Local area network security protection system and method for defending ARP spoofing and network scanning

A technique for defending against ARP spoofing and network scanning, applied in the field of LAN security protection systems, addresses the problems of poor detection capability, high false-alarm rates and the difficulty of real-time active defense, and achieves the effect of preventing hijacking and sniffing and increasing the attacker's difficulty.

Active Publication Date: 2021-04-20
张长河
6 Cites 2 Cited by

AI-Extracted Technical Summary

Problems solved by technology

This type of method often has a high false alarm rate, and has poor detection capabilities for concealed network scanning or ARP spoofing behavior. Attackers can use new attack methods to evade the secu...

Abstract

The invention provides a local area network security protection system and method for defending against ARP spoofing and network scanning. The basic technical idea is as follows. First, when a host in the local area network obtains an IP address, the IP address and default gateway IP that the DHCP server allocates to it are modified during the DHCP interaction stage so that the IP address obtained by each host occupies a network segment of its own; this eradicates ARP spoofing between hosts that would otherwise share a segment. Secondly, a number of nonexistent disguised hosts are randomly generated in the network segment of each host IP; these disguised hosts generate false traffic to confuse attackers and can trap attacks and send false responses to scanning behaviour, so that an attacker actively scanning the local area network touches a false host with high probability, and the false hosts can be used for real-time early warning and blocking of the scanning behaviour. Thirdly, the default gateway IP allocated to a host is dynamically updated when its DHCP lease expires and is renewed, which increases the difficulty of carrying out ARP spoofing against the gateway.



Example Embodiment

[0046] The technical solution of the present invention is described in detail below with reference to the accompanying drawings so that its scope can be understood; the invention is not limited to the embodiments described.
[0047] The defense against ARP spoofing and network scanning of the present invention is mainly used in DHCP environments, against ARP spoofing and network scanning inside the LAN. The principle of the technical innovation is described first. The basic technical idea is as follows. First, during the DHCP interaction stage in which a host in the local area network obtains its IP address, the IP address and the default gateway IP that the DHCP server allocates to the host are modified, so that the IP address obtained by each host occupies a network segment on its own, that is, the IP addresses of any two hosts belong to different network segments (the modified IP and the modified default gateway IP of one host lie in the same network segment). Secondly, several nonexistent camouflage hosts are randomly generated in the network segment of each host IP (they may not conflict with the host IP or the host's default gateway IP); these camouflage hosts generate false traffic to confuse attackers and can trap attacks and send false responses to attackers' scanning behaviour. Thirdly, when a host's DHCP lease expires and is renewed, the default gateway IP assigned to the host can be dynamically updated. Since all hosts are in different network segments, ARP spoofing and ARP scanning between hosts of the network are eliminated; the default gateway IP of each host is different and dynamically updated, and the false traffic generated by the false hosts in the host's network segment confuses the attacker, which prevents ARP spoofing against the gateway to a large extent; and because false hosts are generated in the network segment of every host, an attacker who actively scans the local area network will touch these false hosts, so the false hosts can be used for real-time warning and blocking of attacker scanning behaviour with a low false positive rate.
[0048] The defense against ARP spoofing and network scanning of the present invention can be deployed inline at the layer-2 or layer-3 egress of the network, or on a port of a switch or router. The present invention places no limit on the specific deployment position of the system: deploying a local area network security system that uses the defense against ARP spoofing and network scanning of the present invention at any location of the LAN falls within the scope of the present invention.
[0049] The principles and working process of the LAN security protection system and method for defending against ARP spoofing and network scanning are described below in conjunction with the accompanying drawings.
[0050] As shown in figure 1, the defense against ARP spoofing and network scanning of the present invention includes a management unit (1), a packet processing unit (2), a host information unit (3), a camouflage host unit (4), a scan detection unit (5), a scan response unit (6), a dynamic update unit (7), a network traffic confusion unit (8) and a log unit (9). The management unit (1) is connected to the packet processing unit (2), the camouflage host unit (4), the dynamic update unit (7) and the network traffic confusion unit (8); the packet processing unit (2) is connected to the host information unit (3) and the scan detection unit (5); the host information unit (3) is connected to the camouflage host unit (4); the camouflage host unit (4) is connected to the scan detection unit (5), the scan response unit (6) and the network traffic confusion unit (8); the scan detection unit (5) is connected to the packet processing unit (2) and the scan response unit (6); the scan response unit (6) is connected to the packet processing unit (2) and the log unit (9); the dynamic update unit (7) is connected to the camouflage host unit (4); and the network traffic confusion unit (8) is connected to the packet processing unit (2).
[0051] The management unit (1) is configured to manage information: it configures the IP network segments assigned to hosts in the local area network; it configures the basic network element information from which the camouflage host unit (4) creates camouflage hosts, including but not limited to false IP addresses, false MAC address ranges, false operating system types and versions and false open port ranges; it configures the time interval at which the dynamic update unit (7) dynamically updates the camouflage hosts; and it configures the traffic confusion policy, including but not limited to ARP packet confusion, NBNS (NetBIOS Name Service) packet confusion, DNS packet confusion and HTTP packet confusion.
[0052] The packet processing unit (2) is used to process network communication data packets and includes a packet transceiver module (21), a DHCP processing module (22), a host information generating module (23) and an ARP processing module (24):
[0053] The packet transceiver module (21) performs the transmission and reception of packets, forwarding each packet to the local area network or to the external network according to its address.
[0054] The DHCP processing module (22) processes DHCP packets: it reallocates the IP address of the host into the IP network segment configured for the local area network and modifies the default gateway IP to an IP address in the same network segment as the host, so that the IP addresses obtained by any two hosts in the LAN lie in different network segments. For ease of description, the IP address the DHCP server assigns to the host is called the external IP (Outer_IP) and the default gateway IP it assigns to the host is called the external gateway (Outer_Gateway_IP); the IP that the DHCP processing module (22) assigns to the host after modification is called the internal IP (Inner_IP) and the modified default gateway IP is called the internal gateway (Inner_Gateway_IP). The DHCP processing module (22) notifies the host information generating module (23) to generate the real host information. When the DHCP lease of a host in the LAN expires, the DHCP processing module (22) updates the default gateway IP assigned to the host and notifies the host information generating module (23) to update the corresponding real host information.
[0055] The host information generating module (23) receives the notification sent by the DHCP processing module (22) and generates or updates the real host information for each LAN host. The real host information includes, but is not limited to, Outer_IP, Outer_Gateway_IP, Inner_IP, Inner_MAC, Inner_Gateway_IP and Inner_Gateway_MAC, where Inner_MAC is the real MAC address of the host's LAN network card and Inner_Gateway_MAC is the MAC of the internal gateway corresponding to Inner_Gateway_IP, that is, the gateway MAC address as seen by the host itself, which is a generated false MAC. The generated or updated real host information is stored in the host information unit (3).
[0056] The ARP processing module (24) processes the ARP requests by which a host in the LAN learns the gateway MAC and the ARP requests by which the external gateway or an external network host learns the MAC of a host inside the LAN: when a host sends an ARP request to learn the gateway MAC, the host's internal gateway MAC (Inner_Gateway_MAC) is returned to the LAN host; when the external gateway or an external network host sends an ARP request for the MAC of a LAN host, the host's real MAC (Inner_MAC) is returned to the external gateway or external network host.
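The address rewriting of the DHCP processing module (22) and the ARP answering rule of the ARP processing module (24), as an added Python sketch that is not part of the patent. It assumes a constructed pool of one /24 per host carved from 10.200.0.0/16, that the host gets the first usable address and its internal gateway the last one, and that the external side addresses a host by its Outer_IP.

```python
import ipaddress
import random
from dataclasses import dataclass

# Constructed segment pool: every real host gets one /24 of its own (assumption).
SEGMENT_POOL = list(ipaddress.ip_network("10.200.0.0/16").subnets(new_prefix=24))


@dataclass
class RealHost:
    outer_ip: str            # Outer_IP: address the DHCP server actually offered
    outer_gateway_ip: str    # Outer_Gateway_IP: gateway the DHCP server offered
    inner_ip: str            # Inner_IP: address the host receives after rewriting
    inner_mac: str           # Inner_MAC: the host's real NIC address
    inner_gateway_ip: str    # Inner_Gateway_IP: gateway inside the host's own segment
    inner_gateway_mac: str   # Inner_Gateway_MAC: forged MAC answered for that gateway


def forged_mac(rng):
    """Locally administered unicast MAC (first octet 0x02) for the internal gateway."""
    return ":".join(f"{o:02x}" for o in [0x02] + [rng.randrange(256) for _ in range(5)])


class DhcpRewriter:
    """Module (22): rewrite each DHCP offer so the host lands in a segment of its own."""

    def __init__(self, seed=0):
        self.rng = random.Random(seed)
        self.hosts = {}          # inner_mac -> RealHost (the host information unit (3))
        self.next_segment = 0

    def on_offer(self, mac, outer_ip, outer_gateway_ip):
        seg = SEGMENT_POOL[self.next_segment]
        self.next_segment += 1
        usable = list(seg.hosts())
        host = RealHost(outer_ip, outer_gateway_ip, str(usable[0]), mac,
                        str(usable[-1]), forged_mac(self.rng))
        self.hosts[mac] = host
        return host

    def answer_arp(self, requester_ip, target_ip):
        """Module (24): a LAN host asking for its own gateway gets the forged gateway
        MAC; the external gateway asking for a host gets the host's real MAC. Anything
        else (for example one LAN host probing another) is left unanswered."""
        for h in self.hosts.values():
            if requester_ip == h.inner_ip and target_ip == h.inner_gateway_ip:
                return h.inner_gateway_mac
            if requester_ip == h.outer_gateway_ip and target_ip in (h.outer_ip, h.inner_ip):
                return h.inner_mac
        return None


def same_segment(a, b):
    """True when two real hosts share a segment, which the design must never allow."""
    def net(h):
        return ipaddress.ip_network(f"{h.inner_ip}/24", strict=False)
    return net(a) == net(b)
```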
[0057] The host information unit (3) stores the real host information within the local area network, which is generated by the host information generating module (23) of the packet processing unit (2) and can be used to guide the camouflage host unit (4) in generating camouflage hosts. When new real host information is generated or updated, the host information unit (3) notifies the camouflage host unit (4) to check whether the host IP and the corresponding default gateway IP appear among the camouflage hosts; if so, that IP is removed from the camouflage hosts.
[0058] The camouflage host unit (4) randomly selects multiple IP addresses within the network segment of each real host provided by the host information unit (3) and generates camouflage hosts from them (the IP of a camouflage host may not conflict with a real host's IP or a real host's default gateway IP). According to the configuration issued by the management unit (1), the camouflage host unit (4) gives each camouflage host information including but not limited to a false IP address, a false MAC address, a false operating system type and version and false open ports. Further, the camouflage host unit (4) periodically regenerates new camouflage hosts based on the update notification sent by the dynamic update unit (7), thereby realizing a dynamic network environment.
[0059] The scan detection unit (5) inspects in real time the data packets passed to it by the packet processing unit (2) and looks them up against the camouflage hosts generated by the camouflage host unit (4). If the access target is a camouflage host, the packet is sent to the scan response unit (6); otherwise it is considered a normal data packet, returned to the packet processing unit (2) and released. In addition, the scan detection unit (5) keeps statistics on accesses to the camouflage hosts generated by the camouflage host unit (4) as the basis for judging scanning behaviour. When the scan blocking policy is triggered, the source IP that sent the scan data is blocked, that is, packets generated by that IP are discarded. The scan blocking policy is preferably, but not limited to, the number of attacks reaching a default threshold or access to a default high-risk sensitive port.
[0060] The scan response unit (6) includes an ARP response module, an IP response module, a TCP response module and a UDP response module. It looks up the camouflage hosts generated by the camouflage host unit (4) and constructs a false response packet for the attack traffic according to the protocol type; the false response information includes, but is not limited to, false IP addresses, false MAC addresses, false operating systems and false open ports. The response packet is handed to the packet processing unit (2) and finally sent to the attacker. The processing result of the scan response unit (6) is transmitted to the log unit (9) to generate attack log information.
[0061] The dynamic update unit (7) periodically notifies the camouflage host unit (4) to regenerate the camouflage hosts according to the dynamic update time interval issued by the management unit (1).
[0062] The network traffic confusion unit (8) sends confusion traffic on behalf of the camouflage hosts of the camouflage host unit (4) according to the policy issued by the management unit (1), so that attackers cannot tell real hosts from camouflage hosts, which increases the difficulty of carrying out ARP spoofing, while sniffing attackers are lured into scanning the camouflage hosts. The confusion traffic includes, but is not limited to, ARP confusion packets, NBNS confusion packets, DNS confusion packets and HTTP confusion packets.
[0063] The log unit (9) generates attack log information, including the attack source IP, destination IP, destination port, protocol type and so on.
[0064] In this way, once the defense against ARP spoofing and network scanning of the present invention is deployed on the network, all hosts are in different network segments, which eliminates ARP spoofing and ARP scanning between hosts of the network; the default gateway IP of each host is different and dynamically updated, and the false traffic generated by the false hosts in the host's network segment confuses the attacker, which greatly defends against ARP spoofing of the gateway; and since false hosts are generated within the network segment of each host, an attacker actively scanning the local area network will touch these false hosts with great probability, so the false hosts can be used for real-time warning and blocking of attackers with a very low false positive rate.
[0065] The present invention further proposes a local area network security method based on the above system for defending against ARP spoofing and network scanning, including the following steps:
[0066] Step (1): configure the user network segments, the basic network element information, the network traffic confusion policy and the dynamic update time interval of the camouflage hosts;
[0067] Step (2): during the DHCP interaction stage in which a host inside the local area network acquires its IP address, modify the IP address and default gateway IP assigned to the host so that the IP address obtained by each host is exclusive, that is, the IP addresses of any two hosts belong to different network segments (the IP obtained by each host and its default gateway IP lie in the same network segment);
[0068] Step (3): randomly select multiple IP addresses within the network segment of each real host in the local area network and generate camouflage hosts from them (the IP of a camouflage host may not conflict with the real host's IP or the real host's default gateway IP), configuring each camouflage host with information including but not limited to a false IP address, a false MAC address, a false operating system type and version and false open ports;
[0069] Step (4): process the network communication data packets, looking each one up against the generated camouflage hosts; if the access target is not a camouflage host, the packet is considered normal, otherwise it is judged to be scan traffic and a false response packet is constructed from the generated camouflage host information to answer the scan packet; when the scan blocking policy is triggered, the source IP that sent the scan data is blocked, that is, packets generated by that IP are discarded, the scan blocking policy being preferably, but not limited to, the number of attacks reaching a default threshold or access to a default high-risk sensitive port;
[0070] Step (5): when the DHCP lease of a host in the LAN expires, update the default gateway IP assigned to the host and check whether the updated default gateway IP appears among the camouflage hosts; if so, remove that IP from the camouflage hosts;
[0071] Step (6): periodically perform the dynamic update operation and regenerate new camouflage hosts.
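Steps (3) to (6) carried through on constructed data, as an added Python sketch that is not part of the patent: decoy generation inside each real host's segment, lookup of packets against the decoys with threshold and sensitive-port blocking, gateway renewal that evicts a colliding decoy, and periodic regeneration. It assumes one /24 per real host, real hosts given as a map from Inner_IP to Inner_Gateway_IP, and a constructed sensitive-port list and threshold.

```python
import ipaddress
import random

SENSITIVE_PORTS = {22, 445, 3389}   # constructed "high-risk sensitive port" list
BLOCK_THRESHOLD = 3                 # constructed default attack-count threshold
DECOY_PORT_POOL = [21, 22, 80, 443, 445, 3389]


class DecoyDefense:
    """Decoys per real-host segment (step 3), scan detection and blocking (step 4),
    lease renewal (step 5) and periodic regeneration (step 6)."""

    def __init__(self, real_hosts, decoys_per_segment=3, seed=0):
        # real_hosts: {inner_ip: inner_gateway_ip}; each host owns a /24 (assumption)
        self.rng = random.Random(seed)
        self.real = dict(real_hosts)
        self.per_segment = decoys_per_segment
        self.decoys = {}      # decoy_ip -> {"mac": str, "ports": [int]}
        self.hits = {}        # source_ip -> number of decoy contacts
        self.blocked = set()
        self.log = []         # (src_ip, dst_ip, dst_port, proto) attack records
        self.regenerate()

    def _free_addresses(self, host_ip):
        seg = ipaddress.ip_network(f"{host_ip}/24", strict=False)
        taken = {host_ip, self.real[host_ip]} | set(self.decoys)
        return [str(a) for a in seg.hosts() if str(a) not in taken]

    def _fake_mac(self):
        # locally administered unicast prefix 02:
        return "02:" + ":".join(f"{self.rng.randrange(256):02x}" for _ in range(5))

    def regenerate(self):
        # Dynamic update: discard every decoy and draw fresh, non-conflicting ones.
        self.decoys.clear()
        for host_ip in self.real:
            for ip in self.rng.sample(self._free_addresses(host_ip), self.per_segment):
                self.decoys[ip] = {"mac": self._fake_mac(),
                                   "ports": sorted(self.rng.sample(DECOY_PORT_POOL, 2))}

    def renew_lease(self, host_ip, new_gw=None):
        # The DHCP module assigns a new inner gateway; evict a decoy that now collides.
        if new_gw is None:
            seg = ipaddress.ip_network(f"{host_ip}/24", strict=False)
            pool = [str(a) for a in seg.hosts() if str(a) not in (host_ip, self.real[host_ip])]
            new_gw = self.rng.choice(pool)
        self.real[host_ip] = new_gw
        self.decoys.pop(new_gw, None)
        return new_gw

    def inspect(self, src_ip, dst_ip, dst_port, proto="tcp"):
        # Returns "blocked" (packet dropped), "normal" (released), or the forged reply.
        if src_ip in self.blocked:
            return "blocked"
        if dst_ip not in self.decoys:
            return "normal"
        self.hits[src_ip] = self.hits.get(src_ip, 0) + 1
        self.log.append((src_ip, dst_ip, dst_port, proto))
        if self.hits[src_ip] >= BLOCK_THRESHOLD or dst_port in SENSITIVE_PORTS:
            self.blocked.add(src_ip)
            return "blocked"
        state = "open" if dst_port in self.decoys[dst_ip]["ports"] else "closed"
        return f"decoy {dst_ip} ({self.decoys[dst_ip]['mac']}) answers {proto}/{dst_port} {state}"
```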
[0072] Depending on the specific application field of the system, those skilled in the art can include further information in the network properties of the camouflage hosts on the basis of the above embodiment, and all such variations belong to the technical concept of the present invention.
[0073] The above describes only preferred embodiments of the present invention, and the technical solution of the present invention is not limited thereto; modifications that those skilled in the art make within the main technical concept of the invention belong to the technical category protected by the present invention, and the specific scope of protection of the present invention is subject to the claims.