A user authentication method and apparatus

By generating and managing node information entries on the authentication server, marking untrusted user devices, and allowing network devices to terminate or discard their authentication requests, the problem of attackers frequently consuming resources for authentication in PPPoE networking is solved, thus improving the reliability and security of network authentication.

CN116506168BActive Publication Date: 2026-07-14NEW H3C TECH CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
NEW H3C TECH CO LTD
Filing Date
2023-04-19
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

In PPPoE networking, attackers can impersonate clients and engage in frequent authentication interactions, leading to resource consumption of authentication servers and network devices, affecting the online time of normal users, and once the authentication information is cracked, attackers can access the enterprise's internal network, causing information security incidents.

Method used

The authentication server generates node information entries to record the username, MAC address, and number of unmatched entries. If the number of unmatched entries exceeds a preset value, it is marked as untrusted and the network device is notified to terminate or discard the authentication request. The network device performs anti-attack processing based on the marking.

Benefits of technology

It effectively interrupts attackers' authentication sessions, prevents brute-force attacks, improves the reliability of network authentication, and avoids resource consumption and potential security threats to the authentication server.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116506168B_ABST
    Figure CN116506168B_ABST
Patent Text Reader

Abstract

The specification provides a user authentication method and device, and relates to the technical field of communication. A user authentication method applied to an authentication server comprises the following steps: receiving an authentication request sent by a network device; if a username and a password received do not match a username and a password stored by the authentication server, generating a node information table item marked as a to-be-authenticated state; if the number of times of mismatch in a node information table item exceeds a preset value, marking the node information table item as an untrusted state, recording an anti-attack enabling mark in the node information table item, and sending the node information table item to the network device, so that the network device terminates an authentication session corresponding to an authentication request matching a username or a MAC address in the node information table item, or discards the authentication request matching the username or the MAC address in the node information table. Through the above method, the reliability of network authentication can be improved.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This specification relates to the field of communication technology, and in particular to a user authentication method and apparatus. Background Technology

[0002] With the development of network technology, users' demand for network security is also gradually increasing. In PPPoE (Point-to-Point Protocol over Ethernet) networking, client authentication is achieved through authentication interaction between the client, network devices (also known as PPPoE servers), and authentication servers. After authentication, the client can access the enterprise's internal network.

[0003] However, in current applications, attackers can impersonate clients to initiate authentication with network devices and achieve brute-force attacks through more frequent authentication interactions. This process consumes a large amount of resources between the authentication server and network devices, affecting the online time of normal users. Furthermore, once the authentication information is cracked, attackers can access the enterprise's internal network, thereby causing information security incidents. Therefore, how to quickly identify attacks and cut off the brute-force attack process is a problem that urgently needs to be solved by those skilled in the art. Summary of the Invention

[0004] To overcome the problems existing in related technologies, this specification provides a user authentication method and apparatus.

[0005] In conjunction with a first aspect of the embodiments described herein, this application provides a user authentication method applied to an authentication server, comprising:

[0006] Receive authentication requests sent by network devices, wherein the authentication requests shall at least include the username, password and the media access control MAC address of the user device;

[0007] If the received username and password do not match the username and password stored in the node, a node information table entry marked as pending authentication is generated. The node information table entry records the received username, MAC address, number of mismatches, and status information.

[0008] If the number of unmatched entries in a node information table exceeds a preset value, the node information table entry is marked as untrusted, an anti-attack flag is recorded in the node information table entry, and the node information table entry is sent to the network device so that the network device terminates the authentication session corresponding to the authentication request that matches the username or MAC address in the node information table entry, or discards the authentication request that matches the username or MAC address in the node information table entry.

[0009] Optionally, after receiving the authentication request sent by the network device based on the authentication session, the method further includes:

[0010] If the received username and password match the username and password stored in the device, a node information entry marked as trusted is generated and sent to the network device so that the network device can forward the data packets sent by the user device based on the node information entry.

[0011] Optionally, after generating node information entries marked as pending authentication, and before the number of unmatched entries exceeds a preset value, the process further includes:

[0012] If the received username and password match the username and password stored in the node, the node information entry is marked as trusted, the number of unmatched entries is cleared, and the node information entry is sent to the network device.

