, and if so, writing them into the device binding table;
if the parsed MAC address does not exist, writing the mapping between the parsed IP address and MAC address into the device binding table and into the downlink terminal device binding relation table.
Further, the device binding table is the table of IP-to-MAC mappings of terminal devices that have passed the audit.
Further, the device audit table is the table of IP-to-MAC mappings of suspicious terminal devices.
Further, the automatic audit of the binding relation includes an active-probe audit by the government enterprise gateway;
in the active-probe audit, the gateway judges whether the audited terminal device is normal or abnormal by whether the device responds, within a preset time, to an ARP probe message that the gateway actively sends.
Further, the active-probe audit by the government enterprise gateway includes:
obtaining the IP address of a terminal device recorded in the device binding table and/or the device audit table, actively sending an ARP probe message, and starting a timer of preset duration after sending it;
if no response from the terminal device is received before the preset duration expires, sending the ARP probe message again; if no response has been received after the preset number of transmissions, treating the terminal device as abnormal, deleting it directly from the device binding table and/or the device audit table, and forbidding the MAC address parsed from the ARP probe message from coming online again;
and if a response from the terminal device is received within the preset duration, treating the terminal device as normal.
Further, the automatic audit of the binding relation also includes a further automatic audit by the government enterprise gateway;
in the further automatic audit, the gateway judges whether the audited terminal device is normal or abnormal by comparing the differences between ARP request response times.
Further, the further automatic audit by the government enterprise gateway includes:
if the gateway keeps receiving responses from the terminal device (a situation in which the active-probe audit is affected), recording the response time of each of several consecutive ARP probe requests the gateway sends, where each response time is the time at which the gateway receives the ARP probe response minus the time at which it sent the ARP probe request;
comparing these response times: if the differences between them are smaller than a first preset value, treating the terminal device as normal; if the differences are larger than a second preset value, treating the terminal device as abnormal, deleting it from the device binding table and/or the device audit table, and forbidding the parsed MAC address from coming online again.
In a second aspect, the invention further provides an automatic binding system based on the IP and the MAC of the government enterprise gateway downlink terminal, and the system uses the automatic binding method based on the IP and the MAC of the government enterprise gateway downlink terminal; the system comprises:
the automatic binding module is used for automatically managing the binding relation between the IP and the MAC of the terminal equipment;
the binding relation automatic checking module is used for carrying out automatic correctness checking management on the IP and MAC mapping relation of the government enterprise gateway downlink terminal equipment;
the automatic binding module comprises an acquisition unit, an analysis unit and a first judgment unit;
the acquisition unit is used for acquiring the online message of the terminal equipment;
the analyzing unit is used for analyzing the terminal equipment online message to obtain the MAC address and the IP address in the terminal equipment online message;
the first judging unit is used for checking, from the MAC address and IP address, whether the parsed MAC address exists in the device binding table; if the parsed MAC address exists and the IP address differs from the IP address bound to that MAC address in the device binding table, writing the parsed MAC address and IP address into the device audit table, automatically auditing the binding relation to judge whether the parsed MAC address and IP address form a normal binding relation, and if so, writing them into the device binding table; if the parsed MAC address does not exist, writing the mapping between the parsed IP address and MAC address into the device binding table and into the downlink terminal device binding relation table.
Further, the device binding table is an IP address and MAC address mapping relation table of the terminal device which passes inspection;
the device audit table is a mapping relation table of the IP address and the MAC address of the suspicious terminal device.
In a third aspect, the invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the above automatic binding method for the IP and MAC of a government enterprise gateway downlink terminal.
Compared with the prior art, the invention has the following advantages and beneficial effects:
1. The automatic binding method and system for the IP and MAC of government enterprise gateway downlink terminals can automatically audit and bind the IP and MAC of the terminal devices below the gateway, exclude attacking devices by combining automatic screening, active probing and judgment based on differences in ARP request response time, automatically update bound devices, bind with high efficiency, and automatically verify that the binding relation is correct.
2. The method and system implement a judgment method that decides, by comparing differences in ARP request response time, whether the audited terminal device is a normal device. When a terminal device comes online for the first time, the automatic binding module for the downlink terminal's IP address and MAC address automatically calls the judgment interface provided by the binding-relation automatic audit module; for a terminal device already in the device binding table, the binding-relation automatic audit module periodically judges whether it is abnormal.
Drawings
The accompanying drawings, which are included to provide a further understanding of embodiments of the invention and are incorporated in and constitute a part of this application, illustrate embodiments of the invention. In the drawings:
FIG. 1 is a schematic diagram of a hardware environment and a network environment in which the present invention operates;
FIG. 2 is the automatic binding flow chart of the automatic binding method for the IP and MAC of the government enterprise gateway downlink terminal;
FIG. 3 is a flow chart of automatic examination of binding relation based on an automatic binding method of an IP and MAC of a government enterprise gateway downlink terminal;
FIG. 4 is a block diagram of an automatic binding system of IP and MAC based on a government enterprise gateway downlink terminal;
FIG. 5 is a block diagram of the automatic binding module according to the invention.
Detailed Description
For the purpose of making apparent the objects, technical solutions and advantages of the present invention, the present invention will be further described in detail with reference to the following examples and the accompanying drawings, wherein the exemplary embodiments of the present invention and the descriptions thereof are for illustrating the present invention only and are not to be construed as limiting the present invention.
A large number of terminal devices (PCs, routers and the like) are connected below the government enterprise gateway and obtain their addresses either through the Dynamic Host Configuration Protocol (DHCP) or by static configuration. If the IP and MAC are bound manually, the administrator is left with a large amount of repetitive, simple work; if a binding address is wrong it must be checked and rebound, so binding efficiency is low.
To address these problems, the invention designs a method and system for automatically binding the IP and MAC of government enterprise gateway downlink terminal devices, which automatically audits and binds the IP and MAC of those devices, excludes attacking devices by combining automatic screening, active probing and judgment based on differences in ARP request response time, automatically updates bound devices, binds with high efficiency, and automatically verifies that the binding relation is correct.
The hardware and network environment in which the software implementing the method runs is shown in FIG. 1: a number of terminal devices are connected on the LAN side of the government enterprise gateway, and the network reaches the Internet through the gateway.
Example 1
As shown in FIG. 2, the method for automatically binding the IP and MAC of the government enterprise gateway downlink terminal comprises the following steps:
acquiring a terminal device online message and parsing it to obtain the MAC address and IP address it carries;
checking, from the MAC address and IP address, whether the parsed MAC address exists in the device binding table;
if the parsed MAC address exists and the IP address differs from the IP address bound to that MAC address in the device binding table, writing the parsed MAC address and IP address into the device audit table, automatically auditing the binding relation to judge whether the parsed MAC address and IP address form a normal binding relation, and if so, writing them into the device binding table;
if the parsed MAC address does not exist, writing the mapping between the parsed IP address and MAC address into the device binding table and into the downlink terminal device binding relation table.
The device binding table is a mapping relation table of IP addresses and MAC addresses of the terminal devices which pass inspection. The device audit table is a mapping relation table of the IP address and the MAC address of the suspicious terminal device.
When the government enterprise gateway receives an ARP message, it looks up the MAC address and IP address carried by the message in the device binding table. If the MAC address already exists in the device binding table and the IP address is inconsistent with the IP address bound to that MAC address, the MAC address and IP address carried by the ARP message are placed in the device audit table. If the MAC address does not exist in the device binding table, the mapping between the IP address and MAC address is written into the device binding table and into the downlink terminal device binding relation table. The linked list is then updated according to the result of the automatic audit of the binding relation, and the downlink terminal device binding relation table is updated.
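As an added illustration (not code from the patent or from the assignee), the following Python model parses a constructed ARP online message and applies the binding-table / audit-table decision described above; the audit is injected as a callable, and all names, the frame contents and the scripted audit outcomes are assumptions.

```python
"""
Added example, not the patent's code: parse a constructed Ethernet II + ARP
frame as the "terminal online message", then apply the device binding table /
device audit table decision of the method. The audit itself is injected as a
callable so the block runs offline; every name here is an assumption.
"""
import struct
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def parse_arp_online_message(frame: bytes) -> Tuple[str, str]:
    """Return (sender MAC, sender IP) from an Ethernet II frame carrying
    IPv4-over-Ethernet ARP; reject anything else instead of guessing."""
    if len(frame) < 42:                       # 14-byte Ethernet + 28-byte ARP
        raise ValueError("frame too short for Ethernet+ARP")
    if struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        raise ValueError("not an ARP frame")
    arp = frame[14:42]
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", arp[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    if oper not in (ARP_REQUEST, ARP_REPLY):
        raise ValueError("unknown ARP opcode")
    mac = ":".join(f"{b:02x}" for b in arp[8:14])   # sender hardware address
    ip = ".".join(str(b) for b in arp[14:18])        # sender protocol address
    return mac, ip


@dataclass
class BindingTables:
    binding: Dict[str, str] = field(default_factory=dict)   # device binding table: MAC -> IP (audited)
    audit: Dict[str, str] = field(default_factory=dict)     # device audit table: MAC -> IP (suspicious)
    downlink: Dict[str, str] = field(default_factory=dict)  # downlink terminal binding relation table
    banned: Set[str] = field(default_factory=set)           # MACs forbidden from coming online again


# audit_fn(mac, ip) -> True if the binding relation is judged normal (assumed interface)
AuditFn = Callable[[str, str], bool]


def auto_bind(tables: BindingTables, frame: bytes, audit_fn: AuditFn) -> str:
    """One pass of the method for a single online message; returns what happened."""
    mac, ip = parse_arp_online_message(frame)
    if mac in tables.banned:
        return "dropped_banned"
    bound_ip = tables.binding.get(mac)
    if bound_ip is None:
        # MAC not in the binding table: write the mapping into both tables
        tables.binding[mac] = ip
        tables.downlink[mac] = ip
        return "bound"
    if bound_ip == ip:
        return "unchanged"
    # Known MAC claiming a different IP: park it in the audit table, then audit it
    tables.audit[mac] = ip
    if audit_fn(mac, ip):
        tables.audit.pop(mac)
        tables.binding[mac] = ip
        tables.downlink[mac] = ip
        return "rebound_after_audit"
    # Abnormal: delete from the tables and forbid the MAC from coming online again
    tables.binding.pop(mac, None)
    tables.audit.pop(mac, None)
    tables.downlink.pop(mac, None)
    tables.banned.add(mac)
    return "rejected"


def build_arp_frame(sender_mac: str, sender_ip: str, oper: int = ARP_REPLY) -> bytes:
    """Constructed test input: an Ethernet II + ARP frame addressed to the gateway."""
    sha = bytes(int(x, 16) for x in sender_mac.split(":"))
    spa = bytes(int(x) for x in sender_ip.split("."))
    gw_mac, gw_ip = b"\x02\x00\x00\x00\x00\x01", bytes([192, 168, 1, 1])  # constructed gateway
    eth = gw_mac + sha + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + spa + gw_mac + gw_ip
    return eth + arp


def demo() -> Tuple[List[str], BindingTables]:
    """Walk one terminal through first contact, a benign re-address and a rejected
    one; the audit outcome per IP is scripted (constructed), not computed."""
    tables = BindingTables()
    scripted = {"192.168.1.20": True, "192.168.1.99": False}
    audit_fn: AuditFn = lambda mac, ip: scripted.get(ip, False)
    mac = "aa:bb:cc:dd:ee:01"
    results = [auto_bind(tables, build_arp_frame(mac, ip), audit_fn)
               for ip in ("192.168.1.10", "192.168.1.10", "192.168.1.20",
                          "192.168.1.99", "192.168.1.10")]
    return results, tables
```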
As a further implementation, the present invention realizes a determination method for determining whether or not an inspected terminal device is a normal device by difference comparison of ARP request response times. If the terminal equipment is online for the first time, the method is automatically invoked in the automatic binding of the IP address and the MAC address of the downlink terminal equipment; if it is a terminal device already in the device binding table, the determination method is required to periodically make a determination as to whether or not it is abnormal. The following describes the determination method in detail:
Specifically, the automatic audit of the binding relation includes an active-probe audit by the government enterprise gateway and a further automatic audit by the government enterprise gateway.
First, in the active-probe audit, the gateway judges whether the audited terminal device is normal or abnormal by whether the ARP probe message it actively sends is answered within a preset duration; the audit comprises the following steps:
obtaining the IP address of a terminal device recorded in the device binding table and/or the device audit table, actively sending an ARP probe message, and starting a timer of preset duration after sending it;
if no response from the terminal device is received before the preset duration expires, sending the ARP probe message again; if no response has been received after the preset number of transmissions, treating the terminal device as abnormal, deleting it directly from the device binding table and/or the device audit table, and forbidding the MAC address parsed from the ARP probe message from coming online again;
and if a response from the terminal device is received within the preset duration, treating the terminal device as normal.
Second, in the further automatic audit, the gateway judges whether the audited terminal device is normal or abnormal by comparing differences between ARP request response times; the audit comprises the following steps:
if the gateway keeps receiving responses from the terminal device (a situation in which the active-probe audit is affected), recording the response time of each of several consecutive ARP probe requests the gateway sends, where each response time is the time at which the gateway receives the ARP probe response minus the time at which it sent the ARP probe request;
comparing these response times: if the differences between them are smaller than a first preset value, treating the terminal device as normal; if the differences are larger than a second preset value, treating the terminal device as abnormal, deleting it from the device binding table and/or the device audit table, and forbidding the parsed MAC address from coming online again.
The specific implementation is as follows:
As shown in FIG. 3, the IP address of a terminal device recorded in the device binding table or the device audit table is obtained, the gateway actively sends an ARP probe message and starts a 1-second timer after sending it. If no response from the terminal device is received before the timer expires, the probe is sent twice more; if all three attempts time out without a response, the device is treated as abnormal, deleted directly from the device binding table or the device audit table, and the MAC address parsed from the ARP probe message is forbidden from coming online again.
If the gateway keeps receiving responses from the device, the active probe alone is affected in this situation, so the gateway records the time T1 at which it sends each ARP probe request and the time T2 at which it receives the ARP probe response: the first response time is TA = T2 - T1, the second is TB = T4 - T3, and the third is TC = T6 - T5. The three response times of a normal device are essentially consistent, the difference between them generally being less than ten milliseconds; if a large deviation appears among the three times, for example greater than a few hundred milliseconds, the device is identified as abnormal, deleted from the device binding table or device audit table, and its MAC is forbidden from coming online again.
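The two-stage audit above (active probing with a 1-second timer and three attempts, then comparison of TA, TB and TC) as an added Python example that is not the patent's code; the probe is simulated so it runs offline, and the 300 ms figure used for the "second preset value" is an assumption standing in for the page's "a few hundred milliseconds".

```python
"""
Added example, not the patent's code: the two-stage binding-relation audit,
driven by a simulated ARP probe. Function names, the Verdict type and the
300 ms second preset value are assumptions.
"""
from enum import Enum
from typing import Callable, Dict, List, Optional, Set

PROBE_TIMEOUT_S = 1.0    # 1 s timer started after each ARP probe (from the description)
MAX_PROBE_ATTEMPTS = 3   # resend twice; three timeouts -> abnormal device
RESPONSE_SAMPLES = 3     # TA, TB, TC
FIRST_PRESET_S = 0.010   # spread below ten milliseconds -> normal (from the description)
SECOND_PRESET_S = 0.300  # spread above "a few hundred ms" -> abnormal (assumed 300 ms)

# probe(ip, timeout) -> response time T2 - T1 in seconds, or None on timeout.
# A real gateway timestamps the ARP request (T1) and the reply (T2) itself;
# the simulation below returns the difference directly.
ProbeFn = Callable[[str, float], Optional[float]]


class Verdict(Enum):
    NORMAL = "normal"
    ABNORMAL = "abnormal"
    # Spread between the two presets: the patent does not say; assumed to stay in the audit table.
    UNDETERMINED = "undetermined"


def probe_with_retry(ip: str, probe: ProbeFn) -> Optional[float]:
    """Stage 1, active detection: send the ARP probe, wait up to the 1 s timer,
    resend on timeout, give up after MAX_PROBE_ATTEMPTS."""
    for _ in range(MAX_PROBE_ATTEMPTS):
        rtt = probe(ip, PROBE_TIMEOUT_S)
        if rtt is not None:
            return rtt
    return None


def audit_binding(ip: str, probe: ProbeFn) -> Verdict:
    """Stage 1 then stage 2: the device must answer at all, and its response
    times TA, TB, TC must be mutually consistent."""
    times: List[float] = []
    for _ in range(RESPONSE_SAMPLES):
        rtt = probe_with_retry(ip, probe)
        if rtt is None:
            return Verdict.ABNORMAL          # no answer after three timeouts
        times.append(rtt)
    spread = max(times) - min(times)         # largest difference among TA, TB, TC
    if spread < FIRST_PRESET_S:
        return Verdict.NORMAL
    if spread > SECOND_PRESET_S:
        return Verdict.ABNORMAL
    return Verdict.UNDETERMINED


def apply_verdict(binding: Dict[str, str], audit: Dict[str, str], banned: Set[str],
                  mac: str, ip: str, verdict: Verdict) -> None:
    """Update the device binding table, device audit table and ban list in place."""
    if verdict is Verdict.NORMAL:
        audit.pop(mac, None)
        binding[mac] = ip                    # passed audit: (re)bind
    elif verdict is Verdict.ABNORMAL:
        binding.pop(mac, None)               # delete from both tables ...
        audit.pop(mac, None)
        banned.add(mac)                      # ... and forbid the MAC from coming online again
    else:
        audit[mac] = ip                      # stays suspicious until the next periodic audit


def make_simulated_probe(replies: List[Optional[float]]) -> ProbeFn:
    """Constructed responder: each call consumes one scripted outcome
    (seconds of response time, or None for a timeout)."""
    queue = list(replies)

    def probe(ip: str, timeout: float) -> Optional[float]:
        if not queue:
            return None
        rtt = queue.pop(0)
        return rtt if rtt is not None and rtt <= timeout else None
    return probe
```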
Example 2
As shown in fig. 4, the difference between the present embodiment and embodiment 1 is that the present embodiment provides an automatic binding system based on the government and enterprise gateway downlink terminal IP and MAC, and the system uses the automatic binding method based on the government and enterprise gateway downlink terminal IP and MAC of embodiment 1; the system comprises an automatic binding module and a binding relation automatic examination module;
the automatic binding module is used for automatically managing the binding relationship between the IP and the MAC of the enterprise gateway downlink terminal equipment;
the binding relation automatic checking module is used for carrying out automatic correctness checking management on the IP and MAC mapping relation of the government enterprise gateway downlink terminal equipment;
specifically, as shown in fig. 5, the automatic binding module includes an acquisition unit, an analysis unit, and a first judgment unit;
the acquisition unit is used for acquiring the online message of the terminal equipment;
the analyzing unit is used for analyzing the terminal equipment online message to obtain the MAC address and the IP address in the terminal equipment online message;
the first judging unit is used for checking, from the MAC address and IP address, whether the parsed MAC address exists in the device binding table; if the parsed MAC address exists and the IP address differs from the IP address bound to that MAC address in the device binding table, writing the parsed MAC address and IP address into the device audit table, automatically auditing the binding relation to judge whether the parsed MAC address and IP address form a normal binding relation, and if so, writing them into the device binding table; if the parsed MAC address does not exist, writing the mapping between the parsed IP address and MAC address into the device binding table and into the downlink terminal device binding relation table.
The device binding table is a mapping relation table of IP addresses and MAC addresses of the terminal devices which pass inspection;
the device audit table is a mapping relation table of the IP address and the MAC address of the suspicious terminal device.
Specifically, the binding relationship automatic inspection module comprises an automatic inspection unit actively detected by the government enterprise gateway and a further automatic inspection unit by the government enterprise gateway.
The invention realizes a judging method for judging whether the inspected terminal equipment is normal equipment or not through the difference comparison of ARP request response time. If the terminal equipment is on line for the first time, automatically calling a judging interface provided by the module (binding relation automatic checking module) in an automatic binding module of an IP address and an MAC address of the downlink terminal equipment; if it is a terminal device already in the device binding table, the present module (binding relationship automatic review module) is required to periodically make a decision whether or not it is abnormal.
The execution process of each module and unit is performed according to the steps of the flow of the method for automatically binding the IP and the MAC based on the government enterprise gateway downlink terminal in embodiment 1, and the detailed description is omitted in this embodiment.
Meanwhile, the invention also provides a computer readable storage medium, wherein the computer readable storage medium stores a computer program, and the computer program realizes the automatic binding method based on the IP and the MAC of the government enterprise gateway downlink terminal when being executed by a processor.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
The foregoing description of the embodiments has been provided to illustrate the general principles of the invention and is not intended to limit the invention to the particular embodiments described; any modifications, equivalents, improvements and the like that fall within the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (10)

1. A method for automatically binding the IP and MAC of a government enterprise gateway-based downlink terminal, characterized by comprising the following steps:
acquiring a terminal equipment online message and parsing it to obtain the MAC address and IP address carried in the message;
checking, on the basis of the parsed MAC address and IP address, whether the parsed MAC address already exists in the device binding table;
if the parsed MAC address exists and the parsed IP address differs from the IP address corresponding to that MAC address in the device binding table, writing the parsed MAC address and IP address into the device audit table, automatically checking the binding relation to judge whether the parsed MAC address and IP address form a normal binding relation, and if so, writing them into the device binding table;
if the parsed MAC address does not exist, writing the parsed IP-to-MAC mapping into the device binding table and also into the downlink terminal device binding relation table.
2. The method for automatically binding the IP and MAC of a government enterprise gateway-based downlink terminal according to claim 1, wherein the device binding table is a mapping table of the IP addresses and MAC addresses of terminal devices that have passed inspection.
3. The method for automatically binding the IP and MAC of a government enterprise gateway-based downlink terminal according to claim 1, wherein the device audit table is a mapping table of the IP addresses and MAC addresses of suspicious terminal devices.
4. The method for automatically binding the IP and MAC of a government enterprise gateway-based downlink terminal according to claim 1, wherein automatically checking the binding relation comprises active detection and automatic examination by the government enterprise gateway;
and the active detection and automatic examination judge whether the terminal equipment under examination is normal or abnormal according to whether it responds, within a preset time length, to an ARP detection message actively sent by the government enterprise gateway.
5. The method for automatically binding the IP and MAC of a government enterprise gateway-based downlink terminal according to claim 4, wherein the active detection and automatic examination by the government enterprise gateway comprise the following steps:
acquiring the IP address of the terminal equipment from the device binding table and/or the device audit table, actively sending an ARP detection message to it, and starting a timer of preset duration after the message is sent;
if no response from the terminal equipment has been received when the preset duration expires, sending the ARP detection message again, and if no response has been received after the preset number of sends, regarding the terminal equipment as abnormal, directly deleting it from the device binding table and/or the device audit table, and forbidding the MAC address parsed from the ARP detection message from coming online again;
and if a response from the terminal equipment is received within the preset duration, regarding the terminal equipment as normal.
6. The method for automatically binding the IP and MAC of a government enterprise gateway-based downlink terminal according to claim 4, wherein automatically checking the binding relation further comprises further automatic examination by the government enterprise gateway;
and the further automatic examination judges whether the terminal equipment under examination is normal or abnormal by comparing the differences between ARP request response times.
7. The method for automatically binding the IP and MAC of a government enterprise gateway-based downlink terminal according to claim 6, wherein the further automatic examination by the government enterprise gateway comprises:
if the government enterprise gateway receives consecutive responses from the terminal equipment, recording the response times of several successively sent ARP detection requests, each response time being the time at which the gateway received the ARP detection response minus the time at which it sent the ARP detection request;
comparing those response times, and if the difference between them is smaller than a first preset value, regarding the terminal equipment as normal; if the difference between them is larger than a second preset value, regarding the terminal equipment as abnormal, deleting it from the device binding table and/or the device audit table, and forbidding the parsed MAC address from coming online again.
8. An automatic binding system for the IP and MAC of a government enterprise gateway-based downlink terminal, characterized in that the system comprises:
an automatic binding module, used to automatically manage the binding relation between the IP and MAC of the terminal equipment;
an automatic binding relation checking module, used to automatically check and manage the correctness of the IP-to-MAC mapping of the government enterprise gateway downlink terminal equipment;
the automatic binding module comprising an acquisition unit, a parsing unit and a first judgment unit;
the acquisition unit being used to acquire the terminal equipment online message;
the parsing unit being used to parse the terminal equipment online message to obtain the MAC address and IP address carried in it;
the first judgment unit being configured to check, on the basis of the parsed MAC address and IP address, whether the parsed MAC address already exists in the device binding table; if the parsed MAC address exists and the parsed IP address differs from the IP address corresponding to that MAC address in the device binding table, to write the parsed MAC address and IP address into the device audit table; and if the parsed MAC address does not exist, to write the parsed IP-to-MAC mapping into the device binding table and also into the downlink terminal device binding relation table.
9. The automatic binding system for the IP and MAC of a government enterprise gateway-based downlink terminal according to claim 8, wherein the device binding table is a mapping table of the IP addresses and MAC addresses of terminal devices that have passed inspection;
and the device audit table is a mapping table of the IP addresses and MAC addresses of suspicious terminal devices.
10. A computer readable storage medium storing a computer program, wherein the computer program, when executed by a processor, implements the method for automatically binding the IP and MAC of a government enterprise gateway-based downlink terminal according to any one of claims 1 to 7.
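The procedure of claims 1 to 7 (parse the online message, consult the binding table, divert a known MAC with a new IP into the audit table, probe it with ARP under a timer and retry limit, then compare the spread of reply times) can be modelled end to end. The block below is an added illustration written for this page; it is not code from the patent or from its applicant. Because the patent does not say what the "terminal equipment online message" is, the model assumes it is a gratuitous ARP frame and parses the sender MAC and IP from the raw Ethernet/ARP bytes; the live ARP probe of claim 5 is replaced by an injectable callback (assumed name `probe`) that returns a round-trip time or `None`, so the whole flow runs offline against constructed frames. The table names, thresholds and the `undecided` outcome for a reply-time spread that falls between the two preset values are assumptions, since claim 7 does not say what happens in that band.

```python
"""Added illustration, not code from patent CN117675751A: a runnable model of
the binding / audit procedure of claims 1-7.  Assumed: the online message is a
gratuitous ARP frame, and the ARP probe is an injected callback."""
import struct
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Optional, Set, Tuple

ETHERTYPE_ARP = 0x0806

# Probe callback (assumption): given an IP, return the ARP round-trip time in
# seconds, or None when no reply arrived.  A real gateway would send an ARP
# request on the downlink port and time the reply.
ProbeFn = Callable[[str], Optional[float]]


class Verdict(Enum):
    NORMAL = "normal"
    ABNORMAL = "abnormal"
    UNDECIDED = "undecided"   # spread between the two thresholds; claim 7 is silent


def parse_online_message(frame: bytes) -> Tuple[str, str]:
    """Claim 1, step 1: pull the sender MAC and IP out of an Ethernet/ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    mac = ":".join(f"{b:02x}" for b in frame[22:28])
    ip = ".".join(str(b) for b in frame[28:32])
    return mac, ip


def build_arp_announce(mac: str, ip: str) -> bytes:
    """Constructed sample input: a gratuitous ARP request announcing mac/ip."""
    mac_b = bytes.fromhex(mac.replace(":", ""))
    ip_b = bytes(int(octet) for octet in ip.split("."))
    eth = b"\xff" * 6 + mac_b + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac_b + ip_b + b"\x00" * 6 + ip_b
    return eth + arp


@dataclass
class BindingGateway:
    probe: ProbeFn
    timeout: float = 1.0        # "preset duration" of the per-probe timer (claim 5)
    max_misses: int = 3         # "preset times" a probe may go unanswered (claim 5)
    samples: int = 3            # replies timed for the jitter check (claim 7)
    jitter_ok: float = 0.005    # "first preset value": spread below this is normal
    jitter_bad: float = 0.050   # "second preset value": spread above this is abnormal
    binding: Dict[str, str] = field(default_factory=dict)   # MAC -> IP, verified
    audit: Dict[str, str] = field(default_factory=dict)     # MAC -> IP, suspect
    downlink: Dict[str, str] = field(default_factory=dict)  # mirror written on first binding
    banned: Set[str] = field(default_factory=set)           # MACs refused re-admission

    def handle_online(self, frame: bytes) -> str:
        mac, ip = parse_online_message(frame)
        if mac in self.banned:
            return "rejected-banned"
        if mac not in self.binding:                   # claim 1: unknown MAC
            self.binding[mac] = ip
            self.downlink[mac] = ip
            return "bound"
        if self.binding[mac] == ip:                   # not covered by the claims; assumed no-op
            return "unchanged"
        self.audit[mac] = ip                          # claim 1: known MAC with a new IP
        verdict = self.audit_binding(mac, ip)
        if verdict is Verdict.NORMAL:
            self.binding[mac] = ip
            self.audit.pop(mac, None)
            return "rebound"
        if verdict is Verdict.ABNORMAL:
            return "quarantined"
        return "pending-audit"

    def audit_binding(self, mac: str, ip: str) -> Verdict:
        """Claims 5 and 7: probe with retry, then compare the reply-time spread."""
        rtts, misses = [], 0
        while len(rtts) < self.samples:
            rtt = self.probe(ip)
            if rtt is None or rtt > self.timeout:     # timer expired: resend
                misses += 1
                if misses >= self.max_misses:
                    self._quarantine(mac)
                    return Verdict.ABNORMAL
                continue
            rtts.append(rtt)
        spread = max(rtts) - min(rtts)
        if spread < self.jitter_ok:
            return Verdict.NORMAL
        if spread > self.jitter_bad:
            self._quarantine(mac)
            return Verdict.ABNORMAL
        return Verdict.UNDECIDED

    def _quarantine(self, mac: str) -> None:
        """Delete from both tables and refuse the MAC in future (claims 5 and 7)."""
        self.binding.pop(mac, None)
        self.audit.pop(mac, None)
        self.banned.add(mac)
```

Both checks rest on ARP, which carries no authentication, and on a ban keyed by MAC address, which any station can set in software; a host that answers probes for a hijacked IP with steady timing, or that simply changes its MAC after being banned, passes them. The model therefore treats the reply-time spread as a heuristic with an explicit undecided band rather than as proof of identity, and keeps such an entry in the audit table instead of promoting it to the binding table.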
CN202311612556.1A 2023-11-27 2023-11-27 Automatic binding method and system for IP and MAC of government enterprise gateway-based downlink terminal Pending CN117675751A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311612556.1A CN117675751A (en) 2023-11-27 2023-11-27 Automatic binding method and system for IP and MAC of government enterprise gateway-based downlink terminal

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311612556.1A CN117675751A (en) 2023-11-27 2023-11-27 Automatic binding method and system for IP and MAC of government enterprise gateway-based downlink terminal

Publications (1)

Publication Number Publication Date
CN117675751A true CN117675751A (en) 2024-03-08

Family

ID=90072606

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311612556.1A Pending CN117675751A (en) 2023-11-27 2023-11-27 Automatic binding method and system for IP and MAC of government enterprise gateway-based downlink terminal

Country Status (1)

Country Link
CN (1) CN117675751A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination