CN102299906A - Method for preventing spoofed message attack as well as upstream device and downstream device suitable for same - Google Patents


Info

Publication number
CN102299906A
Authority
CN
China
Prior art keywords
message
security information
special packet
upstream equipment
module
Legal status
Granted
Application number
CN2010102195951A
Other languages
Chinese (zh)
Other versions
CN102299906B (en)
Inventor
王芳
Current Assignee
New H3C Technologies Co Ltd
Original Assignee
Hangzhou H3C Technologies Co Ltd
Legal events
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201010219595.1A
Publication of CN102299906A
Application granted
Publication of CN102299906B
Current legal status: Expired - Fee Related
Anticipated expiration

Abstract

The invention provides a method for preventing spoofed message attacks, used in a system comprising a downstream device and an upstream device, wherein the downstream device creates and sends a special message to the upstream device, and the special message can make the upstream device perform a table entry deletion operation. The method comprises the following steps: the upstream device judges whether the received special message carries security information; if it does, the upstream device performs security authentication on the special message; if the special message passes security authentication, the upstream device performs the table entry deletion operation; if it does not pass security authentication, the upstream device discards the special message. The method achieves security control over the message through preset fields in the message and a judging method, thereby improving the stability of the upstream device.

Description

Method for preventing spoofed message attacks, and upstream device and downstream device suitable for it
Technical field
The present invention relates to a method for preventing network attacks, and specifically to a method for preventing spoofed message attacks in which an illegal message makes a device perform a table entry deletion operation, together with an upstream device and a downstream device suitable for the method.
Background art
A Smart Link group has four state machines: the port information machine (PIM) of each port, the timer state machine (TMR) of each port, the port state selection machine (PSS) of each Smart Link group, and the port state transition machine (PST) of each port. When the PIM receives an event that requires a response, then in preemption mode it triggers the TMR state machine to start counting down, which implements the preemption delay; when the timer expires, the TMR calls the PSS state machine to recompute the state of the ports in the group. Otherwise the PSS state machine is called directly to recompute the state of the ports in the group. If the Smart Link state of a port has changed, the PST state machine is called to modify the state and deliver it to the hardware. The filling and triggering of the Flush message is done by the PSS state machine. The transitions between the state machines when a port state or link state changes are shown in Fig. 1.
In the prior art, the Flush message notifies devices to update their table entries. The Flush message currently uses IEEE 802.3 encapsulation and contains the fields Destination MAC, Source MAC, Control VLAN ID, VLAN Bitmap, Auth-mode and Password, where: Destination MAC is an unknown multicast address; Source MAC is the bridge MAC address of the device sending the Flush message; Control VLAN ID is the ID of the sending control VLAN; VLAN Bitmap is a VLAN bitmap carrying the list of VLANs whose address tables need to be refreshed; Auth-mode and Password are currently unused.
Specifically, as shown in Fig. 2, in the case where the upstream devices Switch B 202, Switch C 203 and Switch D 204 can all recognize the Flush message, the Smart Link group works as follows: port GigabitEthernet1/0/1 (GE1/0/1) of Switch A 201 is the master port and port GigabitEthernet1/0/2 (GE1/0/2) is the secondary port. When both uplinks are normal, the master port is in the forwarding state and its link is the active link; the secondary port is in the standby state and its link is the backup link. Data sent by host 205 is forwarded along the link drawn as a solid line, there is no loop in the network, and broadcast storms are avoided.
When a link switchover occurs in the Smart Link group, the original forwarding entries no longer fit the new topology, and the MAC address forwarding entries and ARP entries of the whole network must be updated. Smart Link notifies the other devices to refresh their entries by means of the Flush message.
When the active link of Switch A 201 fails, master port GigabitEthernet1/0/1 switches to the standby state and secondary port GigabitEthernet1/0/2 switches to the forwarding state. At this moment the MAC address forwarding entries and ARP entries on every device in the network are wrong, so a MAC and ARP update mechanism is needed to complete a fast switchover of traffic and avoid traffic loss.
To achieve fast link switchover, the Flush message sending function must be enabled on Switch A 201, and the function of receiving and processing Flush messages must be enabled on all upstream-device ports on the two uplink paths. Specifically, the Flush message is sent and received as follows: after a link switchover occurs on Switch A 201, it sends the Flush message from the new active link (the link drawn as a dotted line, formerly the backup link), that is, from port GigabitEthernet1/0/2. The VLAN Bitmap field of the Flush message is filled with the protected VLAN IDs of the Smart Link group to which port GigabitEthernet1/0/1, the port that was in the forwarding state before the switchover, belongs, and the Control VLAN ID field is filled with the sending control VLAN ID configured for the Smart Link group. When an upstream device receives the Flush message, it checks whether the sending control VLAN of the Flush message is in the receive control VLAN list configured on the port that received the message. If it is not in the receive control VLAN list, the device does not process the Flush message but forwards it directly; if it is in the receive control VLAN list, the device extracts the VLAN Bitmap data from the Flush message and deletes the MAC and ARP entries it has learnt in those VLANs.
After the Flush message has been sent and received as described above, if Switch D 204 receives a data message whose destination device is Switch A 201, then for messages that need Layer 2 forwarding (data link layer forwarding) Switch D 204 forwards them by Layer 2 broadcast; for messages that need Layer 3 forwarding (network layer forwarding), the device first updates its ARP entries by ARP probing and then forwards the message. In this way the data traffic is sent correctly.
It follows from the Smart Link working mechanism above that, for messages needing Layer 3 forwarding, when an upstream device receives a Flush message whose sending control VLAN is in the receive control VLAN list configured on the receiving port, the device extracts the VLAN Bitmap data from the Flush message and deletes the MAC and ARP entries it has learnt in those VLANs. If an attacker impersonates a device and sends a forged Flush message, the upstream device processes the forged Flush message, so that ARP and MAC address entries are cleared unnecessarily, which in turn affects the stability of traffic forwarding and of the Smart Link group links.
Similarly, besides the Smart Link group technique, other techniques on current network devices also delete entries on receipt of a particular message: for example the RELEASE message in DHCP, on receipt of which the server removes the lease entry, or the leave message in multicast, on receipt of which the server deletes the multicast entry. A spoofed message that makes a device delete entries can therefore do very serious harm.
Summary of the invention
In view of this, the main purpose of the present invention is to address the problem that network devices in the prior art may suffer spoofed message attacks, by providing a method for preventing forged spoofed message attacks.
Further, the invention provides an upstream device and a downstream device suitable for the above method for preventing forged spoofed message attacks.
To achieve the above purpose, the technical scheme provided by the invention is as follows:
A method for preventing spoofed message attacks, used in a system comprising a downstream device and an upstream device, wherein the downstream device creates and sends a special message to the upstream device, and the special message can make the upstream device perform a table entry deletion operation; the method comprises the following steps: the upstream device judges whether the special message it receives carries security information; if so, the upstream device performs security authentication on the special message; if the special message passes security authentication, the upstream device performs the table entry deletion operation; if it does not pass security authentication, the upstream device discards the special message.
In the above technical scheme, after the upstream device judges that the special message carries security information and before the upstream device performs security authentication on the special message, the method further comprises: the upstream device judges whether the special message is a security information transmission message or a notice message;
The upstream device performs security authentication on the special message and, according to the result of the security authentication, either performs the table entry deletion operation or discards the special message, specifically as follows:
If the special message is the security information transmission message, the upstream device performs security authentication on the security information transmission message; if authentication succeeds, the upstream device saves the security information carried in the security information transmission message for use in the security authentication of subsequent special messages; otherwise the upstream device discards the message;
If the special message is the notice message, the upstream device performs security authentication on the notice message; if authentication succeeds, the upstream device performs the table entry deletion operation; otherwise the upstream device discards the message.
In the above technical scheme, the special message comprises a first field and a second field; the value contained in the first field can distinguish whether the special message carries security information and, where it does, whether the special message is a security information transmission message or a notice message carrying security information; the second field contains the security information; the method specifically comprises the following steps:
Step A: the upstream device extracts the value contained in the first field of the special message;
Step B: the upstream device judges, according to the value contained in the first field, whether the special message carries security information; if not, it discards the special message, and if so, it proceeds to step C;
Step C: the upstream device judges, according to the value contained in the first field, whether the special message is the security information transmission message or the notice message; if it is the security information transmission message it proceeds to step D, and if it is the notice message it proceeds to step E;
Step D: the upstream device extracts the security information from the second field and searches for locally stored security information: if the search succeeds, it compares the security information extracted in this step with the locally stored security information, and if they are consistent it saves the security information extracted in this step, whereas if they are inconsistent it discards the special message; if the search fails, it stores the security information extracted in this step locally;
Step E: the upstream device extracts the security information from the second field and compares the security information extracted in this step with the locally stored security information; if they are consistent, the upstream device performs the table entry deletion operation; otherwise the upstream device discards the message.
An upstream device, which can receive a special message sent by a downstream device, the special message being able to make the upstream device perform a table entry deletion operation; the upstream device comprises a judging module and an authentication module: the judging module, connected to the authentication module, is used to judge whether the special message carries security information; the authentication module, connected to the judging module, is used to perform security authentication on the security information if the special message carries security information; after this security authentication passes, the upstream device performs the table entry deletion operation.
In the above technical scheme, the upstream device further comprises a storage module connected to the authentication module;
The judging module is further used to judge whether the special message is a security information transmission message or a notice message;
The authentication module is further used to: if the special message is the security information transmission message, perform security authentication on the security information transmission message; if the special message is the notice message, perform security authentication on the notice message, and if authentication succeeds the upstream device performs the table entry deletion operation, otherwise the upstream device discards the message;
The storage module is used to: if the security information transmission message is successfully authenticated by the authentication module, save the security information carried in the security information transmission message for use by the authentication module in the security authentication of subsequent special messages; otherwise the upstream device discards the message.
In the above technical scheme, the special message comprises a first field and a second field; the value contained in the first field can distinguish whether the special message carries security information and, where it does, whether the special message is a security information transmission message or a notice message carrying security information; the second field contains the security information;
The upstream device further comprises an extraction module and a search module; the extraction module is connected to the judging module and to the authentication module and is used to extract the value contained in the first field of the special message and the security information contained in the second field; the search module is connected to the storage module and to the authentication module and is used to search for the security information already stored in the storage module;
The judging module is further used to judge, according to the value contained in the first field, whether the special message carries security information; if not, the special message is discarded, and if so, the judging module judges, according to the value contained in the first field, whether the special message is the security information transmission message or the notice message;
The authentication module is further used to:
If the special message is the security information transmission message: if the search module finds the security information in the storage module, the authentication module compares the security information extracted by the extraction module with the security information stored in the storage module; if they are consistent, the storage module saves the security information extracted by the extraction module, and if they are inconsistent, the upstream device discards the message; if the search module cannot find the security information in the storage module, the storage module saves the security information extracted by the extraction module;
If the special message is the notice message: if the search module finds the security information in the storage module, the authentication module compares the security information extracted by the extraction module with the security information stored in the storage module; if they are consistent, the upstream device performs the table entry deletion operation, and if they are inconsistent, the upstream device discards the message; if the search module cannot find the security information in the storage module, the upstream device discards the message.
A downstream device, which can send a special message to an upstream device, the special message being able to make the upstream device perform a table entry deletion operation; the downstream device comprises:
a message creation module, connected to the message sending module, used to create the special message carrying security authentication;
a message sending module, connected to the message creation module, used to send the special message carrying security authentication.
In the above technical scheme, the special message is the Flush message in a Smart Link group, or the RELEASE message in the Dynamic Host Configuration Protocol, or the leave message in multicast; the upstream device is the upstream switch in a Smart Link group, or the server in the Dynamic Host Configuration Protocol, or the server in multicast.
The method for preventing spoofed message attacks of the present invention, and the upstream device and downstream device suitable for it, have the following beneficial effects:
The method for preventing spoofed message attacks of the present invention achieves security control over the message through the setting of preset fields in the message and of the judging method, thereby improving the stability of the upstream device.
When applied in a Smart Link group, the method for preventing spoofed message attacks of the present invention can prevent forged Flush message attacks; specifically, it uses the definition of and the judgement on the Auth-mode and Password fields of the Flush message to transmit security information between devices, and it is simple to operate and highly compatible.
When applied in a Smart Link group, the method for preventing spoofed message attacks of the present invention also extends the function of the existing Flush message: specifically, a device can send the Flush message at link switchover to instruct the upstream switch to update its MAC and ARP entries, and while the link is stable it can send the Flush message periodically to transmit security authentication information.
Description of drawings
Fig. 1 is a relationship diagram of the state machines in a Smart Link group;
Fig. 2 is a device connection diagram of a Smart Link group;
Fig. 3a is a flow diagram of the central inventive idea of the method for preventing spoofed message attacks of the present invention;
Fig. 3b is a flow diagram of the method for preventing spoofed message attacks of the present invention after step 311 is added;
Fig. 3c is a flow diagram of the method for preventing spoofed message attacks of the present invention handling the Flush message in a Smart Link group;
Figs. 4a and 4b are each a structural diagram of an upstream device of the present invention;
Fig. 4c is a structural diagram of an upstream switch of the present invention applied in a Smart Link group and suitable for the method for preventing spoofed message attacks of the present invention;
Fig. 5 is a structural diagram of a downstream switch of the present invention applied in a Smart Link group and suitable for the method for preventing spoofed message attacks of the present invention;
The reference numerals therein denote:
201 - Switch A; 202 - Switch B; 203 - Switch C; 204 - Switch D; 205 - host;
400 - upstream device; 401 - upstream switch in the Smart Link group; 402 - judging module; 403 - authentication module; 404 - storage module; 405 - extraction module; 406 - search module;
501 - downstream switch in the Smart Link group; 502 - message creation module; 503 - message sending module.
Embodiments
The central design of the method for preventing spoofed message attacks of the present invention is: in a system formed by upstream and downstream devices, when the upstream device receives a special message sent by the downstream device that can make the upstream device perform a table entry deletion operation, the method comprises the following steps:
Step 310: the upstream device judges whether the special message it receives carries security information;
Step 320: if the judgement in step 310 is yes, the upstream device performs security authentication on the special message;
Step 330: if the security authentication in step 320 passes, the upstream device performs the table entry deletion operation;
Step 340: if the security authentication in step 320 fails, the upstream device discards the special message.
The method thus achieves security control over the message and thereby improves the stability of the upstream device.
Further, after the upstream device judges that the special message carries security information and before it performs security authentication on the special message, the method further comprises:
Step 311: the upstream device judges whether the special message is a security information transmission message or a notice message;
On the basis of step 311, steps 320 to 340 above are replaced specifically by:
Step 312: if the special message is the security information transmission message, the upstream device performs security authentication on the security information transmission message; if authentication succeeds, the upstream device saves the security information carried in the security information transmission message for use in the security authentication of subsequent special messages; otherwise the upstream device discards the message; and
Step 313: if the special message is the notice message, the upstream device performs security authentication on the notice message; if authentication succeeds, the upstream device performs the table entry deletion operation; otherwise the upstream device discards the message.
This improved scheme of the method for preventing spoofed message attacks of the present invention judges whether the special message is a security information transmission message or a notice message and then handles the message accordingly with step 312 or step 313, so that the upstream device can process the special message more clearly, which benefits the stability of the upstream device.
The central design of the upstream device of the present invention is: a judging module and an authentication module cooperate to authenticate the special message received by the upstream device, so as to avoid an attack on the upstream device by that special message.
Specifically, as shown in Fig. 4a, the upstream device comprises a judging module and an authentication module: the judging module, connected to the authentication module, is used to judge whether the special message carries security information; the authentication module, connected to the judging module, is used to perform security authentication on the security information if the special message carries security information; after this security authentication passes, the upstream device performs the table entry deletion operation.
Further, as shown in Fig. 4b, the upstream device of the present invention may also include a storage module connected to the authentication module. In the upstream device of this case:
The judging module is further used to judge whether the special message is a security information transmission message or a notice message;
The authentication module is further used to: if the special message is the security information transmission message, perform security authentication on the security information transmission message; if the special message is the notice message, perform security authentication on the notice message, and if authentication succeeds the upstream device performs the table entry deletion operation, otherwise the upstream device discards the message;
The storage module is used to: if the security information transmission message is successfully authenticated by the authentication module, save the security information carried in the security information transmission message for use by the authentication module in the security authentication of subsequent special messages; otherwise the upstream device discards the message.
To make the purpose, technical scheme and advantages of the present invention clearer, the present invention is described in more detail below with reference to the drawings and embodiments.
Embodiment 1
Taking the Smart Link group system shown in Fig. 2 as an example, the method of the present invention is described in detail below with reference to Fig. 3c, using the Smart Link group and the Flush message. In a Smart Link group, referring to Fig. 2, a device sends the Flush message at link switchover to instruct the upstream device Switch D 204 to update its MAC and ARP entries. While the link is stable, the device sends the Flush message periodically to transmit security authentication information. In a Smart Link group, the method for preventing spoofed message attacks of the present invention uses the Auth-mode and Password fields to transmit the security information.
Specifically, for the Auth-mode field: the protocol defines Auth-mode as 1 byte long with the possible values 0, 1 and 2. A value of 0 indicates a Smart Link group without security authentication. A value of 1 indicates that the function of this Flush message is to transmit security information rather than to notify the device to clear entries, and the password information must be inserted in the Password field at the same time. A value of 2 indicates that the function of this Flush message is to notify the device to clear its MAC and ARP entries.
For the Password field: when creating the Smart Link group, the user can set a password manually. The Password field is 16 bytes long; the first 8 bytes represent the new password and the last 8 bytes represent the old password. After the initial setting of the Smart Link group password, the Auth-mode field of the Flush message has the value 1, the first 8 bytes of the Password field contain the initially set new password, and the last 8 bytes have the value 0. When the user changes the password, the first 8 bytes of the Password field of the Flush message are filled with the new password and the last 8 bytes with the old password.
The specific meanings of the Auth-mode and Password fields described above are given in Table 1.
Table 1
Auth-mode | Password | Meaning
0 | 0 | Message without security authentication
1 | password information | Security information transmission message with security authentication, used to transmit security information
2 | password information | Notice message with security authentication, used to notify the device to clear its MAC and ARP entries
other values | other values | Spoofed message, to be discarded
When an upstream switch receives a Flush message, it carries out the decision process of the following steps 301-307 (see Fig. 3c):
Step 301: the upstream switch extracts the value contained in the Auth-mode field;
Step 302: the upstream switch judges from the value of the Auth-mode field whether the Flush message carries security information; if not, it goes to step 307; if so, it goes to step 303;
Step 303: the upstream switch judges whether the Flush message is a security-information transfer message or a notification message; for a security-information transfer message it goes to step 304, for a notification message it goes to step 305;
Step 304: the upstream switch extracts the security information carried in the Password field and looks up the security information stored locally. If the lookup succeeds, it compares the security information extracted in this step with the locally stored security information; if the comparison result is consistent it saves the security information extracted in this step, and if inconsistent it discards the Flush message. If the lookup fails, it stores the security information extracted in this step locally;
Step 305: the upstream switch extracts the security information carried in the Password field and compares it with the locally stored security information; if the comparison result is consistent it goes to step 306, if inconsistent it goes to step 307;
Step 306: the upstream switch clears its MAC and ARP entries and floods the message;
Step 307: the upstream switch discards the Flush message.
The different situations are described separately below:
1) When the upstream switch is in its initial state, the user creates the flexible link group and specifies a master port and a slave port. The master port is in the forwarding state and the slave port is in the standby state. The downstream device periodically sends a Flush message with the Auth-mode field set to 1 and the Password field set to the password.
The upstream switch receives the Flush message and carries out the following decision steps:
Step 301: the upstream switch extracts the value contained in the Auth-mode field; the value is 1;
Step 302: the upstream switch judges that this Flush message carries security information and goes to step 303;
Step 303: the upstream switch judges that this Flush message is a security-information transfer message and goes to step 304;
Step 304: it extracts the security information carried in the Password field and looks up the security information stored locally. If the lookup succeeds, it compares the security information extracted in this step with the locally stored security information; if the comparison result is consistent it saves the security information extracted in this step, and if inconsistent it discards the Flush message. If the lookup fails, it stores the security information extracted in this step locally.
2) When the master port fails, or the upstream switch detects a primary-link fault through CFD linkage, the downstream switch sends a Flush message from the slave port with the Auth-mode field set to 2 and the Password field set to the password.
After receiving this Flush message, the upstream switch makes the following decisions:
Step 301: the value of the Auth-mode field is extracted; it is 2;
Step 302: the upstream switch judges that this Flush message carries security information and goes to step 303;
Step 303: the upstream switch judges that this Flush message is a notification message and goes to step 305;
Step 305: the upstream switch extracts the security information in the Password field and compares it with the locally stored security information; if the comparison result is consistent it goes to step 306, if inconsistent it goes to step 307;
Step 306: the upstream switch clears its MAC and ARP entries and floods the message;
Step 307: the Flush message is discarded.
The "flooding" in step 306 means that the upstream switch propagates the Flush message to the other upstream switches according to the flooding mechanism of Flush messages, until the Flush message has reached all upstream switches. As a result, the slave port ends up in the forwarding state and the master port in the blocked state.
Below, the concrete decision process that an upstream switch applies to Flush messages is explained once more with the upstream and downstream switches of the Smart Link flexible link group in Fig. 2, to illustrate the method of this embodiment.
When the downstream switch Switch A 201 is in the stable state, GE1/0/1 is the master port and is in the forwarding state; it periodically sends a Flush message with the Auth-mode field set to 1 and the Password field set to the security information configured by the user. Through flooding by each device in turn, all devices on the master and slave links receive this security information. When the primary link fails, GE1/0/2 sends a Flush message with the Auth-mode field set to 2 and the Password field set to the security information. The upstream switch Switch C 203, located upstream of the downstream switch Switch A 201, receives this message and determines that it is a notification message. It first extracts the password from the message and compares it with the locally saved one: if they are inconsistent, the message is discarded and the Flush message is not flooded; if they are consistent, the local MAC address forwarding entries and ARP entries are cleared and the Flush message is flooded, until it has reached all upstream switches. Finally GE1/0/2 is in the forwarding state and GE1/0/1 is in the blocked state.
This embodiment extends the role of the Flush message by using the still unused Auth-mode and Password fields of the Flush message to implement a control mechanism in the flexible link group, which prevents an attacker from attacking devices by sending spoofed Flush messages and improves the stability and reliability of the devices.
When the method of the invention for preventing spoofed message attacks is applied in a flexible link group, the role of the Flush message is extended: a device can send a Flush message during link switchover to instruct upstream switches to update their MAC and ARP entries, and when the link is stable the device periodically sends Flush messages that carry the security authentication information.
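The decision process of steps 301-307 and the Fig. 2 walk-through above, as an added Python example that is not code from the patent or from H3C. It assumes a wire layout of a 1-byte Auth-mode immediately followed by the 16-byte Password field (the real Flush PDU has further fields that are not modelled); that a security-information transfer message is "consistent" with the stored password when its first 8 bytes repeat it or its last 8 bytes equal it (the password-change case); that a notification message carries the current password in the first 8 bytes; that accepted security-information messages are also flooded upstream (as the Fig. 2 description implies); and an acyclic chain Switch C 203 -> Switch D 204. The MAC/ARP entries and passwords are constructed sample values.

```python
"""Added example: upstream-switch processing of Smart Link Flush messages (steps 301-307)."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional

# Auth-mode values from Table 1 of the patent.
AUTH_NONE, AUTH_SECINFO, AUTH_NOTIFY = 0, 1, 2
PASSWORD_LEN = 16          # first 8 bytes: new password, last 8 bytes: old password


class Action(IntEnum):
    DISCARD = 0            # step 307
    STORED = 1             # step 304: security information saved locally
    FLUSHED = 2            # step 306: MAC/ARP entries cleared and message flooded


@dataclass
class FlushMessage:
    auth_mode: int
    new_password: bytes    # first 8 bytes of the Password field
    old_password: bytes    # last 8 bytes of the Password field


def encode_flush(auth_mode: int, new_password: bytes, old_password: bytes = b"") -> bytes:
    """Assumed wire layout (not the real Flush PDU): 1-byte Auth-mode, then the 16-byte Password field."""
    pw = new_password.ljust(8, b"\0")[:8] + old_password.ljust(8, b"\0")[:8]
    return bytes([auth_mode & 0xFF]) + pw


def decode_flush(raw: bytes) -> FlushMessage:
    """Step 301: extract the Auth-mode value and the two halves of the Password field."""
    if len(raw) < 1 + PASSWORD_LEN:
        raise ValueError("truncated Flush message")
    return FlushMessage(raw[0], raw[1:9], raw[9:17])


@dataclass
class UpstreamSwitch:
    name: str
    upstream_neighbours: List["UpstreamSwitch"] = field(default_factory=list)
    password: Optional[bytes] = None                    # storage module: locally stored security information
    mac_table: Dict[str, str] = field(default_factory=dict)
    arp_table: Dict[str, str] = field(default_factory=dict)

    def handle_flush(self, raw: bytes) -> Action:
        msg = decode_flush(raw)                          # step 301
        if msg.auth_mode == AUTH_SECINFO:                # steps 302-303: security info, transfer message
            return self._security_info(msg, raw)         # step 304
        if msg.auth_mode == AUTH_NOTIFY:                 # steps 302-303: security info, notification
            return self._notify(msg, raw)                # step 305
        return Action.DISCARD                            # step 307: value 0 or any other value

    def _security_info(self, msg: FlushMessage, raw: bytes) -> Action:
        if self.password is None:                        # lookup fails: store what was received
            self.password = msg.new_password
        # Lookup succeeds: compare. Assumption: the message is consistent with the stored
        # password if it repeats it (new == stored) or rotates away from it (old == stored).
        elif msg.new_password == self.password or msg.old_password == self.password:
            self.password = msg.new_password             # save the extracted security information
        else:
            return Action.DISCARD
        self._flood(raw)                                 # assumption from the Fig. 2 description:
        return Action.STORED                             # accepted security info is passed upstream

    def _notify(self, msg: FlushMessage, raw: bytes) -> Action:
        # Assumption: a notification message carries the current password in the first 8 bytes.
        if self.password is None or msg.new_password != self.password:
            return Action.DISCARD                        # unknown or mismatching password: not flooded
        self.mac_table.clear()                           # step 306: clear MAC and ARP entries ...
        self.arp_table.clear()
        self._flood(raw)                                 # ... and flood the message
        return Action.FLUSHED

    def _flood(self, raw: bytes) -> None:
        for nb in self.upstream_neighbours:              # assumption: acyclic chain, so no loop guard
            nb.handle_flush(raw)


def demo() -> Dict[str, int]:
    """Constructed scenario after Fig. 2: Switch A (downstream) -> Switch C 203 -> Switch D 204."""
    d = UpstreamSwitch("Switch D 204")
    c = UpstreamSwitch("Switch C 203", upstream_neighbours=[d])
    for sw in (c, d):                                    # constructed sample entries
        sw.mac_table["00:11:22:33:44:55"] = "GE1/0/1"
        sw.arp_table["10.0.0.2"] = "00:11:22:33:44:55"
    pw = b"init-pw"
    r: Dict[str, int] = {}
    r["periodic"] = c.handle_flush(encode_flush(AUTH_SECINFO, pw))            # stored on C, then D
    r["spoofed"] = c.handle_flush(encode_flush(AUTH_NOTIFY, b"guess"))        # wrong password: discarded
    r["entries_after_spoof"] = len(c.mac_table) + len(d.mac_table)            # still 2
    r["rotate"] = c.handle_flush(encode_flush(AUTH_SECINFO, b"new-pw", pw))   # new|old accepted
    r["stale_notify"] = c.handle_flush(encode_flush(AUTH_NOTIFY, pw))         # old password: discarded
    r["failover"] = c.handle_flush(encode_flush(AUTH_NOTIFY, b"new-pw"))      # flushed and flooded
    r["entries_after_flush"] = len(c.mac_table) + len(d.mac_table)            # 0
    r["no_auth"] = c.handle_flush(encode_flush(AUTH_NONE, b""))               # Auth-mode 0: discarded
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two properties of the scheme are visible in the demo: a notification message whose password does not match is dropped by the first upstream switch and therefore never floods further, and a switch that has not yet stored any security information discards every notification message. The flip side, which a deployer should keep in mind, is step 304's lookup-fails branch: whatever password the first accepted security-information message carries becomes the reference, so the password should be configured before the group is placed on a link where untrusted devices can inject frames.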
Embodiment 2
Fig. 4c shows an upstream switch 401 in a flexible link group that is suitable for the method of the invention for preventing spoofed message attacks. The upstream switch 401 can receive Flush messages, clear its MAC and ARP entries, and flood the message.
In this embodiment, the upstream switch 401 in the flexible link group comprises a judging module 402, an authentication module 403, a storage module 404, an extraction module 405 and a lookup module 406.
The judging module 402 is connected to the authentication module 403 and is used to judge whether the special packet carries security information.
The authentication module 403 is connected to the judging module 402; if the special packet carries security information, the authentication module 403 performs security authentication on the security information. After the security authentication passes, the upstream device carries out the entry deletion operation.
The storage module 404 is used to store security information.
The extraction module 405 is connected to the judging module 402 and the authentication module 403 respectively, and is used to extract the value contained in the Auth-mode field of the Flush message and the security information contained in the Password field.
The lookup module 406 is connected to the storage module 404 and the authentication module 403 respectively, and is used to look up the security information already stored in the storage module 404.
Specifically:
The Flush message comprises an Auth-mode field and a Password field. The value contained in the Auth-mode field distinguishes whether the Flush message carries security information and, when it does, whether the Flush message is a security-information transfer message or a notification message carrying security information. The Password field contains the security information.
The judging module 402 judges from the value contained in the Auth-mode field whether the Flush message carries security information; if not, the Flush message is discarded; if so, the judging module 402 judges from the value of the Auth-mode field whether the Flush message is the security-information transfer message or the notification message;
For the authentication module 403:
If the Flush message is a security-information transfer message: if the lookup module 406 finds security information in the storage module 404, the authentication module 403 compares the security information extracted by the extraction module 405 with the security information stored in the storage module 404; if the comparison result is consistent, the storage module 404 saves the security information extracted by the extraction module 405, and if inconsistent, the upstream switch discards the message. If the lookup module 406 finds no security information in the storage module 404, the storage module 404 saves the security information extracted by the extraction module 405;
If the Flush message is a notification message: if the lookup module 406 finds security information in the storage module 404, the authentication module 403 compares the security information extracted by the extraction module 405 with the security information stored in the storage module 404; if the comparison result is consistent, the upstream switch carries out the entry deletion operation, and if inconsistent, the upstream switch discards the message. If the lookup module 406 finds no security information in the storage module 404, the upstream switch discards the message.
The storage module 404 is used as follows: if the security-information transfer message is authenticated successfully by the authentication module 403, the storage module 404 saves the security information carried in the security-information transfer message for the authentication module 403 to use when performing security authentication on later Flush messages; otherwise the upstream switch discards the message.
The upstream device of the invention can prevent attacks with forged Flush messages and can work stably and reliably.
Embodiment 3
Fig. 5 shows a downstream switch 501 in a flexible link group that is suitable for the method of the invention for preventing spoofed message attacks. The downstream switch 501 in the flexible link group sends to the upstream switch a Flush message containing an Auth-mode field and a Password field; the Flush message can make the upstream switch carry out the deletion and update of MAC and ARP entries. The downstream switch comprises a message creation module 502 and a message sending module 503, connected to each other. The message creation module 502 is used to create the Flush message carrying security authentication. The message sending module 503 is used to send the Flush message carrying security authentication.
The way the upstream switch processes the Flush message after receiving it is the same as in Embodiment 2 and is not repeated here.
On current network equipment, besides the flexible link group technique, other techniques also delete entries on receipt of a certain message, for example the RELEASE message in the Dynamic Host Configuration Protocol (DHCP), on receipt of which the server removes the lease entry, or the leave message in multicast, on receipt of which the server deletes the multicast entry. Therefore, in other embodiments the approach of the embodiments above can also be used to apply security control to special packets such as RELEASE messages or leave messages, thereby improving device stability. Specifically, where in the example above a message judged to be a notification message leads to clearing the MAC and ARP entries and flooding, in other embodiments the corresponding steps and processing are: a packet judged to be legitimate and safe may trigger the entry deletion operation, and the entry deletion operation is then carried out. This is not repeated here.
The above are only preferred embodiments of the invention and are not intended to limit it; any modification, equivalent replacement, improvement and so on made within the spirit and principles of the invention shall be included within the scope of protection of the invention.
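The downstream side of Embodiment 3 (message creation module and message sending module), as an added Python example that is not code from the patent or from H3C. It assumes the same wire layout as above (1-byte Auth-mode followed by the 16-byte Password field, zero-padded; the real Flush PDU has further fields that are not modelled), that a notification message carries the current password in the first 8 bytes, and that after a password change the old password keeps being announced in the last 8 bytes until the next change. Port names and passwords are constructed sample values.

```python
"""Added example: the downstream Smart Link switch of Embodiment 3 (message creation and sending)."""
from dataclasses import dataclass, field
from typing import List, Tuple

AUTH_SECINFO, AUTH_NOTIFY = 1, 2      # Auth-mode values 1 and 2 from Table 1


def encode_flush(auth_mode: int, new_password: bytes, old_password: bytes = b"") -> bytes:
    """Assumed wire layout (not the real Flush PDU): 1-byte Auth-mode, then the 16-byte Password
    field with 8 bytes new password and 8 bytes old password, zero-padded."""
    pw = new_password.ljust(8, b"\0")[:8] + old_password.ljust(8, b"\0")[:8]
    return bytes([auth_mode & 0xFF]) + pw


@dataclass
class DownstreamSwitch:
    master_port: str
    slave_port: str
    password: bytes                        # set by the user when the flexible link group is created
    previous_password: bytes = b""         # old password announced after a change (0 initially)
    forwarding_port: str = field(init=False)
    sent: List[Tuple[str, bytes]] = field(default_factory=list)   # message sending module: (port, frame)

    def __post_init__(self) -> None:
        self.forwarding_port = self.master_port          # master forwards, slave stands by

    def periodic_flush(self) -> bytes:
        """Message creation module, stable link: Auth-mode 1 with new|old password."""
        frame = encode_flush(AUTH_SECINFO, self.password, self.previous_password)
        self.sent.append((self.forwarding_port, frame))
        return frame

    def change_password(self, new_password: bytes) -> bytes:
        """User changes the password: the next message carries the new password in the first
        8 bytes and the old one in the last 8. Assumption: the old password keeps being
        announced until the next change."""
        self.previous_password, self.password = self.password, new_password
        return self.periodic_flush()

    def link_failure(self, failed_port: str) -> bytes:
        """Primary link down (detected locally or via CFD): switch over to the other port and
        send the notification message (Auth-mode 2) from it."""
        if failed_port != self.forwarding_port:
            raise ValueError("only the forwarding port can fail over")
        self.forwarding_port = self.slave_port if failed_port == self.master_port else self.master_port
        frame = encode_flush(AUTH_NOTIFY, self.password)  # assumption: current password in first 8 bytes
        self.sent.append((self.forwarding_port, frame))
        return frame


if __name__ == "__main__":
    sw = DownstreamSwitch("GE1/0/1", "GE1/0/2", b"init-pw")   # constructed sample values
    sw.periodic_flush()
    sw.change_password(b"new-pw")
    sw.link_failure("GE1/0/1")
    for port, frame in sw.sent:
        print(port, frame.hex())
```

The `sent` list records which port each frame leaves on, so the switchover in `link_failure` (slave port GE1/0/2 becomes the forwarding port and the notification message is sent from it) can be checked directly, matching the Fig. 2 description where GE1/0/2 ends up forwarding and GE1/0/1 blocked.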

Claims (9)

1. A method for preventing spoofed message attacks, used in a system comprising a downstream device and an upstream device, wherein the downstream device creates and sends to the upstream device a special packet that can make the upstream device carry out an entry deletion operation, characterized in that the method comprises the following steps:
the upstream device judges whether the special packet it receives carries security information; if so, the upstream device performs security authentication on the special packet; if the special packet passes the security authentication, the upstream device carries out the entry deletion operation, and if it does not pass the security authentication, the upstream device discards the special packet.
2. The method according to claim 1, characterized in that, after the upstream device judges that the special packet carries security information and before the upstream device performs security authentication on the special packet, the method further comprises: the upstream device judges whether the special packet is a security-information transfer message or a notification message;
and the specific way in which the upstream device performs security authentication on the special packet and, according to the result of the security authentication, carries out the entry deletion operation or discards the special packet is:
if it is a security-information transfer message, the upstream device performs security authentication on the security-information transfer message; if authentication succeeds, the upstream device saves the security information carried in the security-information transfer message for use when the upstream device performs security authentication on later special packets; otherwise the upstream device discards the message;
if it is a notification message, the upstream device performs security authentication on the notification message; if authentication succeeds, the upstream device carries out the entry deletion operation; otherwise the upstream device discards the message.
3. The method according to claim 2, characterized in that the special packet comprises a first field and a second field; the value contained in the first field distinguishes whether the special packet carries security information and, when it does, whether the special packet is a security-information transfer message or a notification message carrying security information; the second field contains the security information; and the method specifically comprises the following steps:
step A: the upstream device extracts the value contained in the first field of the special packet;
step B: the upstream device judges from the value contained in the first field whether the special packet carries security information; if not, it discards the special packet; if so, it goes to step C;
step C: the upstream device judges from the value contained in the first field whether the special packet is the security-information transfer message or the notification message; for the security-information transfer message it goes to step D, for the notification message it goes to step E;
step D: the upstream device extracts the security information in the second field and looks up the security information stored locally. If the lookup succeeds, it compares the security information extracted in this step with the locally stored security information; if the comparison result is consistent it saves the security information extracted in this step, and if inconsistent it discards the special packet. If the lookup fails, it stores the security information extracted in this step locally;
step E: the upstream device extracts the security information in the second field and compares it with the locally stored security information; if the comparison result is consistent, the upstream device carries out the entry deletion operation; otherwise the upstream device discards the message.
4. The method according to any one of claims 1 to 3, characterized in that:
the special packet is a Flush message in a flexible link group, a RELEASE message in the Dynamic Host Configuration Protocol, or a leave message in multicast;
the upstream device is an upstream switch in the flexible link group, a server in the Dynamic Host Configuration Protocol, or a server in multicast.
5. An upstream device that can receive a special packet sent by a downstream device, the special packet being able to make the upstream device carry out an entry deletion operation, characterized in that the upstream device comprises a judging module and an authentication module:
the judging module is connected to the authentication module and is used to judge whether the special packet carries security information;
the authentication module is connected to the judging module; if the special packet carries security information, the authentication module performs security authentication on the security information; after the security authentication passes, the upstream device carries out the entry deletion operation.
6. The upstream device according to claim 5, characterized in that the upstream device further comprises a storage module connected to the authentication module;
the judging module is further used to judge whether the special packet is a security-information transfer message or a notification message;
the authentication module is further used as follows: if the special packet is the security-information transfer message, the authentication module performs security authentication on the security-information transfer message; if the special packet is the notification message, the authentication module performs security authentication on the notification message, and if authentication succeeds the upstream device carries out the entry deletion operation, otherwise the upstream device discards the message;
the storage module is used as follows: if the security-information transfer message is authenticated successfully by the authentication module, the storage module saves the security information carried in the security-information transfer message for the authentication module to use when performing security authentication on later special packets; otherwise the upstream device discards the message.
7. The upstream device according to claim 6, characterized in that the special packet comprises a first field and a second field; the value contained in the first field distinguishes whether the special packet carries security information and, when it does, whether the special packet is a security-information transfer message or a notification message carrying security information; the second field contains the security information;
the upstream device further comprises an extraction module and a lookup module; the extraction module is connected to the judging module and the authentication module respectively and is used to extract the value contained in the first field of the special packet and the security information contained in the second field; the lookup module is connected to the storage module and the authentication module respectively and is used to look up the security information already stored in the storage module;
the judging module is further used to judge from the value contained in the first field whether the special packet carries security information; if not, the special packet is discarded; if so, the judging module judges from the value contained in the first field whether the special packet is the security-information transfer message or the notification message;
the authentication module is further used as follows:
if the special packet is the security-information transfer message: if the lookup module finds security information in the storage module, the authentication module compares the security information extracted by the extraction module with the security information stored in the storage module; if the comparison result is consistent, the storage module saves the security information extracted by the extraction module, and if inconsistent, the upstream device discards the message; if the lookup module finds no security information in the storage module, the storage module saves the security information extracted by the extraction module;
if the special packet is the notification message: if the lookup module finds security information in the storage module, the authentication module compares the security information extracted by the extraction module with the security information stored in the storage module; if the comparison result is consistent, the upstream device carries out the entry deletion operation, and if inconsistent, the upstream device discards the message; if the lookup module finds no security information in the storage module, the upstream device discards the message.
8. The upstream device according to any one of claims 5 to 7, characterized in that:
the special packet is a Flush message in a flexible link group, a RELEASE message in the Dynamic Host Configuration Protocol, or a leave message in multicast.
9. A downstream device that can send a special packet to an upstream device, the special packet being able to make the upstream device carry out an entry deletion operation, characterized in that the downstream device comprises:
a message creation module, connected to the message sending module, used to create the special packet carrying security authentication;
a message sending module, connected to the message creation module, used to send the special packet carrying security authentication.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010219595.1A CN102299906B (en) 2010-06-25 2010-06-25 Method for preventing spoofed message attack as well as upstream device suitable for same

Publications (2)

Publication Number Publication Date
CN102299906A true CN102299906A (en) 2011-12-28
CN102299906B CN102299906B (en) 2014-04-16

Family

ID=45360089

Country Status (1)

Country Link
CN (1) CN102299906B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106453221A (en) * 2016-06-29 2017-02-22 华为技术有限公司 Message detection method and device

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101030912A (en) * 2007-04-06 2007-09-05 华为技术有限公司 Fast ring network method against attack based on RRPP, apparatus and system
US20070258359A1 (en) * 2004-07-30 2007-11-08 Nec Corporation Network system, node, node control program, and network control method
CN101465813A (en) * 2009-01-08 2009-06-24 杭州华三通信技术有限公司 Method for switching main and standby links, ring shaped networking and switching equipment
CN101640644A (en) * 2009-09-01 2010-02-03 杭州华三通信技术有限公司 Method and equipment for flow equilibrium based on flexible link group
US7664033B1 (en) * 2005-09-30 2010-02-16 At&T Corp. Method and apparatus for automating the detection and clearance of congestion in a communication network
CN101667963A (en) * 2009-09-09 2010-03-10 中兴通讯股份有限公司 Link switching method and device
CN101741535A (en) * 2008-11-12 2010-06-16 中兴通讯股份有限公司 Method and device for sending message in Ethernet dual-homed link protection

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
Address after: No. 466 Changhe Road, Binjiang District, Zhejiang, China, 310052
Patentee after: New H3C Technologies Co., Ltd.
Address before: Huawei Hangzhou production base, No. 310, Road No. 6, Science and Technology Industrial Park, Hangzhou Hi-Tech Industrial Development Zone, Zhejiang Province, 310053
Patentee before: Hangzhou H3C Technologies Co., Ltd.
CF01 Termination of patent right due to non-payment of annual fee
Granted publication date: 20140416
Termination date: 20200625