[0013] Optionally, the node information table also records the aging time;

[0014] The method also includes:

[0015] If a node information entry marked as trusted or untrusted reaches its aging time, the node information entry will be marked as pending authentication, and the anti-attack flag will be disabled.

[0016] In conjunction with a second aspect of the embodiments described herein, this application provides a user authentication method applied to a network device, comprising:

[0017] Receive authentication requests sent by user equipment based on authentication sessions, wherein the authentication requests carry at least the username, password and MAC address of the user equipment;

[0018] Send an authentication request to the authentication server so that the authentication server can authenticate the user device based on the username and password, generate a node information table entry that contains at least the username, password, number of unmatches and MAC address, and mark the node information table entry as untrusted when the number of unmatches exceeds a preset value.

[0019] Receive and record node information entries marked as untrusted by the authentication server;

[0020] If a received subsequent authentication request contains a username or MAC address recorded in a node information table entry marked as untrusted, the authentication session with the user device corresponding to the subsequent authentication request is terminated, or the authentication request matching the username or MAC address in the node information table marked as untrusted is discarded.

[0021] Optionally, after sending the authentication request to the authentication server, the following steps are also included:

[0022] Receive and record node information entries marked as trusted by the authentication server;

[0023] If the received data packet contains the username and MAC address recorded in the node information table that is marked as trusted, then the data packet is forwarded.

[0024] In conjunction with a third aspect of the embodiments described herein, this application provides a user authentication device applied to an authentication server, comprising:

[0025] The receiving unit is used to receive authentication requests sent by network devices, wherein the authentication request carries at least the username, password and MAC address of the user device;

[0026] The generation unit is used to generate a node information table entry marked as pending authentication if the received username and password do not match the username and password stored in its own database. The node information table entry records the received username, MAC address, number of times it did not match, and status information.

[0027] The anti-attack unit is used to mark a node information entry as untrusted if the number of unmatched entries in a node information table exceeds a preset value, record an enable anti-attack flag in the node information table, and send the node information table to the network device so that the network device terminates the authentication session corresponding to the authentication request that matches the username or MAC address in the node information table, or discards the authentication request that matches the username or MAC address in the node information table.

[0028] Optionally, the device may also include:

[0029] The authentication unit is used to generate a node information entry marked as trusted if the received username and password match the username and password stored in its own database, and send the generated node information entry to the network device so that the network device can forward the data packets sent by the user equipment based on the node information entry.

[0030] Optionally, the device may also include:

[0031] The clearing unit is used to mark the node information entry as trusted if the received username and password match the username and password stored in its own database, clear the number of unmatched entries, and send the node information entry to the network device.

[0032] Optionally, the node information table also records the aging time;

[0033] The device also includes:

[0034] The aging unit is used to mark a node information entry in a pending authentication state and disable the anti-attack flag if the node information entry marked as trusted or untrusted reaches its aging time.

[0035] In conjunction with the fourth aspect of the embodiments described herein, this application provides a user authentication device applied to a network device, comprising:

[0036] The receiving unit is used to receive an authentication request sent by the user equipment based on the authentication session, wherein the authentication request carries at least the username, password and MAC address of the user equipment;

[0037] The sending unit is used to send an authentication request to the authentication server so that the authentication server can authenticate the user device based on the username and password, generate a node information table entry containing at least the username, password, number of unmatches and MAC address, and mark the node information table entry as untrusted when the number of unmatches exceeds a preset value.

[0038] The receiving unit is used to receive and record node information entries marked as untrusted by the authentication server.

[0039] The anti-attack unit is used to terminate the authentication session with the user device corresponding to the subsequent authentication request, or discard the authentication request that matches the username or MAC address recorded in the node information table marked as untrusted, if the received subsequent authentication request contains a username or MAC address recorded in the node information table marked as untrusted.

[0040] Optionally, the receiving unit is also used to receive and record node information entries marked as trusted by the authentication server.

[0041] The sending unit is used to forward the data packet if the received data packet contains the username and MAC address recorded in the node information table entry marked as trusted.

[0042] In conjunction with a fifth aspect of the embodiments of this specification, this application provides an authentication server, including a transceiver, a processor, and a machine-readable storage medium storing machine-executable instructions that can be executed by the processor, the processor being prompted by the machine-executable instructions to implement the method steps of any of the above.

[0043] In conjunction with a sixth aspect of the embodiments of this specification, this application provides a network device including a transceiver, a processor, and a machine-readable storage medium storing machine-executable instructions that can be executed by the processor, the processor being prompted by the machine-executable instructions to implement the method steps of any of the above.

[0044] In conjunction with the seventh aspect of the embodiments of this specification, this application provides a machine-readable storage medium storing machine-executable instructions that, when invoked and executed by a processor, cause the processor to: implement the method steps of any of the preceding claims.

[0045] The technical solutions provided by the embodiments in this specification may include the following beneficial effects:

[0046] In the embodiments described in this specification, the authentication server generates a node information table entry by matching the username and MAC address stored in its own database with the authentication request. If the number of unmatched records in a node information table entry exceeds a preset value, the node information table entry is marked as untrusted and the network device is notified. The network device then performs anti-attack processing on subsequent authentication requests based on the issued node information table entry marked as untrusted. This process either terminates the authentication session that matches the username or MAC address directly or discards the authentication request containing the username or MAC address. This intercepts the attacker's attack packets on the network device side, preventing brute-force attacks on the authentication server and improving the reliability of network authentication.

[0047] It should be understood that the above general description and the following detailed description are exemplary and explanatory only, and are not intended to limit this specification. Attached Figure Description

[0048] The accompanying drawings, which are incorporated in and form part of this specification, illustrate embodiments consistent with this specification and, together with the description, serve to explain the principles of this specification.

[0049] Figure 1 This is a flowchart of a user authentication method involved in this application, applied to an authentication server;

[0050] Figure 2 This is a network diagram applicable to one of the user authentication methods involved in this application;

[0051] Figure 3 This is a schematic diagram illustrating the processing of node information entries in a user authentication method according to an embodiment of this application.

[0052] Figure 4 This is a schematic diagram illustrating another method for processing node information entries in a user authentication method according to an embodiment of this application.

[0053] Figure 5 This is a schematic diagram illustrating another method for processing node information entries in a user authentication method according to an embodiment of this application.

[0054] Figure 6This is a flowchart of a user authentication method involved in this application, applied to a network device;

[0055] Figure 7 This is a schematic diagram of a user authentication device involved in this application, which is applied to an authentication server;

[0056] Figure 8 This is a schematic diagram of a user authentication device involved in this application, which is applied to network equipment;

[0057] Figure 9 This is a schematic diagram of the structure of an authentication server involved in this application;

[0058] Figure 10 This is a schematic diagram of the structure of a network device involved in this application. Detailed Implementation

[0059] Exemplary embodiments will now be described in detail, examples of which are illustrated in the accompanying drawings. When the following description relates to the drawings, unless otherwise indicated, the same numbers in different drawings denote the same or similar elements. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with this specification.

[0060] This application provides a user authentication method, applied to an authentication server, such as... Figure 1 As shown, it includes:

[0061] S100: Receives authentication requests sent by network devices.

[0062] like Figure 2 As shown, the network includes user equipment, network devices, and an authentication server. User equipment can include legitimate user devices as well as attackers posing as user devices. Network devices are typically gateway devices. When a user device needs authentication, it establishes an authentication session with the network device based on the PPPoE protocol, and then sends an authentication request to the authentication server through the network device via this session. The authentication request must include at least the username, password, and the user device's MAC (Media Access Control) address.

[0063] The authentication server can receive the authentication request, parse it, and obtain the various types of information it carries.

[0064] It should be noted that in the PPPoE protocol, user equipment can be referred to as a PPPoE client, and network equipment can be referred to as a PPPoE server.

[0065] A PPP (Point-to-Point) session is established between user equipment and network equipment in the following way:

[0066] The user equipment broadcasts a PADI (PPPoE Active DiscoveryInitial) message, which contains information about the type of service the user equipment wants to obtain.

[0067] After receiving a PADI message, all network devices compare the requested service with the services they can provide. If they can provide the service, they unicast a PADO (PPPoE Active Discovery Offer) message in response.

[0068] Depending on the network topology, a user equipment may receive PADO messages from multiple network devices. The user equipment selects the network device corresponding to the first PADO message it receives as its own network device and unicasts a PADR (PPPoE Active Discovery Request) message.

[0069] The network device generates a unique session identifier to identify the session with the user equipment. It sends the session identifier to the user equipment by sending a PADS (PPPoE Active Discovery Session-confirmation) message. After the session is successfully established, it enters the PPPoE session phase (i.e. the authentication session in the authentication process).

[0070] Once completed, both parties in the communication will know the PPPoE session identifier and the other party's MAC address, which together determine a unique authentication session.

[0071] After the authentication session is established, PPP negotiation can be carried out, and subsequent PPP data transmission can be achieved.

[0072] At this point, an attacker can steal a legitimate user's username and a randomly generated password to initiate authentication with the authentication server. Since the username and password that can access the server are pre-stored on the authentication server, the authentication server needs to authenticate the user device that initiates the authentication request. The network device can only forward the authentication request to the authentication server. Therefore, in the process of the attacker randomly generating passwords and frequently initiating authentication requests, excessive network resources between the network device and the authentication server will be consumed, causing the authentication requests of legitimate users to be unable to be sent to the authentication server for authentication in a timely manner, thus reducing the reliability of the network.

[0073] S101. If the received username and password do not match the username and password stored in the node itself, a node information entry marked as pending authentication is generated.

[0074] The authentication server stores a number of usernames and passwords that can access the network. Upon receiving an authentication request, the authentication server searches for the received username and password in its own storage. If a match is found, it means that the user device using that username and password can access the network; otherwise, it means that the user device used an incorrect username or password.

[0075] After an authentication is performed, the authentication server generates a node information table entry, which records the received username, MAC address, number of unmatched entries, and status information.

[0076] If a username and password are matched, the status information in the generated node information table will be marked as trusted, and the number of unmatched entries will be recorded as 0.

[0077] If no username and password are matched, the status information in the generated node information table will be marked as pending authentication, and the system will continue to receive authentication requests from the user device (or attacker). Since users may enter incorrect usernames and passwords, a single incorrect username or password cannot be considered an attack, thus preventing the system from mistakenly identifying user input errors as an attack. However, the number of unmatched entries in the node information table will be incremented.

[0078] Optionally, after receiving the authentication request sent by the network device based on the authentication session in step S100, the method further includes:

[0079] S103. If the received username and password match the username and password stored in the device, a node information entry marked as trusted is generated and sent to the network device so that the network device can forward the data packets sent by the user device based on the node information entry.

[0080] like Figure 3 As shown, when the authentication server determines that user device 1 is a legitimate user device, after generating a node information entry based on information such as username, password, and MAC address, the number of unmatched entries in this node information entry is marked as 0 (indicating a correct match), and the generated node information entry is marked as trusted (denoted as node information entry 1). The trusted state indicates that the username and password have been authenticated, and the network device can allow subsequent data packets to pass.

[0081] At this point, the authentication server can send node information entry 1 to the network device, which receives and records it. The network device then sends an acknowledgment to user device 1, completing the authentication process. User device 1 can send data packets to the network device. When the network device determines that the MAC address of user device 1 matches the MAC address recorded in node information entry 1, it can forward the data packet.

[0082] Optionally, after step S101, generating node information entries marked as pending authentication, and before step S102, before the number of unmatched occurrences exceeds a preset value, the method further includes:

[0083] S104. If the received username and password match the username and password stored in the node, mark the node information entry as trusted, clear the number of unmatched entries, and send the node information entry to the network device.

