
Method and device for preventing neighbor discovery (ND) attack

A technology applied in the field of preventing ND attacks. It addresses problems such as inherent security weaknesses in the Internet architecture, inability to carry out network communication and network slowness, and achieves the effect of preventing ND NS/NA attacks, ND DAD attacks and ND RA attacks.

Active Publication Date: 2010-02-17
NEW H3C TECH CO LTD


Problems solved by technology

[0003] However, because the ND protocol was designed on the premise of a trusted network, it brings inherent security risks to the Internet architecture. With the widespread deployment of IPv6, the ND protocol has also become a main target of attack: gateway spoofing attacks and attacks on the capacity of the gateway device's ND table are becoming more and more serious. The common ND attack types include:

(1) Flood attack: the attacker forges a large number of messages with spoofed MAC (Media Access Control) addresses in the network and quickly fills up the MAC table of the switch, so that traffic is broadcast out of all ports and the switch behaves like a shared HUB (a multi-port forwarder); the attacker can then use various sniffing attacks to obtain network information. In addition, once the MAC table is full, traffic is flooded to all interfaces, resulting in excessive load on the switch, network slowness, packet loss or even paralysis.

(2) NS/NA (Neighbor Solicitation/Neighbor Advertisement) spoofing attack: as shown in the NS/NA attack diagram of Figure 1, the attacker forges NS/NA messages and sends them to the gateway or the victim host, thereby modifying the MAC address recorded on the gateway or the victim host, so that the victim host can no longer receive normal data packets.

(3) DAD (Duplicate Address Detection) attack: as shown in the DAD attack diagram of Figure 2, when the victim host performs DAD, the attacker forges NS messages that conflict with the victim host's NS message, or forges NA messages in reply to the victim host's NS message, so that the victim host cannot obtain a correct address and cannot perform normal network communication.

(4) RA (Router Advertisement) attack: as shown in the RA attack diagram of Figure 3, by sending forged RA messages the attacker can advertise a non-existent prefix and modify the routing table of the victim host; or forge the MAC address and lifetime of the gateway, causing the default gateway to change; or act as a fake DHCP (Dynamic Host Configuration Protocol) server, causing the victim host to use a false address assigned by that server.
[0005] However, when ND SNOOPING and ND DETECTION are used to prevent ND attacks, the subsequent anti-attack processing can only be carried out according to the user information table if the table established by ND SNOOPING is trustworthy. In the current implementation of ND SNOOPING, the user information table is established according to the user's DAD NS messages. Regardless of whether the user is legal or not, once it has obtained an IP address it sends a DAD NS message for address conflict detection, so an entry in the user information table is easily created through ND SNOOPING. The security of the user information table created by ND SNOOPING therefore has a large loophole: an attacker can first create a wrong user information table entry so that the subsequent ND DETECTION check fails.

[0006] When DHCPv6 SNOOPING and ND DETECTION are used to prevent ND attacks, DHCPv6 SNOOPING only records the information of users who successfully obtain IP addresses dynamically through the switch (that is, users whom the DHCPv6 server has confirmed as being assigned and using an IP address). Although the security of the user information table is improved, this only prevents ND attacks from dynamic users and is ineffective against ND attacks from static users. In actual IPv6 networks most users use static IP addresses, which makes this solution less practical.

Embodiment Construction

[0055] The basic idea of the present invention is that the access switch obtains and stores the authentication information of a terminal during the terminal's authentication process, that is, the identity information of authenticated terminals is stored in the access switch. When an ND message is received, the terminal identity information in the ND message is extracted and compared with the stored identity information of authenticated terminals, so as to judge whether the ND message was sent by a legal (authenticated) terminal. If it was sent by a legal terminal, the ND message is processed; otherwise, the ND message is discarded. In this way the authentication mechanism (for example the 802.1X, PPPoE or PORTAL authentication mechanism) is combined with ND SNOOPING, which improves the security of the ND entry learning mechanism and prevents common ND attacks.

[0056] As shown in Figure 4, a method for preventing ...


Abstract

The invention discloses a method for preventing neighbor discovery (ND) attacks. The method comprises the following steps: an access switch receives an ND message from a terminal; extracts the identity information of the terminal from the ND message; judges, according to the identity information of the terminal, whether the terminal is a legal authenticated terminal; and updates its own ND SNOOPING entry when the terminal is a legal authenticated terminal. The invention integrates an authentication mechanism with ND SNOOPING to improve the security of the ND entry learning mechanism and prevent common ND attacks.
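The check described in paragraph [0055] and in the abstract, as an added illustration that is not code from the patent or from the patent owner: an access switch that only lets terminals whose identity was learned during authentication populate its ND SNOOPING table. It assumes the terminal identity is the (ingress port, source MAC) pair, that the ND message is parsed from a raw Ethernet/IPv6/ICMPv6 frame, and that the result is reported as "forward", "drop" or "not-nd"; all hosts, ports and frames are constructed for the demo.

```python
import ipaddress
from collections import namedtuple

ND_TYPES = {134: "RA", 135: "NS", 136: "NA"}   # ICMPv6 ND message types (RFC 4861)
ETH_IPV6, NEXT_HDR_ICMPV6 = b"\x86\xdd", 58
NdMessage = namedtuple("NdMessage", "port src_mac src_ip nd_type target")

def parse_nd_frame(port, frame):
    """Decode Ethernet + IPv6 + ICMPv6 headers; None if the frame is not an ND message."""
    if len(frame) < 62 or frame[12:14] != ETH_IPV6 or frame[20] != NEXT_HDR_ICMPV6:
        return None
    icmp = frame[54:]
    if icmp[0] not in ND_TYPES:
        return None
    target = ipaddress.IPv6Address(icmp[8:24]) if icmp[0] in (135, 136) else None
    return NdMessage(port, frame[6:12].hex(":"), ipaddress.IPv6Address(frame[22:38]),
                     ND_TYPES[icmp[0]], target)

class AccessSwitch:
    """Auth-learned identities (assumed (port, MAC) pairs, e.g. from 802.1X) gate ND SNOOPING."""
    def __init__(self):
        self.authenticated = set()   # {(port, mac)} filled by the authentication mechanism
        self.nd_snooping = {}        # IPv6Address -> (mac, port)

    def handle_frame(self, port, frame):
        msg = parse_nd_frame(port, frame)
        if msg is None:
            return "not-nd"                      # ordinary traffic, outside this check
        if (msg.port, msg.src_mac) not in self.authenticated:
            return "drop"                        # sender never authenticated: discard
        # Legal terminal: learn/refresh its entry; a DAD NS has :: as source, so bind the target.
        addr = msg.target if msg.src_ip.is_unspecified and msg.target else msg.src_ip
        if not addr.is_unspecified:
            self.nd_snooping[addr] = (msg.src_mac, msg.port)
        return "forward"

def build_nd_frame(src_mac, src_ip, icmp_type, target):
    """Constructed NS/NA frame for the demo (checksum left zero; not verified above)."""
    icmp = bytes([icmp_type, 0, 0, 0]) + b"\0" * 4 + ipaddress.IPv6Address(target).packed
    ipv6 = b"\x60\0\0\0" + len(icmp).to_bytes(2, "big") + bytes([NEXT_HDR_ICMPV6, 255])
    ipv6 += ipaddress.IPv6Address(src_ip).packed + ipaddress.IPv6Address("ff02::1").packed
    return b"\xff" * 6 + bytes.fromhex(src_mac.replace(":", "")) + ETH_IPV6 + ipv6 + icmp

def demo():
    """Constructed scenario: one authenticated host and one unauthenticated forger."""
    sw = AccessSwitch()
    sw.authenticated.add(("Gi1/0/1", "00:11:22:33:44:55"))      # e.g. after 802.1X success
    dad_ns = build_nd_frame("00:11:22:33:44:55", "::", 135, "2001:db8::10")
    forged_na = build_nd_frame("66:77:88:99:aa:bb", "2001:db8::1", 136, "2001:db8::1")
    return {"dad": sw.handle_frame("Gi1/0/1", dad_ns), "forged": sw.handle_frame("Gi1/0/2", forged_na),
            "bindings": {str(ip): v for ip, v in sw.nd_snooping.items()}}
```

The DAD NS from the authenticated host is forwarded and creates a binding for the tentative address, while the NA from a MAC that never authenticated is discarded before it can touch the ND SNOOPING table, which is the loophole of paragraph [0005] that the patent closes.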

Description

Technical field

[0001] The invention relates to the field of communication technology, in particular to a method and device for preventing ND attacks.

Background technology

[0002] The ND (Neighbor Discovery) protocol is a basic component of IPv6 (Internet Protocol Version 6). It implements all the functions of ARP (Address Resolution Protocol), the router discovery part of ICMP (Internet Control Message Protocol) and the redirect protocol, and additionally has a neighbor unreachability detection mechanism.

[0003] However, because the ND protocol was designed on the premise of a trusted network, it brings inherent security risks to the Internet architecture. With the widespread deployment of IPv6, the ND protocol has also become a main target of attack: gateway spoofing attacks and attacks on the capacity of the gateway device ND table entr...


Application Information

IPC(8): H04L29/06, H04L29/12, H04L12/56
Inventors: 李培, 张楠
Owner: NEW H3C TECH CO LTD