
WO2008131650A1 - DHCP snooping method and device thereof - Google Patents


Info

Publication number
WO2008131650A1
Authority
WO
WIPO (PCT)
Prior art keywords
dhcp
binding table
user
blacklist
packet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2008/070011
Other languages
French (fr)
Chinese (zh)
Inventor
Xuefei Tan
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Publication of WO2008131650A1


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/50 Address allocation
    • H04L 61/5007 Internet protocol [IP] addresses
    • H04L 61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]

Definitions

  • The present invention relates to the field of communication network technologies, and in particular to a DHCP snooping (listening) method and a device for it.
  • DHCP: Dynamic Host Configuration Protocol
  • The current common countermeasure against DHCP-related spoofing is to enable DHCP snooping on the network device that connects the users, such as the gateway switch.
  • DHCP snooping establishes a DHCP binding table by listening to DHCP messages.
  • The DHCP binding table entries include: Internet Protocol (IP) address, Media Access Control (MAC) address, inbound port number, and Virtual LAN (VLAN) number.
  • IP: Internet Protocol
  • MAC: Media Access Control
  • VLAN: Virtual LAN
  • ARP: Address Resolution Protocol
  • A schematic diagram of the basic scheme is shown in Figure 1.
  • The MAC address and IP address of user B are B and 10.1.1.2; the MAC address and IP address of user C are C and 10.1.1.3; the MAC address and IP address of network device A are A and 10.1.1.1.
  • The DHCP binding table shown in Table 1 is established by analysing all the DHCP messages monitored during the users' address application.
  • When user C sends a gratuitous ARP packet claiming that the MAC address of the gateway 10.1.1.1 is C, the gateway switch inspects the ARP packet.
  • The information carried in the ARP packet is used to look up the DHCP binding table; it includes the source MAC address, the source IP address (or the IP address declared in the ARP payload) and the inbound port information.
  • In this example the gateway switch looks up the DHCP binding table with MAC address C, IP address 10.1.1.1, inbound port E2 and VLAN 3, and finds that no entry is hit.
  • The gateway switch therefore discards the ARP packet, so the spoofed ARP packet cannot reach any other user, including user B, and user C's attack is stopped.
  • A normal user's packets, by contrast, hit the DHCP binding table correctly at the gateway switch, and the external network is accessed normally.
  • With DHCP snooping, once a user has obtained an IP address through DHCP, whether the user can access the network depends entirely on whether the user's packets hit an entry of the DHCP binding table on the gateway switch (that is, the information extracted from the user packet is identical to an entry in the table); if no entry matches the information extracted from the user packet, the packet is discarded.
  • As long as the user can still use the address, the corresponding DHCP binding table entry should exist on the gateway switch, but the DHCP binding table or some of its entries may be lost abnormally, for example:
  • a gateway serves a large number of users and the space for storing the DHCP binding table is limited, so entries that have not been hit for a long time must be aged out (invalidated), or the entry of a new user cannot be created because of insufficient space;
  • the DHCP snooping-enabled network device is restarted and the original DHCP binding table loses some entries during the save-and-restore process;
  • the DHCP snooping-enabled network device may also lose the DHCP binding table because of its own internal communication problems;
  • once DHCP snooping is enabled on a network device, users who obtained an address through DHCP before it was enabled have no corresponding DHCP binding table entry on the device, which can also be understood as an abnormal loss of those users' entries.
  • Once an entry is lost, the corresponding user cannot send any packet through the gateway switch and can only wait for the DHCP-assigned address to expire, or release it manually, and then initiate a new DHCP address application; only after the address is obtained can the user access the network again.
  • If user B's entry is lost, user B's packets have no corresponding DHCP binding table entry on the gateway switch, the lookup fails, and all packets sent by user B except the DHCP first address request are discarded. If user B needs to keep using the network, there are only two ways: manually release the address and re-apply, or wait for the lease to expire; both interrupt access for a long time.
  • The technical problem to be solved by the present invention is to provide a DHCP snooping method and device that, when the DHCP binding table is lost abnormally, quickly restore the user's network access with the user barely perceiving it.
  • The present invention provides a DHCP snooping method that includes: receiving a user packet and determining whether it hits a first DHCP binding table, and, when the user packet misses the first DHCP binding table, sending the user a DHCP message that triggers the user to re-initiate a first address request.
  • The present invention also provides a DHCP snooping device for monitoring user packets received by a network device, which includes:
  • a binding table storage unit, configured to store a DHCP binding table;
  • a hit determining unit, configured to look up the DHCP binding table according to the information in the user packet and determine whether the user packet hits the first DHCP binding table;
  • a negative-acknowledgement (NAK) unit, configured to send the user a DHCP message that triggers the user to re-initiate the first address request when the hit determining unit determines that the user packet misses the first DHCP binding table.
  • Implementing the present invention has the following beneficial effect:
  • the DHCP snooping method and device can send a DHCPNAK message to the user after a received user packet fails to hit the DHCP binding table, so that the user re-initiates the first address application on receiving the DHCPNAK, the DHCP binding table entry is re-established, and the user continues to access the network without noticing.
  • FIG. 1 is a schematic diagram of the application of a DHCP snooping method in the prior art;
  • FIG. 2 is a schematic flowchart of Embodiment 1 of the DHCP snooping method of the present invention;
  • FIG. 3 is a schematic flowchart of Embodiment 3 of the DHCP snooping method of the present invention;
  • FIG. 4 is a schematic flowchart of an implementation of S3003 in FIG. 3;
  • FIG. 5 is a schematic diagram of the functional modules of the first embodiment of the DHCP snooping device of the present invention;
  • FIG. 6 is a schematic diagram of the functional modules of the second embodiment of the DHCP snooping device of the present invention;
  • FIG. 7 is a schematic diagram of the functional modules of the third embodiment of the DHCP snooping device of the present invention.
  • FIG. 2 shows the flow of Embodiment 1 of the DHCP snooping method of the present invention, which includes the following steps:
  • S2001: receive a user packet and determine whether it hits the DHCP binding table; if yes, forward the user packet as in the prior art, otherwise perform S2002;
  • S2002: send the user a DHCP message that triggers the user to re-initiate the first address request; the DHCP message may be a DHCPNAK message, but is not limited to it.
  • In this way, when a user packet cannot hit the DHCP binding table, it is not simply discarded as in the prior art.
  • Taking the access device (the network switch in the figure) as an example: when user B's packet misses the DHCP binding table, the user packet is redirected to the DHCP snooping unit, and the DHCP snooping unit sends a DHCPNAK message to user B.
  • The DHCPNAK message lets the access device notify user B that the IP address is unavailable and that the first address request must be re-initiated; the access device then discards the user packet that missed the DHCP binding table.
  • After receiving the DHCPNAK, user B automatically re-initiates the first address request according to the DHCP protocol.
  • The DHCP snooping unit re-establishes user B's DHCP binding table entry by listening to the DHCP messages exchanged during the first address application, and user B can go online as usual once an address is obtained. The whole process requires no manual operation by the user.
  • Therefore the DHCP binding table can be re-established without the user's perception, and the user quickly regains normal network access.
  • The gateway switch mentioned here and below is only a specific case; the access device may be any network device that supports DHCP snooping.
  • The present invention further provides another embodiment of the DHCP snooping method (Embodiment 2), which differs from the previous embodiment in that the method further includes: extracting the inbound port information, the VLAN information, the source MAC address and the source IP address from the user packet that missed the DHCP binding table, and creating a DHCP blacklist binding table entry from them.
  • It is called the DHCP blacklist binding table because the user packet may be merely an attack packet sent by an attacker whose own DHCP binding table entry has not been lost; the corresponding DHCP blacklist binding table entry is created in order to track the attacker's behaviour.
  • The DHCP binding table entry of the prior art includes four fields: MAC address, IP address, port number and VLAN number, as shown in Table 1.
  • In this embodiment two fields, a binding table type field and a hit frequency field, are added to the DHCP binding table of the first embodiment (referred to below as the first DHCP binding table), forming a new DHCP binding table (referred to below as the second DHCP binding table), shown in Table 2.
  • The binding table type field (the BLK field in Table 2) identifies whether a second DHCP binding table entry is a first DHCP binding table entry or a DHCP blacklist binding table entry as proposed in the present invention (BLK true means the entry is a DHCP blacklist binding table entry).
  • The hit frequency field (the RATE field in Table 2) records, when the second DHCP binding table entry is a DHCP blacklist binding table entry, how frequently the entry is hit by user packets (the hit frequency of first DHCP binding table entries may of course also be recorded).
  • S3001: after the second DHCP binding table is formed, receive a subsequent user packet and determine whether it hits the second DHCP binding table; if yes, execute S3002, otherwise send a DHCPNAK message to the user on behalf of the DHCP server.
  • S3002: determine whether the second DHCP binding table entry hit by the subsequent user packet is a DHCP blacklist binding table entry; if yes, go to S3003, otherwise forward the subsequent user packet as in the prior art.
  • S3003: process the subsequent user packet according to a predetermined configuration policy. Specifically, when the received subsequent user packet cannot hit the second DHCP binding table, a DHCPNAK message is sent to the user on behalf of the DHCP server, as in the first embodiment, triggering the user to re-initiate the first address application and re-establishing the corresponding DHCP binding table entry. When the subsequent user packet hits the second DHCP binding table, it is not forwarded directly as in the prior art and the first embodiment; instead, the binding table type field of the hit entry is read to determine whether the entry is a DHCP blacklist binding table entry.
  • If a first DHCP binding table entry is hit, the user packet is not a spoofing attack packet and is forwarded as in the prior art; if a DHCP blacklist binding table entry is hit, the subsequent user packet may be an attack packet and is processed according to the predetermined configuration policy, which includes recording how often the corresponding DHCP blacklist binding table entry is hit by user packets, that is, how many times it was hit within a predetermined time period (the period can be configured according to actual conditions).
  • The device can thus process a user packet according to the type of the DHCP binding table entry it hits, which enhances the device's ability to identify attack packets.
  • The predetermined configuration policy may be: if the rate at which the user sends packets exceeds a preset rate limit, the packet is discarded; otherwise a DHCPNAK message is sent to the user.
  • The user's packet sending rate can be calculated from the frequency information recorded in the hit frequency field of the DHCP blacklist binding table entry. For example, if the frequency information recorded for the corresponding DHCP blacklist binding table entry corresponds to 0.03/s, then, following the representation of the RATE field in the second DHCP binding table (Table 2), the user's packet sending rate is taken as 0.03/s.
  • An implementation of S3003 is shown in FIG. 4 and includes the following steps:
  • S4001: record, according to the hits of the subsequent user packets, the frequency with which the corresponding DHCP blacklist binding table entry is hit;
  • S4002: calculate the user's packet sending rate from the frequency information and compare it with a preset rate limit; if the sending rate is greater than the rate limit, discard the subsequent user packet, otherwise execute S4003;
  • S4003: send a DHCPNAK message to the user on behalf of the DHCP server.
  • The present invention further provides embodiments of a DHCP snooping device; the functional modules of device embodiment 1 are shown in FIG. 5.
  • The DHCP snooping device monitors user packets received by the network device and includes a binding table storage unit 4, a hit determining unit 8 and a NAK unit 1.
  • The binding table storage unit 4 stores the DHCP binding table.
  • The hit determining unit 8 looks up the DHCP binding table in the binding table storage unit according to the information in the user packet received by the network device, determines whether the user packet hits the DHCP binding table, and instructs the network device to forward the user packet when it does.
  • The NAK unit 1 sends the user a DHCP message that triggers the user to re-initiate the first address application when the hit determining unit determines that the user packet misses the DHCP binding table.
  • Specifically, the NAK unit 1 may send a DHCPNAK message to the user on behalf of the DHCP server, notifying the user that the IP address is no longer available and that the first address request must be re-initiated; on receiving the DHCPNAK, the user initiates the first address request.
  • The DHCP snooping device listens to the DHCP messages sent during the first address application and re-establishes the corresponding DHCP binding table entry; after the address is obtained, the user can go online as usual.
  • Thus, when the DHCP binding table is lost, it is re-established automatically without the user being aware of it, and the user accesses the network as usual.
  • The functional modules of the second embodiment of the DHCP snooping device of the present invention are shown in FIG. 6.
  • The difference from the first embodiment is that a blacklist binding table unit 2 is further included: when the hit determining unit 8 determines that the user packet does not match the DHCP binding table of the first embodiment (referred to below as the first DHCP binding table), that is, when the received user packet cannot hit the first DHCP binding table, the unit extracts the inbound port information, VLAN information, source MAC address and source IP address from the user packet and creates the corresponding DHCP blacklist binding table entry (Table 2).
  • It is called the DHCP blacklist binding table because the user packet may be merely an attack packet sent by an attacker whose own DHCP binding table entry has not been lost; the blacklist binding table is used to track the attacker's behaviour.
  • Two fields, a binding table type field and a hit frequency field, are added to the DHCP binding table of the first embodiment (the first DHCP binding table), forming a new DHCP binding table (the second DHCP binding table), as shown in Table 2 above.
  • The binding table type field (the BLK field in Table 2 above) identifies whether a second DHCP binding table entry is a first DHCP binding table entry or a DHCP blacklist binding table entry as proposed in the present invention (BLK true means the entry is a DHCP blacklist binding table entry).
  • The hit frequency field (the RATE field in Table 2 above) records, when the second DHCP binding table entry is a DHCP blacklist binding table entry, how frequently the entry is hit by user packets (the hit frequency of first DHCP binding table entries may of course also be recorded).
  • The attacker's behaviour can thus be tracked effectively from the recorded frequency information and similar data, so that network management can analyse it.
  • FIG. 7 shows the functional modules of the third embodiment of the DHCP snooping device, an improvement of the second embodiment.
  • It further includes a type determining unit 5, a first processing unit 6 and a second processing unit 7.
  • The type determining unit 5 reads the binding table type field when the hit determining unit 8 determines that a subsequent user packet received by the network device hits the second DHCP binding table, and determines whether the hit entry is a DHCP blacklist binding table entry.
  • The first processing unit 6 receives the result of the type determining unit 5 and, when the second DHCP binding table entry hit by the subsequent user packet is a DHCP blacklist binding table entry, processes the subsequent user packet according to a predetermined configuration policy.
  • The second processing unit 7 receives the result of the type determining unit 5 and, when the hit entry is not a DHCP blacklist binding table entry, triggers the network device to forward the user packet as in the prior art.
  • The first processing unit 6 further includes a recording unit 61, a rate calculating unit 62 and a comparing unit 63.
  • The recording unit 61 records the frequency with which the corresponding DHCP blacklist binding table entry is hit, according to the hits of the subsequent user packets.
  • The rate calculating unit 62 calculates the user's packet sending rate from the frequency information recorded by the recording unit 61; for example, if the recorded frequency information is the number of hits on the corresponding DHCP blacklist binding table entry within 2 minutes, the packet sending rate derived from it may be 0.03/s.
  • The comparing unit 63 compares the sending rate with the preset rate limit: when the rate does not exceed the limit, it triggers the NAK unit 1 to send the user a DHCP message that triggers the user to re-initiate the first address request; otherwise it triggers the network device to discard the subsequent user packet.
  • In this way the attacker's behaviour can be tracked and the attack recognition capability of the device enhanced, effectively preventing denial-of-service attacks by malicious users.
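The handling described in Embodiments 1 to 3 above (S2001/S2002, S3001 to S3003 and S4001 to S4003), as an added simulation; this is not code from the patent or from Huawei. It keeps the second DHCP binding table as a dictionary keyed on (MAC, IP, inbound port, VLAN), marks blacklist entries with the BLK flag and derives the RATE field from recorded hit times. The 2-minute window, the rate limit of 0.05 packets per second, the port names E1 and E3 and the addresses of the users are assumptions chosen to match the Figure 1 scenario; only port E2, VLAN 3 and the addresses of users B and C and the gateway come from the page.

```python
# Added example (not code from the patent): a simulation of the second DHCP binding
# table with the BLK and RATE fields and of the S3001-S4003 handling described above.
# The 2-minute window, the rate limit, port names E1/E3 and the users' addresses are
# constructed assumptions; E2, VLAN 3 and the B/C/gateway addresses come from the page.
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

# Key of a binding table entry: (MAC address, IP address, inbound port, VLAN number)
Key = Tuple[str, str, str, int]


@dataclass
class Entry:
    """One second-DHCP-binding-table entry: the four prior-art fields live in the key,
    BLK marks a blacklist entry, and the recorded hit timestamps back the RATE field."""
    blk: bool
    hits: Deque[float] = field(default_factory=deque)


@dataclass
class UserPacket:
    mac: str
    ip: str
    port: str
    vlan: int

    @property
    def key(self) -> Key:
        return (self.mac, self.ip, self.port, self.vlan)


class DhcpSnooper:
    """Access-device side: binding table storage, hit determination, blacklist, rate policy."""

    def __init__(self, window_s: float = 120.0, rate_limit: float = 0.05) -> None:
        self.table: Dict[Key, Entry] = {}
        self.window_s = window_s        # predetermined period over which hits are counted (assumed 2 min)
        self.rate_limit = rate_limit    # preset rate limit in packets per second (assumed value)

    def learn_from_dhcp_ack(self, mac: str, ip: str, port: str, vlan: int) -> None:
        """Binding table (re-)establishment: an entry learned by snooping the DHCPACK of a
        first address application is a first-DHCP-binding-table entry (BLK = False).
        It replaces any blacklist entry that was created for the same key."""
        self.table[(mac, ip, port, vlan)] = Entry(blk=False)

    def rate(self, key: Key, now: float) -> float:
        """RATE field: hits on the entry within the window, expressed in hits per second."""
        entry = self.table[key]
        while entry.hits and now - entry.hits[0] > self.window_s:
            entry.hits.popleft()        # hits older than the window no longer count
        return len(entry.hits) / self.window_s

    def handle(self, pkt: UserPacket, now: float) -> str:
        """Returns the action taken for one user packet: FORWARD, DHCPNAK or DROP."""
        entry = self.table.get(pkt.key)
        if entry is None:
            # S3001 miss: Embodiment 2 records the packet's port, VLAN, MAC and IP as a
            # blacklist entry, and a DHCPNAK is sent on behalf of the DHCP server so that a
            # user whose entry was really lost re-runs the first address application.
            self.table[pkt.key] = Entry(blk=True)
            return "DHCPNAK"
        if not entry.blk:
            return "FORWARD"            # S3002: a first-table entry was hit, forward as in the prior art
        entry.hits.append(now)          # S4001: record the hit on the blacklist entry
        if self.rate(pkt.key, now) > self.rate_limit:
            return "DROP"               # S4002: sending rate above the limit, discard
        return "DHCPNAK"                # S4003: at or below the limit, NAK the user again


def run_scenario() -> List[str]:
    """Figure 1 scenario: user B has a valid entry; user C keeps sending packets that claim
    the gateway address 10.1.1.1 from port E2 / VLAN 3 until the rate policy drops them."""
    snooper = DhcpSnooper()
    snooper.learn_from_dhcp_ack("B", "10.1.1.2", "E1", 3)   # B's entry; port E1 is constructed
    actions = [snooper.handle(UserPacket("B", "10.1.1.2", "E1", 3), 0.0)]
    spoof = UserPacket("C", "10.1.1.1", "E2", 3)
    for t in range(0, 8):                                      # one spoofed packet per second
        actions.append(snooper.handle(spoof, float(t)))
    return actions


if __name__ == "__main__":
    print(run_scenario())
```

With the assumed limit of 0.05/s over a 120 s window, the first spoofed packet misses and is answered with a DHCPNAK, the next six hit the blacklist entry and are still answered with a DHCPNAK, and the seventh hit pushes the RATE value above the limit so the packet is dropped; a user whose entry was genuinely lost gets the DHCPNAK, re-runs the first address application, and the DHCPACK learned by snooping replaces the blacklist entry with a normal one.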

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A DHCP snooping method is disclosed: when a received user message cannot hit the DHCP binding table because the DHCP binding table has been lost abnormally, a DHCP message that triggers the user to re-initiate the first address application (a DHCPNAK message) is sent to the user, and the user initiates the first address application after receiving it. With this solution the DHCP binding table can be rebuilt without the user being aware of it, so the user keeps accessing the network as usual. A DHCP snooping device is also disclosed.

Description

DHCP snooping method and device thereof

Technical field

The present invention relates to the field of communication network technologies, and in particular to a DHCP snooping method and a device for it.

Background art

With the expansion of network scale and the increase of network complexity, the Dynamic Host Configuration Protocol (DHCP) has come into wide use. DHCP, however, encounters many security problems in use; to solve them, the current common practice is to enable the DHCP snooping function on the network device that connects the users, such as the gateway switch.

DHCP snooping listens to DHCP messages and establishes a DHCP binding table whose entries include the Internet Protocol (IP) address, the Media Access Control (MAC) address, the inbound port number and the Virtual LAN (VLAN) number. When forwarding packets, the DHCP binding table is used to check Address Resolution Protocol (ARP) packets and IP packets, which solves the spoofing attack problem mentioned above. A schematic diagram of the basic scheme is shown in Figure 1: the MAC address and IP address of user B are B and 10.1.1.2; the MAC address and IP address of user C are C and 10.1.1.3; the MAC address and IP address of network device A are A and 10.1.1.1. When DHCP snooping is enabled on the gateway switch that connects the users, every user, whether a normal user such as user B or a user who may attack such as user C, must first perform a DHCP first address application. The gateway switch listens to all DHCP messages of user B and user C during the application process and, by analysing the monitored DHCP messages, establishes the DHCP binding table shown in Table 1 below.

[Figure imgf000003_0001: Table 1, the DHCP binding table (MAC address, IP address, inbound port, VLAN) established by the gateway switch; image not reproduced]

Table 1

When an attacker launches a spoofing attack, for example user C sends a gratuitous ARP packet to user B in order to make user B believe that the MAC address of the gateway with IP address 10.1.1.1 is C, the gateway switch inspects this ARP packet and looks up the DHCP binding table with the information it carries; that information includes the packet's source MAC address, its source IP address (or the IP address declared in the ARP payload) and the inbound port information. In this example the gateway switch looks up the DHCP binding table with MAC address C, IP address 10.1.1.1, inbound port E2 and VLAN 3, and finds that the packet misses the DHCP binding table (the table contains no entry with MAC address C, IP address 10.1.1.1, inbound port E2 and VLAN 3), so the gateway switch discards the ARP packet. The spoofed ARP packet therefore cannot reach any other user, including user B, and user C's attack is stopped.

A normal user such as user B, on the other hand, has no problem using the network, because all the packets it sends carry the information from its DHCP address application, that is, MAC address B and source IP address 10.1.1.2, and under normal circumstances they hit the DHCP binding table correctly at the gateway switch, so the external network is accessed normally. With the DHCP snooping scheme, once a user has successfully obtained an IP address dynamically through DHCP, whether the user can access the network depends entirely on whether the user's packets hit some DHCP binding table entry of the gateway switch (that is, the relevant information extracted from the user packet is exactly identical to an entry of a DHCP binding table on the gateway switch); if no DHCP binding table entry matches the relevant information extracted from the user packet, the packet is discarded.
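The prior-art check just described, run over raw frames, as an added example that is not code from the patent or from Huawei. It parses an Ethernet frame with an optional 802.1Q tag and an ARP body, extracts the source MAC address, the IP address declared in the ARP payload and the VLAN, joins them with the inbound port reported by the switch, and forwards only on an exact hit in Table 1. The contents of Table 1, the MAC byte values standing in for the page's symbolic addresses B and C, and port E1 are constructed; port E2, VLAN 3 and the IP addresses are the page's.

```python
# Added example (not the patent's code): the prior-art ARP inspection of Figure 1 applied to
# raw Ethernet/802.1Q/ARP frames. TABLE_1 is constructed from the text (B and C only); the
# MAC byte values stand in for the page's symbolic "B" and "C", and port E1 is assumed.
import struct
from typing import Dict, NamedTuple, Optional, Set, Tuple

Key = Tuple[str, str, str, Optional[int]]  # (source MAC, IP, inbound port, VLAN)

MAC_B = "00:00:00:00:00:0b"   # constructed stand-in for user B's MAC address
MAC_C = "00:00:00:00:00:0c"   # constructed stand-in for user C's MAC address
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

# Table 1 as a set of (MAC, IP, port, VLAN) tuples; C sits on E2 / VLAN 3 per the text.
TABLE_1: Set[Key] = {
    (MAC_B, "10.1.1.2", "E1", 3),
    (MAC_C, "10.1.1.3", "E2", 3),
}


class ArpInfo(NamedTuple):
    src_mac: str          # Ethernet source address
    sender_ip: str        # IP address declared in the ARP payload
    target_ip: str
    vlan: Optional[int]   # 802.1Q VLAN ID, None when untagged


def mac_bytes(s: str) -> bytes:
    return bytes(int(x, 16) for x in s.split(":"))

def ip_bytes(s: str) -> bytes:
    return bytes(int(x) for x in s.split("."))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp_frame(src_mac: str, dst_mac: str, vlan: Optional[int], oper: int,
                    sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Constructs an ARP frame (optionally 802.1Q tagged) as test input for the inspection."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac)
    if vlan is not None:
        eth += struct.pack("!HH", 0x8100, vlan & 0x0FFF)   # TPID + TCI (VLAN ID in low 12 bits)
    eth += struct.pack("!H", 0x0806)                        # EtherType ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)      # Ethernet/IPv4 ARP header
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip) + mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame: bytes) -> ArpInfo:
    """Extracts the fields the gateway switch keys its DHCP binding table lookup on."""
    src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, vlan = 14, None
    if ethertype == 0x8100:                                  # 802.1Q tag present
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18
    if ethertype != 0x0806:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, _oper = struct.unpack("!HHBBH", frame[offset:offset + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    body = frame[offset + 8:]                                # sha(6) spa(4) tha(6) tpa(4)
    return ArpInfo(mac_str(src), ip_str(body[6:10]), ip_str(body[16:20]), vlan)


def inspect_arp(table: Set[Key], frame: bytes, inbound_port: str) -> Tuple[str, Key]:
    """Prior-art check: forward only if (source MAC, declared IP, inbound port, VLAN) hits Table 1."""
    info = parse_arp_frame(frame)
    key = (info.src_mac, info.sender_ip, inbound_port, info.vlan)
    return ("FORWARD" if key in table else "DROP"), key


def figure_1_cases() -> Dict[str, str]:
    """C's gratuitous ARP claiming the gateway IP 10.1.1.1, beside legitimate ARPs from B and C."""
    spoof = build_arp_frame(MAC_C, BROADCAST, 3, 2, MAC_C, "10.1.1.1", BROADCAST, "10.1.1.1")
    c_ok = build_arp_frame(MAC_C, BROADCAST, 3, 1, MAC_C, "10.1.1.3", ZERO_MAC, "10.1.1.1")
    b_ok = build_arp_frame(MAC_B, BROADCAST, 3, 1, MAC_B, "10.1.1.2", ZERO_MAC, "10.1.1.1")
    return {
        "C spoofs gateway on E2": inspect_arp(TABLE_1, spoof, "E2")[0],
        "C legitimate on E2": inspect_arp(TABLE_1, c_ok, "E2")[0],
        "B legitimate on E1": inspect_arp(TABLE_1, b_ok, "E1")[0],
        "B's frame seen on E2": inspect_arp(TABLE_1, b_ok, "E2")[0],   # binding is tied to B's own port
    }


if __name__ == "__main__":
    for case, verdict in figure_1_cases().items():
        print(f"{case}: {verdict}")
```

The inbound port is deliberately not taken from the frame: it is metadata the switch attaches on reception, which is what makes the check catch a frame carrying B's addresses that arrives on another port. The same exact-match rule is also why a genuine user whose entry has been lost is cut off, which is the problem the invention addresses.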

Normally, as long as the user can still use the address (for example the applied-for address is still within its lease), the corresponding DHCP binding table should exist on the gateway switch; however, the DHCP binding table or some of its entries may be lost abnormally, for example:

1. Because a gateway must connect a large number of users and the space for storing the DHCP binding table is limited, DHCP binding table entries that have not been hit for a long time must be aged out (invalidated), or the DHCP binding table entry of a new user cannot be created because of insufficient space;

2. When the network device with DHCP snooping enabled restarts, the original DHCP binding table loses some entries during the save-and-restore process;

3. The network device with DHCP snooping enabled may also lose the DHCP binding table because of internal communication problems of its own;

4. Once DHCP snooping is enabled on a network device, users who obtained an address through DHCP before it was enabled have no corresponding DHCP binding table on that network device, which can also be understood as an abnormal loss of those users' DHCP binding table.

Once a DHCP binding table or some of its entries are lost, the corresponding user cannot send any packet through the gateway switch and can only wait for the DHCP-assigned address to expire, or release it manually, and then initiate a DHCP address application again; only after the address is successfully obtained can the user access the network.

As shown in Figure 1, if for some reason the DHCP binding table for user B is lost, user B's packets have no corresponding DHCP binding table on the gateway switch, the gateway switch's lookup of the DHCP binding table fails, and all packets sent by user B except the DHCP first address application packets are discarded. If user B then needs to continue using the network, there are only two ways:

1. Manually trigger the network card to perform the DHCP first address application again, that is, release the existing address first and then perform the first address application. Through the first address application user B obtains a new address, and a corresponding DHCP binding table is established on the gateway switch.

2、 等目前申请的地址过期后再上网, 此时由于地址过期, DHCP客户端软 件将检测到该事件, 然后自动进行首次地址申请。 通过首次地址申请, 用户 B 重新获得新的地址, 同时在网关交换机上建立起对应的绑定表。  2. Wait until the current application address expires and then go online. At this time, the DHCP client software will detect the event because the address expires, and then automatically apply for the first address. Through the first address application, user B regains the new address and establishes a corresponding binding table on the gateway switch.

上述现有技术的两种方法都会使用户长时间中断上网, 并丟失报文。 发明内容  Both of the above prior art methods cause the user to interrupt the Internet for a long time and lose the message. Summary of the invention

本发明所要解决的技术问题在于, 提供一种 DHCP 监听方法及装置, 当 DHCP绑定表非正常丟失时, 在用户几乎不感知的情况下, 快速恢复上网功能。  The technical problem to be solved by the present invention is to provide a DHCP listening method and device. When the DHCP binding table is abnormally lost, the Internet access function is quickly restored when the user barely perceives.

为了解决上述技术问题, 本发明提出了一种 DHCP监听方法, 包括: 接收 用户报文并判断其是否命中第一 DHCP绑定表, 当所述判断结果为所述用户报 文未命中所述第一 DHCP绑定表时, 向所述用户发送用于触发该用户重新发起 首次地址申请的 DHCP报文。  In order to solve the above technical problem, the present invention provides a DHCP snooping method, including: receiving a user packet and determining whether it hits the first DHCP binding table, and when the determining result is that the user packet misses the first A DHCP binding table is sent to the user to trigger the user to re-initiate the DHCP request for the first address request.

相应地, 本发明提供一种 DHCP监听装置, 用于监听网络设备收到的用户 报文, 包括:  Correspondingly, the present invention provides a DHCP listening device, which is configured to listen to user messages received by a network device, and includes:

绑定表存储单元, 用于存储 DHCP绑定表;  a binding table storage unit, configured to store a DHCP binding table;

命中判断单元, 用于根据所述用户报文中的信息查找所述 DHCP绑定表, 判断所述用户报文是否命中第一 DHCP绑定表;  a hitting determining unit, configured to search the DHCP binding table according to the information in the user packet, and determine whether the user packet hits the first DHCP binding table;

反确认单元, 用于当所述命中判断单元的判断结果为所述用户报文未命中 所述第一 DHCP绑定表时, 向所述用户发送用于触发该用户重新发起首次地址 申请的 DHCP报文。  The anti-confirmation unit is configured to: when the judgment result of the hit determination unit is that the user packet misses the first DHCP binding table, send a DHCP to the user to trigger the user to re-initiate the first address request Message.

实施本发明, 具有如下有益效果: 所述 DHCP监听方法及其装置, 可以实现通过当收到的用户报文不能命中 DHCP绑定表时仿照 DHCP服务器向该用户发送 DHCPNAK报文, 使该用户在 收到 DHCPNAK报文后发起首次地址申请, 从而重新建立起 DHCP绑定表, 在 用户感知不到的情况下保持继续上网。 附图说明 The implementation of the present invention has the following beneficial effects: The DHCP snooping method and the device thereof may be configured to send a DHCPNAK packet to the user after the received user packet fails to hit the DHCP binding table, so that the user initiates the first address after receiving the DHCPNAK packet. Apply, and then re-establish the DHCP binding table, and continue to access the Internet if the user does not know. DRAWINGS

图 1是现有技术中 DHCP监听方法的应用示意图;  1 is a schematic diagram of application of a DHCP snooping method in the prior art;

图 2是本发明中 DHCP监听方法实施例一的流程示意图;  2 is a schematic flowchart of Embodiment 1 of a DHCP snooping method according to the present invention;

图 3是本发明中 DHCP监听方法实施例三的流程示意图;  3 is a schematic flowchart of Embodiment 3 of a DHCP listening method in the present invention;

图 4是图 3中 S3003的一实施方式的流程示意图;  4 is a schematic flow chart of an embodiment of S3003 in FIG. 3;

图 5是本发明中 DHCP监听装置实施例一的功能模块组成示意图; 图 6是本发明中 DHCP监听装置实施例二的功能模块组成示意图; 图 7是本发明中 DHCP监听装置实施例三的功能模块组成示意图。 具体实施方式  5 is a schematic diagram of the functional module of the first embodiment of the DHCP listening device of the present invention; FIG. 6 is a schematic diagram of the functional module of the second embodiment of the DHCP monitoring device of the present invention; FIG. 7 is a schematic diagram of the third embodiment of the DHCP monitoring device of the present invention. Schematic diagram of module composition. detailed description

下面结合附图对本发明作进一步详细清楚的说明。  The present invention will be further described in detail with reference to the accompanying drawings.

图 2示出了本发明 DHCP监听方法实施例一的流程, 该实施例包括以下步 骤:  FIG. 2 shows a flow of Embodiment 1 of the DHCP snooping method of the present invention, and the embodiment includes the following steps:

S2001 :接收用户报文并判断其是否命中 DHCP绑定表,如果判断结果为是, 则按照现有技术转发所述用户报文, 否则, 执行 S2002; S2001: Receive a user packet and determine whether it hits the DHCP binding table. If the determination result is yes, the user packet is forwarded according to the prior art; otherwise, S2002 is performed;

S2002:向所述用户发送用于触发该用户重新发起首次地址申请的 DHCP才艮 文, 该 DHCP报文在具体实现时可以是 DHCPNAK报文, 但不仅限于此。 在该实施例中, 当用户报文不能命中 DHCP绑定表时, 不再像现有技术那 样直接丟弃该报文。 例如, 如图 1 中所示的接入设备(图中为网络交换机) 收 到的用户 B的报文,由于入端口使能了 DHCP Snooping功能,接入设备的 DHCP Snooping单元从该用户报文中提取源 MAC以及源 IP地址等信息, 加上入端口 信息 (即端口号)和 VLAN号, 去查找接入设备上的 DHCP绑定表, 如果查找 不到对应的 DHCP绑定表(即对应用户 B的 DHCP绑定表非正常丟失)或查找 不到 DHCP绑定表中对应的表项, 这时, 接入设备不是直接丟弃该用户报文, 而是将该用户报文重定向至 DHCP Snooping单元, 由 DHCP Snooping单元向用 户 B发送 DHCPNAK报文, 该 DHCPNAK报文用于使接入设备仿照 DHCP服 务器告诉用户 B其 IP地址已经不可用, 需要重新发起首次地址申请, 然后接入 设备才丟弃未命中 DHCP绑定表的该用户报文。 那么, 当用户 B接收到所述 DHCPNAK报文后, 按照 DHCP协议规程, 用户 B将自动重新发起首次地址申 请, DHCP Snooping单元通过监听首次地址申请过程中交互的 DHCP报文, 重 新建立起对应用户 B的 DHCP绑定表, 则用户 B在成功申请地址后就可以照常 上网了。 整个过程无需用户手动操作, 可以在用户不感知的情况下重新建立起 DHCP绑定表, 快速地使用户照常上网。 这里及下文所提到的网关交换机只是一个特例, 所述接入设备可包括所有 支持 DHCP Snooping功能的网络设备。 本发明还提供 DHCP监听方法的另一实施例, 该实施例 (实施例二) 与上 一实施例的不同之处在于, 在该方法中还包括下列步骤: 从所述未命中 DHCP 绑定表的用户报文中提取入端口信息、 VLAN信息及其源 MAC、 源 IP地址信 息创建 DHCP黑名单绑定表。 之所以叫做 DHCP黑名单绑定表, 是因为该用户 报文只是黑客发送的攻击报文, 黑客对应的 DHCP绑定表并没有丟失, 这时, 为便于跟踪黑客的攻击行为, 建立起对应的 DHCP黑名单绑定表。 现有技术的 DHCP绑定表表项包括有 4个字段: MAC地址、 IP地址、 端口号及 VLAN号, 如表 1所示。 在本实施例中, 为更好地实现 DHCP黑名单绑定表, 对实施例一 中的 DHCP绑定表(以下以第一 DHCP绑定表说明 ) 内容增加了 2个字段: 绑 定表类型字段和命中频率字段,形成一个新的 DHCP绑定表(以下以第二 DHCP 绑定表说明), 第二绑定表如下表 2所示。 其中, 绑定表类型字段(如下表 2中 BLK字段 )用于标识该第二 DHCP绑定表表项是第一 DHCP绑定表表项, 还是 本发明提到的 DHCP黑名单绑定表表项( BLK字段为真表示该第二 DHCP绑定 表表项为 DHCP黑名单绑定表表项); 命中频率字段(如下表 2中 RATE字段) 用于当第二 DHCP绑定表表项为 DHCP黑名单绑定表表项时, 记录该 DHCP黑 名单绑定表表项被用户 4艮文命中的频率信息 (当然同时也可以记录第一 DHCP 绑定表表项被用户报文命中的频率信息)。 S2002: Send a DHCP message to the user to trigger the user to re-initiate the first address request, where the DHCP message may be a DHCPNAK message, but is not limited thereto. In this embodiment, when the user packet cannot hit the DHCP binding table, the packet is not directly discarded as in the prior art. For example, as shown in Figure 1, the access device (the network switch in the figure) receives the packet from user B. 
Because the DHCP snooping function is enabled on the ingress port, the DHCP snooping unit of the access device receives the user packet. Extract the information such as the source MAC address and the source IP address, and add the inbound port information (that is, the port number) and the VLAN number to find the DHCP binding table on the access device. If no corresponding DHCP binding table is found, If the DHCP binding table of user B is abnormally lost, or the corresponding entry in the DHCP binding table is not found, the access device does not directly discard the user packet. The user message is redirected to the DHCP snooping unit, and the DHCP snooping unit sends a DHCPNAK message to the user B. The DHCPNAK message is used to enable the access device to notify the user B that the IP address is unavailable. The first address request is re-initiated, and then the access device discards the user packet that misses the DHCP binding table. Then, after receiving the DHCPNAK packet, the user B will automatically re-initiate the first-time address request according to the DHCP protocol. The DHCP snooping unit re-establishes the corresponding user by listening to the DHCP message exchanged during the first-time address application. B's DHCP binding table, user B can go online as usual after successfully applying for an address. The entire process does not require manual operation by the user. The DHCP binding table can be re-established without the user's perception, and the user can quickly access the Internet as usual. The gateway switch mentioned here and below is only a special case, and the access device may include all network devices that support DHCP snooping. 
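To make the lookup and recovery flow above concrete, here is an added example in Python (my own model, not code from the patent or from Huawei). It parses constructed DHCP messages, learns a binding from a DHCPACK matched to the client's earlier request by transaction id (so the binding records the untrusted port the client actually used), and then applies the S2001/S2002 decision to user packets keyed by (MAC, IP, ingress port, VLAN). The message builder, the port names E2 and UPLINK, and the MAC address are constructed test input; the DHCPNAK reply is represented only as the returned action, not as a transmitted packet.

```python
"""Rebuilding a DHCP binding table by snooping the client/server exchange,
then applying the S2001/S2002 decision. Constructed example, not the patent's code."""
import struct
from typing import Dict, Optional, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"          # option-field magic cookie (RFC 2131)
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_MSG_TYPE, OPT_END, OPT_PAD = 53, 255, 0
DHCPREQUEST, DHCPACK = 3, 5

BindingKey = Tuple[str, str, str, int]    # (MAC, IP, ingress port, VLAN)


def parse_dhcp(payload: bytes) -> Optional[dict]:
    """Parse the fixed BOOTP header and the DHCP message-type option.

    Returns None for anything that is not a well-formed DHCP message, so a
    malformed packet can never create a binding."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    op, _htype, hlen, _hops, xid = struct.unpack_from("!BBBBI", payload, 0)
    if hlen > 16:
        return None
    yiaddr = ".".join(str(b) for b in payload[16:20])           # "your" IP address
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])   # chaddr
    msg_type = None
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            return None
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                                          # truncated option
        if code == OPT_MSG_TYPE and length == 1:
            msg_type = value[0]
        i += 2 + length
    return {"op": op, "xid": xid, "mac": mac, "yiaddr": yiaddr, "msg_type": msg_type}


def build_dhcp(op: int, xid: int, mac_bytes: bytes, yiaddr: str, msg_type: int) -> bytes:
    """Build a minimal DHCP message as constructed test input (not a real capture)."""
    hdr = struct.pack("!BBBBIHH", op, 1, len(mac_bytes), 0, xid, 0, 0)
    hdr += bytes(4)                                       # ciaddr
    hdr += bytes(int(x) for x in yiaddr.split("."))       # yiaddr
    hdr += bytes(8)                                       # siaddr, giaddr
    hdr += mac_bytes.ljust(16, b"\0")                     # chaddr
    hdr += bytes(192)                                     # sname + file
    return hdr + DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, msg_type, OPT_END])


class SnoopingUnit:
    """Model of the DHCP Snooping unit: learns bindings, then checks user packets."""

    def __init__(self) -> None:
        self.binding_table: Dict[BindingKey, None] = {}   # the (first) DHCP binding table
        self.pending: Dict[int, Tuple[str, int]] = {}     # xid -> client's (port, vlan)

    def snoop_dhcp(self, payload: bytes, port: str, vlan: int) -> Optional[BindingKey]:
        msg = parse_dhcp(payload)
        if msg is None:
            return None
        if msg["op"] == BOOTREQUEST:
            # remember which untrusted port the client's request came in on
            self.pending[msg["xid"]] = (port, vlan)
            return None
        if msg["op"] == BOOTREPLY and msg["msg_type"] == DHCPACK and msg["xid"] in self.pending:
            client_port, client_vlan = self.pending.pop(msg["xid"])
            key = (msg["mac"], msg["yiaddr"], client_port, client_vlan)
            self.binding_table[key] = None
            return key
        return None

    def handle_user_packet(self, src_mac: str, src_ip: str, port: str, vlan: int) -> str:
        """S2001: forward on a hit. S2002: on a miss answer DHCPNAK, then drop."""
        if (src_mac, src_ip, port, vlan) in self.binding_table:
            return "FORWARD"
        return "DHCPNAK+DROP"


def demo() -> list:
    """User B obtains 10.1.1.2 on port E2 / VLAN 1, then its binding is lost."""
    unit = SnoopingUnit()
    mac_b = bytes.fromhex("0011223344bb")                 # constructed MAC for user B
    unit.snoop_dhcp(build_dhcp(BOOTREQUEST, 0x1234, mac_b, "0.0.0.0", DHCPREQUEST), "E2", 1)
    unit.snoop_dhcp(build_dhcp(BOOTREPLY, 0x1234, mac_b, "10.1.1.2", DHCPACK), "UPLINK", 1)
    results = [unit.handle_user_packet("00:11:22:33:44:bb", "10.1.1.2", "E2", 1)]
    unit.binding_table.clear()                            # simulate abnormal loss of the table
    results.append(unit.handle_user_packet("00:11:22:33:44:bb", "10.1.1.2", "E2", 1))
    return results


if __name__ == "__main__":
    print(demo())
```

Two details matter for a real implementation: the binding must be keyed on the port the client's request arrived on, not the trusted uplink that carried the ACK, and any packet the parser rejects must never create or refresh a binding.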
The present invention also provides another embodiment of the DHCP snooping method. This embodiment (Embodiment 2) differs from the previous one in that the method further includes the following step: extract the ingress port information, VLAN information, source MAC address and source IP address from the user packet that missed the DHCP binding table, and create a DHCP blacklist binding table from them. It is called a DHCP blacklist binding table because such a user packet may be nothing more than an attack packet sent by an attacker whose own DHCP binding table has not been lost at all; to make it easier to track the attacker's behaviour, a corresponding DHCP blacklist binding table is created. A prior-art DHCP binding table entry has four fields: MAC address, IP address, port number and VLAN number, as shown in Table 1. In this embodiment, to implement the DHCP blacklist binding table better, two fields are added to the DHCP binding table of Embodiment 1 (hereinafter the first DHCP binding table): a binding table type field and a hit frequency field. The result is a new DHCP binding table (hereinafter the second DHCP binding table), shown in Table 2 below. The binding table type field (the BLK field in Table 2) identifies whether a second DHCP binding table entry is a first DHCP binding table entry or a DHCP blacklist binding table entry as described in the present invention (a true BLK field means the entry is a DHCP blacklist binding table entry). The hit frequency field (the RATE field in Table 2) records, for an entry that is a DHCP blacklist binding table entry, how frequently that entry is hit by user packets (it may of course also record the hit frequency of first DHCP binding table entries).

MAC address   IP address   Ingress port   VLAN   BLK   RATE
B             10.1.1.2     E2             1      YES   1/s
C             10.1.1.3     E2             3      NO    100/s

Table 2

After the second DHCP binding table has been formed, another embodiment (Embodiment 3) of the DHCP snooping method of the present invention is obtained; its flowchart is shown in Figure 3 and comprises the following steps:

S3001: after the second DHCP binding table has been formed, receive a subsequent user packet and determine whether it hits the second DHCP binding table; if yes, go to S3002, otherwise send a DHCPNAK packet to the user as the DHCP server would;

S3002: determine whether the second DHCP binding table entry hit by the subsequent user packet is a DHCP blacklist binding table entry; if yes, go to step S3003, otherwise forward the subsequent user packet in the conventional way;

S3003: process the subsequent user packet according to a predetermined configuration policy.

Specifically, when a received subsequent user packet does not hit the second DHCP binding table, this embodiment behaves like Embodiment 1: a DHCPNAK packet is sent to the user as the DHCP server would, triggering the user to re-initiate the initial address request and re-creating the corresponding DHCP binding table. When the subsequent user packet does hit the second DHCP binding table, it is not forwarded directly as in Embodiment 1; instead the binding table type field of the second DHCP binding table is used to determine further whether the entry that was hit is a DHCP blacklist binding table entry. If the entry hit is a first DHCP binding table entry, the user packet is not a spoofing attack packet and is forwarded in the conventional way. If the entry hit is a DHCP blacklist binding table entry as provided by the present invention, the subsequent user packet may be an attack packet and is processed according to the predetermined configuration policy, which includes recording how frequently the corresponding DHCP blacklist binding table entry is hit by user packets, i.e. how many times it was hit within a predetermined period (the period can be configured to suit actual conditions). This embodiment thus processes user packets according to the type of the DHCP binding table entry they hit, which improves the device's ability to recognise attack packets.

As one implementation, the predetermined configuration policy may be: if the rate at which the user sends user packets exceeds a preset rate limit value, discard the packet; if it does not, send a DHCPNAK packet to the user. The user's sending rate can be calculated from the frequency information recorded in the hit frequency field of the DHCP blacklist binding table entry. For example, if the recorded frequency information is that the corresponding DHCP blacklist binding table entry was hit 4 times by user packets within 2 minutes, the frequency recorded in the hit frequency field of that entry is 0.03/s, which gives the sending rate (that is, the sending frequency) of the corresponding user packets; expressed as in the RATE field of the second DHCP binding table, the sending rate of that user's packets is taken as 0.03/s.

Corresponding to the above configuration policy, a flowchart of one implementation of S3003 is shown in Figure 4 and comprises the following steps:

S4001: according to the hits of the subsequent user packets, record the frequency information of how often the corresponding DHCP blacklist binding table entry is hit by user packets;

S4002: calculate the sending rate of the user packets from the frequency information and compare it with the preset rate limit value; if the sending rate is greater than the rate limit value, discard the subsequent user packet, otherwise go to S4003;

S4003: send a DHCPNAK packet to the user as the DHCP server would.

With the above configuration policy, denial-of-service attacks by malicious users can be effectively prevented.
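The following added example (mine, not code from the patent or from Huawei) implements the second DHCP binding table of Table 2 and the S3001 to S4003 policy: a miss creates a blacklist entry (BLK = YES) and answers DHCPNAK; a hit on a normal entry forwards; a hit on a blacklist entry records the hit, derives the RATE field and either drops or answers DHCPNAK depending on the rate limit. The page only states that 4 hits in 2 minutes correspond to 0.03/s, so the rate computation (hits in a sliding 120-second window divided by the window length), the rate limit of 0.05/s, the `learn_binding` method that turns an entry back into a normal one after the user's DHCPACK is snooped, and the packet timings are my assumptions. Host C's 100/s sending rate is taken from Table 2.

```python
"""Second DHCP binding table (BLK / RATE fields) and the S3001-S4003 policy.
Constructed example, not the patent's code."""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple

Key = Tuple[str, str, str, int]     # (MAC, IP, ingress port, VLAN), as in Table 2


@dataclass
class Entry:
    blk: bool                                           # binding table type field (BLK)
    hits: Deque[float] = field(default_factory=deque)   # hit timestamps, basis of RATE


class SecondBindingTable:
    def __init__(self, window_s: float = 120.0, rate_limit: float = 0.05) -> None:
        self.window_s = window_s        # the "predetermined period" over which hits are counted
        self.rate_limit = rate_limit    # preset rate limit value in packets/s (assumed value)
        self.entries: Dict[Key, Entry] = {}

    def learn_binding(self, key: Key) -> None:
        """A snooped DHCPACK (re)creates a normal entry: BLK = NO, RATE reset (assumption)."""
        self.entries[key] = Entry(blk=False)

    def rate(self, key: Key, now: float) -> float:
        """RATE field: hits inside the last window, expressed per second."""
        hits = self.entries[key].hits
        while hits and now - hits[0] > self.window_s:
            hits.popleft()                      # forget hits older than the window
        return len(hits) / self.window_s

    def process(self, key: Key, now: float) -> str:
        entry = self.entries.get(key)
        if entry is None:
            # S3001 miss: create a blacklist entry from the packet's fields, answer DHCPNAK
            self.entries[key] = Entry(blk=True)
            return "DHCPNAK"
        if not entry.blk:
            return "FORWARD"                    # S3002: hit on a first-binding-table entry
        entry.hits.append(now)                  # S4001: record the hit
        if self.rate(key, now) > self.rate_limit:
            return "DROP"                       # S4002: sending rate above the limit
        return "DHCPNAK"                        # S4003: below the limit, NAK again


def demo_flood() -> List[str]:
    """Host C (Table 2) sends 10 packets at 100/s with no matching binding."""
    table = SecondBindingTable()
    key_c = ("c", "10.1.1.3", "E2", 3)          # constructed key for host C
    return [table.process(key_c, i * 0.01) for i in range(10)]


def demo_user_b() -> Tuple[float, str, str]:
    """Host B: 4 hits within 2 minutes give RATE 0.03/s, so it still gets DHCPNAK;
    once its new DHCPACK has been snooped the entry is normal and packets are forwarded."""
    table = SecondBindingTable()
    key_b = ("b", "10.1.1.2", "E2", 1)          # constructed key for user B
    table.process(key_b, 0.0)                   # first miss: blacklist entry + DHCPNAK
    last = "DHCPNAK"
    for t in (10.0, 40.0, 70.0, 100.0):         # 4 hits inside the 120 s window
        last = table.process(key_b, t)
    rate = round(table.rate(key_b, 100.0), 2)
    table.learn_binding(key_b)                  # user B's re-request succeeded
    return rate, last, table.process(key_b, 101.0)


if __name__ == "__main__":
    print(demo_flood())
    print(demo_user_b())
```

Note the effect of the policy on the two hosts: user B, whose table was genuinely lost, is never dropped because its rate stays under the limit, while host C is answered with DHCPNAK only until its hit count pushes the rate over the limit, after which its packets are discarded without any further reply.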

Correspondingly, the present invention also provides embodiments of the DHCP snooping device. Figure 5 shows the functional modules of Embodiment 1 of the DHCP snooping device. The DHCP snooping device is used to monitor the user packets received by a network device and comprises a binding table storage unit 4, a hit determination unit 8 and a negative-acknowledgement unit 1.

The binding table storage unit 4 is configured to store the DHCP binding table.

The hit determination unit 8 is configured to look up the DHCP binding table stored in the binding table storage unit using the information in the user packet received by the network device, to determine whether the user packet hits the DHCP binding table, and to instruct the network device to forward the user packet when the result is yes.

The negative-acknowledgement unit 1 is configured to send to the user a DHCP packet that triggers the user to re-initiate an initial address request when the hit determination unit determines that the user packet does not hit the DHCP binding table. When a received user packet does not hit the DHCP binding table (for example because the corresponding DHCP binding table has been lost), the negative-acknowledgement unit 1 can send a DHCPNAK packet to the user as the DHCP server would, telling the user that the IP address can no longer be used and that the initial address request must be re-initiated. On receiving the DHCPNAK the user initiates the initial address request; the DHCP snooping device snoops the DHCP packets exchanged during that request and re-creates the corresponding DHCP binding table. Once the user's address request succeeds, the user can go online as usual.

With this embodiment, when a DHCP binding table is lost it can be re-created automatically without the user being aware of it, so that the user keeps network access as usual.

Figure 6 shows the functional modules of Embodiment 2 of the DHCP snooping device of the present invention. It differs from Embodiment 1 in that it further comprises a blacklist binding table unit 2 which, when the hit determination unit 8 determines that the user packet does not hit the DHCP binding table of Embodiment 1 (hereinafter the first DHCP binding table), i.e. when a received user packet does not hit the first DHCP binding table, extracts the ingress port information, source MAC address and source IP address of the user packet and creates a DHCP blacklist binding table. It is called a DHCP blacklist binding table because such a user packet may be nothing more than an attack packet sent by an attacker whose own DHCP binding table has not been lost at all; to make it easier to track the attacker's behaviour, the blacklist binding table unit 2 creates a corresponding DHCP blacklist binding table. To implement the DHCP blacklist binding table better, two fields are added to the DHCP binding table of Embodiment 1 (the first DHCP binding table): a binding table type field and a hit frequency field, forming a new DHCP binding table (hereinafter the second DHCP binding table), shown in Table 2 above. The binding table type field (the BLK field in Table 2 above) identifies whether a second DHCP binding table entry is a first DHCP binding table entry or a DHCP blacklist binding table entry as described in the present invention (a true BLK field means the entry is a DHCP blacklist binding table entry). The hit frequency field (the RATE field in Table 2 above) records, for an entry that is a DHCP blacklist binding table entry, how frequently that entry is hit by user packets (it may of course also record the hit frequency of first DHCP binding table entries).

With this embodiment, in addition to providing the same functions as Embodiment 1, the recorded frequency information and similar data can be used to track an attacker's behaviour effectively, which makes analysis by network management easier.

On the basis of Embodiment 2, the DHCP snooping device can be improved further to make full use of the blacklist binding table unit 2. Figure 7 shows the functional modules of the improved DHCP snooping device, Embodiment 3, which, in addition to all the functional units of Embodiment 2, further comprises a type determination unit 5, a first processing unit 6 and a second processing unit 7.

The type determination unit 5 is configured to read the binding table type field when the hit determination unit 8 determines that a subsequent user packet received by the network device hits the second DHCP binding table, and to determine whether the second DHCP binding table entry hit by the subsequent user packet is a DHCP blacklist binding table entry. The first processing unit 6 receives the result from the type determination unit 5 and, when that result is that the second DHCP binding table entry hit by the subsequent user packet is a DHCP blacklist binding table entry, processes the subsequent user packet according to a predetermined configuration policy. The second processing unit 7 receives the result from the type determination unit 5 and, when that result is that the second DHCP binding table entry hit by the subsequent user packet is not a DHCP blacklist binding table entry, triggers the network device to forward the user packet in the conventional way.

As one implementation, the first processing unit 6 further comprises a recording unit 61, a rate calculation unit 62 and a comparison unit 63. The recording unit 61 records, according to the hits of the subsequent user packets, the frequency information of how often the corresponding DHCP blacklist binding table entry is hit. The rate calculation unit 62 calculates the sending rate of the user packets from the frequency information recorded by the recording unit 61; for example, if the recorded frequency information is that the corresponding DHCP blacklist binding table entry was hit 4 times by user packets within 2 minutes, the sending rate of the corresponding user packets is 0.03/s. The comparison unit 63 compares this sending rate with the preset rate limit value: when the sending rate of the user packets is less than the rate limit value, it triggers the negative-acknowledgement unit 1 to send to the user a DHCP packet that triggers the user to re-initiate an initial address request; otherwise it triggers the network device to discard the subsequent user packet.

With this embodiment, an attacker's behaviour can be tracked and the device's ability to recognise attacks is strengthened, effectively preventing denial-of-service attacks by malicious users.

What is disclosed above is only a preferred embodiment of the present invention and of course does not limit the scope of the rights of the present invention; equivalent changes made in accordance with the claims of the present invention therefore remain within the scope covered by the present invention.

Claims

权 利 要 求 Rights request 1、 一种 DHCP监听方法, 其特征在于, 包括: A DHCP snooping method, comprising: 接收用户报文并判断其是否命中第一 DHCP绑定表,  Receiving a user packet and determining whether it hits the first DHCP binding table, 当所述判断结果为所述用户报文未命中所述第一 DHCP绑定表时, 向所述 用户发送用于触发该用户重新发起首次地址申请的 DHCP报文。  When the result of the determination is that the user packet misses the first DHCP binding table, the DHCP message sent by the user to trigger the user to re-initiate the first address request is sent to the user. 2、 根据权利要求 1所述的 DHCP监听方法, 其特征在于, 该方法还包括: 当所述判断结果为所述用户报文未命中所述第一 DHCP绑定表时, 提取所 述用户报文的入端口信息及其源 MAC、 源 IP地址信息创建 DHCP黑名单绑定 表, 并形成包括该 DHCP黑名单绑定表表项及所述第一 DHCP绑定表表项的第 二 DHCP绑定表。 The DHCP snooping method according to claim 1, wherein the method further comprises: extracting the user report when the judgment result is that the user packet misses the first DHCP binding table A DHCP blacklist binding table is created, and the second DHCP binding is performed, including the DHCP blacklist binding table entry and the first DHCP binding table entry, and the source MAC address and the source IP address information. Set the table. 
3、 根据权利要求 2所述的 DHCP监听方法, 其特征在于, 所述第二 DHCP 绑定表中包括指示对应表项是否为 DHCP黑名单绑定表表项的第一指示信息, 所述当所述判断结果为所述用户报文未命中所述 DHCP绑定表时, 提取所述用 户报文的入端口信息及其源 MAC、 源 IP地址信息创建 DHCP黑名单绑定表, 并形成包括该 DHCP 黑名单绑定表表项及所述第一 DHCP 绑定表表项的第二 DHCP绑定表之后还包括: The DHCP snooping method according to claim 2, wherein the second DHCP binding table includes first indication information indicating whether the corresponding entry is a DHCP blacklist binding table entry, If the result of the determination is that the user packet does not match the DHCP binding table, the inbound port information of the user packet, the source MAC address, and the source IP address information are extracted, and a DHCP blacklist binding table is created, and the The DHCP blacklist binding table entry and the second DHCP binding table of the first DHCP binding table entry further include: 接收后续用户报文并判断其是否命中所述第二 DHCP绑定表, 如果判断结 果为是, 则执行下一步, 否则, 向所述用户发送用于触发该用户重新发起首次 地址申请的 DHCP报文;  Receiving a subsequent user message and determining whether it hits the second DHCP binding table. If the determination result is yes, performing the next step. Otherwise, sending a DHCP message to the user to trigger the user to re-initiate the first address application. Text 根据所述第一指示信息, 判断所述后续用户报文命中的第二 DHCP绑定表 表项是否为所述 DHCP黑名单绑定表表项, 如果判断结果为是, 则执行下一步, 否则, 转发所述后续用户 4艮文;  Determining, according to the first indication information, whether the second DHCP binding table entry of the subsequent user packet is the DHCP blacklist binding table entry, and if the determination result is yes, performing the next step, otherwise Forwarding the subsequent user 4 text; 按照预定的配置策略处理所述后续用户报文。  The subsequent user message is processed according to a predetermined configuration policy. 
4. The DHCP snooping method according to claim 3, wherein the second DHCP binding table includes second indication information indicating the frequency at which the corresponding entry is hit by user packets, and processing the subsequent user packet according to the predetermined configuration policy comprises:
recording, according to the hit status of the subsequent user packet, frequency information on how often the corresponding entry of the DHCP blacklist binding table is hit;
obtaining, from the frequency information, the sending rate of the corresponding user packets, and comparing that sending rate with a preset rate-limit value; if the sending rate of the user packets is greater than the rate-limit value, discarding the subsequent user packet, otherwise performing the next step;
sending to the user a DHCP packet that triggers the user to re-initiate a first-time address request.

5. The DHCP snooping method according to any one of claims 1 to 4, wherein the DHCP packet is a DHCPNAK packet sent to the user in imitation of the DHCP server.

6. A DHCP snooping device for snooping user packets received by a network device, comprising:
a binding table storage unit, configured to store a DHCP binding table;
a hit determining unit, configured to look up the DHCP binding table using the information in the user packet and determine whether the user packet hits a first DHCP binding table;
a negative-acknowledgement unit, configured to send to the user a DHCP packet that triggers the user to re-initiate a first-time address request when the hit determining unit determines that the user packet misses the first DHCP binding table.

7. The DHCP snooping device according to claim 6, further comprising:
a blacklist binding table creating unit, configured to, when the hit determining unit determines that the user packet misses the first DHCP binding table, extract the ingress port information of the packet together with its source MAC address and source IP address to create a DHCP blacklist binding table, and to trigger the formation of a second DHCP binding table, stored in the binding table storage unit, that comprises the entries of the DHCP blacklist binding table and the entries of the first DHCP binding table.

8. The DHCP snooping device according to claim 7, wherein the second DHCP binding table includes first indication information indicating whether the corresponding entry is a DHCP blacklist binding table entry, the DHCP snooping device further comprising:
a type determining unit, configured to, when the hit determining unit determines that a subsequent user packet received by the network device hits the second DHCP binding table, determine from the first indication information whether the second DHCP binding table entry hit by the subsequent user packet is a DHCP blacklist binding table entry;
a first processing unit, configured to process the subsequent user packet according to a predetermined configuration policy when the type determining unit determines that the second DHCP binding table entry hit by the subsequent user packet is a DHCP blacklist binding table entry;
a second processing unit, configured to trigger the network device to forward the user packet when the type determining unit determines that the second DHCP binding table entry hit by the subsequent user packet is not a DHCP blacklist binding table entry.

9. The DHCP snooping device according to claim 8, wherein the second DHCP binding table includes second indication information indicating the frequency at which the corresponding entry is hit by user packets, and the first processing unit comprises:
a recording unit, configured to record, according to the hit status of the subsequent user packet, frequency information on how often the corresponding entry of the DHCP blacklist binding table is hit;
a user packet sending frequency obtaining unit, configured to obtain, from the recorded frequency information, the sending rate of the corresponding user packets;
[…] relationship, and when the sending rate of the user packets is less than the rate-limit value, trigger the negative-acknowledgement unit to send to the user a DHCP packet that triggers the user to re-initiate a first-time address request, otherwise trigger the network device to discard the subsequent user packet.

10. The DHCP snooping device according to any one of claims 6 to 9, wherein the DHCP packet is a DHCPNAK packet sent to the user in imitation of the DHCP server.
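As an added example (not the patent's own code), the following Python models the decision flow of claims 1 to 10: lookup in the binding table, blacklisting of a miss, the DHCPNAK sent in the server's name to force a fresh address request, and the per-entry hit-rate limit that decides between NAK and discard. The class and function names, the rate-limit value, the time window and the packet trace are all assumptions constructed here.

```python
# Added example, not from the patent: a minimal model of the snooping decision flow.
# The table, rate limit, packets and timestamps are constructed; "NAK" stands for the
# DHCPNAK the device sends in the server's name to push the client back to DHCP.
from collections import deque
from dataclasses import dataclass, field

@dataclass
class Entry:
    port: str
    mac: str
    ip: str
    blacklisted: bool = False                     # first indication information
    hits: deque = field(default_factory=deque)    # second indication information (hit times)

class DhcpSnooper:
    def __init__(self, rate_limit_pps: float, window_s: float = 1.0):
        # Legitimate and blacklist entries share one table (the "second binding table").
        self.table: dict = {}
        self.rate_limit_pps = rate_limit_pps
        self.window_s = window_s

    def learn(self, port: str, mac: str, ip: str) -> None:
        """Entry learned from a completed DHCP exchange (the first binding table)."""
        self.table[(port, mac, ip)] = Entry(port, mac, ip)

    def handle(self, port: str, mac: str, ip: str, now: float) -> str:
        """Return FORWARD, DROP or NAK for a user packet seen at time `now`."""
        key = (port, mac, ip)
        entry = self.table.get(key)
        if entry is None:
            # Miss: record ingress port, source MAC and source IP as a blacklist entry.
            self.table[key] = Entry(port, mac, ip, blacklisted=True, hits=deque([now]))
            return "NAK"
        if not entry.blacklisted:
            return "FORWARD"                      # bound user: forward normally
        entry.hits.append(now)                    # blacklist hit: measure the packet rate
        while entry.hits and now - entry.hits[0] > self.window_s:
            entry.hits.popleft()
        rate = len(entry.hits) / self.window_s
        if rate > self.rate_limit_pps:
            return "DROP"                         # above the limit: discard, no NAK
        return "NAK"                              # within the limit: re-trigger DHCP

def demo() -> list:
    # Constructed trace: one bound host, one unknown host that keeps sending.
    s = DhcpSnooper(rate_limit_pps=3)
    s.learn("ge0/1", "00:11:22:33:44:55", "10.0.0.5")
    bound = ("ge0/1", "00:11:22:33:44:55", "10.0.0.5")
    unknown = ("ge0/1", "aa:bb:cc:dd:ee:ff", "10.0.0.9")
    return [s.handle(*bound, 0.0)] + [s.handle(*unknown, t) for t in (0.0, 0.1, 0.2, 0.3, 1.5)]
```

The unknown host is blacklisted on its first packet, receives a NAK while it stays under 3 packets per second, is dropped once it exceeds that rate, and is NAKed again when its rate falls back under the limit.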
PCT/CN2008/070011 2007-04-25 2008-01-03 Dhcp snooping method and device thereof Ceased WO2008131650A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710027710.3 2007-04-25
CNB2007100277103A CN100499528C (en) 2007-04-25 2007-04-25 DHCP monitoring method and apparatus thereof

Publications (1)

Publication Number Publication Date
WO2008131650A1 true WO2008131650A1 (en) 2008-11-06

Family

ID=38889879

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/070011 Ceased WO2008131650A1 (en) 2007-04-25 2008-01-03 Dhcp snooping method and device thereof

Country Status (2)

Country Link
CN (1) CN100499528C (en)
WO (1) WO2008131650A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110677508A (en) * 2019-09-06 2020-01-10 四川天邑康和通信股份有限公司 White box engineering IP network optimization
US20240430227A1 (en) * 2022-03-04 2024-12-26 Cisco Technology, Inc. Synchronizing dynamic host configuration protocol snoop information

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100563149C (en) * 2007-04-25 2009-11-25 华为技术有限公司 A kind of DHCP listening method and device thereof
CN100499528C (en) * 2007-04-25 2009-06-10 华为技术有限公司 DHCP monitoring method and apparatus thereof
CN101431428B (en) * 2007-11-09 2011-07-27 中国电信股份有限公司 Security monitoring service recovery method and system
CN104683500B (en) * 2015-03-25 2017-12-15 新华三技术有限公司 A kind of safe list item generation method and device
CN105991791A (en) * 2015-05-12 2016-10-05 杭州迪普科技有限公司 Message forwarding method and device

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1450766A (en) * 2002-04-10 2003-10-22 深圳市中兴通讯股份有限公司 User management method based on dynamic mainframe configuration procotol
CN1458760A (en) * 2002-05-15 2003-11-26 华为技术有限公司 Safe access method for borad band network
CN1549546A (en) * 2003-05-09 2004-11-24 中兴通讯股份有限公司 Device and method for realizing dynamic IP address acquisition by PPPOE users using DHCP protocol
CN1571350A (en) * 2003-07-11 2005-01-26 华为技术有限公司 A method for triggering user terminal online via data message
CN101039176A (en) * 2007-04-25 2007-09-19 华为技术有限公司 DHCP monitoring method and apparatus thereof
CN101039223A (en) * 2007-04-25 2007-09-19 华为技术有限公司 DHCP monitoring method and apparatus thereof

Also Published As

Publication number Publication date
CN100499528C (en) 2009-06-10
CN101039223A (en) 2007-09-19

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08700038

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08700038

Country of ref document: EP

Kind code of ref document: A1