Automatic locating and isolating method of internal attack source of local area network

A technology for automatically locating internal attack sources, applied in the field of network communication. It addresses problems such as heavy maintenance workload, error-prone operation and a cumbersome judgment process, and achieves the effects of improving work efficiency, ensuring network security and shortening processing time.

Inactive Publication Date: 2017-09-29
SHANTOU UNIV

AI Technical Summary

Problems solved by technology

In particular, under normal circumstances, the correspondence between IP addresses and MAC addresses, and between MAC addresses and switch ports is a complex many-to-many relationship. Complex judgments are required to establish the correct correspondence. The judgment process is cumbersome and error-prone.
[0004] Existing network protocols cannot solve the above problems. For example, some LANs enable the 802.1x protocol, which provides authentication based on MAC address and port and lets the administrator control whether a given MAC address is allowed to access the network. It is nevertheless not suitable for locating and isolating LAN attack sources, for three reasons: first, some old switches do not support the 802.1x protocol; second, 802.1x configuration is complex and requires background support such as RADIUS and AD; third, and most important, 802.1x is a pure Layer 2 protocol, whereas locating network attacks requires a combination of Layer 2 and Layer 3 protocols.
[0005] Some existing software solves individual links of the above problem, but none gives an overall solution. For example, some software can automatically collect the ARP table of a Layer 3 device or the MAC address table of a Layer 2 device and save it to a database. Some software, such as User Tracking in the LAN Management Solution (LMS) of CiscoWorks, implements IP, MAC and port locating functions. Some software can automatically operate switch ports (via the CLI or SNMP). However, no system automatically integrates the processes of network device data collection, IP-MAC location, MAC-switch port location and attack source isolation. In particular, none handles the complex many-to-many correspondence between IP addresses and MAC addresses and between MAC addresses and switch ports, so LAN attack sources cannot be located and isolated automatically.
[0006] To deal with the complex correspondence between IP-MAC and MAC-switch ports, some LANs have adopted a "binding" method, including binding IP-MAC addresses on routers, binding IP-MAC addresses on DHCP servers, and binding MAC addresses to switch ports on the switch. Although this achieves a one-to-one correspondence between IP address and MAC address and between MAC address and switch port, it makes the network very inflexible to use, and maintaining the bindings is a heavy and error-prone workload.


Embodiment Construction

[0019] In order to make the object, technical solution and advantages of the present invention clearer, the present invention will be further described in detail below in conjunction with the accompanying drawings.

[0020] A method for automatically locating and isolating an internal attack source in a local area network according to an embodiment of the present invention includes the following steps.

[0021] Refer to Figure 1.

[0022] Data collection steps:

[0023] The data acquisition program automatically collects data from the network equipment and saves it to the database. It uses SNMP to read the MIB (Management Information Base) of the network equipment. Current network equipment supports SNMP, and operating network equipment through SNMP is independent of the equipment's manufacturer and model (private MIBs excepted) and of its software configuration. SNMPv2 provides the Get-Bulk primitive (...


Abstract

The embodiment of the invention discloses a method for automatically locating and isolating an internal attack source in a local area network. The method comprises the following steps: automatically collecting data from the network devices and storing it in a database; querying the MAC address of the network device according to the IP address of the attack source, detecting ARP spoofing that impersonates a host and matching the timestamps of different IP-MAC entries, so that the case of one IP address corresponding to several MAC addresses is handled automatically; locating the switch port according to the MAC address, filtering out the cascade ports of the switch and matching the timestamps of different MAC-switch port entries, so that the case of one MAC address corresponding to several switch ports is handled automatically; and operating the switch to isolate the attack source. The method is applicable to all kinds of network environments and requires no manual operation; the larger the network, the more obvious its effect. It shortens the processing time of network security events, improves the working efficiency of network administrators and ensures the security of the local area network.
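The locating steps in the abstract, sketched as an added example (not code from the patent or its authors): IP-to-MAC and MAC-to-port resolution by timestamp matching, with cascade ports filtered out. The table layout, the 30-minute window, the known cascade-port set and the spoofing heuristic are assumptions, and all rows are constructed.

```python
from datetime import datetime, timedelta

T = datetime(2017, 3, 1, 10, 0)   # time the IDS reported the attack (constructed)
WINDOW = timedelta(minutes=30)    # assumed matching window
# Constructed ARP rows collected from Layer 3 devices: (ip, mac, seen_at)
ARP_ROWS = [
    ("10.0.5.23", "aa:aa:aa:00:00:01", T - timedelta(hours=5)),    # earlier holder of the IP
    ("10.0.5.23", "bb:bb:bb:00:00:02", T - timedelta(minutes=2)),  # holder at attack time
    ("10.0.5.1",  "cc:cc:cc:00:00:03", T - timedelta(minutes=3)),  # real gateway
    ("10.0.5.1",  "bb:bb:bb:00:00:02", T - timedelta(minutes=1)),  # same MAC claims gateway IP
]
# Constructed MAC-table rows from Layer 2 devices: (switch, port, mac, seen_at)
FDB_ROWS = [
    ("core-sw", "Gi0/1",  "bb:bb:bb:00:00:02", T - timedelta(minutes=2)),  # learned on uplink
    ("acc-sw2", "Gi0/24", "bb:bb:bb:00:00:02", T - timedelta(minutes=2)),  # learned on uplink
    ("acc-sw2", "Fa0/7",  "bb:bb:bb:00:00:02", T - timedelta(minutes=2)),  # access port
    ("acc-sw1", "Fa0/3",  "bb:bb:bb:00:00:02", T - timedelta(days=3)),     # stale, host moved
]
CASCADE_PORTS = {("core-sw", "Gi0/1"), ("acc-sw2", "Gi0/24")}  # assumed to be known inventory

def nearest(rows, when, window=WINDOW):
    """Row whose timestamp (last field) is closest to `when` within `window`, else None."""
    near = [r for r in rows if abs(r[-1] - when) <= window]
    return min(near, key=lambda r: abs(r[-1] - when)) if near else None

def resolve_mac(ip, when, arp_rows):
    """One IP, several MACs: keep the IP-MAC entry nearest the attack time."""
    hit = nearest([r for r in arp_rows if r[0] == ip], when)
    return hit[1] if hit else None

def spoof_suspects(arp_rows, when, window=WINDOW):
    """Assumed heuristic: a MAC answering for more than one IP inside the window."""
    ips = {}
    for ip, mac, seen in arp_rows:
        if abs(seen - when) <= window:
            ips.setdefault(mac, set()).add(ip)
    return {mac: sorted(v) for mac, v in ips.items() if len(v) > 1}

def locate_port(mac, when, fdb_rows, cascade_ports):
    """One MAC, several ports: drop cascade ports, then keep the nearest entry."""
    rows = [r for r in fdb_rows if r[2] == mac and (r[0], r[1]) not in cascade_ports]
    hit = nearest(rows, when)
    return (hit[0], hit[1]) if hit else None

def locate_attack_source(ip, when):
    """Return the MAC and access port an operator would isolate, plus spoofing hints."""
    mac = resolve_mac(ip, when, ARP_ROWS)
    port = locate_port(mac, when, FDB_ROWS, CASCADE_PORTS) if mac else None
    return {"ip": ip, "mac": mac, "port": port, "suspects": spoof_suspects(ARP_ROWS, when)}
```

Calling `locate_attack_source("10.0.5.23", T)` returns the access port to isolate; the switch operation itself is left out.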

Description

Technical field

[0001] The invention relates to the technical field of network communication, in particular to a method for automatically locating and isolating attack sources inside a local area network.

Background technique

[0002] LAN security is a very important part of network security. A LAN faces various network threats, such as ARP (Address Resolution Protocol) spoofing, DHCP (Dynamic Host Configuration Protocol) server interference and UDP flood attacks, and external hackers will also cause trouble inside the LAN after an intrusion. During daily operation and maintenance of the network, ARP firewalls, IDS (Intrusion Detection System), Internet behavior management and manual packet capture at the client end can detect network attacks and obtain the attacker's IP (Internet Protocol) address or MAC (Media Access Control) address, and then the network administrator needs to locate the network port and computer of the attack...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): H04L29/06, H04L29/12
CPC: H04L61/103, H04L63/0236, H04L63/0272, H04L63/1441
Inventor: 吉杰, 林洽欣, 张培炜, 姚佑川
Owner: SHANTOU UNIV