CN104426839A - Router advertisement attack prevention method, apparatus and device - Google Patents
- Publication number: CN104426839A
- Application number: CN201310364782.2A
- Authority: CN (China)
- Prior art keywords: host, message, attack, attacking, prefix
- Legal status (as listed by Google Patents; an assumption, not a legal conclusion): Withdrawn
Classifications (CPC)
- Section H (Electricity), H04 (Electric communication technique), H04L (Transmission of digital information, e.g. telegraphic communication)
- H04L63/00: Network architectures or network communication protocols for network security
- H04L63/14 and H04L63/1441: Detecting or protecting against malicious traffic; countermeasures against malicious traffic
- H04L63/1466: Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
- H04L63/145: Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
- H04L63/02, H04L63/0227 and H04L63/0236: Separating internal from external traffic, e.g. firewalls; filtering policies; filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L65/00, H04L65/1066 and H04L65/1101: Network arrangements, protocols or services for supporting real-time applications in data packet communication; session management; session protocols
Abstract
The invention discloses a router advertisement (RA) attack prevention method, apparatus and device. The method includes the following steps: determining an RA attack host according to a received RA message; notifying information of the RA attack host to a network management system; and/or forbidding the forwarding to the network side of messages whose source Internet Protocol (IP) address contains a specific prefix and of messages sent by the determined RA attack host, and redirecting those messages to a Portal server prompt page, wherein the specific prefix is the prefix carried by the RA messages sent by the RA attack host; and/or instructing the access device of the RA attack host to forbid the RA attack host from accessing the network; and/or simulating the RA attack host to send new RA messages, wherein the lifetime of the prefix carried by the new RA messages is shorter than the lifetime of the prefix carried by the RA messages sent by the RA attack host. Through this technical scheme, RA attacks by malicious hosts can be effectively prevented.
Description
Technical Field
The present invention relates to communications, and in particular, to a method, an apparatus, and a device for preventing Router Advertisement (RA) attack.
Background
With the rapid popularization of the Internet and the rapid development of data communication technology, the number of Internet Protocol (IP) terminals has grown, the public address space of the current Internet Protocol version 4 (IPv4) has been exhausted, and the popularization of Internet Protocol version 6 (IPv6), which offers a longer address length and a larger address space but still faces many limitations in performance and application-layer support, has become a major issue for operators and users worldwide.
The difficulties limiting the popularization of IPv6 lie mainly in policy support, the difficulty of technology upgrades, limited application support and the like. With the IPv4 address space fully allocated and the large-scale growth of the terminal market increasing demand for IPv6, governments of various countries actively support IPv6 adoption, and large Internet Content Providers (ICPs) and application developers are upgrading existing IPv4-based applications to support IPv6 on a large scale. The cost pressure operators face in upgrading to IPv6 is one of the most important factors blocking its popularization, and which devices should be upgraded first for IPv6 support has become an important research subject for operators.
The access network is the largest and most capital-intensive part of the operator network, so which access-network devices should support IPv6 first is one of the most closely watched questions in operators' IPv6 upgrade plans.
In an access network supporting IPv6, the typical network topology consists of an IPv6 Broadband Network Gateway (BNG), a Layer-2 access device, and IPv6 hosts. Normally, Router Advertisement (RA) messages are sent into the access network by the BNG; an RA message carries information such as the IPv6 prefix and the link Maximum Transmission Unit (MTU), and after receiving the RA an IPv6 host generates an IPv6 address and points its default route at the BNG, the device that sent the RA, so that IPv6 network communication can proceed. If a malicious IPv6 host actively sends RA messages, either RA messages it sends by multicast or unicast RA messages it actively returns after receiving Router Solicitation (RS) messages from other hosts in the same broadcast domain, the IPv6 hosts point their default routes at the malicious host, so the users' traffic can be intercepted and network security is compromised; the hosts may also obtain invalid addresses and be unable to connect to the network; and a malicious host sending large numbers of RA messages to attack the network can easily paralyze it.
To address these problems, the solution generally adopted at present is to upgrade the Layer-2 access device to support so-called secure RA technology, that is, the user-side ports of the Layer-2 access device are configured by command to refuse malicious RA messages, which prevents the forwarding of malicious RAs to a certain extent and keeps the network operating normally. However, this requires upgrading the Layer-2 access device to a Layer-3 network device that supports IPv6 message processing, and hence software upgrades or even hardware replacement; upgrading or replacing access devices at scale inevitably increases the operator's upgrade cost and hampers the popularization of IPv6. In addition, manually configuring the secure RA function on the Layer-2 devices also requires a large investment in operation and maintenance cost, which further increases the cost to the operator of the IPv6 upgrade.
In summary, the related art offers no solution for effectively preventing RA attacks by malicious hosts at low cost.
Disclosure of Invention
In view of this, embodiments of the present invention provide a method, an apparatus, and a device for preventing RA attacks, so as to at least solve the problem that the related art cannot effectively prevent RA attacks of a malicious host.
In order to achieve the above purpose, the technical solution of the embodiment of the present invention is realized as follows:
the embodiment of the invention provides a method for preventing RA attack, which comprises the following steps:
determining an RA attack host according to the received RA message;
notifying a Network Management System (NMS) of information of the RA attack host; and/or
forbidding messages whose source IP address contains a specific prefix and messages sent by the RA attack host from being forwarded to the network side, and redirecting the messages containing the specific prefix and the messages sent by the RA attack host to a Portal server, wherein the specific prefix is the prefix carried by the RA message sent by the RA attack host; and/or
instructing the access device of the RA attack host to forbid the RA attack host from accessing the network; and/or
simulating the RA attack host to send a new RA message, wherein the lifetime of the prefix carried by the new RA message is shorter than that of the prefix carried by the RA message sent by the RA attack host.
Preferably, the determining the RA attack host according to the received RA message includes:
sending an RS message through a user-side port to the hosts of the Virtual Local Area Network (VLAN) corresponding to that user-side port, and determining a host that returns an RA message to the user-side port in response to the RS message as a host performing an RA attack; or,
determining a host that actively sends a multicast RA message to the user-side port as a host performing an RA attack.
Preferably, the transmitted RS message carries the same source MAC address and/or source MAC address prefix as the RS message transmitted last time, or carries a different source MAC address and/or source MAC address prefix.
Preferably, the information of the RA attacking host comprises at least one of the following information: the MAC address of the RA attack host, the position information of the RA attack host and a prefix carried by an RA message sent by the RA attack host.
Preferably, the information of the RA attacking host comprises at least one of the following information: the user side port and VLAN information of the RA attack host, the access device of the RA attack host and the user side port information of the RA attack host.
Preferably, before notifying the NMS of the access device of the RA attack host and its user-side port information, the method further comprises:
determining the access device and user-side port information of the RA attack host according to DHCPv4 Option 82 when the RA attack host acquired its IP address through Dynamic Host Configuration Protocol version 4 (DHCPv4) before sending the RA message, or according to DHCPv6 Option 18 when it acquired the IP address through Dynamic Host Configuration Protocol version 6 (DHCPv6), or according to the PPPoE Circuit ID (Point-to-Point Protocol over Ethernet Circuit ID) when it acquired the IP address through the Point-to-Point Protocol (PPP).
Preferably, after redirecting the messages to the Portal server, the method further comprises: informing the hosts whose source IP address contains the specific prefix that they have been subjected to an RA attack and of a corresponding processing policy, and informing the RA attack host of its RA attack behavior and of a corresponding processing policy.
Preferably, the corresponding processing policy advertised to the host sending the source IP address containing a specific prefix includes at least one of the following policies: prompting to set a shielding function, releasing a configured IP address, restarting a host and dialing a service hotline;
the corresponding processing policy advertised to the RA attack host includes at least one of the following policies: prompting to close the attack process, checking and killing trojans or viruses, and dialing a service hotline.
Preferably, the instructing the access device of the RA attacking host to prohibit the RA attacking host from accessing the network includes:
instructing the access device of the RA attack host, through Access Node Control Protocol (ANCP) signaling or General Switch Management Protocol (GSMP) signaling, to forbid the RA attack host from accessing the network.
The embodiment of the invention also provides an apparatus for preventing router advertisement (RA) attacks, which comprises:
the determining unit is used for determining the RA attack host according to the received RA message;
the device further comprises: a first processing unit, and/or a second processing unit, and/or a third processing unit, and/or a fourth processing unit; wherein,
the first processing unit is used for notifying the information of the RA attack host to a network management system NMS;
the second processing unit is configured to prohibit messages whose source IP address contains a specific prefix and messages sent by the determined RA attack host from being forwarded to the network side, and to redirect the messages containing the specific prefix and the messages sent by the RA attack host to a Portal server, wherein the specific prefix is the prefix carried by the RA message sent by the RA attack host;
the third processing unit is configured to instruct the access device of the RA attack host to prohibit the RA attack host from accessing the network;
the fourth processing unit is configured to simulate the RA attack host to send a new RA message, wherein the lifetime of the prefix carried by the new RA message is shorter than that of the prefix carried by the RA message sent by the RA attack host.
Preferably, the determining unit is further configured to send an RS message to a host of a VLAN corresponding to the user-side port through the user-side port, and determine a host that returns an RA message to the user-side port for the RS message as a host that performs an RA attack; or,
and determining the host which actively sends the multicast RA message to the user-side port as the host which performs RA attack.
Preferably, the determining unit sends an RS message to the host of the VLAN corresponding to the user-side port, where the RS message carries a source MAC address and/or a source MAC address prefix that is the same as the RS message sent last time, or carries a different source MAC address and/or a different source MAC address prefix.
Preferably, the first processing unit is further configured to notify the NMS of at least one of the following information: the MAC address of the RA attack host, the position information of the RA attack host and a prefix carried by an RA message sent by the RA attack host.
Preferably, the first processing unit is further configured to notify the NMS of at least one of the following information: the user side port and VLAN information of the RA attack host, the access device of the RA attack host and the user side port information of the RA attack host.
Preferably, the first processing unit is further configured to determine the access device and the user-side port information thereof according to the DHCPv4 Option82 or the DHCPv6 Option18 when the RA attacking host acquires an IP address through the DHCPv4 before sending an RA message, or determine the access device and the user-side port information thereof according to the PPPoE Circuit ID when the RA attacking host acquires an IP address through a PPP method before sending an RA message.
Preferably, the second processing unit is further configured to, after redirecting the messages to the Portal server, notify the hosts whose source IP address contains the specific prefix that they have been subjected to an RA attack and of a corresponding processing policy, and notify the RA attack host of its RA attack behavior and of a corresponding processing policy.
Preferably, the second processing unit advertises, to a host whose source IP address contains a specific prefix, a corresponding processing policy including at least one of:
prompting to set a shielding function, releasing a configured IP address, restarting a host and dialing a service hotline;
the second processing unit advertises to the RA attacking host a corresponding processing policy comprising at least one of:
prompting to close the attack process, checking and killing Trojans or viruses, and dialing a service hotline.
Preferably, the third processing unit is further configured to instruct, through ANCP signaling or GSMP signaling, the access device of the RA attacking host to prohibit the RA attacking host from accessing the network.
The embodiment of the present invention further provides a BNG, wherein the BNG comprises the above RA attack prevention device.
In the technical scheme of the embodiment of the invention, once the host sending the RA message, namely the RA attack host, is determined, information of the RA attack host, including its access device and user-side port information, is notified to the NMS, so that the NMS can conveniently and accurately locate the RA attack host;
messages whose source IP address contains a specific prefix and messages sent by the determined RA attack host are forbidden from being forwarded to the network side and are redirected to a Portal server, the specific prefix being the prefix carried by the RA message sent by the RA attack host, so that both the RA attack host and the hosts subjected to the RA attack can take the corresponding action in time: the host initiating the RA attack stops the attack promptly, and the attacked hosts are protected from being attacked again;
the access device of the RA attack host is instructed to forbid the RA attack host from accessing the network, which avoids the network paralysis and the threat to the security of other hosts that result from the RA attack host frequently sending RA messages;
and the RA attack host is simulated to send a new RA message whose prefix lifetime is shorter than that of the prefix carried by the RA message sent by the RA attack host, which avoids the leakage of information from the attacked hosts that would result from their configuring addresses with the prefix carried by the RA attack host's RA message.
Drawings
Fig. 1a is a schematic diagram illustrating an implementation flow of the RA attack prevention method according to the embodiment of the present invention;
Fig. 1b is a schematic diagram illustrating an implementation flow of another RA attack prevention method according to an embodiment of the present invention;
Fig. 1c is a schematic diagram of a flow chart of another RA attack prevention method according to an embodiment of the present invention;
Fig. 1d is a schematic diagram illustrating an implementation flow of another RA attack prevention method according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a structure of an RA attack prevention apparatus according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the BNG structure according to the embodiment of the invention;
Fig. 4a is a first schematic diagram of a networking topology for RA attack prevention according to an embodiment of the present invention;
Fig. 4b is a first schematic diagram illustrating an implementation flow of RA attack prevention according to an embodiment of the present invention;
Fig. 5a is a schematic diagram of a networking topology for RA attack prevention according to an embodiment of the present invention;
Fig. 5b is a schematic diagram of an implementation flow of RA attack prevention according to the embodiment of the present invention;
Fig. 6a is a schematic diagram of a networking topology for RA attack prevention according to an embodiment of the present invention;
Fig. 6b is a schematic diagram illustrating a third implementation flow of RA attack prevention according to an embodiment of the present invention;
Fig. 7a is a schematic diagram of a networking topology for RA attack prevention according to an embodiment of the present invention;
Fig. 7b is a schematic diagram of an implementation flow of RA attack prevention according to the embodiment of the present invention.
Detailed Description
The present invention is further described in detail below with reference to the accompanying drawings and specific embodiments, and it should be noted that features of the embodiments and examples of the present invention may be combined with each other without conflict.
An embodiment of the present invention describes a method for preventing RA attack, and fig. 1a is a schematic diagram of an implementation flow of the method for preventing RA attack in the embodiment of the present invention, as shown in fig. 1a, including:
Step 101: determining the RA attack host according to the received RA message.
When determining the RA attack host according to the received RA message, an RS message is sent through the user-side port to the hosts of the VLAN corresponding to that port, and a host that returns an RA message to the user-side port in response to the RS message is determined as a host performing an RA attack; or a host that actively sends a multicast RA message to the user-side port is determined as a host performing an RA attack.
In a preferred embodiment of step 101, the RS message sent through the user-side port to the hosts of the corresponding VLAN may carry a source MAC address and/or source MAC address prefix different from the previously sent RS message, so that it appears to come from a different host and lures a potential RA attack host into replying. Of course, the same source MAC address and/or source MAC address prefix as the previously sent RS message may also be carried.
Step 102a: notifying the NMS of the information of the RA attack host.
The information of the RA attack host notified to the NMS comprises at least one of: the MAC address of the RA attack host, the location information of the RA attack host, and the prefix carried by the RA message sent by the RA attack host; the information of the RA attack host further comprises at least one of: the user-side port and VLAN information of the RA attack host, and the access device and user-side port information of the RA attack host. The access device and its user-side port information can be determined according to DHCPv4 Option 82 or DHCPv6 Option 18 when the RA attack host acquired its IP address through DHCPv4 or DHCPv6 respectively before sending the RA message, or according to the PPPoE Circuit ID when it acquired the IP address through PPP before sending the RA message.
The embodiment of the present invention further describes an RA attack prevention method, and fig. 1b is a schematic diagram of an implementation flow of another RA attack prevention method according to the embodiment of the present invention, as shown in fig. 1b, including:
Step 101: determining the RA attack host according to the received RA message.
The processing of step 101 is the same as described above and is not described again.
Step 102b: forbidding messages whose source IP address contains a specific prefix and the messages sent by the determined RA attack host from being forwarded to the network side, and redirecting them to a Portal server, wherein the specific prefix is the prefix carried by the RA message sent by the RA attack host.
After receiving the RA message sent by the RA attack host, the hosts in the same VLAN as the RA attack host generate IP addresses from the prefix carried by that RA message, so the source IP addresses of the messages these hosts send contain the prefix carried by the RA message sent by the RA attack host. Therefore, in a preferred embodiment of step 102b, messages whose source IP address contains the prefix carried by the RA attack host's RA message (i.e., messages sent by the hosts subjected to the RA attack) are intercepted, the intercepted messages are prohibited from being forwarded to the network side and are redirected to a Portal server page, and through the Portal server page the attacked hosts are informed of the RA attack and of a corresponding processing policy, the policy comprising at least one of: prompting to set a shielding function (for example, shielding messages from the attack host), releasing the configured IP address, restarting the host, and dialing a service hotline;
messages sent by the attack host are intercepted according to the source MAC address of the RA message it sent, the intercepted messages are prohibited from being forwarded to the network side and are redirected to a Portal server page, and through the Portal server page the RA attack host is notified of its RA attack behavior and of a corresponding processing policy, the policy comprising at least one of: prompting to close the attack process, checking and killing Trojans or viruses, and dialing a service hotline.
The embodiment of the present invention further describes an RA attack prevention method, and fig. 1c is a schematic diagram of an implementation flow of another RA attack prevention method according to the embodiment of the present invention, as shown in fig. 1c, including:
Step 101: determining the RA attack host according to the received RA message.
The processing of step 101 is the same as described above and is not described again.
Step 102c: instructing the access device of the RA attack host to forbid the RA attack host from accessing the network.
In a preferred embodiment of step 102c, the access device of the RA attack host is instructed by ANCP signaling or GSMP signaling to shut down the port facing the RA attack host, or to put the MAC address of the attack host on a blacklist at the port facing the RA attack host, that is, the access device discards packets to or from the RA attack host at that port.
The embodiment of the present invention further describes an RA attack prevention method, and fig. 1d is a schematic diagram of an implementation flow of another RA attack prevention method according to the embodiment of the present invention, as shown in fig. 1d, including:
Step 101: determining the RA attack host according to the received RA message.
The processing of step 101 is the same as described above and is not described again.
Step 102d: simulating the RA attack host to send a new RA message, wherein the lifetime of the prefix carried by the new RA message is shorter than that of the prefix carried by the RA message sent by the RA attack host.
In a preferred embodiment of step 102d, simulating the RA attack host to send a new RA message means sending an RA message whose source MAC address matches the MAC address of the RA attack host and whose lifetime parameter is smaller than the lifetime parameter of the RA message sent by the RA attack host, so that the prefix of the IP addresses configured by the other hosts in the VLAN (that is, the prefix carried by the RA message sent by the RA attack host) is quickly invalidated on those hosts, thereby preventing the RA attack.
It should be noted that in the above embodiments, step 101 may be combined with any one or more of step 102a, step 102b, step 102c and step 102d, and the order of execution of those steps may be changed arbitrarily. Taking as an example the sequential execution of step 102a, step 102b, step 102c and step 102d after step 101: when an RA attack host is determined, first, the NMS is notified of the information of the RA attack host; secondly, messages whose source IP address contains the specific prefix and messages sent by the RA attack host are forbidden from being forwarded to the network side and are redirected to a Portal server, the specific prefix being the prefix carried by the RA message sent by the RA attack host; thirdly, the access device of the RA attack host is instructed to forbid the RA attack host from accessing the network; and fourthly, the RA attack host is simulated to send a new RA message whose prefix lifetime is shorter than that of the prefix carried by the RA message sent by the RA attack host. In this way, one or more of step 102a, step 102b, step 102c and step 102d can effectively prevent an RA attack on the hosts.
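As an added illustration of steps 101 and 102a to 102d (this is example code written for this page, not code from the patent, which describes no implementation), the following Python models the BNG-side logic on one user-side port: parsing an RA that arrives from the subscriber side, recording its sender as the RA attack host, producing the NMS record of step 102a, deciding per packet between forwarding and Portal redirection as in step 102b, and building the shorter-lifetime counter-RA of step 102d. The packet layouts follow RFC 4861; the class and function names, the port and VLAN labels, the subscriber binding table, the MAC addresses and the rogue prefix are constructed assumptions for this example.

```python
import ipaddress
import struct
from dataclasses import dataclass

ICMPV6_RA = 134       # ICMPv6 Router Advertisement type (RFC 4861 section 4.2)
OPT_PREFIX_INFO = 3   # Prefix Information option type (RFC 4861 section 4.6.2)


@dataclass
class RouterAdvertisement:
    src_mac: str
    src_ip: str
    router_lifetime: int
    prefix: ipaddress.IPv6Network
    valid_lifetime: int
    preferred_lifetime: int


def parse_ra(src_mac, src_ip, icmpv6):
    """RA with its first Prefix Information option, or None if the ICMPv6 payload
    is not an RA or carries no well-formed prefix option."""
    if len(icmpv6) < 16 or icmpv6[0] != ICMPV6_RA:
        return None
    router_lifetime = struct.unpack_from("!H", icmpv6, 6)[0]
    off = 16                                    # options follow the 16-byte RA header
    while off + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1]
        if opt_len == 0:                        # zero-length option: packet is invalid
            return None
        size = opt_len * 8
        if opt_type == OPT_PREFIX_INFO and size == 32 and off + size <= len(icmpv6):
            plen = icmpv6[off + 2]
            if plen > 128:                      # malformed prefix length
                return None
            valid, preferred = struct.unpack_from("!II", icmpv6, off + 4)
            prefix = ipaddress.IPv6Network((icmpv6[off + 16:off + 32], plen), strict=False)
            return RouterAdvertisement(src_mac, src_ip, router_lifetime, prefix, valid, preferred)
        off += size
    return None


def build_ra(prefix, router_lifetime, valid, preferred):
    """RA with one Prefix Information option (L and A flags set). Checksum is
    left 0: the sending stack computes it over the IPv6 pseudo-header."""
    header = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, router_lifetime, 0, 0)
    option = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, prefix.prefixlen, 0xC0,
                         valid, preferred, 0)
    return header + option + prefix.network_address.packed


class BngRaGuard:
    """State for one user-side port. Legitimate RAs flow from the BNG towards the
    hosts, so any RA arriving on the user side (multicast, or unicast in reply to
    the BNG's probe RS of step 101) identifies its sender as the RA attack host."""

    def __init__(self, port, vlan, bindings):
        self.port, self.vlan = port, vlan
        self.bindings = bindings    # MAC -> (access device, access port), learned from
        self.attackers = {}         # DHCP Option 82/18 or the PPPoE Circuit ID

    def on_user_side_icmpv6(self, src_mac, src_ip, icmpv6):
        """Step 101: True when this frame marks src_mac as an RA attack host."""
        ra = parse_ra(src_mac, src_ip, icmpv6)
        if ra is None:
            return False
        self.attackers[src_mac] = ra
        return True

    def nms_report(self, src_mac):
        """Step 102a: the fields the patent lists for the NMS notification."""
        ra = self.attackers[src_mac]
        device, access_port = self.bindings.get(src_mac, ("unknown", "unknown"))
        return {"mac": src_mac, "user_port": self.port, "vlan": self.vlan,
                "prefix": str(ra.prefix), "access_device": device, "access_port": access_port}

    def classify(self, src_mac, src_ip):
        """Step 102b: attacker traffic, and traffic from any address configured out
        of the rogue prefix, is not forwarded but redirected to the Portal server."""
        if src_mac in self.attackers:
            return "redirect-portal:attacker"
        addr = ipaddress.IPv6Address(src_ip)
        if any(addr in ra.prefix for ra in self.attackers.values()):
            return "redirect-portal:victim"
        return "forward"

    def counter_ra(self, src_mac):
        """Step 102d: RA to be sent with the attacker's MAC and link-local source,
        same prefix, all lifetimes zero (shorter than the attacker's). Router
        lifetime 0 withdraws the rogue default route and preferred lifetime 0
        deprecates the rogue addresses at once; hosts clamp an unauthenticated
        valid lifetime below two hours to two hours (RFC 4862 section 5.5.3 e)."""
        ra = self.attackers[src_mac]
        return ra.src_mac, ra.src_ip, build_ra(ra.prefix, 0, 0, 0)


# Constructed sample: rogue RA from a subscriber host on user-side port ge-1/0/3, VLAN 100.
ATTACKER_MAC, ATTACKER_LL = "02:00:5e:00:00:aa", "fe80::aa"
ROGUE_PREFIX = ipaddress.IPv6Network("2001:db8:bad::/64")
ROGUE_RA = build_ra(ROGUE_PREFIX, router_lifetime=1800, valid=2592000, preferred=604800)
BINDINGS = {ATTACKER_MAC: ("olt-7", "1/2/15")}     # constructed Option 82 style binding
```

To exercise it, create `BngRaGuard("ge-1/0/3", 100, BINDINGS)`, feed `ROGUE_RA` through `on_user_side_icmpv6`, and then call `nms_report`, `classify` and `counter_ra`. Not modelled here are the probe RS of step 101 (an ICMPv6 type 133 message the BNG emits with a rotating source MAC) and the ANCP or GSMP port shutdown of step 102c, which is a signaling call to the access device rather than packet logic; the counter-RA is returned as bytes rather than sent, and a real deployment sends it on the attacker's VLAN with the attacker's link-local address as IPv6 source so that the default-router entry keyed on that address is withdrawn.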
The embodiment of the present invention further describes an RA attack prevention device, and fig. 2 is a schematic view of a composition structure of the RA attack prevention device according to the embodiment of the present invention, and as shown in fig. 2, the RA attack prevention device includes:
a determining unit 21, configured to determine an RA attack host according to the received RA message;
the device further comprises: a first processing unit 22, and/or a second processing unit 23, and/or a third processing unit 24, and/or a fourth processing unit 25; wherein,
the first processing unit 22 is configured to notify the NMS of information of the RA attack host;
the second processing unit 23 is configured to prohibit messages whose source IP address contains a specific prefix and messages sent by the RA attack host from being forwarded to the network side, and to redirect the messages containing the specific prefix and the messages sent by the RA attack host to a Portal server, where the specific prefix is the prefix carried by the RA message sent by the RA attack host;
the third processing unit 24 is configured to instruct the access device of the RA attack host to prohibit the RA attack host from accessing the network;
the fourth processing unit 25 is configured to simulate the RA attack host to send a new RA message, where the lifetime of the prefix carried in the new RA message is shorter than the lifetime of the prefix carried in the RA message sent by the RA attack host.
The determining unit 21 is further configured to send an RS message to a host of a VLAN corresponding to the user-side port through the user-side port, and determine a host that returns an RA message to the user-side port for the RS message as a host that performs an RA attack; or, the host which actively sends the multicast RA message to the user-side port is determined as the host which carries out RA attack.
The RS message sent by the determining unit 21 to the host of the VLAN corresponding to the user-side port through the user-side port carries the same source MAC address and/or source MAC address prefix as the last-sent RS message, or carries a different source MAC address and/or source MAC address prefix.
Wherein the first processing unit 22 is further configured to notify the NMS of at least one of the following information: the media access control MAC address of the RA attack host, the position information of the RA attack host and the prefix carried by the RA message sent by the RA attack host.
Wherein the first processing unit 22 is further configured to notify the NMS of at least one of the following information: the user side port and VLAN information of the RA attack host, the access device of the RA attack host and the user side port information of the RA attack host.
The first processing unit 22 is further configured to determine the access device and its user-side port information according to DHCPv4 Option82 or DHCPv6 Option18 when the RA attacking host acquired its IP address through DHCP before sending the RA message, or according to the PPPoE Circuit ID when the RA attacking host acquired its IP address through PPP before sending the RA message.
The second processing unit 23 is further configured to, after redirecting the messages to the Portal server, notify each host whose source IP address contains the specific prefix that it is subject to an RA attack, together with a corresponding processing policy, and notify the RA attack host of its attack behavior, together with a corresponding processing policy; the processing policy advertised to a host whose source IP address contains the specific prefix includes at least one of: prompting to set a shielding function, releasing the configured IP address, restarting the host, and dialing a service hotline; the processing policy advertised to the RA attacking host includes at least one of: prompting to close the attack process, checking for and killing Trojans or viruses, and dialing a service hotline.
The third processing unit 24 is further configured to instruct, through ANCP signaling or General Switch Management Protocol (GSMP) signaling, the access device of the RA attacking host to prohibit the RA attacking host from accessing the network.
Fig. 3 is a schematic structural diagram of a BNG according to an embodiment of the present invention, and as shown in fig. 3, the BNG includes an RA attack prevention device, and the RA attack prevention device includes: a determination unit 21; the RA attack prevention apparatus further comprises: a first processing unit 22, and/or a second processing unit 23, and/or a third processing unit 24, and/or a fourth processing unit 25; the functions of the units are the same as described above.
In the following, the embodiment of the present invention is described by taking as an example a case where a BNG actively detects an RA attack and sends an alarm to a network management system. Fig. 4a is a schematic diagram of a network topology for preventing RA attack according to the embodiment of the present invention; as shown in fig. 4a, a User Equipment (UE) 1, a UE2 and a UE3 access a BNG1 through an access node (AN) 1, the BNG1 provides a user-side port A for the access of the AN1 device, and the BNG1 maintains a link connection with an NMS.
Fig. 4b is a first schematic flow chart illustrating an implementation process of RA attack prevention according to an embodiment of the present invention, where based on the network topology shown in fig. 4a, the processing steps of RA attack prevention are shown in fig. 4b and include:
Step 401: the BNG1 actively transmits RS messages with source MAC address MAC1 to VLAN1 through port A.
Step 402: the AN1 forwards the received RS message to UE1, UE2, UE3 within VLAN 1.
Step 403 to step 404: the UE1 sends an RA message with destination MAC address MAC1 to the BNG1 through the AN1.
The UE1 sending the RA message is a malicious UE that performs an RA attack.
The AN1 forwards the RA message to the BNG1 according to the mapping between MAC addresses and ports that it maintains.
Step 405: the BNG1 sends the MAC address MAC2 of the UE1 carried in the received RA message and the Prefix1 carried in the RA message to the NMS.
Through the processing of step 405, the BNG informs the NMS that the UE1 having MAC address MAC2 is performing an RA attack, and that the prefix carried by the RA message sent by the UE1 is Prefix1.
In a further preferred embodiment of the present invention, based on the above preferred embodiment, the method further includes:
step 406: the BNG1 acquires the access equipment information of the UE1 and the access equipment user side port information and sends the access equipment user side port information to the NMS.
The NMS may accurately and quickly locate the UE1 location based on the received access device information, access device user side port information.
When the UE1 acquired its IP address through DHCP before sending the RA message, the BNG1 looks up, by the MAC address of the UE1, the DHCPv4 Option82 or DHCPv6 Option18 information recorded when the UE1 acquired the IP address; when the UE1 acquired its IP address through PPP before sending the RA message, the BNG1 looks up, by the MAC address of the UE1, the PPPoE Circuit ID information recorded when the UE1 acquired the IP address;
the access device information and the access device user-side port information of the UE1 are then extracted from the DHCPv4 Option82, DHCPv6 Option18 or PPPoE Circuit ID information.
After step 406, the steps 401 to 406 are repeatedly executed, in which the BNG1 uses a different MAC address for the RS message sent to the VLAN1 in step 401 from that used in the previous RS message sending, so as to masquerade as a different UE to send the RS message to a potentially malicious UE in the VLAN1, and determine the UE sending the corresponding RA message as a malicious UE performing an RA attack.
In this embodiment, when there is a UE performing an RA attack in VLAN1, the BNG1 can determine, according to the received RA message, the MAC address of the malicious UE and the prefix (Prefix2) carried by the RA message sent by the malicious UE, and notify the NMS of the MAC address and the Prefix2 in time; moreover, the access device information of the malicious UE and the user-side port information of that access device can be obtained in time and reported to the NMS, so that the NMS can conveniently and accurately locate the malicious UE.
Fig. 5a is a schematic diagram of a network topology for preventing RA attack according to an embodiment of the present invention; as shown in fig. 5a, UE4, UE5 and UE6 access BNG2 through AN2, and BNG2 maintains link connections with an NMS and a Portal server.
Fig. 5b is a schematic diagram illustrating a flow of implementing RA attack prevention according to an embodiment of the present invention, where based on the network topology shown in fig. 5a, the processing steps of RA attack prevention are shown in fig. 5b, and include:
Step 501: the UE5 actively sends a multicast RA message.
The source MAC address of the multicast RA message is the network card address MAC5 of the UE5, the Prefix carried by the RA message is Prefix2, and the UE5 that actively sends the multicast RA message is a malicious UE that performs RA attack.
Step 502: the AN2 forwards the multicast RA message sent by the UE5 within VLAN2.
UE4, UE6 and BNG2 in VLAN2 all receive the RA message.
Step 503: upon receiving the RA message, BNG2 generates a forced redirection policy.
In step 503, the BNG2 records the Prefix2 carried by the RA message and the source MAC address MAC5 of the RA message, and generates a redirection policy according to the recorded Prefix2 and MAC5, where the redirection policy is: redirect the messages of any UE whose IPv6 address was configured according to Prefix2 to a Portal server prompt page, and redirect the messages of any UE whose source MAC address is MAC5 to the Portal server prompt page.
Step 504: the UE4 and UE6 have configured the local IPv6 address according to Prefix2 in the RA message.
Step 505 to step 506: the UE5 sends a HyperText Transfer Protocol (HTTP) message to the BNG2 through the AN2.
The source MAC address of the packet is MAC5, and the packet is forwarded by the AN to BNG 2.
Step 507 to step 508: the BNG2 redirects the message of the UE5 to a Portal server prompt page, which informs the UE5 of its ongoing attack behavior.
In step 508, the Portal server presents the UE5 with information on the ongoing attack, which is forwarded to the UE5 via the BNG2 and the AN2.
After the BNG2 receives the message of the UE5, according to the redirection policy generated in step 503, the message of the UE5 is redirected to a Portal server prompt page to prompt the UE5 to perform an RA attack and a corresponding processing policy, where the processing method includes, but is not limited to: prompting to close the attack process, checking and killing trojans or viruses and dialing a service hotline for processing.
Step 509 to step 510: the UE6 sends an HTTP message to the BNG2 through the AN2;
the source IP address of the packet contains the Prefix2, and the packet is forwarded to the BNG2 by the AN 2.
Step 511 to step 512: the BNG2 redirects the message of the UE6 to a Portal server prompt page, which informs the UE6 that an RA attack by the UE5 is in progress.
In step 512, the Portal server presents the information on the ongoing attack, which is forwarded to the UE6 via the BNG2 and the AN2.
After the BNG2 receives the message of the UE6, the message of the UE6 is redirected to a Portal server prompt page according to the redirection policy generated in step 503, so that the UE6 is informed that it is subject to gateway spoofing by the UE5; corresponding processing policies may also be advertised, including at least one of the following: prompting to set a shielding function (e.g., shielding RA messages from the UE5), releasing the IPv6 address configured by the UE6, restarting the UE6, dialing a service hotline, etc.
The processing of the UE4 when sending the HTTP message to the BNG2 through the AN is the same as the processing of the steps 507 to 512, and is not described again.
In the embodiment, the message of the malicious UE in the VLAN2 can be redirected to a Portal server page, and the ongoing RA attack information and the corresponding processing strategy are prompted; moreover, when the VLAN2 has a UE configured with an invalid IPv6 address according to an RA message sent by a malicious UE, the BNG2 can redirect a message sent by the UE configured with the invalid IPv6 address to a Portal server page, and prompt corresponding RA attack information and a corresponding processing policy.
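The detection rule of fig. 4 (a host that answers the BNG's probe RS, sent with a varying source MAC, or that sends an unsolicited multicast RA on a user-side port) and the redirection policy of fig. 5, modelled in Python as an added example that is not part of the patent. The RA layout follows RFC 4861; the probe RS is represented only by the source MAC it used, and all MACs, prefixes and the Option82 location string are constructed.

```python
import ipaddress
import struct
from dataclasses import dataclass

ICMPV6_RA = 134                        # ICMPv6 type of a Router Advertisement (RFC 4861 4.2)
OPT_PREFIX_INFO = 3                    # Prefix Information option (RFC 4861 4.6.2)
ALL_NODES_MAC = "33:33:00:00:00:01"    # Ethernet mapping of ff02::1, i.e. a multicast RA


@dataclass
class RouterAdvert:
    src_mac: str
    dst_mac: str
    router_lifetime: int
    prefixes: list                     # (IPv6Network, valid lifetime, preferred lifetime)


def parse_ra(src_mac: str, dst_mac: str, icmp: bytes) -> RouterAdvert:
    """Decode the ICMPv6 body of an RA and every Prefix Information option it carries."""
    if len(icmp) < 16 or icmp[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    router_lifetime = struct.unpack("!H", icmp[6:8])[0]
    prefixes, pos = [], 16
    while pos + 2 <= len(icmp):
        otype, olen = icmp[pos], icmp[pos + 1] * 8       # option length is in 8-octet units
        if olen == 0 or pos + olen > len(icmp):
            raise ValueError("malformed ND option")       # RFC 4861 4.6: length 0 is invalid
        if otype == OPT_PREFIX_INFO and olen == 32:
            plen = icmp[pos + 2]
            valid, preferred = struct.unpack("!II", icmp[pos + 4:pos + 12])
            net = ipaddress.IPv6Network((icmp[pos + 16:pos + 32], plen), strict=False)
            prefixes.append((net, valid, preferred))
        pos += olen
    return RouterAdvert(src_mac, dst_mac, router_lifetime, prefixes)


def build_ra(prefix: str, valid: int, preferred: int) -> bytes:
    """Constructed test input only: an RA body with one Prefix Information option (L=1, A=1)."""
    net = ipaddress.IPv6Network(prefix)
    hdr = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0, 64, 0, 1800, 0, 0)
    opt = struct.pack("!BBBBIII16s", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                      valid, preferred, 0, net.network_address.packed)
    return hdr + opt


class BngPort:
    """Detection state of one user-side port/VLAN on the BNG (port A / VLAN1 in fig. 4a)."""

    def __init__(self, port: str, vlan: int):
        self.port, self.vlan = port, vlan
        self.probe_macs = set()        # source MACs the BNG has used for its own probe RS messages
        self.attackers = {}            # attacker source MAC -> the RA it sent

    def next_probe_mac(self, round_no: int) -> str:
        """A fresh (constructed, locally administered) source MAC for the next probe RS."""
        mac = "02:00:00:00:00:%02x" % round_no
        self.probe_macs.add(mac)
        return mac

    def on_ra(self, ra: RouterAdvert) -> bool:
        """An RA on a user-side port is an attack if it answers our probe or is unsolicited multicast."""
        if ra.dst_mac in self.probe_macs or ra.dst_mac == ALL_NODES_MAC:
            self.attackers[ra.src_mac] = ra
            return True
        return False

    def nms_alarm(self, src_mac: str, location: str) -> dict:
        """Steps 405/406: what the BNG reports to the NMS; 'location' is the Option82/Circuit ID value."""
        ra = self.attackers[src_mac]
        return {"mac": src_mac, "port": self.port, "vlan": self.vlan,
                "prefixes": [str(net) for net, _, _ in ra.prefixes], "location": location}

    def redirect_decision(self, src_mac: str, src_ip: str) -> str:
        """Step 503 policy: attacker traffic and traffic from addresses built on its prefix go to the portal."""
        if src_mac in self.attackers:
            return "portal:attacker"
        addr = ipaddress.IPv6Address(src_ip)
        for ra in self.attackers.values():
            if any(addr in net for net, _, _ in ra.prefixes):
                return "portal:victim"
        return "forward"


def demo() -> dict:
    """Run the fig. 4/5 scenario on constructed frames; every MAC and prefix here is made up."""
    port = BngPort("A", 1)
    probe = port.next_probe_mac(1)
    # UE1 answers the BNG's probe RS with a unicast RA carrying Prefix1 -> attacker
    ue1 = parse_ra("00:11:22:33:44:01", probe, build_ra("2001:db8:1::/64", 9000, 9000))
    # UE5 sends an unsolicited multicast RA carrying Prefix2 -> attacker
    ue5 = parse_ra("00:11:22:33:44:05", ALL_NODES_MAC, build_ra("2001:db8:2::/64", 9000, 9000))
    # a unicast RA addressed to some other host's MAC matches neither of the two rules
    other = parse_ra("00:11:22:33:44:09", "00:11:22:33:44:0a", build_ra("2001:db8:9::/64", 60, 60))
    flags = [port.on_ra(ue1), port.on_ra(ue5), port.on_ra(other)]
    return {"flags": flags,
            "alarm": port.nms_alarm(ue1.src_mac, "AN1/port-B (constructed Option82 value)"),
            "victim": port.redirect_decision("00:11:22:33:44:06", "2001:db8:2::1"),
            "attacker": port.redirect_decision("00:11:22:33:44:05", "fe80::1"),
            "clean": port.redirect_decision("00:11:22:33:44:04", "2001:db8:5::1")}
```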
In the following, the embodiment of the present invention is described by taking the linkage of the BNG and the AN device as an example. Fig. 6a is a schematic diagram of a network topology for protecting against RA attack in the embodiment of the present invention; as shown in fig. 6a, the UE7 accesses the BNG3 through the AN3, and the BNG3 provides access for the AN3 through port B.
Fig. 6b is a schematic diagram illustrating a third implementation flow of RA attack prevention according to an embodiment of the present invention, where based on the network topology shown in fig. 6a, the processing steps of RA attack prevention are shown in fig. 6b, and include:
Step 601 to step 602: the UE7 sends an RA message to the BNG3 through the AN3.
The RA message may be a unicast RA message or a multicast RA message, and the source MAC address carried by the RA message is the MAC address MAC7 of the UE7; the BNG3 determines that the UE7 that sent the RA message is a malicious UE.
The multicast RA message is actively sent by the UE7, and the unicast RA message is a unicast RA message received from the UE7 after the BNG3 sends an RS message to the UE in the VLAN where it is located.
Step 603: the BNG3 determines from the received RA message that the access device accessing the network by the UE7 is AN3 and the access port provided by the AN3 to the UE7 is Port B.
The BNG3 looks up, by the MAC address of the UE7, the DHCPv4 Option82 or DHCPv6 Option18 information recorded when the UE7 acquired its IP address through DHCP before sending the RA message, or the PPPoE Circuit ID information recorded when the UE7 acquired its IP address through PPP before sending the RA message;
the access device AN3 corresponding to the UE7 and the user-side port (port B) that the BNG3 provides to the AN3 are extracted from the acquired information.
Step 604: the BNG3 sends AN instruction to the AN3 instructing the AN3 to close port B or blacklist the MAC7 at port B.
Blacklisting MAC7 at port B means discarding packets going to or from MAC7 through port B.
Encapsulation of control instructions between the BNG3 and the AN3 may be implemented as ANCP or GSMP.
Step 605 to step 606: the AN3 closes port B or blacklists MAC7 on port B, and sends a control response to the BNG3 indicating that the instruction has been carried out.
In this embodiment, when an RA message sent by a UE is received (that is, when the UE is determined to be a malicious UE), the AN providing access to the malicious UE and its access port are determined from the RA message sent by the malicious UE, and the AN is instructed to close that access port or to blacklist the MAC address of the malicious UE at the access port, so that network paralysis caused by the malicious UE continuing the RA attack can be prevented.
The invention is described below by taking as an example the counter operation performed by the BNG. Fig. 7a is a schematic diagram of a network topology for protecting against RA attack according to the embodiment of the invention; as shown in fig. 7a, UE8, UE9 and UE10 access BNG4 through AN4.
Fig. 7b is a schematic diagram illustrating a flow of implementing RA attack prevention according to an embodiment of the present invention, where based on the network topology shown in fig. 7a, the processing steps of RA attack prevention are shown in fig. 7b, and include:
Step 701 to step 702: the UE9 sends an RA message to the BNG4 through the AN4.
The RA message comprises a unicast RA message and a multicast RA message, and the source MAC address of the RA message is the MAC address MAC9 of the UE 9;
the multicast RA message is actively sent by the UE9, and the unicast RA message is a unicast RA message received from the UE9 after the BNG4 sends an RS message to the UE in the VLAN where it is located.
Step 703: the BNG4 encapsulates a new multicast RA message according to the received RA message, wherein the priority of the new multicast RA message is higher than that of the received RA message, the lifetime parameter carried by the new multicast RA message is less than that of the received RA message, and the prefix information carried by the new multicast RA message is the same as that carried by the received RA message.
Step 704 to step 705: the BNG4 sends the encapsulated new multicast RA message to the VLAN4 where the UE9 is located through AN 4.
Step 706: UE8, UE9, UE10 within VLAN4 configure IPv6 addresses according to the RA message assembled in step 703 received.
Since the RA message assembled by the BNG4 in step 703 has the higher priority, the UEs in VLAN4 configure their IPv6 addresses according to that RA message; since the lifetime (100 seconds) of the high-priority RA message is shorter than the lifetime (9000 seconds) of the RA message received in step 701, the IPv6 prefix lifetime maintained locally by the UEs in VLAN4 has a small value, and a new IPv6 address is allocated after that lifetime expires.
In this embodiment, when a UE performing an RA attack is detected, a new multicast RA message is sent by impersonating the malicious UE, so that the lifetime of the IPv6 prefix that the malicious UE expects other UEs to configure is shortened; for example, if the lifetime of the prefix information in the new multicast RA message is 100 s, the prefix information will soon expire. This avoids the IPv6 address prefix the malicious UE expects being configured for long, so that the malicious UE cannot intercept the traffic of other UEs, and network security is ensured.
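What the counter RA of step 703 does on a receiving host, as an added example that is not part of the patent. Host behaviour follows RFC 4862 section 5.5.3: the preferred lifetime is always replaced, but an unauthenticated RA cannot cut the valid lifetime of an existing address below two hours; mapping the patent's "priority" onto the RFC 4191 router preference bits is an assumption, and all MACs, prefixes and lifetimes are constructed.

```python
from dataclasses import dataclass

TWO_HOURS = 7200                     # RFC 4862 5.5.3 e): floor for unauthenticated valid-lifetime cuts
PRF_MEDIUM, PRF_HIGH = 0b00, 0b01    # RFC 4191 router preference (Prf) bits in the RA flags byte


@dataclass
class PrefixInfo:
    prefix: str                      # e.g. "2001:db8:bad::/64" (constructed)
    valid: int                       # Valid Lifetime in seconds
    preferred: int                   # Preferred Lifetime in seconds


@dataclass
class RA:
    src_mac: str
    prf: int
    prefixes: list


def counter_ra(attacker: RA, lifetime: int = 100) -> RA:
    """Step 703: same source MAC and prefixes as the attacker's RA, higher preference, short lifetimes."""
    return RA(attacker.src_mac, PRF_HIGH,
              [PrefixInfo(p.prefix, lifetime, lifetime) for p in attacker.prefixes])


@dataclass
class AddrState:
    valid_left: int
    preferred_left: int


class Host:
    """Lifetimes of the SLAAC addresses of one host, updated per RFC 4862 5.5.3."""

    def __init__(self):
        self.addrs = {}              # prefix -> AddrState of the address configured from it

    def on_ra(self, ra: RA, authenticated: bool = False) -> None:
        for p in ra.prefixes:
            cur = self.addrs.get(p.prefix)
            if cur is None:
                if p.valid > 0:                      # 5.5.3 d): form an address only if Valid Lifetime != 0
                    self.addrs[p.prefix] = AddrState(p.valid, p.preferred)
                continue
            cur.preferred_left = p.preferred          # 5.5.3 e): preferred lifetime is always reset
            if p.valid > TWO_HOURS or p.valid > cur.valid_left or authenticated:
                cur.valid_left = p.valid              # e)1, or e)2 with an authenticated RA: accept as advertised
            elif cur.valid_left > TWO_HOURS:
                cur.valid_left = TWO_HOURS            # e)3: clamp the reduction to two hours
            # else e)2: remaining <= 2h and advertised <= remaining -> valid lifetime is left untouched

    def tick(self, seconds: int) -> None:
        """Advance time; an address whose valid lifetime has run out is removed."""
        for prefix in list(self.addrs):
            st = self.addrs[prefix]
            st.valid_left -= seconds
            st.preferred_left -= seconds
            if st.valid_left <= 0:
                del self.addrs[prefix]

    def preferred(self, prefix: str) -> bool:
        """True while the address is still preferred, i.e. usable for new connections."""
        st = self.addrs.get(prefix)
        return st is not None and st.preferred_left > 0


def simulate(authenticated: bool = False) -> dict:
    """Fig. 7 scenario: UE9 advertises its prefix for 9000 s, then BNG4 sends the 100 s counter RA."""
    attacker = RA("00:11:22:33:44:09", PRF_MEDIUM, [PrefixInfo("2001:db8:bad::/64", 9000, 9000)])
    host = Host()
    host.on_ra(attacker)
    host.on_ra(counter_ra(attacker), authenticated=authenticated)
    st = host.addrs["2001:db8:bad::/64"]
    valid_after, preferred_after = st.valid_left, st.preferred_left
    host.tick(100)
    return {"valid_after_counter": valid_after, "preferred_after_counter": preferred_after,
            "preferred_at_100s": host.preferred("2001:db8:bad::/64"),
            "still_valid_at_100s": "2001:db8:bad::/64" in host.addrs}
```

With an unauthenticated counter RA the address is deprecated after 100 s (hosts stop choosing it for new connections) but stays valid for two more hours; only an authenticated RA, e.g. via SEND, removes it after 100 s.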
The elements or steps of embodiments of the invention may be implemented in a general purpose computing device, they may be centralized on a single computing device or distributed across a network of multiple computing devices, and they may alternatively be implemented in program code executable by a computing device, such that they may be stored in a memory device and executed by a computing device, and in some cases, the steps shown or described may be performed in an order different than that shown or described herein, or they may be separately fabricated into individual integrated circuit modules, or multiple modules or steps thereof may be fabricated into a single integrated circuit module. Thus, the present invention is not limited to any specific combination of hardware and software.
The above description is only a preferred embodiment of the present invention and is not intended to limit the present invention, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (19)
1. A method for preventing Router Advertisement (RA) attack, the method comprising:
determining an RA attack host according to the received RA message;
informing a network management system (NMS) of the information of the RA attack host; and/or,
forbidding messages whose source Internet Protocol (IP) address contains a specific prefix, and messages sent by the RA attacking host, from being forwarded to a network side, and redirecting the messages containing the specific prefix and the messages sent by the RA attacking host to a Portal server, wherein the specific prefix is a prefix carried by an RA message sent by the RA attacking host; and/or,
instructing the access device of the RA attacking host to forbid the RA attacking host from accessing the network; and/or,
sending a new RA message in the name of the RA attack host, wherein the lifetime of the prefix carried by the new RA message is less than that of the prefix carried by the RA message sent by the RA attack host.
2. The method of claim 1, wherein determining the RA attacking host from the received RA message comprises:
sending a Router Solicitation (RS) message through a user-side port to the hosts of the Virtual Local Area Network (VLAN) corresponding to that user-side port, and determining a host which returns an RA message to the user-side port in response to the RS message as a host which carries out an RA attack; or,
and determining the host which actively sends the multicast RA message to the user-side port as the host which performs RA attack.
3. The method of claim 2, wherein the transmitted RS message carries a same source MAC address and/or source MAC address prefix as the last transmitted RS message, or carries a different source MAC address and/or source MAC address prefix.
4. The method of claim 1,
the information of the RA attacking host comprises at least one of the following information: the MAC address of the RA attack host, the position information of the RA attack host and a prefix carried by an RA message sent by the RA attack host.
5. The method of claim 1, wherein the information of the RA attacking host comprises at least one of the following information: the user side port and VLAN information of the RA attack host, the access device of the RA attack host and the user side port information of the RA attack host.
6. The method according to claim 5, wherein before notifying the NMS of the access device of the RA attacking host and its user-side port information, the method further comprises:
determining the access device and the user-side port information of the RA attacking host according to DHCPv4 Option82 or DHCPv6 Option18 when the RA attacking host acquired an IP address through the Dynamic Host Configuration Protocol (DHCPv4 or DHCPv6) before sending the RA message, or according to the PPPoE Circuit ID when the RA attacking host acquired the IP address through the Point-to-Point Protocol (PPP) before sending the RA message.
7. The method of claim 1, wherein after redirecting the message to a Portal server, the method further comprises: and informing a host with a sending source IP address containing a specific prefix of the information attacked by the RA and a corresponding processing strategy, and informing the RA attacking host of the attacking behavior of the RA host and the corresponding processing strategy.
8. The method of claim 1,
the corresponding processing policy advertised to the host sending the source IP address containing the specific prefix includes at least one of the following policies: prompting to set a shielding function, releasing a configured IP address, restarting a host and dialing a service hotline;
the corresponding processing policy advertised to the RA attack host includes at least one of the following policies: prompting to close the attack process, checking and killing trojans or viruses, and dialing a service hotline.
9. The method according to any one of claims 1 to 8, wherein the instructing the access device of the RA attacking host to prohibit the RA attacking host from accessing the network comprises:
instructing the access device of the RA attack host, through Access Node Control Protocol (ANCP) signaling or General Switch Management Protocol (GSMP) signaling, to prohibit the RA attack host from accessing the network.
10. An apparatus for protecting against Router Advertisement (RA) attacks, the apparatus comprising:
the determining unit is used for determining the RA attack host according to the received RA message;
the device further comprises: a first processing unit, and/or a second processing unit, and/or a third processing unit, and/or a fourth processing unit; wherein,
the first processing unit is used for notifying the information of the RA attack host to a network management system NMS;
the second processing unit is used for prohibiting messages whose source Internet Protocol (IP) address contains a specific prefix, and messages sent by the determined RA attack host, from being forwarded to a network side, and for redirecting the messages containing the specific prefix and the messages sent by the determined RA attack host to a Portal server, wherein the specific prefix is a prefix carried by an RA message sent by the RA attack host; and/or,
the third processing unit is configured to instruct the access device of the RA attacking host to prohibit the RA attacking host from accessing the network;
and the fourth processing unit is used for simulating the RA attacking host to send a new RA message, wherein the lifetime of the prefix carried by the new RA message is less than that of the prefix carried by the RA message sent by the RA attacking host.
11. The apparatus of claim 10,
the determining unit is further configured to send an RS message to a host of a virtual local area network VLAN corresponding to the user-side port through the user-side port, and determine a host that returns an RA message to the user-side port for the RS message as a host that performs an RA attack; or,
and determining the host which actively sends the multicast RA message to the user-side port as the host which performs RA attack.
12. The apparatus of claim 11,
the determining unit sends an RS message to a host of a virtual local area network VLAN corresponding to the user side port, wherein the RS message carries a source Media Access Control (MAC) address and/or a source MAC address prefix which are the same as the RS message sent last time, or carries a different source MAC address and/or a different source MAC address prefix.
13. The apparatus of claim 10,
the first processing unit is further configured to notify the NMS of at least one of the following information: the media access control MAC address of the RA attack host, the position information of the RA attack host and the prefix carried by the RA message sent by the RA attack host.
14. The apparatus of claim 10,
the first processing unit is further configured to notify the NMS of at least one of the following information: the user side port and VLAN information of the RA attack host, the access device of the RA attack host and the user side port information of the RA attack host.
15. The apparatus of claim 14,
the first processing unit is further configured to determine the access device and its user-side port information according to DHCPv4 Option82 or DHCPv6 Option18 when the RA attack host acquired an IP address through the Dynamic Host Configuration Protocol (DHCPv4 or DHCPv6) before sending the RA message, or according to the PPPoE Circuit ID when the RA attack host acquired an IP address through the Point-to-Point Protocol (PPP) before sending the RA message.
16. The apparatus of claim 10,
the second processing unit is further configured to notify a host with a source IP address including a specific prefix of information attacked by the RA and a corresponding processing policy to the host, and notify the RA attacking host of an attacking behavior of the RA host and a corresponding processing policy, after redirecting the message to the Portal server.
17. The apparatus of claim 10,
the second processing unit advertises, to a host whose source IP address contains a specific prefix, a corresponding processing policy including at least one of:
prompting to set a shielding function, releasing a configured IP address, restarting a host and dialing a service hotline;
the second processing unit advertises to the RA attacking host a corresponding processing policy comprising at least one of:
prompting to close the attack process, checking for and killing Trojans or viruses, and dialing a service hotline.
18. The apparatus of any one of claims 10 to 17,
the third processing unit is further configured to instruct, through Access Node Control Protocol (ANCP) signaling or General Switch Management Protocol (GSMP) signaling, the access device of the RA attack host to prohibit the RA attack host from accessing the network.
19. A broadband network gateway, BNG, characterized in that said BNG comprises the RA attack prevention device of any of claims 10 to 18.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310364782.2A CN104426839A (en) | 2013-08-20 | 2013-08-20 | Router advertisement attack prevention method, apparatus and device |
PCT/CN2014/077811 WO2014173343A1 (en) | 2013-08-20 | 2014-05-19 | Router advertisement attack prevention method, device, equipment and computer storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104426839A true CN104426839A (en) | 2015-03-18 |
Family
ID=51791073
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310364782.2A Withdrawn CN104426839A (en) | 2013-08-20 | 2013-08-20 | Router advertisement attack prevention method, apparatus and device |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN104426839A (en) |
WO (1) | WO2014173343A1 (en) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107370680A (en) * | 2016-05-12 | 2017-11-21 | 中兴通讯股份有限公司 | A kind of multicast routing entry control method, device and communication system |
CN109472139A (en) * | 2017-12-25 | 2019-03-15 | 北京安天网络安全技术有限公司 | It is a kind of to defend to extort virus to the method and system of the secondary encryption of host document |
CN111431913A (en) * | 2020-03-30 | 2020-07-17 | 中国人民解放军战略支援部队信息工程大学 | Method and device for detecting existence of router advertisement protection mechanism |
CN112367257A (en) * | 2020-10-30 | 2021-02-12 | 新华三技术有限公司 | Route notification method and device |
CN115766597A (en) * | 2022-11-14 | 2023-03-07 | 深圳市吉祥腾达科技有限公司 | A method for realizing ipv6 automatic identification of superior server priority |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040083306A1 (en) * | 2002-10-24 | 2004-04-29 | International Business Machines Corporation | Method and apparatus for maintaining internet domain name data |
CN101651696A (en) * | 2009-09-17 | 2010-02-17 | 杭州华三通信技术有限公司 | Method and device for preventing neighbor discovery (ND) attack |
CN101690082A (en) * | 2007-06-06 | 2010-03-31 | 思科技术公司 | Secure neighbor discovery router for defending host nodes from rogue routers |
CN102244654A (en) * | 2010-05-12 | 2011-11-16 | 日立系统解决方案有限公司 | Content distribution system and gateway device, and program |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102244651B (en) * | 2010-05-14 | 2014-04-16 | 杭州华三通信技术有限公司 | Method for preventing attack of illegal neighbor discovery protocol message and access equipment |
-
2013
- 2013-08-20 CN CN201310364782.2A patent/CN104426839A/en not_active Withdrawn
-
2014
- 2014-05-19 WO PCT/CN2014/077811 patent/WO2014173343A1/en active Application Filing
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20040083306A1 (en) * | 2002-10-24 | 2004-04-29 | International Business Machines Corporation | Method and apparatus for maintaining internet domain name data |
CN101690082A (en) * | 2007-06-06 | 2010-03-31 | 思科技术公司 | Secure neighbor discovery router for defending host nodes from rogue routers |
CN101651696A (en) * | 2009-09-17 | 2010-02-17 | 杭州华三通信技术有限公司 | Method and device for preventing neighbor discovery (ND) attack |
CN102244654A (en) * | 2010-05-12 | 2011-11-16 | 日立系统解决方案有限公司 | Content distribution system and gateway device, and program |
Non-Patent Citations (1)
Title |
---|
张宏,龙春,葛敬国,李俊: "基于IPv6的RA欺骗攻击检测", 《计算机工程》 * |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN107370680A (en) * | 2016-05-12 | 2017-11-21 | 中兴通讯股份有限公司 | Multicast routing entry control method, device and communication system |
CN109472139A (en) * | 2017-12-25 | 2019-03-15 | 北京安天网络安全技术有限公司 | Method and system for preventing ransomware from secondarily encrypting host documents |
CN109472139B (en) * | 2017-12-25 | 2022-04-19 | 北京安天网络安全技术有限公司 | Method and system for preventing ransomware from secondarily encrypting host documents |
CN111431913A (en) * | 2020-03-30 | 2020-07-17 | 中国人民解放军战略支援部队信息工程大学 | Method and device for detecting existence of router advertisement protection mechanism |
CN111431913B (en) * | 2020-03-30 | 2022-06-21 | 中国人民解放军战略支援部队信息工程大学 | Method and device for detecting existence of router advertisement protection mechanism |
CN112367257A (en) * | 2020-10-30 | 2021-02-12 | 新华三技术有限公司 | Route notification method and device |
CN112367257B (en) * | 2020-10-30 | 2022-10-21 | 新华三技术有限公司 | Route notification method and device |
CN115766597A (en) * | 2022-11-14 | 2023-03-07 | 深圳市吉祥腾达科技有限公司 | A method for realizing ipv6 automatic identification of superior server priority |
Also Published As
Publication number | Publication date |
---|---|
WO2014173343A1 (en) | 2014-10-30 |
Similar Documents
Publication | Title |
---|---|
US12074908B2 (en) | Cyber threat deception method and system, and forwarding device |
US20170195162A1 (en) | Improved assignment and distribution of network configuration parameters to devices |
JP7544401B2 (en) | Ensuring separation of control and user planes in mobile networks |
Masoud et al. | On preventing ARP poisoning attack utilizing Software Defined Network (SDN) paradigm |
EP2767047B1 (en) | Distributed IPv6 neighbor discovery for large datacenter switching systems |
US11968174B2 (en) | Systems and methods for blocking spoofed traffic |
WO2005036831A1 (en) | Frame relay device |
US12074845B2 (en) | System and method for remotely filtering network traffic of a customer premise device |
CN104426839A (en) | Router advertisement attack prevention method, apparatus and device |
CN112134891A (en) | Configuration method, system and monitoring method for generating multiple honeypot nodes on a single host based on the Linux system |
CN107690004B (en) | Method and device for processing address resolution protocol message |
CN107241313B (en) | Method and device for preventing MAC flooding attack |
Thaler | Evolution of the IP Model |
US20120054865A1 (en) | Device and Method for Preventing Internet Protocol Version 6 (IPv6) Address Being Fraudulently Attacked |
CN101494536B (en) | Method, apparatus and system for preventing ARP aggression |
CN106815259B (en) | Mobile cache service control method, device and system |
JP2011505749A (en) | Repair management for networks with multiple clients |
Shah et al. | Security Issues in Next Generation IP and Migration Networks |
EP3021529B1 (en) | Method and device for implementing layer 3 virtual private network |
EP3200433A1 (en) | IPv6 address management method, device and terminal |
Strugaru et al. | The impact of using Source Address Validation filtering on processing resources |
CN111431913B (en) | Method and device for detecting existence of router advertisement protection mechanism |
Carp et al. | Practical analysis of IPv6 security auditing methods |
Grob et al. | What is wrong with the IPv6 RA protocol? Some analysis and proposed solutions |
Kumar et al. | First hop security considerations in IPv6 implementation |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| WW01 | Invention patent application withdrawn after publication | Application publication date: 20150318 |