[0084] like Figure 4 As shown, after a normal user device (user device 1) initiates an authentication request, the authentication server determines that user device 1 has failed authentication because the user entered the wrong username and password. It generates node information entry 2, records the username and MAC address, and marks node information entry 2 as pending authentication, incrementing the number of unmatched attempts to 1. At this point, since the authentication process is incomplete and not considered an attack, the authentication server can temporarily withhold node information entry 2. The pending authentication status indicates that the user device failed authentication this time, but the number of unmatched attempts has not exceeded a preset value, requiring the authentication server to continue authenticating subsequent authentication requests.

[0085] At this point, the network device will issue a notification that authentication failed. The user can re-enter their username and password for a second authentication, sending the new username and password along with the authentication request. The authentication server determines that the new username and password match, and authentication is successful. The authentication server updates the status information in node information table 2 to the trusted state and clears the number of unmatched attempts to zero, indicating that user device 1 has passed authentication. The subsequent steps are similar to those described in step S103 and will not be repeated here.

[0086] S102. If the number of unmatched entries in a node information table exceeds a preset value, the node information table entry is marked as untrusted, an anti-attack flag is recorded in the node information table entry, and the node information table entry is sent to the network device so that the network device terminates the authentication session corresponding to the authentication request that matches the username or MAC address in the node information table entry, or discards the authentication request that matches the username or MAC address in the node information table entry.

[0087] like Figure 5As shown, if user device 2, which initiates the authentication, is an attacker, the most likely method for user device 2 to crack the authentication is to try and find the correct password using a random password, given that it knows the username. When the authentication server fails the first authentication attempt, a node information entry 3 is generated and marked as pending authentication, with a non-match count of 1 in the node information entry 3. Subsequent attackers continue to send authentication requests, but all fail. Each time the authentication server matches a node information entry 3 based on any information in the username or MAC address, it continues to accumulate the non-match count.

[0088] When the number of unmatched entries in node information table 3 accumulates to a preset value (e.g., 5), the authentication server identifies user device 2 as an attacker, marks the status information in node information table 3 as untrusted, and enables the anti-attack policy in node information table 3, i.e., records the anti-attack flag in node information table 3. Afterwards, node information table 3 is distributed to network devices for recording.

[0089] At this point, after receiving the attacker's authentication request, the network device checks the authentication request based on the recorded node information entry 3 and processes it by terminating the authentication session or discarding the authentication request.

[0090] For example, after the network device receives node information entry 3, since the network device and user device 2 still maintain an authentication session, in order to prevent the attacker from continuing to occupy the network device's session resources, the network device can send a PADT (PPPOE Active Discovery Terminate) message to user device 2 to terminate the authentication session between user device 2 and the network device, thereby ending the current attacker's authentication attack on the authentication server as soon as possible.

[0091] Subsequently, if user equipment 2 seeks to re-establish the authentication session, when the network device receives the PADI message, it can look up the node information table entry 3 based on the MAC address in the PADI message. If the attacker continues to initiate authentication using the username or MAC address in the message, the network device can directly discard the PADI message to avoid occupying the network device's communication resources or session resources by re-establishing its authentication session, thereby further improving the reliability of the network device.

[0092] Optionally, the node information table also records the aging time;

[0093] The method also includes:

[0094] S105. If a node information entry marked as trusted or untrusted reaches its aging time, then mark the node information entry as pending authentication and disable the anti-attack flag.

[0095] After the authentication server generates node information entries marked as trusted or untrusted, an aging time can be set. Once the aging time is set, the authentication server can start a timer to keep track of the time.

[0096] If the timer reaches its aging time, it means that the node information entry has been active for a period of time, and the current network situation may have changed. For example, the attacker's attack may have stopped, or normal user equipment may have stopped sending data packets.

[0097] At this point, the authentication server can mark the node information entry as pending authentication, requiring re-authentication, and clear the anti-attack mark. It should be noted that if the node information entry is marked as trusted, then no anti-attack mark is configured. You can choose not to process it, or clear it once; this will not affect the functionality of the node information entry.

[0098] Subsequently, the authentication server can send a notification to the network device to delete the node information table entry. This will cause the network device to delete the currently stored node information table entry. For example, the notification can include the username and / or MAC address so that the network device can match the corresponding node information table entry it stores and delete it.

