CN102299906B - Method for preventing spoofed message attack as well as upstream device suitable for same (Google Patents)

Publication number: CN102299906B (application CN201010219595.1A; earlier publication CN102299906A)
Authority: CN (China)
Prior art keywords: security information, message, upstream equipment, special packet, module
Legal status: Expired - Fee Related (as listed by Google Patents, which notes that the status is an assumption and not a legal conclusion)
Application number: CN201010219595.1A
Other languages: Chinese (zh)
Other versions: CN102299906A
Inventor: 王芳
Current assignee: New H3C Technologies Co Ltd (Google Patents notes the assignee list may be inaccurate)
Original assignee: Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd; priority to CN201010219595.1A; published as CN102299906A; granted and published as CN102299906B.


Abstract

The invention provides a method for preventing spoofed message attacks, for use in a system comprising a downstream device and an upstream device, in which the downstream device creates and sends to the upstream device a special message that causes the upstream device to perform a table entry deletion. The method comprises the following steps: the upstream device determines whether the received special message carries security information; if it does, the upstream device performs security authentication on the special message; if the message passes authentication, the upstream device performs the table entry deletion; if it fails, the upstream device discards the message. By means of preset fields in the message and a defined decision procedure, the method applies security control to the message and thereby improves the stability of the upstream device.

Description

Method for preventing spoofed message attacks, and upstream device suitable for the same
Technical field
The present invention relates to a method for preventing network attacks, and specifically to a method for preventing attacks by illegitimate, spoofed messages that cause a device to perform table entry deletion, together with an upstream device suitable for the method.
Background
In a Smart Link group (flexible link group) there are four state machines: the port information machine (PIM) of each port, the timer state machine (TMR) of each port, the port state selection machine (PSS) of each Smart Link group, and the port state transition machine (PST) of each port. When the PIM receives an event that requires a response, it either triggers the TMR state machine to start a countdown for the preemption delay, if preemption mode is enabled, after whose expiry the TMR calls the PSS state machine to recompute the state of the ports in the group, or, if preemption is not enabled, calls the PSS state machine directly. If the Smart Link state of a port has changed, the PST state machine is then called to change the state and deliver it to hardware. The filling and triggering of Flush messages is done by the PSS state machine. Figure 1 shows the transitions between the state machines when a port state or link state changes.
In the prior art, the function of a Flush message is to notify devices to update their table entries. The Flush message currently uses IEEE 802.3 encapsulation and contains the fields Destination MAC, Source MAC, Control VLAN ID, VLAN Bitmap, Auth-mode and Password. Destination MAC is an unknown multicast address; Source MAC is the bridge MAC address of the device sending the Flush message; Control VLAN ID is the ID of the send control VLAN; VLAN Bitmap carries the list of VLANs whose address tables need to be refreshed; Auth-mode and Password are currently unused.
Specifically, as shown in Figure 2, where the upstream devices Switch B 202, Switch C 203 and Switch D 204 can all recognise Flush messages, the Smart Link group works as follows: port GigabitEthernet1/0/1 (GE1/0/1) of Switch A 201 is the master port and port GigabitEthernet1/0/2 (GE1/0/2) is the slave port. When both uplinks are normal, the master port is in forwarding state and its link is the active link; the slave port is in standby state and its link is the backup link. Data sent by host 205 is forwarded along the link drawn as a solid line, there is no loop in the network, and broadcast storms are avoided.
When a link switch occurs in the Smart Link group, the existing forwarding entries no longer match the new topology, and the MAC address forwarding entries and ARP entries must be updated across the whole network. Smart Link notifies the other devices to refresh their entries by means of a Flush message.
When the active link of Switch A 201 fails, master port GigabitEthernet1/0/1 switches to standby state and slave port GigabitEthernet1/0/2 switches to forwarding state. The MAC forwarding entries and ARP entries on every device in the network are now wrong, and a MAC and ARP update mechanism is needed to complete the traffic switch quickly and avoid traffic loss.
For fast link switching, Flush message sending is enabled on Switch A 201, and Flush message receiving and processing is enabled on all ports along the two uplinks on the upstream devices. The sending and receiving process is as follows. After a link switch, Switch A 201 sends a Flush message over the new active link (the dotted line, formerly the backup link), that is, out of port GigabitEthernet1/0/2. The VLAN Bitmap field is filled with the protected VLAN IDs of the Smart Link group to which the previously forwarding port GigabitEthernet1/0/1 belongs, and the Control VLAN ID field is filled with the send control VLAN ID configured for the Smart Link group. When an upstream device receives the Flush message, it checks whether the message's send control VLAN is in the receive control VLAN list configured on the receiving port. If it is not, the device does not process the Flush message and simply forwards it; if it is, the device extracts the VLAN Bitmap from the Flush message and deletes the MAC and ARP entries it has learnt in those VLANs.
After this Flush exchange, when Switch D 204 receives a data packet destined for Switch A 201, it floods packets that need Layer 2 forwarding as Layer 2 broadcast; for packets that need Layer 3 forwarding, the device first refreshes its ARP entry by ARP probing and then forwards the packet. In this way data traffic is delivered correctly.
It follows from the Smart Link mechanism above that, for Layer 3 forwarded traffic, whenever an upstream device receives a Flush message whose send control VLAN is in the receive control VLAN list of the receiving port, it extracts the VLAN Bitmap and deletes the MAC and ARP entries learnt in those VLANs. Nothing in the prior-art message authenticates its origin: the Source MAC is simply whatever the sender wrote, and the Auth-mode and Password fields are unused. If an attacker impersonates a device and sends a forged Flush message, the upstream device processes the forgery and needlessly empties its ARP and MAC entries, which disrupts traffic forwarding and the stability of the Smart Link group's links.
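The following is an added example, not code from the patent or from H3C, of the prior-art upstream behaviour just described: a Flush frame is parsed, the only check applied is whether its control VLAN is in the receiving port's receive control VLAN list, and every MAC and ARP entry learnt in the VLANs set in the VLAN Bitmap is then deleted regardless of who sent the frame. The page names the fields but gives no offsets or sizes, so the on-wire layout, the destination multicast address and the 512-byte bitmap are assumptions, and the MAC addresses, VLANs and IP addresses in `demo()` are constructed for the example.

```python
from __future__ import annotations
import struct

# Assumed on-wire layout (the page names the fields but gives no offsets or sizes):
#   dst MAC (6) | src MAC (6) | length (2) | Control VLAN ID (2) |
#   VLAN Bitmap (512 bytes = 4096 bits, bit i set => flush VLAN i) |
#   Auth-mode (1) | Password (16)
FLUSH_DST_MAC = bytes.fromhex("010fe2000004")   # assumed multicast destination
BITMAP_LEN = 512
HDR = struct.Struct("!6s6sH")
BODY = struct.Struct(f"!H{BITMAP_LEN}sB16s")


def build_flush(src_mac: bytes, control_vlan: int, vlans: list[int],
                auth_mode: int = 0, password: bytes = bytes(16)) -> bytes:
    """Build a Flush frame; Auth-mode 0 and an all-zero Password is the prior-art form."""
    bitmap = bytearray(BITMAP_LEN)
    for v in vlans:
        if not 0 <= v < BITMAP_LEN * 8:
            raise ValueError(f"VLAN {v} out of range")
        bitmap[v // 8] |= 0x80 >> (v % 8)
    body = BODY.pack(control_vlan, bytes(bitmap), auth_mode, password)
    return HDR.pack(FLUSH_DST_MAC, src_mac, len(body)) + body


def parse_flush(frame: bytes) -> dict:
    """Split a Flush frame into its fields; rejects frames that are not Flush messages."""
    if len(frame) != HDR.size + BODY.size:
        raise ValueError("wrong length for a Flush frame")
    dst, src, length = HDR.unpack_from(frame)
    if dst != FLUSH_DST_MAC or length != BODY.size:
        raise ValueError("not a Flush frame")
    control_vlan, bitmap, auth_mode, password = BODY.unpack_from(frame, HDR.size)
    vlans = [i for i in range(BITMAP_LEN * 8) if bitmap[i // 8] & (0x80 >> (i % 8))]
    return {"src": src, "control_vlan": control_vlan, "vlans": vlans,
            "auth_mode": auth_mode, "password": password}


class PriorArtUpstream:
    """Upstream switch with the prior-art behaviour described above: the only check
    is whether the message's control VLAN is in the port's receive control VLAN list."""

    def __init__(self, rx_control_vlans: set[int]):
        self.rx_control_vlans = rx_control_vlans
        self.mac_table: dict[tuple[int, bytes], str] = {}   # (vlan, mac) -> port
        self.arp_table: dict[tuple[int, str], bytes] = {}   # (vlan, ip) -> mac

    def learn(self, vlan: int, mac: bytes, port: str, ip: str | None = None) -> None:
        self.mac_table[(vlan, mac)] = port
        if ip is not None:
            self.arp_table[(vlan, ip)] = mac

    def receive_flush(self, frame: bytes) -> str:
        msg = parse_flush(frame)
        if msg["control_vlan"] not in self.rx_control_vlans:
            return "forwarded"       # not addressed to this port: forward unchanged
        targets = set(msg["vlans"])
        # Delete every MAC and ARP entry learnt in the listed VLANs, whoever sent the frame
        self.mac_table = {k: v for k, v in self.mac_table.items() if k[0] not in targets}
        self.arp_table = {k: v for k, v in self.arp_table.items() if k[0] not in targets}
        return "flushed"


def demo() -> tuple[list[str], int, int]:
    """Constructed scenario: one genuine Flush, one in a non-control VLAN, one forgery."""
    sw = PriorArtUpstream(rx_control_vlans={1})
    sw.learn(10, bytes.fromhex("0001020304aa"), "GE1/0/1", ip="10.0.10.5")
    sw.learn(20, bytes.fromhex("0001020304bb"), "GE1/0/2", ip="10.0.20.5")
    switch_a = bytes.fromhex("000102030405")     # bridge MAC of Switch A (constructed)
    attacker = bytes.fromhex("deadbeef0000")     # any MAC works: nothing is authenticated
    results = [
        sw.receive_flush(build_flush(switch_a, 1, [10])),   # genuine: VLAN 10 flushed
        sw.receive_flush(build_flush(switch_a, 99, [20])),  # control VLAN 99 not accepted
        sw.receive_flush(build_flush(attacker, 1, [20])),   # forged, yet VLAN 20 flushed
    ]
    return results, len(sw.mac_table), len(sw.arp_table)
```

Running `demo()` leaves both tables empty after the third frame: the control VLAN check filters misdirected messages, not forged ones, which is exactly the gap the patent's Auth-mode and Password handling is meant to close.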
Likewise, other technologies on current network devices also delete entries on receipt of a particular message: for example, a DHCP server removes a lease entry on receiving a RELEASE message, and a multicast server deletes a multicast entry on receiving a leave message. A spoofed message that makes a device delete entries can therefore do serious harm.
Summary of the invention
In view of this, the main object of the present invention is to address the problem that network devices in the prior art are exposed to spoofed message attacks, by providing a method for preventing attacks by forged, spoofed messages.
The invention further provides an upstream device and a downstream device suitable for the above method.
To achieve the above object, the technical solution provided by the invention is as follows:
A method for preventing spoofed message attacks, for a system comprising a downstream device and an upstream device, in which the downstream device creates and sends to the upstream device a special message that can cause the upstream device to perform a table entry deletion. The method comprises the following steps: the upstream device determines whether the special message it receives carries security information; if so, the upstream device performs security authentication on the special message; if the message passes authentication, the upstream device performs the table entry deletion; if it fails, the upstream device discards the special message.
In the above solution, after the upstream device has determined that the special message carries security information and before it authenticates the message, the method further comprises: the upstream device determines whether the special message is a security information transfer message or a notice message;
the upstream device then authenticates the special message and, according to the result, either performs the table entry deletion or discards the message, specifically as follows:
if it is a security information transfer message, the upstream device authenticates the transfer message; on success, it saves the security information carried in the transfer message for use in authenticating later special messages; otherwise it discards the message;
if it is a notice message, the upstream device authenticates the notice message; on success, it performs the table entry deletion; otherwise it discards the message.
In the above solution, the special message comprises a first field and a second field. The value of the first field indicates whether the special message carries security information and, if it does, whether it is a security information transfer message or a notice message carrying security information; the second field carries the security information. The method specifically comprises the following steps:
Step A: the upstream device extracts the value of the first field of the special message;
Step B: from the value of the first field, the upstream device determines whether the special message carries security information; if not, it discards the message; if so, it proceeds to step C;
Step C: from the value of the first field, the upstream device determines whether the special message is a security information transfer message or a notice message; for a transfer message it proceeds to step D, for a notice message to step E;
Step D: the upstream device extracts the security information from the second field and looks up the locally stored security information. If the lookup succeeds, it compares the extracted security information with the stored security information; if they are consistent, it saves the security information extracted in this step, and if not, it discards the special message. If the lookup fails, it stores the security information extracted in this step locally;
Step E: the upstream device extracts the security information from the second field and compares it with the locally stored security information; if they are consistent, the upstream device performs the table entry deletion; otherwise it discards the message.
An upstream device that can receive a special message sent by a downstream device, the special message being able to cause the upstream device to perform a table entry deletion, the upstream device comprising a judging module and an authentication module: the judging module, connected to the authentication module, determines whether the special message carries security information; the authentication module, connected to the judging module, performs security authentication on the security information when the special message carries it; once authentication passes, the upstream device performs the table entry deletion.
In the above solution, the upstream device further comprises a storage module connected to the authentication module;
the judging module further determines whether the special message is a security information transfer message or a notice message;
the authentication module further authenticates the transfer message when the special message is a security information transfer message, and authenticates the notice message when the special message is a notice message, in which case the upstream device performs the table entry deletion on success and discards the message otherwise;
the storage module saves the security information carried in a security information transfer message that the authentication module has authenticated successfully, for the authentication module's use in authenticating later special messages; on failure the upstream device discards the message.
In the above solution, the special message comprises a first field and a second field; the value of the first field indicates whether the special message carries security information and, if so, whether it is a security information transfer message or a notice message carrying security information; the second field carries the security information;
the upstream device further comprises an extraction module and a lookup module; the extraction module, connected to the judging module and the authentication module, extracts the value of the first field and the security information in the second field of the special message; the lookup module, connected to the storage module and the authentication module, looks up security information already stored in the storage module;
the judging module further determines from the value of the first field whether the special message carries security information, discards it if not, and otherwise determines from the value of the first field whether the special message is a security information transfer message or a notice message;
the authentication module further operates as follows:
if the special message is a security information transfer message: when the lookup module finds security information in the storage module, the authentication module compares the security information extracted by the extraction module with the stored security information; if consistent, the storage module saves the extracted security information, and if not, the upstream device discards the message; when the lookup module finds no security information in the storage module, the storage module saves the extracted security information;
if the special message is a notice message: when the lookup module finds security information in the storage module, the authentication module compares the extracted security information with the stored security information; if consistent, the upstream device performs the table entry deletion, and if not, it discards the message; when the lookup module finds no security information in the storage module, the upstream device discards the message.
A downstream device that can send to an upstream device a special message able to cause the upstream device to perform a table entry deletion, the downstream device comprising:
a message creation module, connected to the message sending module, for creating the special message carrying security authentication information;
a message sending module, connected to the message creation module, for sending the special message carrying security authentication information.
In the above solution, the special message is a Flush message in a Smart Link group, a RELEASE message in the Dynamic Host Configuration Protocol (DHCP), or a leave message in multicast; and the upstream device is, correspondingly, an upstream switch in the Smart Link group, the DHCP server, or the multicast server.
The method for preventing spoofed message attacks, and the upstream and downstream devices suitable for it, have the following beneficial effects:
By means of preset fields in the message and a defined decision procedure, the method applies security control to the message and thereby improves the stability of the upstream device.
Applied to a Smart Link group, the method prevents attacks with forged Flush messages. It does so by defining and checking the Auth-mode and Password fields of the Flush message, which realises the transfer of security information between devices, is simple to operate and is highly compatible with existing deployments.
Applied to a Smart Link group, the method also extends the role of the existing Flush message: on a link switch, the device sends a Flush message instructing the upstream switches to update their MAC and ARP entries, while on a stable link the device sends Flush messages periodically to transfer the security authentication information.
Brief description of the drawings
Fig. 1 is the state machine relationship diagram in a Smart Link group;
Fig. 2 is a schematic diagram of the device connections in a Smart Link group;
Fig. 3a is a flow chart of the central idea of the method for preventing spoofed message attacks;
Fig. 3b is a flow chart of the method after step 311 has been added;
Fig. 3c is a flow chart of the method processing Flush messages in a Smart Link group;
Figs. 4a and 4b are structural diagrams of two upstream devices according to the invention;
Fig. 4c is a structural diagram of an upstream switch in a Smart Link group to which the method is applied;
Fig. 5 is a structural diagram of a downstream switch in a Smart Link group to which the method is applied;
The reference numerals are:
201 Switch A; 202 Switch B; 203 Switch C; 204 Switch D; 205 host;
400 upstream device; 401 upstream switch in the Smart Link group; 402 judging module; 403 authentication module; 404 storage module; 405 extraction module; 406 lookup module;
501 downstream switch in the Smart Link group; 502 message creation module; 503 message sending module.
Detailed description of the embodiments
The central design of the method is: in a system of upstream and downstream devices, when the upstream device receives a special message sent by the downstream device that can cause it to perform a table entry deletion, the method comprises the following steps:
Step 310: the upstream device determines whether the special message it received carries security information;
Step 320: if the result of step 310 is yes, the upstream device performs security authentication on the special message;
Step 330: if the authentication of step 320 passes, the upstream device performs the table entry deletion;
Step 340: if the authentication of step 320 fails, the upstream device discards the special message.
The method thus applies security control to the message and improves the stability of the upstream device.
Further, after the upstream device has determined that the special message carries security information and before it authenticates the message, the method further comprises:
Step 311: the upstream device determines whether the special message is a security information transfer message or a notice message;
On the basis of step 311, steps 320 to 340 above are replaced by:
Step 312: if it is a security information transfer message, the upstream device authenticates the transfer message; on success it saves the security information carried in the transfer message for use in authenticating later special messages, otherwise it discards the message; and
Step 313: if it is a notice message, the upstream device authenticates the notice message; on success it performs the table entry deletion, otherwise it discards the message.
This refinement of the method distinguishes whether the special message is a security information transfer message or a notice message and then handles it by step 312 or step 313 respectively, so that the upstream device processes special messages more clearly, which benefits its stability.
The central design of the upstream device is: a judging module and an authentication module cooperate to authenticate the special messages the upstream device receives, so that such a message cannot be used to attack it.
Specifically, as shown in Fig. 4a, the upstream device comprises a judging module and an authentication module: the judging module, connected to the authentication module, determines whether the special message carries security information; the authentication module, connected to the judging module, performs security authentication on the security information when the special message carries it; once authentication passes, the upstream device performs the table entry deletion.
Further, as shown in Fig. 4b, the upstream device may also include a storage module connected to the authentication module. In this upstream device:
the judging module further determines whether the special message is a security information transfer message or a notice message;
the authentication module further authenticates the transfer message when the special message is a security information transfer message, and authenticates the notice message when the special message is a notice message, in which case the upstream device performs the table entry deletion on success and discards the message otherwise;
the storage module saves the security information carried in a security information transfer message that the authentication module has authenticated successfully, for the authentication module's use in authenticating later special messages; on failure the upstream device discards the message.
To make the object, technical solution and advantages of the invention clearer, the invention is described in more detail below with reference to the drawings and embodiments.
Embodiment 1
The method is described in detail below using the Smart Link group system of Fig. 2, with reference to Fig. 3c, taking the Smart Link group and its Flush message as the example. In the Smart Link group of Fig. 2, on a link switch the device sends a Flush message instructing the upstream device Switch D 204 to update its MAC and ARP entries. While the link is stable, the device sends Flush messages periodically to transfer the security authentication information. In the Smart Link group, the method uses the Auth-mode and Password fields to transfer the security information.
Specifically, the Auth-mode field is agreed to be 1 byte long and takes the value 0, 1 or 2. Value 0 indicates a Smart Link group without security authentication. Value 1 indicates that the purpose of this Flush message is to transfer security information, not to instruct the device to empty its entries; password information must then be inserted in the Password field. Value 2 indicates that the purpose of this Flush message is to instruct the device to empty its MAC and ARP entries.
For the Password field, the user can set a password manually when creating the Smart Link group. The Password field is 16 bytes long: the first 8 bytes carry the new password and the last 8 bytes the old password. After the initial password of the Smart Link group has been set, the Flush message carries Auth-mode 1, the first 8 bytes of the Password field hold the initially set new password, and the last 8 bytes are 0. When the user wants to change the password, the first 8 bytes of the Password field are filled with the new password and the last 8 bytes with the old password.
The specific meanings of the Auth-mode and Password fields are given in Table 1.
Table 1
When the upstream switch receives a Flush message, it performs the decision process of steps 301-307, see Fig. 3c:
Step 301: the upstream switch extracts the value of the Auth-mode field;
Step 302: from the value of the Auth-mode field, the upstream switch determines whether the Flush message carries security information; if not, go to step 307; if so, go to step 303;
Step 303: the upstream switch determines whether the Flush message is a security information transfer message or a notice message; for a transfer message go to step 304, for a notice message go to step 305;
Step 304: the upstream switch extracts the security information carried in the Password field and looks up the locally stored security information. If the lookup succeeds, it compares the extracted security information with the stored security information; if consistent, it saves the security information extracted in this step, and if not, it discards the Flush message. If the lookup fails, it stores the security information extracted in this step locally;
Step 305: the upstream switch extracts the security information carried in the Password field and compares it with the locally stored security information; if consistent, go to step 306; if not, go to step 307;
Step 306: the upstream switch empties its MAC and ARP entries and forwards the Flush message onward;
Step 307: the upstream switch discards the Flush message.
The different situations are described below:
1) When the upstream switch is initialized, the user creates the flexible link group and designates a master port and a slave port. The master port is in the forwarding state and the slave port is in the standby state. The downstream device periodically sends Flush messages with the Auth-mode field set to 1 and the Password field set to the password information.
On receiving the Flush message, the upstream switch performs the following decision steps:
Step 301: the upstream switch extracts the value carried in the Auth-mode field, which is 1;
Step 302: the upstream switch judges that this Flush message carries security information and goes to step 303;
Step 303: the upstream switch judges that the Flush message is a security-information transfer message and goes to step 304;
Step 304: the security information carried in the Password field is extracted and the locally stored security information is searched for. If the search succeeds, the security information extracted in this step is compared with the locally stored security information: if they match, the extracted security information is saved; if they differ, the Flush message is discarded. If the search fails, the security information extracted in this step is stored locally.
2) When the master port fails, or a failure of the primary link is detected by CFD, the Flush message is sent from the slave port with the Auth-mode field set to 2 and the Password field set to the password information.
After receiving this Flush message, the upstream switch performs the following decision steps:
Step 301: the value of the Auth-mode field is extracted and is 2;
Step 302: the upstream switch judges that this Flush message carries security information and goes to step 303;
Step 303: the upstream switch judges that the Flush message is a notice message and goes to step 305;
Step 305: the upstream switch extracts the security information from the Password field and compares it with the locally stored security information; if they match, go to step 306; if they differ, go to step 307;
Step 306: the upstream switch empties its MAC and ARP entries and diffuses the message;
Step 307: the Flush message is discarded.
The "diffusion" in step 306 means that the upstream switch propagates the Flush message to the other upstream switches according to the flooding mechanism of Flush messages, until the Flush message has reached all upstream switches. As a result, the slave port ends up in the forwarding state and the master port in the blocked state.
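The decision procedure of steps 301 to 307, together with the Password field layout described above and the two situations just worked through, as an added example in Python that is not part of the patent. It assumes a one-byte Auth-mode encoding in which 0 means "no security information", assumes that when a password change is in progress (rear 8 bytes non-zero) the old password is the half compared against the stored value (the page does not say which half is compared), and models the table flush and the diffusion to other upstream switches as callbacks; the flush callback is also the point at which the same handler would serve the DHCP RELEASE and multicast leave cases mentioned at the end of the description.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional

# Auth-mode values as the page describes them; 0 for "no security information" is an assumption.
AUTH_NONE = 0
AUTH_TRANSFER = 1   # security-information transfer message
AUTH_NOTICE = 2     # notice message: asks the upstream switch to empty MAC/ARP entries

PASSWORD_LEN = 16   # page: 16 bytes, first 8 = new password, last 8 = old password


def build_flush(auth_mode: int, new_pw: bytes = b"", old_pw: bytes = b"") -> bytes:
    """Downstream side (message creation module of Embodiment 3): one Auth-mode byte
    followed by the 16-byte Password field. The one-byte encoding and the zero
    padding of short passwords are assumptions of this example."""
    if not 0 <= auth_mode <= 255:
        raise ValueError("Auth-mode must fit in one byte")
    if len(new_pw) > 8 or len(old_pw) > 8:
        raise ValueError("each half of the Password field is at most 8 bytes")
    return bytes([auth_mode]) + new_pw.ljust(8, b"\0") + old_pw.ljust(8, b"\0")


@dataclass
class UpstreamDevice:
    """Upstream side: the judge, authentication and memory modules of Embodiment 2."""
    flush_tables: Callable[[], None]         # empties MAC and ARP entries (step 306)
    flood: Callable[[bytes], None]           # diffuses the Flush message to other upstream switches
    stored_password: Optional[bytes] = None  # the memory module; None means nothing stored yet

    def handle_flush(self, msg: bytes) -> str:
        """Returns 'discard', 'stored' or 'flushed' so the outcome can be checked."""
        if len(msg) != 1 + PASSWORD_LEN:
            return "discard"                      # malformed: handled like step 307
        auth_mode = msg[0]                        # step 301: extract Auth-mode
        if auth_mode not in (AUTH_TRANSFER, AUTH_NOTICE):
            return "discard"                      # step 302 -> 307: no security information
        new_pw, old_pw = msg[1:9], msg[9:17]      # the two halves of the Password field
        if auth_mode == AUTH_TRANSFER:            # step 303 -> 304
            return self._transfer(new_pw, old_pw)
        return self._notice(new_pw, msg)          # step 303 -> 305

    def _transfer(self, new_pw: bytes, old_pw: bytes) -> str:
        # Step 304. Lookup miss: store the first security information seen.
        if self.stored_password is None:
            self.stored_password = new_pw
            return "stored"
        # Lookup hit: compare the old password when a change is in progress (rear
        # half non-zero), otherwise the current one. This choice of half is an
        # assumption of the example, not something the page states.
        presented = old_pw if any(old_pw) else new_pw
        if not hmac.compare_digest(presented, self.stored_password):
            return "discard"                      # inconsistent: discard the message
        self.stored_password = new_pw             # consistent: keep the (possibly new) password
        return "stored"

    def _notice(self, pw: bytes, msg: bytes) -> str:
        # Step 305: a notice message must match the stored security information.
        if self.stored_password is None:
            return "discard"                      # nothing stored: cannot authenticate
        if not hmac.compare_digest(pw, self.stored_password):
            return "discard"                      # step 307
        self.flush_tables()                       # step 306: empty MAC and ARP entries
        self.flood(msg)                           # ... and diffuse to the other upstream switches
        return "flushed"


if __name__ == "__main__":
    events: List[str] = []
    dev = UpstreamDevice(flush_tables=lambda: events.append("flush"),
                         flood=lambda m: events.append("flood"))
    print(dev.handle_flush(build_flush(AUTH_TRANSFER, b"secret01")))        # stored
    print(dev.handle_flush(build_flush(AUTH_NOTICE, b"forged00")))          # discard
    print(dev.handle_flush(build_flush(AUTH_NOTICE, b"secret01")), events)  # flushed ['flush', 'flood']
```

The comparison uses `hmac.compare_digest` rather than `==` so that the time taken to reject a wrong password does not depend on how many leading bytes matched. Note that the scheme authenticates a notice message only by the security information carried in the clear in the Password field, so the stored value is a shared secret whose confidentiality depends on the links it is transferred over; anything that changes the stored value (a transfer message with a matching old password) should therefore be logged on the upstream device.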
The method of this embodiment is further illustrated below with the upstream and downstream switches of the flexible link group (Smartlink group) in Fig. 2 and the specific decision procedure of the upstream switch for Flush messages.
In the steady state of downstream switch Switch A 201, GE1/0/1 is the master port and is in the forwarding state; it periodically sends Flush messages with the Auth-mode field set to 1 and the Password field set to the security information configured by the user. These are diffused device by device until all devices on the master and slave links have received the security information. When the primary link fails, GE1/0/2 sends a Flush message with the Auth-mode field set to 2 and the Password field set to the security information. Upstream switch Switch C 203, located upstream of downstream switch Switch A 201, receives this message, judges it to be a notice message, and first takes the password information out of the message and compares it with the locally saved one: if they differ, it discards the message and does not diffuse the Flush message; if they match, it empties its local MAC address forwarding entries and ARP entries and diffuses the Flush message, until the Flush message has reached all upstream switches. Finally GE1/0/2 is in the forwarding state and GE1/0/1 is in the blocked state.
This embodiment extends the role of the Flush message by using its as yet unused Auth-mode and Password fields to implement a control mechanism within the flexible link group, preventing an attacker from attacking devices with forged Flush messages and improving the stability and reliability of the devices.
Applying the method of the present invention for preventing forged-message attacks to a flexible link group extends the role of the Flush message: on link switchover a device sends a Flush message instructing the upstream switches to update their MAC and ARP entries, and while the link is stable a timer periodically sends Flush messages that carry the security authentication information.
Embodiment 2
Fig. 4c shows an upstream switch 401 in a flexible link group to which the method of the present invention for preventing forged-message attacks applies. The upstream switch 401 can receive Flush messages, empty its MAC and ARP entries, and perform diffusion.
In this embodiment, the upstream switch 401 in the flexible link group comprises a judge module 402, an authentication module 403, a memory module 404, an extraction module 405 and a lookup module 406.
The judge module 402 is connected to the authentication module 403 and judges whether the special packet carries security information.
The authentication module 403 is connected to the judge module 402; if the special packet carries security information, the authentication module 403 performs security authentication on the security information, and after the authentication passes, the upstream device performs the table-entry deletion operation.
The memory module 404 stores security information.
The extraction module 405 is connected to the judge module 402 and to the authentication module 403, and extracts the value carried in the Auth-mode field of the Flush message and the security information carried in the Password field.
The lookup module 406 is connected to the memory module 404 and to the authentication module 403, and searches the memory module 404 for stored security information.
Specifically:
The Flush message comprises an Auth-mode field and a Password field. The value of the Auth-mode field distinguishes whether the Flush message carries security information and, if so, whether it is a security-information transfer message or a notice message carrying security information. The Password field carries the security information.
The judge module 402 judges, from the value of the Auth-mode field, whether the Flush message carries security information; if not, the Flush message is discarded; if so, the judge module 402 judges from the value of the Auth-mode field whether the Flush message is the security-information transfer message or the notice message.
For the authentication module 403:
If the Flush message is the security-information transfer message: when the lookup module 406 finds security information in the memory module 404, the authentication module 403 compares the security information extracted by the extraction module 405 with that stored in the memory module 404; if they match, the memory module 404 saves the security information extracted by the extraction module 405; if they differ, the upstream switch discards the message. When the lookup module 406 cannot find security information in the memory module 404, the memory module 404 saves the security information extracted by the extraction module 405.
If the Flush message is the notice message: when the lookup module 406 finds security information in the memory module 404, the authentication module 403 compares the security information extracted by the extraction module 405 with that stored in the memory module 404; if they match, the upstream switch performs the table-entry deletion operation; if they differ, the upstream switch discards the message. When the lookup module 406 cannot find security information in the memory module 404, the upstream switch discards the message.
The memory module 404: if the authentication module 403 successfully authenticates the security-information transfer message, the memory module 404 saves the security information carried by that message so that the authentication module 403 can authenticate later Flush messages against it; otherwise the upstream switch discards the message.
The upstream device of the present invention can prevent attacks with forged Flush messages and operates stably and reliably.
Embodiment 3
Fig. 5 shows a downstream switch 501 in a flexible link group to which the method of the present invention for preventing forged-message attacks applies. The downstream switch 501 in the flexible link group sends the upstream switch a Flush message containing an Auth-mode field and a Password field, which causes the upstream switch to delete and update its MAC and ARP entries. The downstream switch comprises a message creation module 502 and a message sending module 503 connected to each other. The message creation module 502 creates the Flush message with security authentication, and the message sending module 503 sends the Flush message with security authentication.
The processing performed by the upstream switch on receiving the Flush message is the same as in Embodiment 2 and is not repeated here.
Besides the flexible link group technology, other technologies on current network devices also delete entries on receipt of a certain message: for example, in the Dynamic Host Configuration Protocol (DHCP), a server deletes a lease entry on receiving a RELEASE message, and in multicast a server deletes a multicast entry on receiving a leave message. In other embodiments the approach of the above embodiments can therefore be applied to special packets such as RELEASE or leave messages to control them securely and so improve device stability. Specifically, where the above embodiment, having judged a message to be a notice message, empties the MAC and ARP entries and diffuses the message, the other embodiments correspondingly judge whether the packet is a legitimate, safe packet that may trigger table-entry deletion and then perform the table-entry deletion operation. This is not repeated here.
The foregoing are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement and so on made within the spirit and principles of the present invention shall fall within its scope of protection.

Claims (6)

1. A method for preventing forged-message attacks, for a system comprising a downstream device and an upstream device, in which the downstream device creates and sends a special packet to the upstream device and the special packet causes the upstream device to perform a table-entry deletion operation, characterized in that the method comprises the following steps:
the upstream device judges whether the special packet it receives carries security information; if so, the upstream device performs security authentication on the special packet; if the security authentication passes, the upstream device performs the table-entry deletion operation, and if it does not pass, the upstream device discards the special packet;
after the upstream device has judged that the special packet carries security information and before the upstream device performs security authentication on the special packet, the method further comprises: the upstream device judges whether the special packet is a security-information transfer message or a notice message;
the upstream device performing security authentication on the special packet, and the upstream device performing the table-entry deletion operation or discarding the special packet according to the result of the security authentication, specifically comprises:
if it is the security-information transfer message, the upstream device performs security authentication on the security-information transfer message; if the authentication succeeds, the upstream device saves the security information carried by the security-information transfer message for use in the security authentication of later special packets, otherwise the upstream device discards the message;
if it is the notice message, the upstream device performs security authentication on the notice message; if the authentication succeeds, the upstream device performs the table-entry deletion operation, otherwise the upstream device discards the message.
2. The method according to claim 1, characterized in that the special packet comprises a first field and a second field; the value of the first field distinguishes whether the special packet carries security information and, if so, whether the special packet is the security-information transfer message or the notice message carrying security information; the second field carries the security information; and the method specifically comprises the following steps:
Step A: the upstream device extracts the value carried in the first field of the special packet;
Step B: based on the value of the first field, the upstream device judges whether the special packet carries security information; if not, the special packet is discarded; if so, go to step C;
Step C: based on the value of the first field, the upstream device judges whether the special packet is the security-information transfer message or the notice message; for the security-information transfer message go to step D, for the notice message go to step E;
Step D: the upstream device extracts the security information from the second field and searches for locally stored security information. If the search succeeds, it compares the security information extracted in this step with the locally stored security information: if they match, the extracted security information is saved; if they differ, the special packet is discarded. If the search fails, the security information extracted in this step is stored locally;
Step E: the upstream device extracts the security information from the second field and compares it with the locally stored security information; if they match, the upstream device performs the table-entry deletion operation, otherwise the upstream device discards the message.
3. The method according to any one of claims 1 to 2, characterized in that
the special packet is the Flush message in a flexible link group, or the RELEASE message in the Dynamic Host Configuration Protocol, or the leave message in multicast;
the upstream device is the upstream switch in a flexible link group, or the server in the Dynamic Host Configuration Protocol, or the server in multicast.
4. An upstream device that receives a special packet sent by a downstream device, the special packet causing the upstream device to perform a table-entry deletion operation, characterized in that the upstream device comprises a judge module and an authentication module:
the judge module is connected to the authentication module and judges whether the special packet carries security information;
the authentication module is connected to the judge module; if the special packet carries security information, the authentication module performs security authentication on the security information, and after the security authentication passes, the upstream device performs the table-entry deletion operation;
the upstream device further comprises a memory module connected to the authentication module;
the judge module further judges whether the special packet is a security-information transfer message or a notice message;
the authentication module further: if the special packet is the security-information transfer message, performs security authentication on the security-information transfer message; if the special packet is the notice message, performs security authentication on the notice message, and if the authentication succeeds the upstream device performs the table-entry deletion operation, otherwise the upstream device discards the message;
the memory module: if the authentication module successfully authenticates the security-information transfer message, the memory module saves the security information carried by the security-information transfer message for use by the authentication module in the security authentication of later special packets, otherwise the upstream device discards the message.
5. The upstream device according to claim 4, characterized in that the special packet comprises a first field and a second field; the value of the first field distinguishes whether the special packet carries security information and, if so, whether the special packet is the security-information transfer message or the notice message carrying security information; the second field carries the security information;
the upstream device further comprises an extraction module and a lookup module; the extraction module is connected to the judge module and to the authentication module, and extracts the value carried in the first field of the special packet and the security information carried in the second field; the lookup module is connected to the memory module and to the authentication module, and searches the memory module for stored security information;
the judge module further judges, from the value of the first field, whether the special packet carries security information; if not, the special packet is discarded; if so, the judge module judges from the value of the first field whether the special packet is the security-information transfer message or the notice message;
the authentication module further:
if the special packet is the security-information transfer message: when the lookup module finds security information in the memory module, the authentication module compares the security information extracted by the extraction module with that stored in the memory module; if they match, the memory module saves the security information extracted by the extraction module; if they differ, the upstream device discards the message; when the lookup module cannot find security information in the memory module, the memory module saves the security information extracted by the extraction module;
if the special packet is the notice message: when the lookup module finds security information in the memory module, the authentication module compares the security information extracted by the extraction module with that stored in the memory module; if they match, the upstream device performs the table-entry deletion operation; if they differ, the upstream device discards the message; when the lookup module cannot find security information in the memory module, the upstream device discards the message.
6. The upstream device according to any one of claims 4 to 5, characterized in that
the special packet is the Flush message in a flexible link group, or the RELEASE message in the Dynamic Host Configuration Protocol, or the leave message in multicast.
CN201010219595.1A 2010-06-25 2010-06-25 Method for preventing spoofed message attack as well as upstream device suitable for same Expired - Fee Related CN102299906B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010219595.1A CN102299906B (en) 2010-06-25 2010-06-25 Method for preventing spoofed message attack as well as upstream device suitable for same


Publications (2)

Publication Number Publication Date
CN102299906A CN102299906A (en) 2011-12-28
CN102299906B true CN102299906B (en) 2014-04-16

Family

ID=45360089


Country Status (1)

Country Link
CN (1) CN102299906B (en)


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.
Patentee after: Xinhua three Technology Co., Ltd.
Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base
Patentee before: Huasan Communication Technology Co., Ltd.
CF01 Termination of patent right due to non-payment of annual fee
Granted publication date: 20140416
Termination date: 20200625