
WO2008131658A1 - Method and device for dhcp snooping - Google Patents

Method and device for DHCP snooping

Info

Publication number
WO2008131658A1
Authority
WO
WIPO (PCT)
Prior art keywords
dhcp
binding table
user
packet
blacklist
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/CN2008/070314
Other languages
French (fr)
Chinese (zh)
Inventor
Xuefei Tan
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Publication of WO2008131658A1
Legal status: Ceased

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/50 Address allocation
    • H04L61/5007 Internet protocol [IP] addresses
    • H04L61/5014 Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]

Definitions

  • The present invention relates to the field of communication network technologies, and in particular to a DHCP snooping method and a device for it.
  • DHCP Dynamic Host Configuration Protocol
  • IP/MAC spoofing attack: the attacker sends packets (IP packets, Address Resolution Protocol (ARP) packets and so on) carrying its own media access control (MAC) address and the victim's Internet Protocol (IP) address to the gateway router, so that the gateway router learns a binding between the victim's IP address and the attacker's MAC address; all subsequent packets destined for the victim are then forwarded to the attacker.
  • MAC media access control
  • IP Internet Protocol
  • ARP Address Resolution Protocol
  • Man-in-the-middle attack: the attacker sends packets carrying its own MAC address and the gateway's IP address (IP or ARP packets, usually ARP packets) to the victim, so that the victim learns a wrong ARP entry and sends all traffic destined beyond the gateway to the attacker instead. The attacker can inspect those packets and steal information, and then choose whether to discard them or forward them on to the gateway.
  • The current common countermeasure is to enable the DHCP snooping function on the network device to which users attach, such as the gateway switch.
  • DHCP snooping listens to DHCP packets and builds a DHCP binding table.
  • Each entry in the binding table holds: IP address, MAC address, inbound port number and virtual local area network (VLAN) number.
  • When packets are forwarded, ARP packets and IP packets are checked against the DHCP binding table, which defeats the spoofing attacks described above.
  • The basic scheme is shown in FIG. 1. The MAC address and IP address of user B are B and 10.1.1.2; those of user C are C and 10.1.1.3; those of network device A are A and 10.1.1.1.
  • With DHCP snooping enabled on the gateway switch, every user, whether a normal user such as B or a potential attacker such as C, must first complete a first-time DHCP address request. The gateway switch listens to all DHCP packets that B and C send during that request and builds the DHCP binding table shown in Table 1.
  • When user C launches a spoofing attack, for example by sending a gratuitous ARP packet that claims the gateway IP address 10.1.1.1 has MAC address C, the gateway switch looks up the DHCP binding table with the information carried by that ARP packet: MAC address C, IP address 10.1.1.1, inbound port E2 and VLAN 3. No such entry exists, so the lookup misses.
  • The gateway switch therefore discards the ARP packet. The spoofed ARP packet never reaches any other user, including user B, and user C's attack is stopped.
  • The DHCP snooping scheme solves the DHCP security problem, but it simply discards the attacker's packets, so nothing can be learned about the attacker from it.
  • The technical problem addressed by the embodiments of the present invention is to provide a DHCP snooping method that tracks and records attack behaviour when an attack is received.
  • The embodiment of the present invention provides a DHCP snooping method, including: receiving a user packet and determining whether it hits the first DHCP binding table; if it does, forwarding the user packet, otherwise proceeding to the next step;
  • Extracting the inbound port information, VLAN information, source MAC address and source IP address of the user packet to create a DHCP blacklist binding table, and forming a second DHCP binding table that contains both the DHCP blacklist binding table entries and the first DHCP binding table entries; and recording the frequency with which subsequently received user packets hit the DHCP blacklist binding table.
  • Correspondingly, the embodiment of the present invention provides a DHCP snooping device, configured to monitor the user packets received by a network device, including:
  • a binding table storage unit, configured to store the DHCP binding table;
  • a hit determination unit, configured to search the DHCP binding table stored in the binding table storage unit with the information in a user packet received by the network device, determine whether the user packet hits the first DHCP binding table, and instruct the network device to forward the user packet when it does;
  • a DHCP blacklist binding table unit, configured to extract, when the hit determination unit finds no hit, the inbound port information, VLAN information, source MAC address and source IP address of the packet to create a DHCP blacklist binding table, form the second DHCP binding table containing the DHCP blacklist binding table entries and the first DHCP binding table entries, and store it in the binding table storage unit.
  • The DHCP snooping method and device provided by the embodiments of the present invention establish a DHCP blacklist binding table and record the frequency with which it is hit. That frequency information is used to track the attacker and thereby obtain information about the attack behaviour, which the network administrator can analyse to decide on the necessary countermeasures.
  • FIG. 1 is a schematic diagram of the application of a DHCP snooping method in the prior art;
  • FIG. 2 is a schematic flowchart of Embodiment 1 of the DHCP snooping method of the present invention;
  • FIG. 3 is a schematic flowchart of Embodiment 3 of the DHCP snooping method of the present invention;
  • FIG. 4 is a schematic flowchart of an implementation of step S3003 in FIG. 3;
  • FIG. 5 is a schematic diagram of the functional modules of the first embodiment of the DHCP snooping device of the present invention;
  • FIG. 6 is a schematic diagram of the functional modules of the second embodiment of the DHCP snooping device of the present invention;
  • FIG. 7 is a schematic diagram of the functional modules of the third embodiment of the DHCP snooping device of the present invention.
  • FIG. 2 is a schematic flowchart of Embodiment 1 of the DHCP snooping method of the present invention.
  • The embodiment includes the following steps:
  • S2001: Receive a user packet and determine whether it hits the first DHCP binding table. If it does, forward the user packet; otherwise perform S2002.
  • S2002: Extract the inbound port information, VLAN information, source MAC address and source IP address of the user packet to create a DHCP blacklist binding table, and form the second DHCP binding table containing the DHCP blacklist binding table entries and the first DHCP binding table entries.
  • When a received user packet cannot hit the first DHCP binding table, it may be an attack packet. In this embodiment the packet is not simply discarded: the relevant information is extracted from it to establish a DHCP blacklist binding table, a second DHCP binding table containing the DHCP blacklist binding table entries and the first DHCP binding table entries is formed so that subsequent attacks can be tracked, and only then is the user packet discarded. When a subsequently received user packet hits the DHCP blacklist binding table, the hit frequency of the DHCP blacklist binding table is recorded, that is, how many times the entry is hit within a certain period.
  • For example, when the access device (the network switch in the figure) receives a packet from user C, its DHCP snooping unit extracts the source MAC address and source IP address from the packet, adds the inbound port information (the port number) and the VLAN number, and looks up the first DHCP binding table with them. If no entry is found, that is, no DHCP binding table entry matches the information extracted from user C's packet, user C is very likely sending an attack packet.
  • The access device does not discard the packet directly; it creates a DHCP blacklist binding table entry from the source MAC address, source IP address, inbound port and VLAN information extracted from the packet. Two fields are added to each binding table entry for this purpose: a binding table type field and a hit frequency field.
  • The second DHCP binding table is shown in Table 2 below.
  • The binding table type field (the BLK field in Table 2) identifies whether a second DHCP binding table entry is a first DHCP binding table entry or a DHCP blacklist binding table entry; a BLK value of true marks the entry as a DHCP blacklist binding table entry.
  • The hit frequency field (the RATE field in Table 2) records, for a DHCP blacklist binding table entry, how often that entry is hit by user packets (it may of course also record how often a first DHCP binding table entry is hit).
  • When a subsequent user packet hits an entry whose binding table type field marks it as a DHCP blacklist binding table entry, the frequency with which that entry is hit is recorded in its hit frequency field. In this way information about the attacker's behaviour is obtained, which the network administrator can analyse in order to take further measures.
  • Packets that cannot hit the second DHCP binding table: in practice, if a DHCP binding table entry is lost abnormally, the packets of the corresponding user can no longer hit the second DHCP binding table on the access device. Such user packets cannot be regarded as attack packets and must be handled differently from them.
  • For this reason the present invention provides another embodiment of the DHCP snooping method.
  • In it, step S2002 further includes sending a DHCPNAK message to the user in the manner of the DHCP server. That is, when a received user packet cannot hit the second DHCP binding table, the user is tracked with the DHCP blacklist binding table as in the first embodiment, and in addition a DHCPNAK message is sent to the user as if from the DHCP server. On receiving the DHCPNAK, the user automatically re-initiates a first-time address request, as the DHCP protocol requires.
  • The DHCP snooping unit listens to the DHCP messages of that first-time address request and re-establishes the user's DHCP binding table entry, after which the user can go online as usual. No manual operation is needed: when a user's DHCP binding table entry is lost abnormally, it is re-established without the user being aware of it, and the user keeps network access.
  • FIG. 3 shows a third embodiment of the DHCP snooping method of the present invention, which includes the following steps:
  • S3001: After the second DHCP binding table has been formed, receive a subsequent user packet and determine whether it hits the second DHCP binding table. If it does, perform S3002; if not, send a DHCPNAK message to the user in the manner of the DHCP server.
  • S3002: Determine whether the second DHCP binding table entry hit by the subsequent user packet is a DHCP blacklist binding table entry. If it is, perform S3003; otherwise forward the user packet as in the prior art.
  • S3003: Process the subsequent user packet according to a predetermined configuration policy.
  • When the subsequent user packet misses the second DHCP binding table, a DHCPNAK message is sent to the user as if from the DHCP server, so that the user initiates a first-time address request and the corresponding DHCP binding table entry is re-established.
  • When the packet hits, the binding table type field of the hit entry shows whether the user packet hit a normal first DHCP binding table entry or a DHCP blacklist binding table entry.
  • If it hit a first DHCP binding table entry, the packet is forwarded as in the prior art.
  • If it hit a DHCP blacklist binding table entry, the packet may be an attack packet, and the subsequent user packet is processed according to the predetermined configuration policy. This includes recording the frequency with which the corresponding DHCP blacklist binding table entry is hit by user packets, that is, how many times it is hit within a predetermined period (the period can be configured according to actual conditions).
  • Processing the packet according to the type of the DHCP binding table entry it hits improves the device's ability to identify attack packets.
  • The predetermined configuration policy may be: if the rate at which the user sends user packets exceeds a preset rate limit, the packet is discarded; if not, a DHCPNAK message is sent to the user in the manner of the DHCP server.
  • The sending rate of the user packets is calculated from the frequency information recorded in the hit frequency field of the DHCP blacklist binding table entry. For example, if the recorded hit frequency of the corresponding DHCP blacklist binding table entry is 0.03/s, the sending rate of the user packets is taken as 0.03/s; the sending rate is expressed by the RATE field of the second DHCP binding table.
  • FIG. 4 shows an implementation of S3003, which includes the following steps:
  • S4001: Record, according to the hits of the subsequent user packets, the frequency with which the corresponding DHCP blacklist binding table entry is hit by user packets;
  • S4002: Calculate the sending rate of the user packets from the frequency information and compare it with the rate limit value. If the sending rate is greater than the rate limit value, discard the user packet; otherwise perform S4003.
  • The frequency information here is the hit frequency of the DHCP blacklist binding table entry recorded in S2003, converted into the sending rate of the user packets as described above. The rate limit value can be preset as needed.
  • S4003: Send a DHCPNAK message to the user in the manner of the DHCP server.
  • The present invention further provides an embodiment of a DHCP snooping device; its functional modules are shown in FIG. 5.
  • This DHCP snooping device embodiment monitors the user packets received by the network device and includes a binding table storage unit 3, a hit determination unit 8 and a DHCP blacklist binding table unit 1.
  • The binding table storage unit 3 stores the DHCP binding table.
  • The hit determination unit 8 searches the DHCP binding table stored in the binding table storage unit 3 with the information in the user packet received by the network device, determines whether the user packet hits the DHCP binding table, and instructs the network device to forward the user packet when it does.
  • The DHCP blacklist binding table unit 1, when the hit determination unit 8 finds no hit, extracts the inbound port information, VLAN information, source MAC address and source IP address of the user packet to create a DHCP blacklist binding table and stores it in the binding table storage unit 3. That is, when a received user packet matches no DHCP binding table entry, the inbound port information together with the source MAC address and source IP address of the packet is extracted to create a DHCP blacklist binding table entry.
  • It is called a DHCP blacklist binding table because such a user packet is very likely an attack packet sent by a hacker, rather than a packet from a user whose DHCP binding table entry was lost, and the entry makes it convenient to track the hacker's behaviour. The DHCP blacklist binding table unit 1 establishes the corresponding DHCP blacklist binding table entry.
  • The binding table storage unit 3 further includes a binding table type storage unit 31, configured to store an indication of whether a DHCP binding table entry is a DHCP blacklist binding table entry. Specifically, two fields are added to the normal DHCP binding table (called the first DHCP binding table below): a binding table type field and a hit frequency field, giving a new DHCP binding table (called the second DHCP binding table below) as shown in Table 2.
  • The binding table type field (the BLK field in Table 2) identifies whether a second DHCP binding table entry is a first DHCP binding table entry or a DHCP blacklist binding table entry of the present invention; a BLK value of true marks a DHCP blacklist binding table entry. The hit frequency field (the RATE field in Table 2) records, when the entry is a DHCP blacklist binding table entry, the frequency with which that entry is hit by user packets (the hit frequency of first DHCP binding table entries may of course also be recorded).
  • In this way the attacker's behaviour can be tracked effectively, which facilitates analysis by the network administrator.
  • The access device and network device mentioned above include any network device that supports DHCP snooping; the gateway switch mentioned above is only one example and is not a limitation.
  • FIG. 6 shows the functional modules of the second embodiment of the DHCP snooping device of the present invention. It differs from the first embodiment in that it further includes a DHCP negative-acknowledgement (DHCPNAK) unit 4 which, when the hit determination unit 8 finds that the user packet matches no DHCP binding table entry, sends a DHCPNAK message to the user in the manner of the DHCP server, telling the user that its IP address is no longer usable and instructing it to re-initiate a first-time address request. After receiving the DHCPNAK, the user initiates the first-time address request, the DHCP snooping device listens to the DHCP messages of that request and re-establishes the corresponding DHCP binding table entry, and once the address has been obtained the user can go online as usual.
  • FIG. 7 shows the functional modules of the improved DHCP snooping device, that is, the third embodiment.
  • It further includes a type determination unit 5, a first processing unit 6 and a second processing unit 7.
  • The type determination unit 5, when the hit determination unit 8 finds that a subsequent user packet received by the network device hits the second DHCP binding table, reads the binding table type field of the hit entry to determine whether it is a DHCP blacklist binding table entry or a normal DHCP binding table entry, and passes the result to the first processing unit 6 and the second processing unit 7.
  • The first processing unit 6 receives the result of the type determination unit 5 and, when the hit entry is a DHCP blacklist binding table entry, processes the subsequent user packet according to the predetermined configuration policy;
  • The second processing unit 7 receives the result of the type determination unit 5 and, when the hit entry is not a DHCP blacklist binding table entry, forwards the subsequent user packet as in the prior art.
  • As one implementation, the first processing unit 6 further includes a recording unit 61, a rate calculation unit 62 and a comparison unit 63.
  • The recording unit 61 records, according to the hits of the subsequent user packets, the frequency with which the corresponding DHCP blacklist binding table entry is hit; the rate calculation unit 62 calculates the user's sending rate from the frequency information recorded by the recording unit 61. For example, if the recording unit 61 records that the blacklist binding table entry was hit by user packets 4 times within 2 minutes, the sending rate of the corresponding user packets is calculated as one packet per 30 s.
  • The comparison unit 63 compares the sending rate of the user packets with the preset rate limit value. When the sending rate is below the rate limit value, it triggers the DHCPNAK unit 4 to send the user a DHCP message that makes the user re-initiate a first-time address request; otherwise it triggers the network device to discard the subsequent user packet.
  • The predetermined configuration policy stored in the first processing unit 6 may thus be: if the rate at which the user sends packets exceeds the preset rate limit, the packet is discarded; if it does not, the DHCPNAK unit 4 sends a DHCPNAK message to the user instructing it to initiate a first-time address request.
  • In this way the attacker's behaviour can be tracked and the device's ability to recognise attacks is improved, which effectively prevents denial-of-service attacks by malicious users.
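As an added illustration, not code from the patent or from Huawei, the following Python models the second DHCP binding table described above: the first table extended with the BLK type field and the RATE hit-frequency field, the blacklist entry created on a miss (S2002), the DHCPNAK sent in the manner of the DHCP server (second embodiment and S3001), and the FIG. 4 policy of S4001 to S4003, including the lost-binding case in which a user is NAKed and then learned again. Packet fields, timestamps in seconds, the 120 s window, the rate limit and port E1 for user B are assumptions (port E2 and VLAN 3 for user C come from the text); the "4 hits in 2 minutes" rate example is reproduced from the text.

```python
"""Model of the patent's 'second DHCP binding table' (added example, not Huawei's code).
Assumptions: packets are dicts carrying the four key fields; timestamps are seconds
supplied by the caller; the 120 s window and the rate limit are illustrative
configuration values; 'nak' means the packet is not forwarded and a DHCPNAK is sent
to the user as the DHCP server would send it."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Entry:
    ip: str
    mac: str
    port: str
    vlan: int
    blk: bool = False                            # binding table type: True = blacklist entry
    hits: deque = field(default_factory=deque)   # timestamps of blacklist hits (the RATE data)

    def rate(self, now, window):
        """Hit frequency in packets/s over the last `window` seconds (4 hits in 120 s -> 1/30 s)."""
        while self.hits and now - self.hits[0] > window:
            self.hits.popleft()
        return len(self.hits) / window


class SecondBindingTable:
    def __init__(self, first_table, rate_limit, window=120):
        # first_table: set of (ip, mac, port, vlan) keys learned by ordinary DHCP snooping
        self.entries = {k: Entry(*k) for k in first_table}
        self.rate_limit = rate_limit             # preset rate limit, packets/s
        self.window = window

    @staticmethod
    def key(pkt):
        return (pkt["src_ip"], pkt["src_mac"], pkt["port"], pkt["vlan"])

    def learn(self, key):
        """Snooping saw a fresh first-time address request: (re)create a normal entry,
        replacing any blacklist entry held under the same key."""
        self.entries[key] = Entry(*key)

    def process(self, pkt, now):
        """Return 'forward', 'drop' or 'nak' for one user packet."""
        k = self.key(pkt)
        e = self.entries.get(k)
        if e is None:
            # S2002: no entry matches -> create a blacklist entry to track the sender.
            # Second embodiment: also answer with DHCPNAK, so a user whose binding was
            # lost re-runs the first-time address request and is learned again.
            self.entries[k] = Entry(*k, blk=True)
            return "nak"
        if not e.blk:
            return "forward"                     # S3002: ordinary entry, prior-art behaviour
        e.hits.append(now)                       # S4001: record the hit on the blacklist entry
        if e.rate(now, self.window) > self.rate_limit:
            return "drop"                        # S4002: sending rate above the limit -> discard
        return "nak"                             # S4003: below the limit -> DHCPNAK


def demo():
    first = {("10.1.1.2", "B", "E1", 3), ("10.1.1.3", "C", "E2", 3)}   # constructed Table 1
    t = SecondBindingTable(first, rate_limit=0.04)
    b_ok = {"src_ip": "10.1.1.2", "src_mac": "B", "port": "E1", "vlan": 3}
    c_spoof = {"src_ip": "10.1.1.1", "src_mac": "C", "port": "E2", "vlan": 3}  # C claims gateway IP
    actions = [t.process(b_ok, 0), t.process(c_spoof, 0)]          # forward; miss -> blacklist + NAK
    actions += [t.process(c_spoof, s) for s in (30, 60, 90, 120)]  # 4 hits in 2 min, one per 30 s
    rate_after_four = t.entries[t.key(c_spoof)].rate(120, t.window)
    actions += [t.process(c_spoof, 121 + i) for i in range(10)]   # burst pushes the rate over 0.04/s
    # Lost-binding case: B's entry disappears, B is NAKed, re-requests, and is learned again.
    del t.entries[t.key(b_ok)]
    actions.append(t.process(b_ok, 300))
    t.learn(t.key(b_ok))
    actions.append(t.process(b_ok, 301))
    return actions, rate_after_four, t.entries[t.key(c_spoof)]


if __name__ == "__main__":
    acts, r4, entry = demo()
    print(acts, round(r4, 4), entry.blk, len(entry.hits))
```

The RATE value is kept here as hits per second over a sliding window, which turns the text's "4 hits in 2 minutes, one per 30 s" into 0.033/s; the page gives only that one example, so the window and the limit are configuration choices. One consequence worth noting when reading the scheme: the blacklist key is built from sender-controlled fields, so a sender can cause a new entry per packet, and a deployment would need to bound the table, which this model does not do.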

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A DHCP snooping method is provided. In order to track attackers' attacks, a DHCP blacklist binding table is built when a received user packet cannot hit the DHCP binding table, and the frequency with which the DHCP blacklist table is hit is recorded. A device is also provided. The attacker's actions are thus tracked and essential information about them is acquired, which helps the network manager analyse the attack.

Description

A DHCP snooping method and device thereof

Technical field

The present invention relates to the field of communication network technologies, and in particular to a DHCP snooping method and a device for it.

Background art

As networks have grown in scale and complexity, the Dynamic Host Configuration Protocol (DHCP) has come into wide use. DHCP, however, runs into many security problems in practice; the two main ways an attacker exploits DHCP are the following:

1) IP/MAC spoofing attack: the attacker sends packets (IP packets, Address Resolution Protocol (ARP) packets and so on) carrying its own media access control (MAC) address and the victim's Internet Protocol (IP) address to the gateway router, so that the gateway router learns a binding between the victim's IP address and the attacker's MAC address; all subsequent packets destined for the victim are then forwarded to the attacker.

2) Man-in-the-middle attack: the attacker sends packets carrying its own MAC address and the gateway's IP address (IP or ARP packets, usually ARP packets) to the victim, so that the victim learns a wrong ARP entry and sends all traffic destined beyond the gateway to the attacker instead. The attacker can inspect those packets and steal information, and then choose whether to discard them or forward them on to the gateway.

To address these problems, the usual approach at present is to enable the DHCP snooping function on the network device to which users attach, such as the gateway switch.

DHCP snooping listens to DHCP packets and builds a DHCP binding table whose entries hold: IP address, MAC address, inbound port number and virtual local area network (VLAN) number. When forwarding packets, the switch checks Address Resolution Protocol (ARP) packets and IP packets against the DHCP binding table, which defeats the spoofing attacks described above. The basic scheme is shown in FIG. 1. The MAC address and IP address of user B are B and 10.1.1.2; those of user C are C and 10.1.1.3; those of network device A are A and 10.1.1.1. With DHCP snooping enabled on the gateway switch to which the users attach, every user, whether a normal user such as B or a user who may attack such as C, must first perform a first-time DHCP address request. The gateway switch listens to all DHCP packets sent by user B and user C during that request and, by parsing them, builds the DHCP binding table shown in Table 1.

Table 1 (an image on the original page, not reproduced here): the DHCP binding table with columns IP address, MAC address, inbound port number and VLAN number, holding the entries learned for user B (10.1.1.2, MAC B) and user C (10.1.1.3, MAC C).

When the attacker launches a spoofing attack, for example when user C sends a gratuitous ARP packet to B in order to make B believe that the MAC address of the gateway 10.1.1.1 is C, the gateway switch inspects the ARP packet and looks up the DHCP binding table with the information it carries: its source MAC address, its source IP address (or the IP address declared in the ARP payload) and its inbound port information. In this example the gateway switch looks up the DHCP binding table with MAC address C, IP address 10.1.1.1, inbound port E2 and VLAN 3 and finds no hit (the DHCP binding table has no entry with MAC address C, IP address 10.1.1.1, inbound port E2 and VLAN 3), so it discards the ARP packet. The spoofed ARP packet therefore cannot reach any other user, including user B, and user C's attack is stopped.

A normal user such as user B has no problem using the network, because every packet it sends follows the information from its DHCP address request, namely MAC address B and source IP address 10.1.1.2; under normal conditions these packets hit the DHCP binding table at the gateway switch correctly and the user reaches the external network as usual.

The DHCP snooping scheme solves the DHCP security problem, but it simply discards the attacker's packets, so nothing about the attacker can be learned from it.

Summary of the invention
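The prior-art scheme just described, as an added Python example (not the patent's or Huawei's code): a switch-side snooper that builds the binding table from the DHCP exchange and checks later ARP/IP packets against it, using the FIG. 1 addresses. Assumed, because the page does not give them: packet records as dicts from some capture layer, port E1 for user B and E0 as the server-facing port (port E2 and VLAN 3 for user C are from the text), and treating server-facing ports as trusted, which is ordinary DHCP snooping practice rather than something this page states.

```python
"""Conventional DHCP snooping from the background section (added example, not Huawei's code).
Assumptions: DHCP packets and later ARP/IP packets arrive as dicts; the transaction id
(xid) ties a client's REQUEST to the server's ACK; server messages are accepted only
from ports marked trusted (standard snooping practice, not discussed on the page)."""
from dataclasses import dataclass, field


@dataclass
class DhcpSnooper:
    trusted_ports: set
    bindings: set = field(default_factory=set)   # (ip, mac, port, vlan) entries, i.e. Table 1
    pending: dict = field(default_factory=dict)  # xid -> (client mac, port, vlan) from REQUEST

    def observe_dhcp(self, pkt):
        """Feed every DHCP packet the switch sees; returns what was done with it."""
        if pkt["type"] in ("DISCOVER", "REQUEST"):
            # Remember where the client asked from; its IP is not known yet.
            self.pending[pkt["xid"]] = (pkt["chaddr"], pkt["port"], pkt["vlan"])
            return "pending"
        if pkt["type"] == "ACK":
            if pkt["port"] not in self.trusted_ports:
                return "ignored-untrusted-server"   # an ACK from a user port is not a server
            client = self.pending.pop(pkt["xid"], None)
            if client is None or client[0] != pkt["chaddr"]:
                return "ignored-unmatched"
            mac, port, vlan = client
            self.bindings.add((pkt["yiaddr"], mac, port, vlan))   # yiaddr = assigned IP
            return "bound"
        return "ignored"

    def check(self, pkt):
        """Forwarding-time check of an ARP or IP packet: hit -> forward, miss -> discard.
        For ARP the sender fields are the sender hardware/protocol addresses."""
        key = (pkt["sender_ip"], pkt["sender_mac"], pkt["port"], pkt["vlan"])
        return "forward" if key in self.bindings else "discard"


def demo():
    sw = DhcpSnooper(trusted_ports={"E0"})
    exchange = [   # constructed: B on E1, C on E2, both VLAN 3; the server answers via E0
        {"type": "DISCOVER", "xid": 0x11, "chaddr": "B", "port": "E1", "vlan": 3},
        {"type": "REQUEST", "xid": 0x11, "chaddr": "B", "port": "E1", "vlan": 3},
        {"type": "ACK", "xid": 0x11, "chaddr": "B", "yiaddr": "10.1.1.2", "port": "E0", "vlan": 3},
        {"type": "REQUEST", "xid": 0x22, "chaddr": "C", "port": "E2", "vlan": 3},
        {"type": "ACK", "xid": 0x22, "chaddr": "C", "yiaddr": "10.1.1.3", "port": "E0", "vlan": 3},
        # an ACK arriving on user port E2 must not create a binding
        {"type": "ACK", "xid": 0x22, "chaddr": "C", "yiaddr": "10.1.1.9", "port": "E2", "vlan": 3},
    ]
    log = [sw.observe_dhcp(p) for p in exchange]
    normal = sw.check({"sender_ip": "10.1.1.2", "sender_mac": "B", "port": "E1", "vlan": 3})
    # user C's gratuitous ARP "10.1.1.1 is at C" from port E2, VLAN 3: no such entry
    spoof = sw.check({"sender_ip": "10.1.1.1", "sender_mac": "C", "port": "E2", "vlan": 3})
    return log, sorted(sw.bindings), normal, spoof


if __name__ == "__main__":
    print(demo())
```

The check keys on all four fields together, which is what makes the gratuitous ARP miss: user C does have an entry, but only for 10.1.1.3, so claiming the gateway address from the same port and VLAN finds nothing.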

The technical problem to be solved by the embodiments of the present invention is to provide a DHCP snooping method that tracks and records attack behaviour when an attack is received.

To solve this problem, an embodiment of the present invention proposes a DHCP snooping method comprising: receiving a user packet and determining whether it matches the first DHCP binding table; if so, forwarding the user packet, otherwise proceeding to the next step;

extracting the ingress port, VLAN, source MAC address and source IP address of the user packet to create a DHCP blacklist binding table, and forming a second DHCP binding table that includes the entries of this DHCP blacklist binding table and the entries of the first DHCP binding table;

recording frequency information on how often subsequently received user packets match the DHCP blacklist binding table.

Correspondingly, an embodiment of the present invention provides a DHCP snooping device for monitoring user packets received by a network device, comprising:

a binding table storage unit for storing DHCP binding tables;

a hit determination unit for looking up the DHCP binding table stored in the binding table storage unit with the information in a user packet received by the network device, determining whether the user packet matches the first DHCP binding table, and instructing the network device to forward the user packet when it does;

a DHCP blacklist binding table unit for, when the result of the hit determination unit is negative, extracting the ingress port, VLAN, source MAC address and source IP address of the packet to create a DHCP blacklist binding table, forming a second DHCP binding table that includes the entries of this DHCP blacklist binding table and the entries of the first DHCP binding table, and storing it in the binding table storage unit.

Implementing the present invention has the following beneficial effects:

The DHCP snooping method and device provided by the embodiments of the present invention create a DHCP blacklist binding table when a received user packet fails to match the DHCP binding table and record how often that DHCP blacklist binding table is matched. This tracks the attacker and yields information about the attacker's behaviour, which the network administrator can analyse in order to take the necessary countermeasures.

Brief description of the drawings

Figure 1 is a schematic diagram of the application of a DHCP snooping method in the prior art;

Figure 2 is a flowchart of embodiment one of the DHCP snooping method of the present invention;

Figure 3 is a flowchart of embodiment three of the DHCP snooping method of the present invention;

Figure 4 is a flowchart of one implementation of S3003 in Figure 3;

Figure 5 is a schematic diagram of the functional modules of embodiment one of the DHCP snooping device of the present invention; Figure 6 is a schematic diagram of the functional modules of embodiment two of the DHCP snooping device of the present invention; Figure 7 is a schematic diagram of the functional modules of embodiment three of the DHCP snooping device of the present invention.

Detailed description

The present invention is described in further detail below with reference to the drawings. Figure 2 is a flowchart of embodiment one of the DHCP snooping method of the present invention; this embodiment comprises the following steps:

S2001: Receive a user packet and determine whether it matches the first DHCP binding table. If so, forward the user packet; otherwise, go to S2002.

S2002: Extract the ingress port, VLAN, source MAC address and source IP address of the packet to create a DHCP blacklist binding table, and form a second DHCP binding table that includes the entries of this DHCP blacklist binding table and the entries of the first DHCP binding table.

S2003: Record frequency information on how often subsequently received user packets match the DHCP blacklist binding table.

When a received user packet fails to match the first DHCP binding table, it is very likely an attack packet sent by an attacker. In this embodiment of the present invention the packet is not simply discarded; instead, the relevant information is extracted from it to create a DHCP blacklist binding table, and a second DHCP binding table is formed that includes the entries of this DHCP blacklist binding table and the entries of the first DHCP binding table, so that subsequent attack behaviour can be tracked. Only then is the user packet discarded. When a subsequently received user packet matches the DHCP blacklist binding table, frequency information is recorded for that table, that is, how many times the DHCP blacklist binding table was matched within a given period.

For example, the access device shown in Figure 1 (a network switch in the figure) receives a packet from user C. Because DHCP snooping is enabled on the ingress port, the access device's DHCP snooping unit extracts the source MAC address and source IP address from the packet, adds the ingress port (the port number) and the VLAN number, and looks up the first DHCP binding table. If no matching first DHCP binding table entry is found (no entry whose contents agree with the information extracted from user C's packet), it is very likely that user C is sending attack packets. In that case the access device does not discard the packet directly; it uses the source MAC address, source IP address, ingress port and VLAN information extracted from the packet to create a DHCP blacklist binding table in the same way as the first DHCP binding table is created, and forms a second DHCP binding table that includes the entries of the DHCP blacklist binding table and the entries of the first DHCP binding table. As shown in Table 1, the first DHCP binding table has four fields: MAC address, IP address, ingress port number and VLAN number. In this embodiment the second DHCP binding table, which contains the DHCP blacklist binding table entries, has two more fields than the normal first DHCP binding table: a binding table type and a hit frequency. The second DHCP binding table is shown in Table 2 below. The binding table type field (the BLK field in Table 2) identifies whether a second DHCP binding table entry is a normal first DHCP binding table entry or a DHCP blacklist binding table entry (BLK true means the entry is a DHCP blacklist binding table entry). The hit frequency field (the RATE field in Table 2) records, when the second DHCP binding table entry is a DHCP blacklist binding table entry, how often that entry is matched by user packets (it may of course also record how often a first DHCP binding table entry is matched). That is, after the DHCP blacklist binding table has been created, when a user packet matches the second DHCP binding table containing the DHCP blacklist binding table and the binding table type field shows that the matched entry is a DHCP blacklist binding table entry, the frequency with which that DHCP blacklist binding table entry is matched by user packets is recorded in the hit frequency field.

Table 2

[Table 2: the second DHCP binding table, with the fields MAC address, IP address, ingress port number, VLAN number, BLK and RATE; the table image is not reproduced here]

This embodiment obtains information about the attacker's behaviour, which the network administrator can analyse in order to take further measures.

As described above, when a received user packet is an attack packet it does not match the second DHCP binding table. In practice, however, if a DHCP binding table entry is lost abnormally, the packets sent by the corresponding user also fail to match the second DHCP binding table on the access device. Such user packets cannot be treated as attack packets; they must be handled differently.

To this end, the present invention provides another embodiment of the DHCP snooping method. It differs from embodiment one in that step S2002 further comprises: sending a DHCPNAK packet to the user on behalf of the DHCP server. That is, when a received user packet fails to match the second DHCP binding table, in addition to creating a DHCP blacklist binding table to track the user as in embodiment one, a DHCPNAK packet is sent to the user in the manner of a DHCP server. On receiving the DHCPNAK, the user automatically restarts the initial address request in accordance with the DHCP protocol; the DHCP snooping unit monitors the DHCP packets of this initial address request and rebuilds the user's DHCP binding table entry, and once the address request succeeds the user can access the network as usual. No manual action by the user is required: the DHCP binding table entry is rebuilt without the user noticing, and the user continues to use the network as usual. With this embodiment, when the DHCP binding table entry for a user is lost abnormally, it can be rebuilt without the user's awareness so that the user continues to use the network as usual.

Building on embodiment one or two, after the DHCP blacklist binding table has been created, its hit frequency recorded and the second DHCP binding table formed, the DHCP snooping method of the present invention can be further improved. Figure 3 shows embodiment three of the DHCP snooping method according to an embodiment of the present invention, which comprises the following steps:

S3001: After the second DHCP binding table has been formed, receive a subsequent user packet and determine whether it matches the second DHCP binding table. If so, go to S3002; if not, send a DHCPNAK packet to the user on behalf of the DHCP server.

S3002: Determine whether the second DHCP binding table entry matched by the subsequent user packet is a DHCP blacklist binding table entry. If so, go to S3003; otherwise, forward the user packet as in the prior art.

S3003: Process the subsequent user packet according to a predetermined configuration policy.

When a subsequently received user packet does not match the second DHCP binding table, this embodiment, like embodiment two, sends a DHCPNAK packet to the user on behalf of the DHCP server so that the user starts a new initial address request and the corresponding DHCP binding table entry is rebuilt. When a received user packet matches a second DHCP binding table entry, the packet is not forwarded straight away as in the prior art; it is first determined whether the matched second DHCP binding table entry is a DHCP blacklist binding table entry, that is, the binding table type field is used to decide whether the user packet matched a normal first DHCP binding table entry or a DHCP blacklist binding table entry. If a normal first DHCP binding table entry was matched, the packet is not a spoofing attack packet and is forwarded as in the prior art. If the matched binding table type is a DHCP blacklist binding table entry, the packet may be an attack packet, and the subsequent user packet is processed according to the predetermined configuration policy. This includes recording how often the corresponding DHCP blacklist binding table entry is matched by user packets, that is, how many times it was matched within a predetermined period (the period can be configured to suit actual conditions).

With this embodiment, packets are processed differently depending on the type of DHCP binding table entry they match, which improves the device's ability to identify attack packets.

As one implementation, the predetermined configuration policy may be: if the rate at which the user sends user packets exceeds a preset rate limit, discard the packet; if not, send a DHCPNAK packet to the user. The user's packet sending rate can be computed from the frequency information recorded in the hit frequency field of the DHCP blacklist binding table entry. For example, if the recorded frequency information is that the corresponding DHCP blacklist binding table entry was matched by user packets 4 times within 2 minutes, the frequency information recorded in the hit frequency field of that DHCP blacklist binding table entry is 0.03/s, from which the user's packet sending rate is obtained; expressed as in the RATE field of the second DHCP table, the sending rate of the user's packets can be taken as 0.03/s.

For this configuration policy, one implementation of S3003 is shown in the flowchart of Figure 4 and comprises the following steps:

S4001: Based on the matches of the subsequent user packets, record how often the corresponding DHCP blacklist binding table entry is matched by user packets;

S4002: Compute the user's packet sending rate from the frequency information and compare the computed sending rate with a rate limit. If the sending rate is greater than the rate limit, discard the user packet; otherwise, go to S4003.

The frequency information is the hit frequency of the DHCP blacklist binding table entry recorded in S2003, converted into a user packet sending rate by the method described above. The rate limit can be preset as required.

S4003: Send a DHCPNAK packet to the user on behalf of the DHCP server.

This configuration policy effectively prevents denial-of-service attacks by malicious users.
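The following added illustration (it is not code from the patent or from Huawei) simulates the second DHCP binding table with its BLK and RATE fields and the packet handling of steps S2001-S2003, S3001-S3003 and S4001-S4003 above, including the lookup that rejects user C's spoofed packet. The class and function names, the 120 s period, the 0.1/s rate limit and user B's ingress port E1 are assumptions; the MAC, IP, port and VLAN values otherwise come from the page.

```python
"""Added illustration, not code from the patent or from Huawei: a simulation
of the second DHCP binding table (first-table fields plus BLK and RATE) and
of the packet handling in steps S2001-S2003, S3001-S3003 and S4001-S4003.
Class and function names, the 120 s window, the 0.1/s rate limit and user
B's ingress port E1 are assumptions; the other sample values are the page's."""
from collections import deque
from dataclasses import dataclass, field
from enum import Enum
from typing import Deque, Dict, Tuple

# Lookup key: the four fields of the first DHCP binding table.
Key = Tuple[str, str, str, int]  # (MAC address, IP address, ingress port, VLAN)


class Action(Enum):
    FORWARD = "forward"            # matched a normal (first-table) entry
    DROP = "drop"                  # matched a blacklist entry above the rate limit
    SEND_NAK = "send DHCPNAK"      # matched a blacklist entry below the rate limit
    TRACK_NAK_DROP = "create blacklist entry, send DHCPNAK, drop"  # no match


@dataclass(frozen=True)
class Packet:
    mac: str
    ip: str
    port: str
    vlan: int

    def key(self) -> Key:
        return (self.mac, self.ip, self.port, self.vlan)


@dataclass
class Entry:
    """One row of the second DHCP binding table."""
    mac: str
    ip: str
    port: str
    vlan: int
    blk: bool = False  # BLK field: True marks a DHCP blacklist binding entry
    hits: Deque[float] = field(default_factory=deque)  # timestamps of hits (s)

    def rate(self, now: float, window: float) -> float:
        """RATE field: hits per second over the trailing window,
        e.g. 4 hits in 120 s -> 4/120, about 0.03/s as in the page's example."""
        while self.hits and self.hits[0] <= now - window:
            self.hits.popleft()
        return len(self.hits) / window


class SnoopingTable:
    """Second DHCP binding table plus the decision logic of the method."""

    def __init__(self, window: float = 120.0, limit: float = 0.1) -> None:
        self.window = window   # predetermined period for the hit frequency (assumed)
        self.limit = limit     # preset rate limit in hits per second (assumed)
        self.entries: Dict[Key, Entry] = {}

    def learn(self, mac: str, ip: str, port: str, vlan: int) -> None:
        """Normal entry learned by snooping a successful DHCP exchange (BLK false)."""
        self.entries[(mac, ip, port, vlan)] = Entry(mac, ip, port, vlan)

    def handle(self, pkt: Packet, now: float) -> Action:
        """Decide what the switch does with one user packet received at time `now`."""
        entry = self.entries.get(pkt.key())
        if entry is None:
            # S2001/S2002: no match. Instead of a silent drop, record a blacklist
            # entry built from the packet's own fields so later hits can be counted,
            # and (embodiment two) send DHCPNAK in case the binding was merely lost.
            self.entries[pkt.key()] = Entry(*pkt.key(), blk=True)
            return Action.TRACK_NAK_DROP
        if not entry.blk:
            return Action.FORWARD  # S3002: normal binding, forward as before
        # S4001-S4003: blacklist hit. Record it, derive the sending rate from the
        # RATE field and compare with the limit: drop a flood, NAK a slow sender.
        entry.hits.append(now)
        if entry.rate(now, self.window) > self.limit:
            return Action.DROP
        return Action.SEND_NAK


if __name__ == "__main__":
    table = SnoopingTable()
    table.learn("B", "10.1.1.2", "E1", 3)          # user B's legitimate binding
    print(table.handle(Packet("B", "10.1.1.2", "E1", 3), 0.0))   # FORWARD
    spoof = Packet("C", "10.1.1.1", "E2", 3)       # user C claiming the gateway IP
    print(table.handle(spoof, 0.0))                # TRACK_NAK_DROP
    for t in (10.0, 40.0, 70.0, 100.0):            # 4 hits in 2 minutes
        print(table.handle(spoof, t))              # SEND_NAK each time
```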

Correspondingly, the present invention also provides embodiments of a DHCP snooping device; Figure 5 is a schematic diagram of its functional modules. This DHCP snooping device embodiment monitors user packets received by a network device and comprises a binding table storage unit 3, a hit determination unit 8 and a DHCP blacklist binding table unit 1.

The binding table storage unit 3 stores DHCP binding tables;

The hit determination unit 8 looks up the DHCP binding table stored in the binding table storage unit 3 with the information in a user packet received by the network device, determines whether the user packet matches a DHCP binding table entry, and instructs the network device to forward the user packet when it does;

The DHCP blacklist binding table unit 1, when the result of the hit determination unit 8 is negative, extracts the ingress port, VLAN, source MAC address and source IP address of the user packet to create a DHCP blacklist binding table and stores it in the binding table storage unit 3. That is, when a received user packet does not match any DHCP binding table entry, the packet's ingress port, source MAC address and source IP address are extracted to create a DHCP blacklist binding table. It is called a DHCP blacklist binding table because such a user packet is merely an attack packet sent by a hacker whose own DHCP binding table entry has not been lost; to make the attacker's behaviour easier to track, the DHCP blacklist binding table unit 1 creates a corresponding DHCP blacklist binding table.

To distinguish a normal DHCP binding table from a DHCP blacklist binding table, the binding table storage unit 3 also comprises a binding table type storage unit 31, which stores an indication of whether a DHCP binding table entry is a DHCP blacklist binding table entry. Specifically, two fields are added to the normal DHCP binding table (referred to below as the first DHCP binding table): a binding table type field and a hit frequency field, forming a new DHCP binding table (referred to below as the second DHCP binding table); the second binding table is shown in Table 2 above. The binding table type field (the BLK field in Table 2) identifies whether a second DHCP binding table entry is a first DHCP binding table entry or a DHCP blacklist binding table entry as described in the present invention (BLK true means the second DHCP binding table entry is a DHCP blacklist binding table entry); the hit frequency field (the RATE field in Table 2) records, when the second DHCP binding table entry is a DHCP blacklist binding table entry, how often that entry is matched by user packets (it may of course also record how often a first DHCP binding table entry is matched).

With this embodiment, by recording the frequency information of user packets, the attacker's behaviour can be tracked effectively for analysis by the network administrator.

Note that the access device and network device referred to here include any network device that supports DHCP Snooping. The gateway switch mentioned above is only one example of such a network device and is not a limitation.

Figure 6 is a schematic diagram of the functional modules of embodiment two of the DHCP snooping device of the present invention. It differs from embodiment one in that it also comprises a DHCP negative acknowledgement unit 4, which, when the hit determination unit 8 finds that the user packet does not match any DHCP binding table entry, sends a DHCPNAK packet to the user on behalf of the DHCP server, telling the user that the IP address can no longer be used and instructing it to restart the initial address request. On receiving the DHCPNAK, the user starts a new initial address request; the DHCP snooping device monitors the DHCP packets exchanged during this initial address request and rebuilds the corresponding DHCP binding table entry. Once the address request succeeds, the user can access the network as usual.

With this embodiment, in addition to the functions of embodiment one, a DHCP binding table entry that has been lost abnormally is automatically rebuilt without the user noticing, so that the user continues to use the network as usual.

Building on embodiment one or two, the DHCP snooping device can be further improved to make full use of the DHCP blacklist binding table unit 1 and the binding table type storage unit 31. Figure 7 shows the functional modules of the improved DHCP snooping device, embodiment three. In addition to all the functional units of embodiment two, it comprises a type determination unit 5, a first processing unit 6 and a second processing unit 7.

The type determination unit 5, when the hit determination unit 8 finds that a subsequent user packet received by the network device matches the second DHCP binding table, that is, when the received subsequent user packet matches a second DHCP binding table entry, uses the type field of the DHCP binding table to determine whether the matched second DHCP binding table entry is a DHCP blacklist binding table entry, that is, whether it is a DHCP blacklist binding table entry or a normal DHCP binding table entry, and sends the result to the first processing unit 6.

The first processing unit 6 receives the result of the type determination unit 5 and, when that result is that the second DHCP binding table entry matched by the subsequent user packet is a DHCP blacklist binding table entry, processes the subsequent user packet according to the predetermined configuration policy;

The second processing unit receives the result of the type determination unit 5 and, when that result is that the second DHCP binding table entry matched by the subsequent user packet is not a DHCP blacklist

As one implementation, the first processing unit 6 further comprises a recording unit 61, a rate calculation unit 62 and a comparison unit 63.

The recording unit 61 records, based on the matches of subsequent user packets, how often the corresponding DHCP blacklist binding table entry is matched; the rate calculation unit 62 computes the user's packet sending rate from the frequency information recorded by the recording unit 61. For example, if the recording unit 61 records that the blacklist binding table entry was matched by user packets 4 times within 2 minutes, the corresponding user packet sending rate is computed as one packet every 30 s. The comparison unit 63 compares the user's packet sending rate with the preset rate limit; when the sending rate is lower than the rate limit it triggers the negative acknowledgement unit 4 to send the user a DHCP packet that makes the user restart the initial address request, and otherwise it triggers the network device to discard the subsequent user packet.

As one implementation, the predetermined configuration policy stored in the first processing unit 6 may be: if the rate at which the user sends packets exceeds a preset rate limit, discard the packet; if not, the DHCP negative acknowledgement unit 4 sends the user a DHCPNAK packet instructing it to start an initial address request.

With this embodiment, the attacker's behaviour can be tracked and the device's ability to identify attacks improved, effectively preventing denial-of-service attacks by malicious users.

The above is only a preferred embodiment of the present invention and of course does not limit the scope of its rights; equivalent changes made in accordance with the claims of the present invention remain within the scope of the present invention.

Claims

1. A DHCP snooping method, characterised by comprising:
receiving a user packet and determining whether it matches the first DHCP binding table; if so, forwarding the user packet, otherwise performing the next step;
extracting the ingress port, VLAN, source MAC address and source IP address of the user packet to create a DHCP blacklist binding table, and forming a second DHCP binding table that includes the entries of this DHCP blacklist binding table and the entries of the first DHCP binding table;
recording frequency information on how often subsequently received user packets match the DHCP blacklist binding table.

2. The DHCP snooping method of claim 1, characterised in that, when the user packet does not match the first DHCP binding table, a DHCPNAK packet is sent to the user on behalf of the DHCP server, the DHCPNAK packet triggering the user to restart the initial address request.

3. The DHCP snooping method of claim 1 or 2, characterised in that the second DHCP binding table includes indication information indicating whether the corresponding entry is a DHCP blacklist binding table entry, and in that, after recording the frequency information, the method further comprises:
receiving a subsequent user packet and determining whether it matches the second DHCP binding table; if so, performing the next step; if not, sending a DHCPNAK packet to the user on behalf of the DHCP server;
determining, from the indication information, whether the second DHCP binding table entry matched by the user packet is a DHCP blacklist binding table entry; if so, performing the next step; if not, forwarding the user packet;
processing the subsequent user packet according to a predetermined configuration policy.

4. The DHCP snooping method of claim 3, characterised in that the step of processing the subsequent user packet according to the predetermined configuration policy comprises:
obtaining the sending rate of the corresponding user packets from the frequency information and comparing the sending rate with a preset rate limit; if the sending rate is greater than the rate limit, discarding the subsequent user packet, otherwise performing the next step;
sending a DHCPNAK packet to the user on behalf of the DHCP server.

5. A DHCP snooping device for monitoring user packets received by a network device, characterised by comprising:
a binding table storage unit for storing DHCP binding tables;
a hit determination unit for looking up the DHCP binding table stored in the binding table storage unit with the information in a user packet received by the network device, determining whether the user packet matches the first DHCP binding table, and instructing the network device to forward the user packet when it does;
a DHCP blacklist binding table unit for, when the result of the hit determination unit is negative, extracting the ingress port, VLAN, source MAC address and source IP address of the packet to create a DHCP blacklist binding table, forming a second DHCP binding table that includes the entries of this DHCP blacklist binding table and the entries of the first DHCP binding table, and storing it in the binding table storage unit.

6. The DHCP snooping device of claim 5, characterised in that the binding table storage unit comprises:
a binding table type storage unit for storing an indication of whether a DHCP binding table entry is a DHCP blacklist binding table entry.

7. The DHCP snooping device of claim 5, characterised by further comprising:
a DHCP negative acknowledgement unit for, when the result of the hit determination unit is negative, sending a DHCPNAK packet to the user on behalf of the DHCP server, the DHCPNAK packet triggering the user to restart the initial address request.

8. The DHCP snooping device of any one of claims 5 to 7, characterised by further comprising:
a type determination unit for, when the hit determination unit finds that a subsequent user packet received by the network device matches the second DHCP binding table, determining from the indication information in the binding table type storage unit whether the matched entry is a DHCP blacklist binding table entry of the second DHCP binding table;
a first processing unit for, when the type determination unit finds that the second DHCP binding table entry matched by the subsequent user packet is the DHCP blacklist binding table entry, processing the subsequent user packet according to a predetermined configuration policy;
a second processing unit for, when the type determination unit finds that the second DHCP binding table entry matched by the subsequent user packet is not the DHCP blacklist binding table entry, triggering the network device to forward the user packet.
9、 如权利要求 8所述的 DHCP监听装置, 其特征在于, 所述第一处理单元 包括: The DHCP monitoring device according to claim 8, wherein the first processing unit comprises: 记录单元, 根据所述后续用户报文的命中情况, 记录并存储所述 DHCP黑 名单绑定表对应表项被命中的频率信息;  The recording unit records and stores the frequency information that the corresponding entry of the DHCP blacklist binding table is hit according to the hit situation of the subsequent user packet; 速率计算单元, 用于根据所述记录的频率信息, 计算得到对应的所述用户 报文的发送速率; 关系, 当所述用户报文的发送速率小于所述限速值时, 触发所述反确认单元向 所述用户发送 DHCPNAK报文,否则触发所述网络设备丟弃所述后续用户报文。  a rate calculation unit, configured to calculate, according to the recorded frequency information, a corresponding sending rate of the user packet; and, when the sending rate of the user packet is less than the speed limit value, triggering the reverse The acknowledgment unit sends a DHCPNAK message to the user, otherwise the network device is triggered to discard the subsequent user message.
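The decision logic that claims 1 to 4 describe (lookup against the binding table, a blacklist entry keyed on ingress port, VLAN, source MAC and source IP for packets that miss it, a per-entry hit frequency, and the rate-limit choice between answering with a DHCPNAK in the server's stead and dropping) carried through as an added Python example. This is not code from the patent or from Huawei; the one-second measurement window, the packet representation, the interface names and the 192.0.2.0/24 addresses are constructed for the illustration, and the NAK is modelled as a returned action rather than a crafted packet.

```python
"""Decision engine for the DHCP snooping method in the claims (added example).

Assumptions (not from the patent): rate is measured as hits over a trailing
1 s window, packets are represented by their extracted binding fields, and the
DHCPNAK/forward/drop outcome is returned as a string for the switch to act on.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Tuple


@dataclass(frozen=True)
class BindingKey:
    """The four fields the claims extract from a user packet."""
    port: str   # ingress port
    vlan: int   # VLAN id
    mac: str    # source MAC
    ip: str     # source IP


@dataclass
class BindingEntry:
    blacklisted: bool                                   # claim 3's indication information
    hits: Deque[float] = field(default_factory=deque)   # timestamps of blacklist hits


class DhcpSnooper:
    def __init__(self, rate_limit_pps: float, window_s: float = 1.0) -> None:
        self.rate_limit = rate_limit_pps
        self.window = window_s   # assumed measurement window
        # The "second DHCP binding table": legitimate entries plus blacklist entries.
        self.table: Dict[BindingKey, BindingEntry] = {}

    def learn_lease(self, key: BindingKey) -> None:
        """Populate the first (legitimate) binding table, e.g. from a snooped DHCPACK."""
        self.table[key] = BindingEntry(blacklisted=False)

    def rate_of(self, entry: BindingEntry, now: float) -> float:
        """Hits per second over the trailing window (the claims' 'sending rate')."""
        while entry.hits and entry.hits[0] <= now - self.window:
            entry.hits.popleft()
        return len(entry.hits) / self.window

    def handle(self, key: BindingKey, now: float) -> str:
        """Return 'forward', 'send_nak' or 'drop' for one user packet."""
        entry = self.table.get(key)
        if entry is None:
            # Miss on the binding table (claims 1 and 2): create a blacklist entry
            # and answer with a DHCPNAK so the client restarts its address request.
            self.table[key] = BindingEntry(blacklisted=True)
            return "send_nak"
        if not entry.blacklisted:
            return "forward"          # legitimate lease: forward the packet
        entry.hits.append(now)        # record the hit frequency (claim 1, last step)
        # Claim 4: strictly above the configured limit is dropped; otherwise NAK again.
        if self.rate_of(entry, now) > self.rate_limit:
            return "drop"
        return "send_nak"


def simulate(snooper: DhcpSnooper,
             packets: List[Tuple[float, BindingKey]]) -> List[Tuple[float, str]]:
    """Feed a (timestamp, key) trace through the snooper and collect the actions."""
    return [(t, snooper.handle(k, t)) for t, k in packets]


def run_demo() -> List[str]:
    """Constructed trace: one legitimate client and one unknown source sending quickly."""
    snooper = DhcpSnooper(rate_limit_pps=3)
    good = BindingKey("Gi0/1", 10, "00:11:22:33:44:55", "192.0.2.10")
    rogue = BindingKey("Gi0/2", 10, "de:ad:be:ef:00:01", "192.0.2.200")
    snooper.learn_lease(good)   # lease seen earlier in a DHCPACK (constructed)
    trace = [(0.0, good), (0.0, rogue), (0.1, rogue), (0.2, rogue),
             (0.3, rogue), (0.4, rogue), (2.0, rogue), (2.1, good)]
    return [action for _, action in simulate(snooper, trace)]


if __name__ == "__main__":
    for action in run_demo():
        print(action)
```

In the trace the first miss creates the blacklist entry and is answered with a NAK; the next three hits within the same second stay at or below three packets per second and are NAKed again, the fourth exceeds the limit and is dropped, and once the window has emptied the source is NAKed rather than dropped. Claims 4 and 9 disagree at exact equality (claim 4 drops only when the rate is greater than the limit, claim 9 NAKs only when it is less); the example follows claim 4.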
PCT/CN2008/070314 2007-04-25 2008-02-15 Method and device for dhcp snooping Ceased WO2008131658A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CNB2007100277071A CN100563149C (en) 2007-04-25 2007-04-25 A kind of DHCP listening method and device thereof
CN200710027707.1 2007-04-25

Publications (1)

Publication Number Publication Date
WO2008131658A1 true WO2008131658A1 (en) 2008-11-06

Family

ID=38889839

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/070314 Ceased WO2008131658A1 (en) 2007-04-25 2008-02-15 Method and device for dhcp snooping

Country Status (2)

Country Link
CN (1) CN100563149C (en)
WO (1) WO2008131658A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116915748A (en) * 2023-07-21 2023-10-20 中国移动通信有限公司研究院 IP address binding, IP address allocation methods, devices, equipment and media

Families Citing this family (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100499528C (en) * 2007-04-25 2009-06-10 华为技术有限公司 DHCP monitoring method and apparatus thereof
CN100563149C (en) * 2007-04-25 2009-11-25 华为技术有限公司 A kind of DHCP listening method and device thereof
CN101924800B (en) 2009-06-11 2015-03-25 华为技术有限公司 Method for obtaining IP address of DHCPv6 server, DHCPv6 server and DHCPv6 communication system
CN102045308B (en) * 2009-10-10 2014-04-30 中兴通讯股份有限公司 Method and device for preventing denial of service (DoS) attacks
CN102487342B (en) * 2010-12-03 2014-07-09 阿里巴巴集团控股有限公司 Device and method for controlling virtual internet protocol address binding
CN102413044B (en) * 2011-11-16 2015-02-25 华为技术有限公司 Method, device, equipment and system for generating DHCP (Dynamic Host Configuration Protocol) Snooping binding table
CN102438028B (en) * 2012-01-19 2016-06-15 神州数码网络(北京)有限公司 A kind of prevent Dynamic Host Configuration Protocol server from cheating method, Apparatus and system
CN102594834B (en) * 2012-03-09 2014-09-10 北京星网锐捷网络技术有限公司 Method and device for defending network attack and network equipment
CN104009967A (en) * 2013-02-27 2014-08-27 上海斐讯数据通信技术有限公司 Method for preventing attack of untrusted servers
US9900247B2 (en) * 2015-12-30 2018-02-20 Juniper Networks, Inc. Media access control address and internet protocol address binding proxy advertisement for network devices of a network
CN107612890B (en) * 2017-08-24 2020-09-15 中国科学院信息工程研究所 Network monitoring method and system
CN109842692B (en) * 2018-11-13 2022-06-14 联想企业解决方案(新加坡)有限公司 VxLAN switch, system and method for obtaining host information in physical network
CN110381053A (en) * 2019-07-16 2019-10-25 新华三信息安全技术有限公司 A kind of message filtering method and device
CN115941255A (en) * 2022-10-21 2023-04-07 苏州浪潮智能科技有限公司 A method, device, electronic equipment and storage medium for transferring ARP entry to host routing

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1695341A (en) * 2002-11-06 2005-11-09 艾利森电话股份有限公司 Method and arrangement for preventing illegitimate use of IP addresses
US20060248229A1 (en) * 2005-04-27 2006-11-02 3Com Corporation Network including snooping
CN1901511A (en) * 2005-07-22 2007-01-24 日立通讯技术株式会社 Packet transfer system, communication network, and packet transfer method
CN101039176A (en) * 2007-04-25 2007-09-19 华为技术有限公司 DHCP monitoring method and apparatus thereof
CN101039223A (en) * 2007-04-25 2007-09-19 华为技术有限公司 DHCP monitoring method and apparatus thereof
CN101060495A (en) * 2007-05-22 2007-10-24 华为技术有限公司 Message processing method, system and equipment

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100471172C (en) * 2006-03-04 2009-03-18 华为技术有限公司 A method of blacklist realization

Also Published As

Publication number Publication date
CN100563149C (en) 2009-11-25
CN101039176A (en) 2007-09-19

Similar Documents

Publication Publication Date Title
WO2008131658A1 (en) Method and device for dhcp snooping
CN100586106C (en) Message processing method, system and device
CN104137513B (en) Attack Defense Method and Equipment
WO2021008028A1 (en) Network attack source tracing and protection method, electronic device and computer storage medium
CN101674309B (en) Method and device for Ethernet access
CN101483515A (en) DHCP attack guarding method and customer terminal equipment
WO2008131667A1 (en) Method, device for identifying service flows and method, system for protecting against a denial of service attack
US8320249B2 (en) Method and system for controlling network access on a per-flow basis
WO2017088326A1 (en) Tcp connection processing method, device and system
CN102014110A (en) Method for authenticating communication flows, communication system and protective device
WO2011140795A1 (en) Method and switching device for preventing media access control address spoofing attack
WO2019178966A1 (en) Network attack defense method and apparatus, and computer device and storage medium
WO2011020254A1 (en) Method and device for preventing network attacks
CN100499528C (en) DHCP monitoring method and apparatus thereof
CN106487807A (en) A kind of means of defence of domain name mapping and device
CN107690004A (en) The processing method and processing device of address analysis protocol message
CN106878326A (en) IPv6 Neighbor Cache Protection Method and Device Based on Reverse Detection
Yaibuates et al. A combination of ICMP and ARP for DHCP malicious attack identification
CN106603501A (en) Method, system and firewall device for preventing hijacking of domain name
CN101094235B (en) A Method of Preventing Address Resolution Protocol Attack
WO2005004410A1 (en) A method controlling retransmission of a data message in a routing device
CN106101088B (en) The method of cleaning equipment, detection device, routing device and prevention DNS attack
WO2010048808A1 (en) A method, system and gateway for preventing the network attack
CN110198290B (en) Information processing method, equipment, device and storage medium
WO2012100494A1 (en) Method and apparatus for improving security of neighbor discovery snooping

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08706687

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08706687

Country of ref document: EP

Kind code of ref document: A1