[0099] For node information entries marked as trusted, if the network device continues to receive data packets, such as if the number of data packets received within a set period exceeds a preset number, the network device can send a keep-alive message to the authentication server, carrying the MAC address, so that the authentication server can clear the timer of the node information entry that matches the MAC address and start timing again.

[0100] Correspondingly, this application also provides a user authentication method, applied to network devices, such as... Figure 6 As shown, it includes:

[0101] S600: Receives authentication requests sent by user equipment based on authentication sessions.

[0102] The authentication request must include at least the username, password, and the MAC address of the user's device.

[0103] S601. Send an authentication request to the authentication server so that the authentication server can authenticate the user device based on the username and password, generate a node information table entry containing at least the username, password, number of unmatches and MAC address, and mark the node information table entry as untrusted when the number of unmatches exceeds a preset value.

[0104] S602. Receive and record node information entries marked as untrusted by the authentication server.

[0105] S603. If the received subsequent authentication request contains a username or MAC address recorded in the node information table that is marked as untrusted, then terminate the authentication session with the user device corresponding to the subsequent authentication request, or discard the authentication request that matches the username or MAC address in the node information table that is marked as untrusted.

[0106] Optionally, after step S601, sending the authentication request to the authentication server, the method further includes:

[0107] S604. Receive and record the node information entries marked as trusted by the authentication server.

[0108] S605. If the received data packet contains the username and MAC address recorded in the node information table entry marked as trusted, then the data packet shall be forwarded.

[0109] The descriptions on the network device side correspond to those on the authentication server side, and will not be repeated here.

[0110] Correspondingly, this application also provides a user authentication device for use on an authentication server, such as... Figure 7 As shown, it includes:

[0111] The receiving unit is used to receive authentication requests sent by the network device, wherein the authentication request carries at least the username, password and the media access control MAC address of the user device;

[0112] The generation unit is used to generate a node information table entry marked as pending authentication if the received username and password do not match the username and password stored in its own database. The node information table entry records the received username, MAC address, number of times it did not match, and status information.

[0113] The anti-attack unit is used to mark a node information entry as untrusted if the number of unmatched entries in a node information table exceeds a preset value, record an enable anti-attack flag in the node information table, and send the node information table to the network device so that the network device terminates the authentication session corresponding to the authentication request that matches the username or MAC address in the node information table, or discards the authentication request that matches the username or MAC address in the node information table.

[0114] Optionally, the device may also include:

[0115] The authentication unit is used to generate a node information entry marked as trusted if the received username and password match the username and password stored in its own database, and send the generated node information entry to the network device so that the network device can forward the data packets sent by the user equipment based on the node information entry.

[0116] Optionally, the device may also include:

[0117] The clearing unit is used to mark the node information entry as trusted if the received username and password match the username and password stored in its own database, clear the number of unmatched entries, and send the node information entry to the network device.

[0118] Optionally, the node information table also records the aging time;

[0119] The device also includes:

[0120] The aging unit is used to mark a node information entry in a pending authentication state and disable the anti-attack flag if the node information entry marked as trusted or untrusted reaches its aging time.

[0121] Correspondingly, this application also provides a user authentication device for use in network devices, such as... Figure 8 As shown, it includes:

[0122] The receiving unit is used to receive an authentication request sent by the user equipment based on the authentication session, wherein the authentication request carries at least the username, password and MAC address of the user equipment;

[0123] The sending unit is used to send an authentication request to the authentication server so that the authentication server can authenticate the user device based on the username and password, generate a node information table entry containing at least the username, password, number of unmatches and MAC address, and mark the node information table entry as untrusted when the number of unmatches exceeds a preset value.

[0124] The recording unit is used to receive and record node information entries marked as untrusted by the authentication server.

[0125] The anti-attack unit is used to terminate the authentication session with the user device corresponding to the subsequent authentication request, or discard the authentication request that matches the username or MAC address recorded in the node information table marked as untrusted, if the received subsequent authentication request contains a username or MAC address recorded in the node information table marked as untrusted.

[0126] Optionally, the receiving unit is also used to receive and record node information entries marked as trusted by the authentication server.

