[0046] The technical solution of the present invention is described in detail below with reference to the accompanying drawings so that the invention can be understood; the invention is not limited to the embodiments described.
[0047] The system for defending against ARP spoofing and network scanning of the present invention is mainly used in DHCP environments, against ARP spoofing and network scanning inside a local area network (LAN). The technical principle of the invention is described first. The basic idea is as follows. First, during the DHCP exchange in which a host of the LAN obtains its IP address, the IP address and the default gateway IP offered by the DHCP server are modified before they reach the host, so that each host obtains an IP address in a network segment of its own; that is, the IP addresses of any two hosts belong to different network segments, while the modified IP address and the modified default gateway IP that one host receives lie in the same network segment. Secondly, within the network segment of each host, a number of camouflage hosts (decoys) are generated at random (their IPs must not conflict with the host IP or with the host's default gateway IP); these camouflage hosts produce false traffic to confuse an attacker and return false responses to an attacker's scanning. Thirdly, when a host's DHCP lease expires and is renewed, the default gateway IP assigned to the host can be dynamically updated. Since no host shares a network segment with another, a host never resolves another host's IP by ARP, and ARP spoofing and ARP scanning between the hosts of the LAN are eliminated; since the default gateway IP of each host is different and is dynamically updated, and the false traffic generated by the camouflage hosts in the host's segment confuses the attacker, ARP spoofing of the gateway is prevented to a large extent; and since camouflage hosts exist in the segment of every host, an attacker probing the LAN will with high probability touch them, so the camouflage hosts can be used for real-time alerting on and blocking of the attacker's scanning behaviour, with a low false positive rate.
[0048] The system for defending against ARP spoofing and network scanning of the present invention can be deployed at the layer-2 or layer-3 egress of the network, or on a port of a switch or router; in either case the system is deployed in series (in-line) with the traffic. The present invention places no limit on the specific deployment position of the system: a local area network protected with the system for defending against ARP spoofing and network scanning of the present invention, at whatever location of the LAN, falls within the scope of the present invention.
[0049] The principle and working process of the LAN security protection system and method for defending against ARP spoofing and network scanning are described below in conjunction with the accompanying drawings.
[0050] As shown in Figure 1, the system for defending against ARP spoofing and network scanning of the present invention includes a management unit (1), a packet processing unit (2), a host information unit (3), a camouflage host unit (4), a scan detection unit (5), a scan response unit (6), a dynamic update unit (7), a network traffic confusion unit (8) and a log unit (9). The management unit (1) is connected to the packet processing unit (2), the camouflage host unit (4), the dynamic update unit (7) and the network traffic confusion unit (8); the packet processing unit (2) is connected to the host information unit (3) and the scan detection unit (5); the host information unit (3) is connected to the camouflage host unit (4); the camouflage host unit (4) is connected to the scan detection unit (5), the scan response unit (6) and the network traffic confusion unit (8); the scan detection unit (5) is connected to the packet processing unit (2) and the scan response unit (6); the scan response unit (6) is connected to the packet processing unit (2) and the log unit (9); the dynamic update unit (7) is connected to the camouflage host unit (4); and the network traffic confusion unit (8) is connected to the packet processing unit (2).
[0051] The management unit (1) is used for configuration management: it configures the IP network segments to be assigned to hosts of the local area network; it configures the basic network element information with which the camouflage host unit (4) creates camouflage hosts, including but not limited to false IP addresses, false MAC address ranges, false operating system types and versions, and false open port ranges; it configures the time interval at which the dynamic update unit (7) dynamically updates the camouflage hosts; and it configures the traffic confusion policy, including but not limited to ARP packet confusion, NBNS (NetBIOS Name Service) packet confusion, DNS packet confusion and HTTP packet confusion.
[0052] The packet processing unit (2) is used to process network communication packets and includes a packet transceiver module (21), a DHCP processing module (22), a host information generating module (23) and an ARP processing module (24):
[0053] The packet transceiver module (21) performs the sending and receiving of packets, forwarding each packet to the local area network or to the external network according to its addresses.
[0054] The DHCP processing module (22) processes DHCP packets: it re-assigns the IP address of a host from the IP network segments configured for the local area network and modifies the default gateway IP to an address in the same segment as the host's IP, so that the IP addresses obtained by any two hosts of the LAN lie in different network segments. For ease of description, the IP address assigned to the host by the DHCP server is called the external IP (Outer_IP) and the default gateway IP assigned by the DHCP server is called the external gateway (Outer_Gateway_IP); the IP assigned to the host after modification by the DHCP processing module (22) is called the internal IP (Inner_IP) and the modified default gateway IP is called the internal gateway (Inner_Gateway_IP). The DHCP processing module (22) notifies the host information generating module (23) to generate real host information. When the DHCP lease of a host of the LAN expires, the DHCP processing module (22) updates the default gateway IP assigned to the host and at the same time notifies the host information generating module (23) to update the corresponding real host information.
[0055] The host information generating module (23) receives the notification sent by the DHCP processing module (22) and generates or updates the real host information of each host of the local area network. The real host information includes, but is not limited to, Outer_IP, Outer_Gateway_IP, Inner_IP, Inner_MAC, Inner_Gateway_IP and Inner_Gateway_MAC, where Inner_MAC is the real MAC address of the host's network card and Inner_Gateway_MAC is the MAC address corresponding to the internal gateway Inner_Gateway_IP, i.e. the gateway MAC address as seen by the host itself, which is a generated false MAC. The generated or updated real host information is stored in the host information unit (3).
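The following is an added example written for this page, not the patent's own implementation, of what the DHCP processing module (22) and the host information generating module (23) described above have to do: take the Outer_IP and Outer_Gateway_IP the real DHCP server offered, hand the host an Inner_IP and Inner_Gateway_IP from a segment no other host shares, keep the real host record, and rotate the gateway address on lease renewal. The pool 10.200.0.0/16, the /28 segment size (room for a host, a gateway and several decoys) and the sample hosts are assumptions for illustration.

```python
"""Per-host network segment assignment at the DHCP stage.

Added example written for this page; it is not the patent's implementation.
It models the DHCP processing module (22) and the host information
generating module (23): the in-line device sees the address and gateway the
real DHCP server offered (Outer_IP, Outer_Gateway_IP) and replaces what the
host receives with an Inner_IP and Inner_Gateway_IP drawn from a network
segment that no other host shares.  The pool 10.200.0.0/16, the /28 segment
size and the sample hosts in __main__ are assumptions for illustration.
"""
import ipaddress
import random
from dataclasses import dataclass


@dataclass
class RealHost:
    outer_ip: str            # address assigned by the real DHCP server
    outer_gateway_ip: str    # real default gateway
    inner_ip: str            # address the host actually configures
    inner_mac: str           # real MAC of the host's network card
    inner_gateway_ip: str    # gateway the host sees, inside its own segment
    inner_gateway_mac: str   # generated false MAC answered for inner_gateway_ip
    segment: str             # the host's private network segment


def in_segment(ip, segment):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(segment)


def random_mac(rng):
    """Locally administered unicast MAC: bit 1 of the first octet set, bit 0 clear."""
    octets = [(rng.randrange(256) & 0xFC) | 0x02] + [rng.randrange(256) for _ in range(5)]
    return ":".join(f"{b:02x}" for b in octets)


class DhcpRewriter:
    def __init__(self, pool="10.200.0.0/16", prefixlen=28, seed=None):
        self.rng = random.Random(seed)
        # every /28 of the pool is a candidate private segment for one host
        self.free = list(ipaddress.ip_network(pool).subnets(new_prefix=prefixlen))
        self.rng.shuffle(self.free)
        self.hosts = {}              # inner_mac -> RealHost

    def _choose_gateway(self, segment, inner_ip, avoid=None):
        """Any usable address of the segment except the host's own (and the old gateway)."""
        cands = [str(a) for a in ipaddress.ip_network(segment).hosts()
                 if str(a) not in (inner_ip, avoid)]
        return self.rng.choice(cands)

    def process_offer(self, mac, outer_ip, outer_gateway_ip):
        """Rewrite the DHCP offer/ack for a host; a known host keeps its segment."""
        if mac in self.hosts:
            return self.hosts[mac]
        if not self.free:
            raise RuntimeError("segment pool exhausted")
        segment = self.free.pop()
        inner_ip = str(self.rng.choice(list(segment.hosts())))
        rec = RealHost(outer_ip, outer_gateway_ip, inner_ip, mac,
                       self._choose_gateway(str(segment), inner_ip),
                       random_mac(self.rng), str(segment))
        self.hosts[mac] = rec
        return rec

    def renew_lease(self, mac):
        """On lease expiry the host keeps Inner_IP but is handed a new gateway IP.

        The text only says the gateway IP is updated, so Inner_Gateway_MAC is kept.
        """
        rec = self.hosts[mac]
        rec.inner_gateway_ip = self._choose_gateway(rec.segment, rec.inner_ip,
                                                    avoid=rec.inner_gateway_ip)
        return rec

    def lookup_by_inner_ip(self, inner_ip):
        return next((r for r in self.hosts.values() if r.inner_ip == inner_ip), None)

    def lookup_by_outer_ip(self, outer_ip):
        return next((r for r in self.hosts.values() if r.outer_ip == outer_ip), None)


if __name__ == "__main__":
    dev = DhcpRewriter(seed=1)
    # constructed sample: the real DHCP server put both hosts in 192.168.1.0/24
    a = dev.process_offer("00:11:22:33:44:55", "192.168.1.10", "192.168.1.1")
    b = dev.process_offer("00:11:22:33:44:66", "192.168.1.11", "192.168.1.1")
    print(a)
    print(b)
    print("gateway after renewal:", dev.renew_lease("00:11:22:33:44:55").inner_gateway_ip)
```

The two lookup methods are what the packet transceiver module (21) needs in order to map a packet between the Inner_IP the host uses and the Outer_IP the external network knows; the segment size is the knob that trades pool exhaustion against the number of decoys that can share a host's segment.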
[0056] The ARP processing module (24) processes two kinds of ARP request: a request from a host of the LAN to learn its gateway MAC, and a request from the external gateway or an external-network host to learn the MAC of a host of the LAN. When a LAN host sends an ARP request to learn the gateway MAC, that host's internal gateway MAC (Inner_Gateway_MAC) is returned to it; when the external gateway or an external host sends an ARP request for the MAC of a LAN host, the host's real MAC (Inner_MAC) is returned to the external gateway or external host.
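An added example, not the patent's code, of the two ARP cases the module has to answer, with frames built and parsed as plain Ethernet II + ARP. The segment isolation is a logical one, since every host still shares the same broadcast domain, so which queries the device answers matters: it replies with Inner_Gateway_MAC only to a LAN host asking for its own gateway, and with the real Inner_MAC only when the external side asks for Outer_IP. The host record below is constructed, and the rule that a gateway query is answered only for the host that owns that gateway is this example's assumption, not something the text states.

```python
"""ARP handling at the in-line device for the two cases in the text.

Added example for this page, not the patent's code.  (a) A LAN host asks
"who has Inner_Gateway_IP?" and is answered with the generated
Inner_Gateway_MAC; (b) the external gateway or an external host asks
"who has Outer_IP?" and is answered with the host's real MAC (Inner_MAC).
Everything else is left unanswered.  Frames are plain Ethernet II + ARP;
the host record in __main__ is constructed for illustration, and the rule
that a gateway query is only answered for the host owning that gateway is
this example's assumption, not something the text states.
"""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(m): return bytes(int(x, 16) for x in m.split(":"))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(ip): return bytes(int(x) for x in ip.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp(oper, sha, spa, tha, tpa, dst_mac=BROADCAST):
    """One Ethernet II frame carrying an ARP request (oper=1) or reply (oper=2)."""
    eth = mac_bytes(dst_mac) + mac_bytes(sha) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                      mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not an ARP frame."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, frame[14:42])
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


class ArpProcessor:
    """Models the ARP processing module (24) over the real host records."""

    def __init__(self, hosts):
        self.by_inner_gateway = {h["inner_gateway_ip"]: h for h in hosts}
        self.by_outer_ip = {h["outer_ip"]: h for h in hosts}

    def handle(self, frame, from_lan):
        """Return the reply frame the device emits, or None to stay silent."""
        req = parse_arp(frame)
        if req is None or req["oper"] != ARP_REQUEST:
            return None
        if from_lan:
            h = self.by_inner_gateway.get(req["tpa"])
            # assumption: only the host that owns this gateway gets the answer, so
            # one host cannot enumerate another host's gateway address
            if h is None or h["inner_mac"] != req["sha"]:
                return None
            return build_arp(ARP_REPLY, h["inner_gateway_mac"], h["inner_gateway_ip"],
                             req["sha"], req["spa"], dst_mac=req["sha"])
        h = self.by_outer_ip.get(req["tpa"])
        if h is None:
            return None
        return build_arp(ARP_REPLY, h["inner_mac"], h["outer_ip"],
                         req["sha"], req["spa"], dst_mac=req["sha"])


if __name__ == "__main__":
    host = {"outer_ip": "192.168.1.10", "outer_gateway_ip": "192.168.1.1",
            "inner_ip": "10.200.3.18", "inner_mac": "00:11:22:33:44:55",
            "inner_gateway_ip": "10.200.3.25", "inner_gateway_mac": "02:5e:11:22:33:44"}
    arp = ArpProcessor([host])
    q = build_arp(ARP_REQUEST, host["inner_mac"], host["inner_ip"],
                  "00:00:00:00:00:00", host["inner_gateway_ip"])
    print(parse_arp(arp.handle(q, from_lan=True)))
```

Replies are unicast to the requester's MAC rather than broadcast, so that a reply for one host's gateway is not seen by other hosts on the same switch.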
[0057] The host information unit (3) stores the real host information of the local area network, which is generated by the host information generating module (23) of the packet processing unit (2) and is used to guide the camouflage host unit (4) in generating camouflage hosts. When real host information is newly generated or updated, the host information unit (3) notifies the camouflage host unit (4) to check whether the host IP or its default gateway IP now coincides with a camouflage host; if it does, that IP is removed from the camouflage hosts.
[0058] The camouflage host unit (4) randomly selects multiple IP addresses within the network segment of each real host of the LAN, as provided by the host information unit (3), and generates camouflage hosts from them (a camouflage host IP must not conflict with the IP of the real host or with the real host's default gateway IP). According to the configuration issued by the management unit (1), the camouflage host unit (4) gives each camouflage host information including, but not limited to, a false IP address, a false MAC address, a false operating system type and version, and false open ports. Further, the camouflage host unit (4) periodically regenerates new camouflage hosts on the basis of the update notification sent by the dynamic update unit (7), realising a dynamic network environment.
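An added example, not the patent's own code, of the camouflage host unit (4) together with the consistency check of [0057]: decoy addresses are drawn from the free addresses of one real host's segment, never the host's Inner_IP or Inner_Gateway_IP, each decoy carries the false MAC, operating system label and open-port set the management configuration allows, the set is regenerated on every update tick, and a decoy is dropped when a host or gateway update claims its address. The configuration values, segment and addresses are constructed for illustration.

```python
"""Camouflage (decoy) host generation for one real host's segment.

Added example for this page, not the patent's own code.  It models the
camouflage host unit (4) together with the consistency check of [0057]:
pick several unused addresses in the host's segment (never the real host's
Inner_IP or Inner_Gateway_IP), give each a false MAC, operating system label
and open-port set from the management configuration, regenerate on the
dynamic-update timer, and drop any decoy whose address a host/gateway update
has since claimed.  The configuration values, segment and addresses used
below are constructed for illustration.
"""
import ipaddress
import random
from dataclasses import dataclass


@dataclass
class Decoy:
    ip: str
    mac: str
    os: str
    open_ports: frozenset


@dataclass
class DecoyConfig:
    """Basic network element information issued by the management unit (1)."""
    per_segment: int = 3
    os_choices: tuple = (("Windows", "10"), ("Linux", "5.x"), ("Windows", "Server 2019"))
    port_pool: tuple = (22, 80, 135, 139, 443, 445, 3389)
    ports_per_decoy: int = 2


def in_segment(ip, segment):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(segment)


class CamouflageHostUnit:
    def __init__(self, config, seed=None):
        self.cfg = config
        self.rng = random.Random(seed)
        self.decoys = {}                 # segment -> list of Decoy

    def _fake_mac(self):
        octets = [(self.rng.randrange(256) & 0xFC) | 0x02] + \
                 [self.rng.randrange(256) for _ in range(5)]
        return ":".join(f"{b:02x}" for b in octets)

    def generate(self, segment, inner_ip, inner_gateway_ip):
        """(Re)generate the decoys of one segment; run at start and on every update tick."""
        free = [str(a) for a in ipaddress.ip_network(segment).hosts()
                if str(a) not in (inner_ip, inner_gateway_ip)]
        decoys = []
        for ip in self.rng.sample(free, min(self.cfg.per_segment, len(free))):
            os_name, os_version = self.rng.choice(self.cfg.os_choices)
            ports = frozenset(self.rng.sample(self.cfg.port_pool, self.cfg.ports_per_decoy))
            decoys.append(Decoy(ip, self._fake_mac(), f"{os_name} {os_version}", ports))
        self.decoys[segment] = decoys
        return decoys

    def remove_conflicts(self, segment, inner_ip, inner_gateway_ip):
        """Check requested by the host information unit (3) after a host record changes.

        Returns how many decoys were dropped because the real host or its
        (possibly new) gateway now uses their address.
        """
        before = self.decoys.get(segment, [])
        kept = [d for d in before if d.ip not in (inner_ip, inner_gateway_ip)]
        self.decoys[segment] = kept
        return len(before) - len(kept)

    def lookup(self, ip):
        """Used by the scan detection unit (5): is this destination a decoy?"""
        return next((d for ds in self.decoys.values() for d in ds if d.ip == ip), None)


if __name__ == "__main__":
    unit = CamouflageHostUnit(DecoyConfig(), seed=7)
    for d in unit.generate("10.200.3.16/28", "10.200.3.18", "10.200.3.25"):
        print(d)
```

A segment with no free address after the host and gateway are excluded simply gets no decoys, which is why the segment size chosen at the DHCP stage decides how much of the network an attacker can scan without hitting one.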
[0059] The scan detection unit (5) inspects in real time the packets passed to it by the packet processing unit (2) and looks them up against the camouflage hosts generated by the camouflage host unit (4). If the access target of a packet is a camouflage host, the packet is handed to the scan response unit (6); otherwise it is regarded as a normal packet and returned to the packet processing unit (2) to be released. In addition, the scan detection unit (5) keeps statistics of the accesses to the camouflage hosts generated by the camouflage host unit (4) and uses them as the basis for judging scanning behaviour. When the scan blocking policy is triggered, the source IP that sent the scan packets is blocked, that is, packets generated by that IP are discarded. The scan blocking policy is preferably, but not limited to, that the number of attacks reaches a preset threshold, or that a preset high-risk sensitive port has been accessed.
[0060] The scan response unit (6) includes an ARP response module, an IP response module, a TCP response module and a UDP response module. It looks up the camouflage host generated by the camouflage host unit (4) and constructs, according to the protocol type, a false response packet with which to answer the attack traffic; the false response information includes, but is not limited to, a false IP address, false MAC address, false operating system and false open ports. The response packet is passed to the packet processing unit (2) and finally sent to the attacker. The processing result of the scan response unit (6) is transmitted to the log unit (9) for generating attack log information.
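An added example, not the patent's implementation, of the scan detection unit (5), scan response unit (6) and log unit (9) working together over a simplified packet representation (a dict with source, destination, protocol, destination port and TCP flags). Traffic to a camouflage host is answered with a false reply consistent with the decoy's fake open ports, per-source hits are counted, and the source is blocked once the attack-count threshold is reached or a high-risk port is touched. The decoy table, the threshold, the high-risk port set and the packets are constructed for illustration.

```python
"""Scan detection, false response and blocking over decoy traffic.

Illustrative code written for this page, not the patent's implementation.
It models the scan detection unit (5), the scan response unit (6) and the
log unit (9) with a simplified packet representation.  Decoys, thresholds,
high-risk ports and the packets in __main__ are constructed assumptions.
"""
from collections import defaultdict

HIGH_RISK_PORTS = {445, 3389}       # assumed "preset high-risk sensitive ports"
BLOCK_THRESHOLD = 3                 # assumed default attack-count threshold


class ScanDefender:
    def __init__(self, decoys, high_risk=HIGH_RISK_PORTS, threshold=BLOCK_THRESHOLD):
        self.decoys = decoys            # ip -> {"mac": ..., "open_ports": set(...)}
        self.high_risk = set(high_risk)
        self.threshold = threshold
        self.hits = defaultdict(int)    # source ip -> number of decoy touches
        self.blocked = set()
        self.log = []                   # attack log entries of the log unit (9)

    def _respond(self, pkt, decoy):
        """Scan response unit (6): build a false reply according to protocol type."""
        proto, src, dst = pkt["proto"], pkt["src"], pkt["dst"]
        if proto == "arp":
            return {"type": "arp-reply", "src": dst, "mac": decoy["mac"], "dst": src}
        if proto == "icmp":
            return {"type": "icmp-echo-reply", "src": dst, "dst": src}
        if proto == "tcp" and pkt.get("flags") == "S":
            flags = "SA" if pkt["dport"] in decoy["open_ports"] else "RA"
            return {"type": "tcp", "flags": flags, "src": dst, "sport": pkt["dport"], "dst": src}
        if proto == "udp":
            if pkt["dport"] in decoy["open_ports"]:
                return None             # a fake "open" UDP port stays silent, as a real one often does
            return {"type": "icmp-port-unreachable", "src": dst, "dst": src}
        return None

    def process(self, pkt):
        """Scan detection unit (5): ('forward', None), ('drop', None) or ('respond', reply)."""
        src = pkt["src"]
        if src in self.blocked:
            return "drop", None                        # sealed-off source: discard
        decoy = self.decoys.get(pkt["dst"])
        if decoy is None:
            return "forward", None                     # not a decoy: normal packet, release
        self.hits[src] += 1
        self.log.append({"src": src, "dst": pkt["dst"],
                         "dport": pkt.get("dport"), "proto": pkt["proto"]})
        reply = self._respond(pkt, decoy)
        # blocking policy: count threshold or a high-risk port; takes effect
        # for the source's subsequent packets, the current probe is still answered
        if self.hits[src] >= self.threshold or pkt.get("dport") in self.high_risk:
            self.blocked.add(src)
        return "respond", reply


if __name__ == "__main__":
    decoys = {"10.200.3.20": {"mac": "02:aa:bb:cc:dd:01", "open_ports": {80, 445}},
              "10.200.3.21": {"mac": "02:aa:bb:cc:dd:02", "open_ports": {22}}}
    d = ScanDefender(decoys)
    probes = [{"src": "10.200.3.18", "dst": "10.200.3.20", "proto": "tcp", "dport": 80, "flags": "S"},
              {"src": "10.200.3.18", "dst": "10.200.3.20", "proto": "tcp", "dport": 8080, "flags": "S"},
              {"src": "10.200.3.18", "dst": "10.200.3.21", "proto": "arp"},
              {"src": "10.200.3.18", "dst": "10.200.3.25", "proto": "tcp", "dport": 443, "flags": "S"}]
    for p in probes:
        print(d.process(p))
    print("blocked:", d.blocked, "log entries:", len(d.log))
```

Because the only traffic that ever reaches a decoy is traffic nobody legitimately sends, each hit is a high-confidence signal, which is what the text means by a low false positive rate; the threshold exists to tolerate stray broadcasts and misconfigurations rather than to detect anything.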
[0061] The dynamic update unit (7) periodically notifies the camouflage host unit (4) to regenerate the camouflage hosts, according to the dynamic update time interval issued by the management unit (1).
[0062] The network traffic confusion unit (8) sends confusing traffic on behalf of the camouflage hosts generated by the camouflage host unit (4), according to the policy issued by the management unit (1), so that an attacker cannot distinguish real hosts from camouflage hosts; this increases the difficulty of carrying out ARP spoofing and at the same time lures the attacker into scanning the camouflage hosts. The confusing traffic includes, but is not limited to, ARP confusion packets, NBNS confusion packets, DNS confusion packets and HTTP confusion packets.
[0063] The log unit (9) is used to generate attack log information, including the attack source IP, destination IP, destination port, protocol type and so on.
[0064] In this way, with the system for defending against ARP spoofing and network scanning of the present invention deployed in the network: since all hosts are in different network segments, ARP spoofing and ARP scanning between the hosts of the LAN are eliminated; since the default gateway IP of each host is different and dynamically updated, and the false traffic generated by the camouflage hosts in the host's segment confuses the attacker, ARP spoofing of the gateway is defended against to a large extent; and since camouflage hosts are generated in the segment of every host, an attacker actively scanning the LAN will with high probability touch these camouflage hosts, which can be used for real-time alerting on and blocking of the attacker, with a very low false positive rate.
[0065] The present invention further proposes a local area network security method, based on the above system for defending against ARP spoofing and network scanning, that includes the following steps:
[0066] Step (1): configure the user network segments, the basic network element information, the network traffic confusion policy and the dynamic update time interval of the camouflage hosts;
[0067] Step (2): during the DHCP exchange in which a host inside the local area network obtains its IP address, modify the IP address and default gateway IP assigned to the host so that the IP address obtained by each host lies in a segment of its own, that is, the IP addresses of any two hosts belong to different network segments (the IP and the default gateway IP obtained by one host lie in the same network segment);
[0068] Step (3): randomly select multiple IP addresses within the network segment of each real host of the local area network to generate camouflage hosts (a camouflage host IP must not conflict with the IP of the real host or with the real host's default gateway IP), and configure for each camouflage host information including, but not limited to, a false IP address, false MAC address, false operating system type and version, and false open ports;
[0069] Step (4): process the network communication packets, looking up the generated camouflage hosts; if the access target is not a camouflage host the packet is regarded as a normal packet, otherwise it is judged to be scan traffic and a false response packet is constructed on the basis of the generated camouflage host to answer the scan packet; when the scan blocking policy is triggered, the source IP that sent the scan packets is blocked, that is, packets generated by that IP are discarded, the scan blocking policy being preferably, but not limited to, that the number of attacks reaches a preset threshold or that a preset high-risk sensitive port has been accessed;
[0070] Step (5): when the DHCP lease of a host of the local area network expires, update the default gateway IP assigned to the host and check whether the updated default gateway IP coincides with a camouflage host; if it does, remove that IP from the camouflage hosts;
[0071] Step (6): periodically perform the dynamic update operation and regenerate new camouflage hosts.
[0072] Depending on the specific application field of the system, those skilled in the art can, on the basis of the above embodiment, include further information in the network attributes of the camouflage hosts; all such variants belong to the technical concept of the present invention.
[0073] The above describes only preferred embodiments of the present invention, and the technical solution of the present invention is not limited thereto; any modification made by those skilled in the art on the basis of the main technical concept of the invention belongs to the technical scope protected by the present invention. The specific scope of protection of the present invention is subject to the claims.