Method and system for defending denial of service attack, wireless access point and wireless controller

Abstract

The invention provides a method and a system for defending denial of service attack, a wireless access point and a wireless controller. The method comprises the following steps that: the wireless controller receives a first message of a client forwarded by the wireless access point; the wireless controller judges whether the first message is an attack message or not according to a receiving signal intensity indication threshold which corresponds to the client and is returned by the wireless access point; and the wireless controller directly discards the first message when determining that thefirst message is the attack message. By the method and the system for defending the denial of service attack, the wireless access point and the wireless controller which are provided by the invention, defense against a denial of service (DOS) attack can be realized, the client cannot be off-line or a wireless access service cannot be interrupted due to the DOS attack to the message, and the service quality of the wireless access of the client is improved.

Description

technical field [0001] The invention relates to network communication technology, in particular to a denial of service attack defense method, system, wireless access point and wireless controller. Background technique [0002] Wireless Local Area Networks (WLAN for short) refers to a network that uses wireless communication technology to interconnect computer equipment so that clients can access broadband networks anytime and anywhere to realize information sharing. Wherein, a wireless client (for example: a notebook computer supporting a WLAN access function, a personal digital assistant or a wireless network card) accesses the wireless local area network through a wireless access point (Access Point; AP for short). The AP is a bridge connecting the wired network and the wireless local area network. Its main function is to connect various wireless clients together, and then connect the wireless network to the Ethernet. [0003] Generally, the AP only has the function of 80...

AI Technical Summary

Problems solved by technology

[0005] The above method can provide certain protection for the management message. However, the above method needs to complete the key negotiation between the client and the AP before the management message can be encrypted and authenticated. The management message still cannot provide protection, because there is no key at this time, therefore, the attacker will also use the above point to attack the management message, so that the AP sends an offline message to the client by itself, causing the wireless access service to fail. to interrupt

In addition, in an 802.11w network, after the client is associated with the AP and transmits data, if an attacker sends a forged Assoc Request or authentication request (Capabilities, Basic Rate sets, etc.) do not meet the requirements of the AP. At this time, the AP will return an offline message carrying a legal MIC value to the client. At this time, the client will still be logged out. line, resulting in the interruption of wireless access services

[0006] From the above analysis, it can be seen that the current 802.11w wireless network is still unable to defend against the DOS attack that the attacker forces the AP to send offline messages to the client by certain means to interrupt the wireless access service.

Images