WO2008131658A1 - Method and device for DHCP snooping - Google Patents
- Publication number
- WO2008131658A1 (application PCT/CN2008/070314)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- dhcp
- binding table
- user
- packet
- blacklist
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/50—Address allocation
- H04L61/5007—Internet protocol [IP] addresses
- H04L61/5014—Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
Definitions
- The present invention relates to the field of communication network technologies, and in particular, to a DHCP listening method and device thereof.
Background technique
- DHCP Dynamic Host Configuration Protocol
- IP/MAC spoofing attack: The attacker sends packets carrying its own Media Access Control (MAC) address and the victim's Internet Protocol (IP) address to the gateway router, including IP packets and Address Resolution Protocol (ARP) packets, so that the gateway router learns a binding between the victim's IP address and the attacker's MAC address; all subsequent packets destined for the victim are then forwarded to the attacker.
- MAC media access control
- IP Internet Protocol
- ARP Address Resolution Protocol
- Man-in-the-middle attack: The attacker sends packets carrying its own MAC address and the gateway IP address (IP and ARP packets, most often ARP packets) to the victim, so that the victim learns a wrong ARP entry. All packets that the victim sends out through the gateway are then sent to the attacker, who can analyze them and steal information, and can then choose to discard them or forward them to the gateway.
- the current common method is to enable the DHCP snooping function on the network device of the access user, such as the gateway switch.
- DHCP snooping listens to DHCP packets and establishes a DHCP binding table.
- the entries in the binding table include: IP address, MAC address, inbound port number, and virtual local area network (VLAN).
- the DHCP binding table is used to check the address resolution protocol (ARP) packet and the IP packet to solve the above-mentioned spoofing attack security problem.
- the basic scheme is shown in Figure 1.
- the MAC address and IP address of User B are: B, 10.1.1.2;
- The MAC address and IP address of User C are: C, 10.1.1.3; the MAC address and IP address of network device A are: A, 10.1.1.1.
- The DHCP binding table that the gateway switch creates by listening to the DHCP packets sent by user B and user C during the address application process is shown in Table 1.
- The gateway switch searches the DHCP binding table for an entry whose MAC address is C, IP address is 10.1.1.1, ingress port number is E2, and VLAN number is 3.
- the gateway switch discards the ARP packet. Therefore, spoofing ARP packets will not reach any other users, including user B, thus preventing user C's attack behavior.
- The DHCP snooping solution solves the DHCP security problem. However, the attacker's packets are simply discarded, so this solution cannot be used to learn any information about the attacker.
Summary of the invention
- The technical problem to be solved by the embodiments of the present invention is to provide a DHCP listening method that records the attack behavior when an attack is received.
- An embodiment of the present invention provides a DHCP listening method, including: receiving a user packet and determining whether it hits the first DHCP binding table; if the determination result is yes, forwarding the user packet; otherwise, proceeding to the next step;
- extracting the inbound port information, virtual local area network information, source MAC address, and source IP address of the user packet to create a DHCP blacklist binding table, and forming a second DHCP binding table that includes the DHCP blacklist binding table entry and the first DHCP binding table entry.
- the embodiment of the present invention provides a DHCP listening device, which is configured to listen to user packets received by a network device, including:
- a binding table storage unit configured to store a DHCP binding table
- a hit determination unit configured to search, according to information in the user packet received by the network device, the DHCP binding table stored in the binding table storage unit, to determine whether the user packet hits the first DHCP binding table, and to instruct the network device to forward the user message when the determination result is yes;
- a DHCP blacklist binding table unit configured to: when the judgment result of the hit determination unit is negative, extract the inbound port information, the virtual local area network information, the source MAC address, and the source IP address information of the packet to create a DHCP blacklist binding table, and form, in the binding table storage unit, a second DHCP binding table that includes the DHCP blacklist binding table entry and the first DHCP binding table entry.
- With the DHCP snooping method and device provided by the embodiments of the present invention, a DHCP blacklist binding table is established and the frequency with which the DHCP blacklist binding table is hit is recorded, so that the attacker can be tracked and information about the attack behavior obtained, which makes it convenient for network management to analyze it and take the necessary anti-attack measures.
- FIG. 1 is a schematic diagram of application of a DHCP snooping method in the prior art
- FIG. 2 is a schematic flowchart of Embodiment 1 of a DHCP snooping method according to the present invention
- FIG. 3 is a schematic flowchart of Embodiment 3 of a DHCP listening method in the present invention
- FIG. 4 is a schematic flow chart of an embodiment of S3003 in FIG. 3;
- FIG. 5 is a schematic diagram of the functional module of the first embodiment of the DHCP listening device of the present invention
- FIG. 6 is a schematic diagram of the functional module of the second embodiment of the DHCP monitoring device of the present invention
- FIG. 7 is a schematic diagram of the functional module composition of the third embodiment of the DHCP monitoring device of the present invention.
Detailed description
- FIG. 2 is a schematic flowchart diagram of Embodiment 1 of a DHCP snooping method according to the present invention.
- the embodiment includes the following steps:
- S2001 Receive a user packet and determine whether it hits the first DHCP binding table. If the judgment result is yes, the user packet is forwarded. Otherwise, S2002 is performed.
- S2002 Extract the inbound port information, the virtual local area network information, the source MAC address, and the source IP address information of the user packet to create a DHCP blacklist binding table, and form a second DHCP binding table that includes the DHCP blacklist binding table entry and the first DHCP binding table entry.
- When the received user packet cannot hit the first DHCP binding table, the packet may be an attack packet sent by an attacker. In this embodiment of the present invention, the packet is no longer simply discarded. Instead, related information is extracted from the packet to establish a DHCP blacklist binding table, a second DHCP binding table including the DHCP blacklist binding table entry and the first DHCP binding table entry is formed to track subsequent attacks, and the user message is then discarded. When a subsequently received user packet hits the DHCP blacklist binding table, the frequency information of the DHCP blacklist binding table is recorded, that is, how many times the DHCP blacklist binding table is hit within a certain period of time. For example, the access device (the network switch in the figure) shown in FIG.
- The DHCP listening unit of the access device extracts information such as the source MAC address and the source IP address from the packet, adds the inbound port information (that is, the port number) and the VLAN number, and searches the first DHCP binding table. If no corresponding first DHCP binding table entry is found, that is, no DHCP binding table entry is consistent with the related information extracted from the message of user C, it is very likely that user C sent an attack message.
- The access device does not directly discard the packet, but establishes a DHCP blacklist binding table entry according to the source MAC address, the source IP address, the ingress port, and the VLAN information extracted from the packet.
- Two fields are added: binding table type and hit frequency.
- the second DHCP binding table is shown in Table 2 below.
- The binding table type field (the BLK field in the following Table 2) is used to identify whether the second DHCP binding table entry is a first DHCP binding table entry or a DHCP blacklist binding table entry (a BLK field of true indicates that the second DHCP binding table entry is a DHCP blacklist binding table entry).
- The hit frequency field (the RATE field in Table 2) is used to record the frequency information of the DHCP blacklist binding table entry being hit by user packets when the second DHCP binding table entry is a DHCP blacklist binding table entry (of course, it is also possible to record the frequency information of the first DHCP binding table entry being hit by user packets).
- When the binding table type field shows that the entry that was hit is a DHCP blacklist binding table entry, the frequency information of that entry being hit by user packets is recorded in the hit frequency field.
- In this way the attacker's attack behavior information is obtained, which facilitates the network management to analyze and take further measures.
- In a practical application, if a DHCP binding table entry is abnormally lost, the packets sent by the corresponding user cannot hit the second DHCP binding table on the access device, but the user packet at this time cannot be regarded as an attack packet and must be handled differently from an attack packet.
- the present invention provides another embodiment of the DHCP snooping method.
- In this embodiment, step S2002 further includes the step of sending a DHCPNAK message to the user in the manner of the DHCP server. That is, when the received user packet cannot hit the second DHCP binding table, a DHCP blacklist binding table is established to track the user according to the procedure of the first embodiment, and a DHCPNAK packet is sent to the user in the manner of the DHCP server. After receiving the DHCPNAK packet, the user automatically re-initiates the first-time address request according to the DHCP protocol.
- The DHCP snooping unit re-establishes the DHCP binding table of the corresponding user by listening to the DHCP messages in the first-time address application process. The user can then go online as usual after applying for the address. The user does not need to operate anything manually during the whole process. In this embodiment, when the DHCP binding table corresponding to the user is abnormally lost, the corresponding DHCP binding table can be re-established without the user being aware of it, so that the user accesses the Internet as usual.
- FIG. 3 shows a third embodiment of the DHCP listening method according to the embodiment of the present invention, which includes the following steps:
- S3001 After the second DHCP binding table is formed, receive a subsequent user packet and determine whether it hits the second DHCP binding table. If the determination result is yes, execute S3002; if the determination result is no, send a DHCPNAK message to the user in the manner of the DHCP server.
- S3002 Determine whether the second DHCP binding table entry hit by the subsequent user packet is a DHCP blacklist binding table entry. If the determination result is yes, execute S3003. Otherwise, forward the user packet according to the prior art.
- S3003 Process the subsequent user message according to a predetermined configuration policy.
- Sending a DHCPNAK packet to the user in the manner of the DHCP server makes the user initiate the first-time address application, thereby re-establishing the corresponding DHCP binding table.
- Determining whether the binding table entry that was hit is a DHCP blacklist binding table entry means determining, according to the binding table type field in the binding table, whether the user packet hit a normal first DHCP binding table entry or a DHCP blacklist binding table entry.
- If it hit a normal first DHCP binding table entry, the packet is forwarded according to the prior art.
- If the binding table type is a DHCP blacklist binding table entry, the packet may be an attack packet, and the subsequent user packet may be processed according to a predetermined configuration policy, including recording the frequency information with which the corresponding DHCP blacklist binding table entry is hit by user packets, that is, how many times it is hit within a predetermined time period (the predetermined time period can be configured according to actual conditions).
- Processing the packet according to the type of the DHCP binding table entry that is hit enhances the device's ability to identify attack packets.
- The predetermined configuration policy may be: if the rate at which the user sends user packets exceeds a preset speed limit value, the packet is discarded; if not, a DHCPNAK packet is sent to the user.
- The rate at which the user sends packets can be calculated from the frequency information recorded in the hit frequency field of the DHCP blacklist binding table entry. For example, if the frequency information recorded in the hit frequency field of the corresponding DHCP blacklist binding table entry (the RATE field in the second DHCP binding table) is 0.03/s, the sending rate of the user packets can be taken as 0.03/s.
- A flowchart of an implementation manner of S3003 is shown in FIG. 4, and includes the following steps:
- S4001 Record, according to the hit situation of the subsequent user packet, the frequency information that the corresponding entry of the DHCP blacklist binding table is hit by the user packet;
- S4002 Calculate a sending rate of the user packet according to the frequency information, and compare the calculated sending rate with a rate limit value. If the sending rate is greater than the rate limit value, discard the user message; otherwise, execute S4003.
- the frequency information is the frequency information of the DHCP blacklist binding table entry recorded in S2003, and the frequency information is converted into the sending rate of the user packet according to the foregoing method.
- the speed limit value can be preset as needed.
- S4003 Sends a DHCPNAK packet to the user in the same manner as the DHCP server.
- the present invention further provides an embodiment of a DHCP listening device, and a schematic diagram of a functional module of the DHCP listening device is shown in FIG. 5.
- the DHCP snooping device embodiment is configured to listen to user packets received by the network device, including a binding table storage unit 3, a hit determining unit 8, and a DHCP blacklist binding table unit 1.
- the binding table storage unit 3 is configured to store a DHCP binding table.
- The hit determination unit 8 is configured to search the DHCP binding table stored in the binding table storage unit 3 according to the information in the user packet received by the network device, determine whether the user packet hits the DHCP binding table, and, when the judgment result is yes, instruct the network device to forward the user message;
- The DHCP blacklist binding table unit 1 is configured to: when the judgment result of the hit determination unit 8 is negative, extract the inbound port information, the virtual local area network information, the source MAC address, and the source IP address information of the user packet to create a DHCP blacklist binding table, and store the DHCP blacklist binding table in the binding table storage unit 3. That is, when the received user packet does not match a DHCP binding table entry, the inbound port information of the packet and its source MAC address and source IP address information are extracted to create a DHCP blacklist binding table.
- It is called a DHCP blacklist binding table because the user packet may be only an attack packet sent by a hacker, with no corresponding DHCP binding table having been lost. In this case, to make it convenient to track the hacker's attack behavior, the DHCP blacklist binding table unit 1 establishes a corresponding DHCP blacklist binding table.
- The binding table storage unit 3 further includes a binding table type storage unit 31, configured to store an indication of whether the type of the DHCP binding table is a DHCP blacklist binding table. Specifically, two fields are added to the normal DHCP binding table (referred to below as the first DHCP binding table): a binding table type field and a hit frequency field, forming a new DHCP binding table (hereinafter referred to as the second binding table), as shown in Table 2.
- The binding table type field (the BLK field in Table 2 above) is used to identify whether the second DHCP binding table entry is a first DHCP binding table entry or the DHCP blacklist binding table entry mentioned in the present invention; a BLK field of true indicates that the second DHCP binding table entry is a DHCP blacklist binding table entry.
- The hit frequency field (the RATE field in Table 2 above) is used, when the second DHCP binding table entry is a DHCP blacklist binding table entry, to record the frequency information of the DHCP blacklist binding table entry being hit by user packets (of course, the frequency information of the first DHCP binding table entry being hit by user packets may also be recorded).
- the behavior information of the attacker can be effectively tracked, which facilitates the network management to analyze.
- the access device and the network device actually include all network devices that support DHCP snooping.
- the gateway switch mentioned above is only a special case of the network device, and is not limited thereto.
- A schematic diagram of the functional module of the second embodiment of the DHCP monitoring device of the present invention is shown in FIG. 6. It differs from the first embodiment in that it further includes a DHCP anti-confirmation unit 4 which, when the result of the hit determination unit 8 is that the user packet does not match a DHCP binding table entry, sends a DHCPNAK packet to the user in the manner of the DHCP server, telling the user that the IP address is no longer available and instructing the user to re-initiate the first address request. After receiving the DHCPNAK packet, the user initiates the first address request, and the DHCP snooping device monitors the DHCP packets sent in the first address application process and re-establishes the corresponding DHCP binding table. After the user successfully applies for the address, they can go online as usual.
- FIG. 7 is a schematic diagram showing the functional module structure of the improved DHCP listening device, that is, the third embodiment.
- It further includes a type determining unit 5, a first processing unit 6, and a second processing unit 7.
- The type judging unit 5 is configured to: when the judgment result of the hit judging unit 8 is that the subsequent user packet received by the network device hits the second DHCP binding table, determine, according to the type field of the DHCP binding table, whether the second DHCP binding table entry hit by the subsequent user packet is a DHCP blacklist binding table entry, that is, judge whether it is a DHCP blacklist binding table entry or a normal DHCP binding table entry, and send the judgment result to the first processing unit 6.
- The first processing unit 6 receives the determination result of the type judging unit 5 and, when that result is that the second DHCP binding table entry hit by the subsequent user packet is a DHCP blacklist binding table entry, processes the subsequent user message according to a predetermined configuration policy;
- The second processing unit 7 receives the determination result of the type judging unit 5, and when the judgment result of the type judging unit 5 is that the second DHCP binding table entry of the subsequent user packet is not a DHCP blacklist
- As an implementation, the first processing unit 6 further includes a recording unit 61, a rate calculating unit 62, and a comparing unit 63.
- The recording unit 61 is configured to record, according to the hit situation of the subsequent user packet, the frequency information that the corresponding DHCP blacklist binding table entry is hit; the rate calculating unit 62 is configured to use the frequency information recorded by the recording unit 61 to calculate the sending rate of the user. For example, if the frequency information recorded by the recording unit 61 is that the blacklist binding table entry was hit by user packets 4 times within 2 minutes, the sending rate of the corresponding user packets can be calculated as 30s/time.
- The comparison unit 63 compares the sending rate of the user packet with the preset speed limit value. When the sending rate of the user packet is less than the speed limit value, the DHCP anti-confirmation unit 4 is triggered to send the user a DHCP message that triggers the user to re-initiate the first-time address request; otherwise the network device is triggered to discard the subsequent user message.
- The predetermined configuration policy stored in the first processing unit 6 may be: if the rate at which the user sends packets exceeds a preset rate limit, the packet is discarded; if it is not exceeded, the DHCP anti-confirmation unit 4 sends a DHCPNAK message to the user, instructing the user to initiate the first address application.
- the behavior information of the attacker can be tracked, and the attack recognition capability of the device can be enhanced, thereby effectively preventing the denial of service attack by the malicious user.
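The decision flow of steps S2001-S2002, S3001-S3003 and S4001-S4003, as an added Python example that is not part of the patent text. The class and function names, the 120 s window, the 0.03/s limit, port E1, and the replacement of a blacklist entry by a re-learned binding are assumptions.

```python
from collections import deque
from dataclasses import dataclass, field

FORWARD, DROP, NAK = "forward", "drop", "drop+dhcpnak"


@dataclass
class Entry:
    blk: bool                                   # BLK field: True = blacklist entry
    hits: deque = field(default_factory=deque)  # hit timestamps behind the RATE field


class Snooper:
    """Second DHCP binding table keyed by (MAC, IP, inbound port, VLAN)."""

    def __init__(self, window_s=120.0, limit_per_s=0.03):
        self.window_s = window_s        # "predetermined time period" (assumed value)
        self.limit_per_s = limit_per_s  # speed limit value (assumed value)
        self.table = {}

    def learn(self, mac, ip, port, vlan):
        # Binding learned by listening to a DHCP address application.
        # Assumption: it replaces a blacklist entry that has the same key.
        self.table[(mac, ip, port, vlan)] = Entry(blk=False)

    def rate(self, key, now):
        # Hits per second over the sliding window that ends at `now`.
        hits = self.table[key].hits
        while hits and now - hits[0] > self.window_s:
            hits.popleft()
        return len(hits) / self.window_s

    def handle(self, mac, ip, port, vlan, now):
        key = (mac, ip, port, vlan)
        entry = self.table.get(key)
        if entry is None:
            # S2002: on a miss, record the sender instead of silently discarding,
            # and answer with a DHCPNAK so a user whose binding was lost re-applies.
            self.table[key] = Entry(blk=True)
            return NAK
        if not entry.blk:
            return FORWARD              # S3002: normal binding, forward as usual
        entry.hits.append(now)          # S4001: record the hit
        if self.rate(key, now) > self.limit_per_s:
            return DROP                 # S4002: sending rate above the limit
        return NAK                      # S4003: below the limit, send DHCPNAK

    def blacklist_report(self, now):
        # What network management would read: blacklisted senders and their rates.
        return {k: self.rate(k, now) for k, e in self.table.items() if e.blk}


def demo():
    s = Snooper()
    # Constructed bindings: addresses and port E2/VLAN 3 are the page's, E1 is assumed.
    s.learn("B", "10.1.1.2", "E1", 3)
    s.learn("C", "10.1.1.3", "E2", 3)
    spoof = ("C", "10.1.1.1", "E2", 3)  # user C claiming device A's IP address
    actions = [s.handle(*spoof, now=t) for t in (0, 10, 20, 30, 40)]
    report = s.blacklist_report(now=40)
    # User B's binding is lost abnormally: B is NAKed, re-applies, and is forwarded.
    del s.table[("B", "10.1.1.2", "E1", 3)]
    lost = s.handle("B", "10.1.1.2", "E1", 3, now=50)
    s.learn("B", "10.1.1.2", "E1", 3)
    recovered = s.handle("B", "10.1.1.2", "E1", 3, now=60)
    return actions, report, lost, recovered


if __name__ == "__main__":
    print(demo())
```

The fourth recorded hit inside the window gives 4/120 s, about 0.033/s, which crosses the 0.03/s limit and switches the response from DHCPNAK to a silent drop.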
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention relates to a DHCP snooping method. In order to track attackers' attacks, a DHCP blacklist binding table is established when received user data packets have not hit the DHCP binding table. Information on the frequency with which the DHCP blacklist table is hit is recorded. The invention also relates to a device. The attackers' attack is thus tracked and essential information is obtained, which helps the administrator analyze the information.
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CNB2007100277071A CN100563149C (zh) | 2007-04-25 | 2007-04-25 | A DHCP snooping method and device thereof |
| CN200710027707.1 | 2007-04-25 |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2008131658A1 (fr) | 2008-11-06 |
Family
ID=38889839
Family Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/CN2008/070314 Ceased WO2008131658A1 (fr) | 2007-04-25 | 2008-02-15 | Method and device for DHCP snooping |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN100563149C (fr) |
| WO (1) | WO2008131658A1 (fr) |
-
2007
- 2007-04-25 CN CNB2007100277071A patent/CN100563149C/zh not_active Expired - Fee Related
-
2008
- 2008-02-15 WO PCT/CN2008/070314 patent/WO2008131658A1/fr not_active Ceased
Also Published As
| Publication number | Publication date |
|---|---|
| CN100563149C (zh) | 2009-11-25 |
| CN101039176A (zh) | 2007-09-19 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 08706687; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 08706687; Country of ref document: EP; Kind code of ref document: A1 |