
CN101197659B - Supervisor encrypting type anti-attack information communication network safety defending method and system - Google Patents

Supervisor encrypting type anti-attack information communication network safety defending method and system

Info

Publication number
CN101197659B
Authority
CN
China
Prior art keywords
address
analysis protocol
information
proxy portion
protocol proxy
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN2007101248358A
Other languages
Chinese (zh)
Other versions
CN101197659A (en
Inventor
张南希
焦润
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Individual filed Critical Individual
Priority to CN2007101248358A priority Critical patent/CN101197659B/en
Publication of CN101197659A publication Critical patent/CN101197659A/en
Application granted granted Critical
Publication of CN101197659B publication Critical patent/CN101197659B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention belongs to the field of network security defense, and in particular relates to a data communication network security defense method and system that encrypt ARP request messages. In the method, the information of a requesting terminal is sent one-way to an encryption part and encrypted, and the encrypted information is decrypted by an ARP proxy part. After the decrypted information is verified, a reply message is sent one-way to the requesting terminal, and the requesting terminal communicates with the destination terminal according to the confirmed information. The method is realized by a defense system comprising the ARP proxy part, a switching device with an encryption function, and communication terminals. The principle of the encryption-type anti-attack method is simple and its design is reasonable. It can largely solve the prior-art problems of physical address spoofing attacks, physical address flooding attacks, and IP conflicts caused by physical address spoofing, and is therefore highly practical.

Description

Supervisor encrypting type anti-attack information communication network safety defending method and system
[Technical field]
The invention belongs to the field of network security defense, and specifically relates to a data communication network security defense method and defense system that encrypt address resolution protocol request messages.
[Background technology]
The Ethernet protocol is a set of LAN protocols defined by the IEEE 802.3 standards. It is currently the most commonly used LAN link-layer protocol. A Layer 2 Ethernet switch is a device that performs packet switching based on link-layer physical addresses.
The IP protocol is currently the most widely used network-layer protocol standard for data communication. IP uses a 32-bit IP address to uniquely identify a device, and the propagation of data messages at the network layer is addressed entirely by IP address. However, the IP address is valid only at the network layer; the hardware that carries the IP network does not rely on IP addresses for addressing. For example, Ethernet physical equipment uses a unique 48-bit Ethernet address to identify a hardware interface and never inspects the destination IP address of an IP datagram at the link layer. On a broadcast network, the mapping between these two address formats is performed by the address resolution protocol, and the mapping process is automatic.
In a system that implements the address resolution protocol, the protocol dynamically generates mappings between IP addresses and hardware addresses and keeps them for a period of time. When a hardware address is needed, the system looks up the mapping using the IP address as the unique key, and the hardware address in the mapping it finds is the hardware-recognizable address needed to transmit messages on the physical network. The generation of these mappings depends on two address resolution protocol messages: the address resolution protocol request and the address resolution protocol reply.
When a system running the address resolution protocol cannot find the mapping between a needed IP address and its hardware address, it sends an address resolution protocol request message asking for the hardware address of that IP address. The requesting system may include its own IP address and hardware address in the message, and indicates the IP address whose hardware address it is requesting. The message is sent across the network by broadcast. In common implementations, any system that receives this request message and runs the address resolution protocol should use the requester's IP address and hardware address contained in the message to generate a mapping; if a mapping keyed by that IP address already exists, it should update the mapping with the hardware address in the message.
When a system running the address resolution protocol finds that the IP address specified in a received request message is its own IP address, it sends an address resolution protocol reply message to the requester, informing the requester of its own hardware address. This message is sent by unicast; after receiving it, the requester can generate the mapping between the corresponding IP address and hardware address from the information in the reply. The key to the normal operation of the address resolution protocol is ensuring that the mappings between IP addresses and hardware addresses are correct. A system running the protocol cannot actively discover whether a mapping is wrong. If a wrong mapping has been generated, the sender will send messages to the wrong hardware address and the recipient will not receive them, which interrupts data forwarding. More seriously, because the sender believes it already has the recipient's hardware address, it will not send an address resolution protocol request to update the mapping. The wrong mapping persists for a certain time and can only be repaired once both parties involved in the transmission have sent address resolution protocol messages, which seriously affects use of the data network.
Exploiting this weakness of the address resolution protocol, a malicious attacker can attack a network that runs the protocol by forging address resolution protocol reply messages.
The following specific example illustrates the problem. In the prior art, communication between an information sender and an information receiver proceeds as follows:
The first step, when the sending host A begins to communicate with the receiving host B, host A looks up the physical address of host B in its stored address resolution protocol table [host IP address to physical address mapping table]; if it is found, host A jumps to the fifth step and communicates with host B; if it is not found, host A runs the address resolution protocol learning process and goes to the second step;
The second step, host A broadcasts an address resolution protocol request in the network, asking for the physical address corresponding to host B;
The third step, all terminals in the LAN receive this request; host B receives it, finds that the request is addressed to itself, and responds to host A with a unicast address resolution protocol reply telling host A its physical address;
The fourth step, host A receives this reply and stores the correspondence between host B's IP address and host B's physical address in its address resolution protocol table;
The fifth step, host A looks up host B's physical address in its address resolution protocol table and communicates with host B.
The above flow has several security vulnerabilities that may be exploited by viruses or man-made programs. There are three common attack methods:
First security vulnerability: the physical address spoofing attack. Physical address spoofing occurs at the third step of the above flow. Because the address resolution protocol request message is a broadcast message, an ordinary Layer 2 switch broadcasts it to all terminals, so every terminal in the LAN receives it. For example, host C also receives the request. If there is a virus or malicious program on host C, it can disguise itself as host B and send an address resolution protocol reply message to host A. In the fourth step, host A receives this disguised message and stores the correspondence with host C's physical address in its own address resolution protocol table. From then on, all data that host A sends when communicating with host B goes to host C, so host C can intercept all communication data between host A and host B.
Second security vulnerability: the physical address flooding attack, which paralyzes the network. In a broadcast network, the number of address resolution protocol mappings that a device acting as gateway can hold is usually limited. If an attacker sends a large number of address resolution request messages, each spoofing a different source IP address, data forwarding across the whole broadcast network breaks down. This attack is also called an address resolution protocol flooding attack.
Third security vulnerability: physical address spoofing that causes an IP conflict. To prevent IP address conflicts, an ordinary IP Ethernet host sends out several address resolution protocol announcements when it first joins the network, to query whether its IP address is already in use; if it is, the host cannot use that IP address. A malicious attacker that receives such an announcement can therefore send a response pretending to occupy the IP address, so that the host cannot join the network.
At present the only solution to these attacks is to disable the host's address resolution protocol function and use statically configured address resolution protocol mappings.
As stated above, address resolution protocol mappings are generated dynamically, and it is precisely this that gives a malicious attacker the opportunity to impersonate other users when sending messages and to block the forwarding of data messages. Static configuration means that the user configures the mappings between IP addresses and hardware addresses, and these mappings do not change over time. Because their priority is higher than that of mappings generated dynamically by the address resolution protocol, they also do not change with the information carried in address resolution protocol messages. Static mappings can effectively solve the blocking of data forwarding caused by spoofing and flooding attacks, but they require the mappings between IP addresses and hardware addresses to be created and maintained manually in large numbers. This completely discards the benefits that the address resolution protocol brings: in effect it merely simulates the final result that the protocol would generate while abandoning the protocol itself.
[Summary of the invention]
To better solve the prior-art technical problems of physical address spoofing attacks, physical address flooding attacks, and IP conflicts caused by physical address spoofing, the invention provides a supervisor encrypting type anti-attack information communication network safety defending method.
Using this method, the invention also provides a supervisor encrypting type anti-attack information communication network safety defending system.
The technical solution adopted by the invention to solve the prior-art problems is a supervisor encrypting type anti-attack information communication network safety defending method comprising the steps: first, the ARP information of the requesting terminal is sent one-way through the switching device to the encryption part; second, the encryption part encrypts the information and sends it; third, the address resolution protocol proxy part decrypts and confirms the encrypted information; fourth, the requesting terminal communicates with the destination terminal according to the confirmation information from the address resolution protocol proxy part.
According to a preferred embodiment of the invention: the information in the first step is the address resolution protocol announcement of the requesting terminal and the address query information for the destination terminal.
According to a preferred embodiment of the invention: before the first step is carried out, the correct physical address corresponding to each terminal's IP address is stored in the address resolution protocol proxy part and managed by it.
According to a preferred embodiment of the invention: the address resolution protocol proxy part maintains an address resolution protocol table, which contains the correspondence between each terminal's IP address and physical address.
According to a preferred embodiment of the invention: the second step further comprises the sub-steps: first, the information sent by the requesting terminal is inspected and an address resolution protocol request is identified; next, the encryption part encrypts the address resolution protocol request packet; finally, the encrypted request is broadcast within the network or sent one-way directly to the address resolution protocol proxy part.
According to a preferred embodiment of the invention: the third step further comprises the sub-steps: first, the address resolution protocol proxy part decrypts the encrypted information; next, the proxy part confirms whether the requesting terminal's own address information is already occupied and sends the confirmation one-way to the requesting terminal; finally, the proxy part confirms the requesting terminal's request for the destination terminal's address information and sends the confirmation one-way to the requesting terminal.
According to a preferred embodiment of the invention: the fourth step further comprises the sub-steps: one, the requesting terminal stores the address information of the destination terminal that it receives back from the address resolution protocol proxy part; two, the requesting terminal and the destination terminal carry out one-way communication.
The invention also provides a supervisor encrypting type anti-attack information communication network safety defending system comprising: an address resolution protocol proxy part, a switching device with an encryption function, and communication terminals, wherein each communication terminal is connected to the switching device, the switching device is connected to the address resolution protocol proxy part, and for communication between terminals the address information is stored and managed by the address resolution protocol proxy part.
According to a preferred embodiment of the invention: the address resolution protocol proxy part is a standalone device, or a functional component or software deployed on a related device.
According to a preferred embodiment of the invention: the switching device is a switch or a router.
In the invention, when a terminal joins the network it sends its address resolution protocol announcement broadcast packet one-way only to the encryption part. The encryption part encrypts and re-encapsulates the broadcast into a special broadcast packet that only the address resolution protocol proxy part can decrypt, and sends the new special broadcast packet to all devices on the internal network. Devices on the internal network that receive the encrypted broadcast packet cannot decrypt it, so the requesting terminal can query the address resolution protocol proxy part directly as to whether the IP address is occupied by another device on the internal network, which solves the problem of IP conflicts caused by physical address spoofing in the address resolution protocol. Alternatively, the encrypted address resolution protocol message is not sent to all devices on the internal network but is sent one-way directly to the address resolution protocol proxy part, which decrypts it and checks whether the IP address is occupied by another device on the internal network; this likewise solves the problem of IP conflicts caused by physical address spoofing.
In the invention, the requesting terminal queries the address resolution protocol proxy part directly as to whether the IP address is occupied by another machine on the internal network, which effectively solves IP conflicts caused by physical address spoofing in the address resolution protocol.
In the invention, the address resolution protocol request broadcast packets that terminal devices send when communicating with each other are not delivered to all terminal devices on the internal network; instead, the physical address of the peer terminal device is obtained directly from the address resolution protocol proxy part. This effectively solves the physical address spoofing attack.
The transmission frequency of broadcast data is handled on the switch, which prevents an attacker from sending large numbers of spoofed address resolution request messages and solves the address resolution protocol flooding attack.
The principle of the supervisor encrypting type anti-attack information communication network safety defending method of the invention is simple and its design is reasonable. Applied in practice through the defense system, it solves very well the prior-art problems of physical address spoofing attacks, physical address flooding attacks, and IP conflicts caused by physical address spoofing, and is highly practical.
[Description of the drawings]
Fig. 1 is a flow diagram of the supervisor encrypting type anti-attack information communication network safety defending method of the invention;
Fig. 2 is a structural diagram of the supervisor encrypting type anti-attack information communication network safety defending system of the invention.
[Embodiment]
The invention is further described below with reference to the drawings and embodiments.
Referring to Fig. 1, the flow diagram of the method of the invention: as shown in Fig. 1, the supervisor encrypting type anti-attack information communication network safety defending method comprises the main steps: first, the ARP information of the requesting terminal is sent one-way through switching device 200 to encryption part 204; second, encryption part 204 encrypts the information and sends it; third, address resolution protocol proxy part 201 decrypts and confirms the encrypted information; fourth, the requesting terminal communicates with the destination terminal according to the confirmation information from address resolution protocol proxy part 201.
The information in the first step is the address resolution protocol announcement of the requesting terminal and the address query information for the destination terminal. Before the first step is carried out, the correct physical address corresponding to each terminal's IP address is stored in address resolution protocol proxy part 201 and managed by it. The proxy part maintains an address resolution protocol table, which contains the correspondence between each terminal's IP address and physical address. In this embodiment of the invention, the correct address information of each terminal may be stored in address resolution protocol proxy part 201 by manual configuration.
The second step further comprises the sub-steps: first, the information sent by the requesting terminal is inspected and an address resolution protocol request is identified; next, encryption part 204 encrypts the address resolution protocol request packet; finally, the encrypted request is broadcast within the network or sent one-way directly to address resolution protocol proxy part 201.
The third step further comprises the sub-steps: first, address resolution protocol proxy part 201 decrypts the encrypted information; next, proxy part 201 confirms whether the requesting terminal's own address information is already occupied and sends the confirmation one-way to the requesting terminal; finally, proxy part 201 confirms the requesting terminal's request for the destination terminal's address information and sends the confirmation one-way to the requesting terminal.
The fourth step further comprises the sub-steps: one, the requesting terminal stores the address information of the destination terminal that it receives back from address resolution protocol proxy part 201; two, the requesting terminal and the destination terminal carry out one-way communication.
Referring to Fig. 2, the structural diagram of the system of the invention: as shown in Fig. 2, the supervisor encrypting type anti-attack information communication network safety defending system comprises: address resolution protocol proxy part 201, switching device 200 with an encryption function, and communication terminals, wherein each communication terminal is connected to switching device 200, switching device 200 is connected to address resolution protocol proxy part 201, and for communication between terminals the address information is stored and managed by address resolution protocol proxy part 201.
Address resolution protocol proxy part 201 is a standalone device or a functional component deployed on a related device. Switching device 200 is a switch or a router.
A specific embodiment is given below to explain the supervisor encrypting type anti-attack information communication network safety defense of the invention in detail; refer to Fig. 1 and Fig. 2 while reading. In this embodiment, switching device 200 is a switch.
The first step, the user first writes the correct physical address corresponding to each terminal device's IP address into address resolution protocol proxy part 201 and starts address resolution protocol proxy part 201;
The second step, when each terminal device first joins the network, it sends an address resolution protocol announcement broadcast packet into the network at its connection port on switch 200;
The third step, switch 200 inspects the broadcast data packets entering its ports; when it finds an address resolution protocol request message, it passes the broadcast data to the encryption module; encryption in the invention is performed by the central processing unit;
The fourth step, the central processing unit on switch 200 receives the message, encrypts it, re-encapsulates it as a special broadcast message that is not an address resolution protocol message, and broadcasts it from switch 200;
The fifth step, after the host of address resolution protocol proxy part 201 receives this special broadcast message, it decrypts it, converts it back into a normal address resolution protocol message, and hands it to the address resolution protocol proxy program for confirmation; the address resolution protocol proxy responds to the request;
The sixth step, each terminal device checks, from the response packet of address resolution protocol proxy part 201, whether its own IP address is occupied;
The seventh step, when terminal device A 202 begins to communicate with terminal device B 203, terminal device A 202 first looks up the physical address of terminal device B 203 in its own stored address resolution protocol table [terminal device IP address to physical address mapping table]; if it is found, terminal device A jumps to the fourteenth step and communicates with terminal device B; if it is not found, terminal device A runs the address resolution protocol learning process and goes to the eighth step;
The eighth step, terminal device A 202 sends, one-way to the designated port of switch 200 in the network, an address resolution protocol announcement broadcast packet requesting the physical address corresponding to terminal device B 203;
The ninth step, switch 200 inspects the broadcast data packets entering its ports; when it finds an address resolution protocol request message, it passes the broadcast data to the encryption module;
The tenth step, the central processing unit on switch 200 receives the message, encrypts it, re-encapsulates it as a special broadcast message that is not an address resolution protocol message, and broadcasts it from switch 200;
The eleventh step, after the host of address resolution protocol proxy part 201 receives this special broadcast message, it decrypts it;
The twelfth step, address resolution protocol proxy part 201 uses the requested IP address in the received address resolution protocol request message to find the correct physical address of terminal device B 203 in its physical address table, and sends one-way to terminal device A 202 the address resolution protocol reply message for terminal device B 203;
The thirteenth step, after terminal device A 202 receives this address resolution protocol reply message, it stores the correspondence between the IP address of terminal device B 203 and the physical address of terminal device B 203 in the address resolution protocol table of terminal device A 202, for use the next time it communicates with terminal device B 203;
The fourteenth step, terminal device A 202 carries out one-way communication with terminal device B 203 using the physical address of terminal device B.
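The steps above, simulated end to end as an added Python example (not code from the patent): the switch seals an address resolution protocol request into a non-ARP broadcast, and only the proxy part can open it and answer from its configured table. The patent names no cipher, frame format, key distribution or announcement format, so the HMAC-SHA256 keystream with encrypt-then-MAC (a standard-library stand-in for a vetted AEAD), the EtherType 0x88B5, the pre-shared key pair, the gratuitous form of the announcement (sender IP equal to target IP) and all addresses are assumptions made for this sketch.

```python
import hashlib
import hmac
import os
import socket
import struct

ETH_ARP = 0x0806
ETH_SEALED = 0x88B5          # assumption: IEEE local-experimental EtherType
BROADCAST = b"\xff" * 6
ARP_BODY = "!HHBBH6s4s6s4s"  # htype ptype hlen plen op sha spa tha tpa (28 bytes)
OP_REQUEST, OP_REPLY = 1, 2

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def arp_frame(dst, src, op, sha, spa, tha, tpa):
    """Ethernet frame carrying an IPv4-over-Ethernet ARP message."""
    body = struct.pack(ARP_BODY, 1, 0x0800, 6, 4, op, sha, spa, tha, tpa)
    return dst + src + struct.pack("!H", ETH_ARP) + body

def keystream(key, nonce, length):
    # Stand-in cipher: HMAC-SHA256 in counter mode (the patent names none).
    blocks = [hmac.new(key, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def seal(enc_key, mac_key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    nonce = os.urandom(12)
    ct = bytes(x ^ y for x, y in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(enc_key, mac_key, blob):
    """Return the plaintext, or None if the blob is short or the tag is wrong."""
    if len(blob) < 12 + 32:
        return None
    nonce, ct, tag = blob[:12], blob[12:-32], blob[-32:]
    good = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    return bytes(x ^ y for x, y in zip(ct, keystream(enc_key, nonce, len(ct))))

def switch_ingress(frame, keys):
    """Switch 200 + encryption part 204 (steps 3-4, 9-10): seal ARP requests."""
    if len(frame) < 42 or frame[12:14] != struct.pack("!H", ETH_ARP):
        return None                      # not ARP: outside this sketch
    if struct.unpack("!H", frame[20:22])[0] != OP_REQUEST:
        return None
    sealed = seal(*keys, frame[14:42])
    return BROADCAST + frame[6:12] + struct.pack("!H", ETH_SEALED) + sealed

class ArpProxy:
    """Proxy part 201: answers from the manually configured IP -> MAC table."""

    def __init__(self, keys, own_mac, table):
        self.keys, self.own_mac, self.table = keys, own_mac, table

    def handle(self, frame):
        if frame[12:14] != struct.pack("!H", ETH_SEALED):
            return None
        body = unseal(*self.keys, frame[14:])
        if body is None or len(body) != 28:
            return None                  # forged or corrupted: never answered
        *_, op, sha, spa, _tha, tpa = struct.unpack(ARP_BODY, body)
        owner = self.table.get(tpa)
        if op != OP_REQUEST or owner is None:
            return None
        if spa == tpa and owner == sha:
            return None                  # rightful owner announcing: not occupied
        # Unicast reply carrying the table's MAC for the queried IP (step 12).
        return arp_frame(sha, self.own_mac, OP_REPLY, owner, tpa, sha, spa)

def demo():
    """Constructed run: A resolves B, C claims B's IP, A announces itself."""
    keys = (os.urandom(32), os.urandom(32))   # assumed pre-shared by 200 and 201
    a, b, c, p = (mac("02:00:00:00:00:0" + d) for d in "abcf")
    ip_a, ip_b = socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.20")
    proxy = ArpProxy(keys, p, {ip_a: a, ip_b: b})
    request = arp_frame(BROADCAST, a, OP_REQUEST, a, ip_a, bytes(6), ip_b)
    sealed = switch_ingress(request, keys)
    reply = proxy.handle(sealed)
    tampered = bytearray(sealed)
    tampered[30] ^= 1                          # one flipped ciphertext bit
    claim = arp_frame(BROADCAST, c, OP_REQUEST, c, ip_b, bytes(6), ip_b)
    own = arp_frame(BROADCAST, a, OP_REQUEST, a, ip_a, bytes(6), ip_a)
    return {
        "a": a, "b": b,
        "sealed_type": sealed[12:14],
        "body_visible": request[14:42] in sealed,
        "other_key": unseal(os.urandom(32), os.urandom(32), sealed[14:]),
        "reply_dst": reply[:6], "reply_mac": reply[22:28],
        "tampered": proxy.handle(bytes(tampered)),
        "claim_mac": proxy.handle(switch_ingress(claim, keys))[22:28],
        "own": proxy.handle(switch_ingress(own, keys)),
    }

if __name__ == "__main__":
    print({k: v.hex() if isinstance(v, bytes) else v for k, v in demo().items()})
```

In the run, a terminal without the key recovers nothing from the sealed broadcast, a modified sealed frame gets no answer, and the terminal claiming B's IP address is answered with the MAC already on record for it.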
The terms used in the invention are written in different ways in the industry. For example, the address resolution protocol described in this patent may be written as ARP, and the physical address may be written as MAC address.
The above is a further detailed description of the invention in connection with specific preferred embodiments, and the specific implementation of the invention should not be considered limited to these descriptions. For a person of ordinary skill in the technical field of the invention, simple deductions or substitutions made without departing from the concept of the invention should all be regarded as falling within the protection scope of the invention.

Claims (9)

1. supervisor encrypting type anti-attack information communication network safety defending method, it is characterized in that: described defence method comprises step:
A 0: correct and each terminal IP physical address corresponding are contained in address analysis protocol proxy portion (201), and manage by described address analysis protocol proxy portion (201);
A: unidirectional being sent to of the ARP information of request end added compact part (204) by bridge-set (200);
B: send after to described information encryption by the described compact part (204) that adds;
C: enciphered message is decrypted, confirms by described address analysis protocol proxy portion (201);
D: the described request end carries out one-way communication according to destination physical address and the destination in the unidirectional address resolution protocol back message using that sends to this request end of described address analysis protocol proxy portion (201).
2. according to the described defence method of claim 1, it is characterized in that: information described in the described steps A is the address resolution protocol declaration of described request end and to the address lookup information of described destination.
3. according to the described defence method of claim 1, it is characterized in that: described address analysis protocol proxy portion (201) establishes address analysis protocol table, and described address analysis protocol table comprises the correspondence relationship information of each IP address of terminal and physical address.
4. The defense method according to claim 1, characterized in that step B further comprises the sub-steps of:
B1: the information sent by the requesting terminal is inspected, and the ARP request is confirmed;
B2: the encryption part (204) encrypts the ARP request packet;
B3: the encrypted ARP request is broadcast within the network or sent directly and unidirectionally to the ARP proxy part (201).
5. The defense method according to claim 1, characterized in that step C further comprises the sub-steps of:
C1: the ARP proxy part (201) decrypts the encrypted information;
C2: the ARP proxy part (201) confirms whether the requesting terminal's own address information is already occupied, and sends the confirmation unidirectionally to the requesting terminal;
C3: the ARP proxy part (201) confirms the requesting terminal's request to look up the address information of the destination terminal, and sends the confirmation unidirectionally to the requesting terminal.
6. The defense method according to claim 1, characterized in that step D further comprises the sub-steps of:
D1: after the requesting terminal receives the ARP reply message, it stores the correspondence between the destination terminal's IP address and the destination terminal's physical address in the requesting terminal's ARP table;
D2: the requesting terminal carries out unidirectional communication with the destination terminal.
8. A supervisor encrypting type anti-attack information communication network safety defending system, characterized in that the defense system comprises: an ARP proxy part (201), a switching device (200) with an encryption function, communication terminals, and an encryption part (204),
wherein the correct physical address corresponding to each terminal's IP address is stored in the ARP proxy part (201) and managed by the ARP proxy part (201); each communication terminal is connected to the switching device (200); the switching device (200) is connected to the ARP proxy part (201); the address information that the terminals need in order to communicate with one another is stored and managed by the ARP proxy part (201); the communication terminals comprise a requesting terminal and a destination terminal; the requesting terminal sends ARP information unidirectionally to the encryption part (204) through the switching device (200); the encryption part (204) encrypts the ARP information and sends it to the ARP proxy part (201); the ARP proxy part (201) decrypts and confirms the encrypted information; and the requesting terminal carries out unidirectional communication with the destination terminal according to the destination physical address in the ARP reply message that the ARP proxy part (201) sends unidirectionally to the requesting terminal.
9. The defense system according to claim 8, characterized in that the ARP proxy part (201) is a stand-alone device, or a functional component or software on a related device.
10. The defense system according to claim 8, characterized in that the switching device (200) is a switch or a router.
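
The message flow of steps A0 to D1 in claims 1 to 6, as an added sketch that is not part of the patent text. The patent names no cipher, key arrangement or message layout, so the pre-shared key between the encryption part (204) and the ARP proxy part (201), the HMAC-authenticated SHA-256 keystream (a stand-in, not a production cipher), the `|`-separated fields, the conflict rule used for C2 and all addresses are assumptions constructed for illustration.

```python
import hashlib, hmac, os

def _keys(psk):  # derive separate encryption and MAC keys from the shared secret (assumed)
    return hashlib.sha256(b"enc" + psk).digest(), hashlib.sha256(b"mac" + psk).digest()

def _xor(key, nonce, data):  # SHA-256 counter keystream: stand-in cipher, not for production
    ks = b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def encryption_part(psk, frame):
    """Part (204), steps B1-B3: pick out ARP requests, encrypt them, hand them to the proxy."""
    if frame.get("op") != "arp-request":           # B1: anything else is not handled here
        return None
    ek, mk = _keys(psk)
    nonce = os.urandom(12)
    fields = "|".join((frame["src_ip"], frame["src_mac"], frame["dst_ip"]))
    body = _xor(ek, nonce, fields.encode())        # B2
    return nonce + body + hmac.new(mk, nonce + body, hashlib.sha256).digest()

def arp_proxy(psk, table, blob):
    """Part (201), steps C1-C3: decrypt, check against the managed table, build the reply."""
    ek, mk = _keys(psk)
    nonce, body, tag = blob[:12], blob[12:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + body, hashlib.sha256).digest()):
        return None                                # C1 failed: not produced by part (204)
    src_ip, src_mac, dst_ip = _xor(ek, nonce, body).decode().split("|")
    if table.get(src_ip) != src_mac:               # C2: requester's own binding (assumed rule)
        return {"to": src_mac, "status": "address-conflict"}
    return {"to": src_mac, "status": "ok", "dst_ip": dst_ip, "dst_mac": table.get(dst_ip)}  # C3

def resolve(psk, table, cache, frame):
    """Steps A to D1 end to end; returns the proxy reply and updates the requester's ARP table."""
    blob = encryption_part(psk, frame)
    reply = arp_proxy(psk, table, blob) if blob else None
    if reply and reply["status"] == "ok" and reply["dst_mac"]:
        cache[reply["dst_ip"]] = reply["dst_mac"]  # D1
    return reply

PSK = b"constructed-demo-secret"                   # constructed sample values
TABLE = {"10.0.0.5": "aa:aa:aa:aa:aa:05", "10.0.0.9": "aa:aa:aa:aa:aa:09"}  # step A0
```

Because the terminal only accepts bindings from `resolve`, a message that did not pass through the encryption part, or a request whose sender binding disagrees with the proxy's table, never reaches the terminal's ARP table.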
CN2007101248358A 2007-12-07 2007-12-07 Supervisor encrypting type anti-attack information communication network safety defending method and system Expired - Fee Related CN101197659B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2007101248358A CN101197659B (en) 2007-12-07 2007-12-07 Supervisor encrypting type anti-attack information communication network safety defending method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN2007101248358A CN101197659B (en) 2007-12-07 2007-12-07 Supervisor encrypting type anti-attack information communication network safety defending method and system

Publications (2)

Publication Number Publication Date
CN101197659A CN101197659A (en) 2008-06-11
CN101197659B true CN101197659B (en) 2010-08-04

Family

ID=39547830

Family Applications (1)

Application Number Title Priority Date Filing Date
CN2007101248358A Expired - Fee Related CN101197659B (en) 2007-12-07 2007-12-07 Supervisor encrypting type anti-attack information communication network safety defending method and system

Country Status (1)

Country Link
CN (1) CN101197659B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6513122B1 (en) * 2001-06-29 2003-01-28 Networks Associates Technology, Inc. Secure gateway for analyzing textual content to identify a harmful impact on computer systems with known vulnerabilities
US6606706B1 (en) * 1999-02-08 2003-08-12 Nortel Networks Limited Hierarchical multicast traffic security system in an internetwork
CN1612537A (en) * 2003-10-29 2005-05-04 华为技术有限公司 Method for preventing main computer from being counterfeited in IP ethernet
CN1233135C (en) * 2002-06-22 2005-12-21 华为技术有限公司 Method for preventing IP address deceit in dynamic address distribution
US7120930B2 (en) * 2002-06-13 2006-10-10 Nvidia Corporation Method and apparatus for control of security protocol negotiation

Also Published As

Publication number Publication date
CN101197659A (en) 2008-06-11

Similar Documents

Publication Publication Date Title
CN101682656B (en) Method and apparatus for protecting the routing of data packets
CN100566294C (en) Single broadcast reverse path repeating method
US20080072035A1 (en) Securing multicast data
CN102132532B (en) Method and apparatus for avoiding unwanted data packets
CN101197664B (en) Method, system and device for key management protocol negotiation
Wu et al. A source address validation architecture (sava) testbed and deployment experience
CN105262738A (en) Router and method for preventing ARP attacks thereof
CN108966174A (en) A kind of communication encryption method of unmanned plane and earth station
CN106209883A (en) Based on link selection and the multi-chain circuit transmission method and system of broken restructuring
WO2015174100A1 (en) Packet transfer device, packet transfer system, and packet transfer method
EP2154822A2 (en) Securing multicast data
CN105207778A (en) Method of realizing package identity identification and digital signature on access gateway equipment
Liyanage et al. Securing virtual private LAN service by efficient key management
Jankowski et al. Information hiding using improper frame padding
CN106027491B (en) Separated links formula communication processing method and system based on isolation IP address
He et al. Towards securing duplicate address detection using P4
CN107948124A (en) A kind of arp entry renewal management method, apparatus and system
Khoussainov et al. LAN security: problems and solutions for Ethernet networks
Barriga et al. Securing end-node to gateway communication in lorawan with a lightweight security protocol
CN100512108C (en) Method for identifying physical uniqueness of networked terminal, and access authentication system for terminals
CN101197659B (en) Supervisor encrypting type anti-attack information communication network safety defending method and system
CN101197830A (en) Safety defending method and system of reporting type anti-attack information communication network
Indukuri Layer 2 security for smart grid networks
Ibhaze et al. A review on smart grid network security issues over 6LoWPAN
Bagnulo et al. Secure neighbor discovery (send) source address validation improvement (savi)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20100804

Termination date: 20101207