[0127] The sending unit is used to forward the data packet if the received data packet contains the username and MAC address recorded in the node information table entry marked as trusted.

[0128] Correspondingly, this application also provides an authentication server, such as Figure 9 As shown, it includes a transceiver, a processor, and a machine-readable storage medium storing machine-executable instructions that can be executed by the processor, which in turn causes the processor to implement the method steps of any of the above.

[0129] Correspondingly, this application also provides a network device, such as Figure 10 As shown, it includes a transceiver, a processor, and a machine-readable storage medium storing machine-executable instructions that can be executed by the processor, which in turn causes the processor to implement the method steps of any of the above.

[0130] Correspondingly, this application also provides a machine-readable storage medium storing machine-executable instructions, which, when called and executed by a processor, cause the processor to implement the method steps of any of the above-mentioned authentication servers or network devices.

[0131] The technical solutions provided by the embodiments in this specification may include the following beneficial effects:

[0132] In the embodiments described in this specification, the authentication server generates a node information table entry by matching the username and MAC address stored in its own database with the authentication request. If the number of unmatched records in a node information table entry exceeds a preset value, the node information table entry is marked as untrusted and the network device is notified. The network device then performs anti-attack processing on subsequent authentication requests based on the issued node information table entry marked as untrusted. This process either terminates the authentication session that matches the username or MAC address directly or discards the authentication request containing the username or MAC address. This intercepts the attacker's attack packets on the network device side, preventing brute-force attacks on the authentication server and improving the reliability of network authentication.

[0133] It should be understood that this specification is not limited to the precise structure described above and shown in the accompanying drawings, and various modifications and changes can be made without departing from its scope.

[0134] The above description is only a preferred embodiment of this specification and is not intended to limit this specification. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of this specification shall be included within the scope of protection of this specification.

Claims

1. A user authentication method, characterized in that, Applied to authentication servers, including: Receive an authentication request sent by a network device, wherein the authentication request carries at least a username, a password and the media access control MAC address of the user device; If the received username and password do not match the username and password stored in the system, a node information entry marked as pending authentication is generated. The node information entry records the received username, MAC address, number of unmatches, and status information. After the node information entry marked as pending authentication is generated, and before the number of unmatches exceeds a preset value, the node information entry in the pending authentication state will not be sent out. If the number of unmatched entries in a node information table exceeds a preset value, the node information table entry is marked as untrusted, an anti-attack flag is recorded in the node information table entry, and the node information table entry is sent to the network device so that the network device terminates the authentication session corresponding to the authentication request that matches the username or MAC address in the node information table entry, or discards the authentication request that matches the username or MAC address in the node information table entry.

2. The method according to claim 1, characterized in that, After receiving the authentication request sent by the network device based on the authentication session, it also includes: If the received username and password match the username and password stored in the network device, a node information entry marked as trusted is generated and sent to the network device so that the network device can forward data packets sent by the user equipment based on the node information entry.

3. The method according to claim 1, characterized in that, After generating node information entries marked as pending authentication, and before the number of unmatched entries exceeds a preset value, the following steps are also included: If the received username and password match the username and password stored in the node, the node information entry is marked as trusted, the number of unmatched entries is cleared, and the node information entry is sent to the network device.

4. The method according to any one of claims 1-3, characterized in that, The node information table also records the aging time; The method further includes: If a node information entry marked as trusted or untrusted reaches its aging time, the node information entry is marked as pending authentication, and the anti-attack flag is disabled.

5. A user authentication method, characterized in that, Applied to network devices, including: Receive an authentication request sent by a user equipment based on an authentication session, wherein the authentication request carries at least a username, a password, and the MAC address of the user equipment; The authentication request is sent to the authentication server so that the authentication server authenticates the user device based on the username and password, and generates a node information table entry containing at least the username, password, number of unmatches and MAC address. After the node information table entry marked as pending authentication is generated, and before the number of unmatches exceeds a preset value, the node information table entry in the pending authentication state is not issued, and when the number of unmatches of the node information table entry exceeds the preset value, the node information table entry is marked as untrusted. Receive and record the node information entries marked as untrusted sent by the authentication server; If a received subsequent authentication request contains a username or MAC address recorded in a node information entry marked as untrusted, the authentication session with the user device corresponding to the subsequent authentication request is terminated, or the authentication request matching the username or MAC address in a node information entry marked as untrusted is discarded.

6. The method according to claim 5, characterized in that, After sending the authentication request to the authentication server, the process also includes: Receive and record the node information entries marked as trusted by the authentication server. If the received data packet contains the username and MAC address recorded in the node information table entry marked as trusted, then the data packet is forwarded.

7. A user authentication device, characterized in that, Applied to authentication servers, including: A receiving unit is configured to receive an authentication request sent by a network device, wherein the authentication request carries at least a username, a password, and the MAC address of the user device; The generation unit is used to generate a node information table entry marked as pending authentication if the received username and password do not match the username and password stored in its own database. The node information table entry records the received username, MAC address, number of unmatches, and status information. After the node information table entry marked as pending authentication is generated, and before the number of unmatches exceeds a preset value, the node information table entry in the pending authentication state is not sent out. An anti-attack unit is used to mark a node information entry as untrusted if the number of unmatched entries in a node information entry exceeds a preset value, record an enable anti-attack flag in the node information entry, and send the node information entry to the network device so that the network device terminates the authentication session corresponding to the authentication request that matches the username or MAC address in the node information entry, or discards the authentication request that matches the username or MAC address in the node information entry.

8. The apparatus according to claim 7, characterized in that, Also includes: The authentication unit is configured to generate a node information entry marked as trusted if the received username and password match the username and password stored in its own database, and send the generated node information entry to the network device so that the network device can forward data packets sent by the user equipment based on the node information entry.

9. The apparatus according to claim 7, characterized in that, Also includes: The clearing unit is used to mark the node information entry as trusted if the received username and password match the username and password stored in its own database, clear the number of unmatched entries, and send the node information entry to the network device.

10. The apparatus according to any one of claims 7-9, characterized in that, The node information table also records the aging time; The device further includes: An aging unit is used to mark a node information entry in a pending authentication state and disable the anti-attack flag if the node information entry marked as trusted or untrusted reaches its aging time.

11. A user authentication device, characterized in that, Applied to network devices, including: The receiving unit is configured to receive an authentication request sent by a user equipment based on an authentication session, wherein the authentication request carries at least a username, a password, and the MAC address of the user equipment. The sending unit is configured to send the authentication request to the authentication server so that the authentication server authenticates the user device based on the username and password, and generates a node information table entry containing at least the username, password, number of unmatches and MAC address. After the node information table entry marked as pending authentication is generated, and before the number of unmatches exceeds a preset value, the node information table entry in the pending authentication state is not sent out, and when the number of unmatches of the node information table entry exceeds the preset value, the node information table entry is marked as untrusted. The receiving unit is used to receive and record the node information entries marked as untrusted by the authentication server. The anti-attack unit is used to terminate the authentication session with the user device corresponding to the subsequent authentication request if the received subsequent authentication request contains a username or MAC address recorded in the node information table entry marked as untrusted, or to discard the authentication request that matches the username or MAC address in the node information table entry marked as untrusted.

12. The apparatus according to claim 11, characterized in that, The receiving unit is also used to receive and record node information entries marked as trusted by the authentication server. The sending unit is configured to forward the data packet if the received data packet contains the username and MAC address recorded in the node information table entry marked as trusted.

13. An authentication server, characterized in that, The method includes a transceiver, a processor, and a machine-readable storage medium storing machine-executable instructions that can be executed by the processor, the processor invoking the executable instructions in the machine-readable storage medium to implement the steps of the method according to any one of claims 1-4.

14. A network device, characterized in that, The method includes a transceiver, a processor, and a machine-readable storage medium storing machine-executable instructions that can be executed by the processor, the processor invoking the executable instructions in the machine-readable storage medium to implement the steps of the method according to any one of claims 5 or 6.

15. A machine-readable storage medium, characterized in that, The device stores machine-executable instructions that are invoked and executed by a processor to implement the steps of the method described in any one of claims 1-4 or 5, 6.