CN102244651A - Method for preventing attack of illegal neighbor discovery protocol message and access equipment - Google Patents

Method for preventing attack of illegal neighbor discovery protocol message and access equipment

Info

Publication number: CN102244651A
Authority: CN (China)
Prior art keywords: message, address, host, entry, MAC address
Legal status: Granted
Application number: CN2010101758441A
Other languages: Chinese (zh)
Other versions: CN102244651B (en)
Inventor: 周立萍
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201010175844.1A
Publication of CN102244651A
Application granted
Publication of CN102244651B
Status: Active

Abstract

The invention discloses a method and an access device for preventing attacks that use illegal neighbor discovery (ND) protocol messages. The method comprises the following steps: the access device receives a DAD message for a link-local address, or a router solicitation (RS) message with an unspecified source IP address, sent by a host, and extracts the MAC address of the host from the message; the access device determines the prefix allocated to the host, generates the global unicast IPv6 address of the host from the prefix and the MAC address, and establishes a security entry containing the global unicast IPv6 address and the MAC address of the host; the access device receives an ND protocol message sent by any host and, if the message is neither a DAD message nor an RS message with an unspecified source IP address, matches the message against the established security entries one by one; if a match is found, the message is accepted; otherwise, the message is rejected. With the invention, attacks by illegal ND protocol messages can be prevented without adding any configuration.

Description

Method and access device for preventing illegal neighbor discovery protocol message attacks
Technical field
The present invention relates to the technical field of message transmission, and in particular to a method and an access device for preventing illegal Neighbor Discovery (ND) protocol message attacks.
Background
IPv6 is the next-generation Internet Protocol and solves the problem of IPv4 address scarcity. Compared with IPv4, IPv6 offers a concise fixed-length header, built-in security, and better quality of service (QoS) and mobility support. As a basic IPv6 protocol, the ND protocol provides functions such as address resolution, router discovery, neighbor unreachability detection and duplicate address detection. ND protocol messages are easily forged by attackers and used in attacks.
The main attack methods are as follows:
First, the attacker uses NS/NA messages to impersonate the gateway and deceive other users on the same network segment as the gateway, so that the messages these users send to the gateway are delivered to the attacker. The flow of the gateway impersonation attack is shown in Fig. 1:
Step 101: Attacker A sends a multicast Neighbor Solicitation (NS) message through the access device to other users, for example legitimate user B. The source Media Access Control (MAC) address of the NS message is the MAC address of attacker A, and the source IP address is the IP address of the gateway.
Step 102: User B receives the NS message and looks up the ND entry corresponding to the source IP address of the message. If none is found, it creates a new ND entry from the source IP address, source MAC address, etc. of the message. If one is found but the MAC address in the ND entry differs from the source MAC address of the NS message, it updates the MAC address in the ND entry with the source MAC address of the message.
Step 103: When user B wants to send a message to the gateway, it first sends a unicast NS message to perform neighbor unreachability detection. The destination IP address of this message is the IP address of the gateway, while the destination MAC address is the MAC address of attacker A from the ND entry that user B has learned.
Step 104: The NS message is delivered to attacker A, and attacker A replies to user B with a Neighbor Advertisement (NA) message.
Step 105: User B receives the NA message and sets the corresponding ND entry to the reachable state. From then on, all messages that user B sends to the gateway are intercepted by attacker A.
Second, the attacker uses NS/NA messages to impersonate a legitimate user and deceive the gateway or other users on the same network segment into updating the MAC address of that legitimate user, so that all messages the gateway or other users send to this legitimate user are encapsulated with wrong information. The attack flow is shown in Fig. 2:
Step 201: Attacker A sends a multicast NS message through the access device to other users, for example legitimate user C. The source MAC address of the NS message is the MAC address of attacker A, and the source IP address is the IP address of legitimate user B.
Step 202: Legitimate user C receives the NS message and looks up the ND entry corresponding to the source IP address of the message. If none is found, it creates a new ND entry from the source IP address, source MAC address, etc. of the message. If one is found but the MAC address in the ND entry differs from the source MAC address of the message, it updates the MAC address in the ND entry with the source MAC address of the message.
Step 203: When legitimate user C wants to send a message to legitimate user B, it first sends a unicast NS message to perform neighbor unreachability detection. The source IP address of the message is the IP address of user B, while the source MAC address is the MAC address of attacker A from the learned ND entry.
Step 204: The NS message is delivered to attacker A, and attacker A replies to legitimate user C with an NA message.
Step 205: Legitimate user C receives the NA message and sets the corresponding ND entry to the reachable state. From then on, the messages that legitimate user C sends to legitimate user B are intercepted by attacker A.
Third, the attacker uses RS/RA messages to deceive the gateway into updating the MAC address of a legitimate user on the same network segment, causing the gateway to send all messages to the attacker. The attack flow is shown in Fig. 3:
Step 301: Attacker A sends a Router Solicitation (RS) message to the gateway through the access device. The source IP address of the RS message is the IP address of legitimate user B, and the source MAC address is the MAC address of attacker A.
Step 302: The gateway receives the RS message and looks up the ND entry corresponding to the source IP address of the message. If none is found, it creates a new ND entry from the source IP address, source MAC address, etc. of the message. If one is found but the MAC address in the ND entry differs from the source MAC address of the message, it updates the MAC address in the ND entry with the source MAC address of the message.
Step 303: The gateway sends a message to legitimate user B. The destination IP address of the message is the IP address of legitimate user B, and the destination MAC address is the MAC address of attacker A from the ND entry, so the message is delivered to attacker A.
In addition, attacker A can also forge a Router Advertisement (RA) message whose source IP address is the gateway IP address and whose source MAC address is the MAC address of attacker A. When legitimate user B receives the RA message, it creates or updates the ND entry for the gateway, so that the messages legitimate user B sends to the gateway are intercepted by attacker A.
To avoid attacks by illegal users, the Secure ND (SeND) protocol of RFC 3971 provides a way of encrypting ND protocol messages, which requires encryption and decryption processing between the communicating nodes. The drawback of this approach is that encryption-related configuration is needed when the network is built, and it must be carried out on every node that needs to communicate, which increases complexity for the user.
Summary of the invention
The invention provides a method and an access device for preventing illegal ND protocol message attacks, so as to prevent attacks by illegal ND protocol messages without adding any configuration.
The technical solution of the invention is implemented as follows:
A method for preventing illegal Neighbor Discovery (ND) protocol message attacks, the method comprising:
The access device receives a duplicate address detection (DAD) message for a link-local address, or a router solicitation (RS) message with an unspecified source IP address, sent by a host, and extracts the media access control (MAC) address of the host from the message;
The access device determines the prefix allocated to the host, generates the global unicast IPv6 address of the host from the prefix and the MAC address of the host, and establishes a security entry comprising the global unicast IPv6 address and the MAC address of the host;
The access device receives an ND protocol message sent by any host; if the message is neither a DAD message nor an RS message with an unspecified source IP address, the access device matches the message against the established security entries one by one; if a match is found, it accepts the message; otherwise, it rejects the message.
The security entry further comprises the ingress port identifier and/or the virtual local area network (VLAN) identifier of the DAD message or of the RS message with an unspecified source IP address.
The access device is a Dynamic Host Configuration Protocol for IPv6 (DHCPv6) client.
The access device determining the prefix allocated to the host comprises: the access device allocates a prefix configured on itself to the host;
or, the access device obtains the prefix allocated to the host from a router advertisement (RA) message sent by an upstream device.
An access device, comprising:
A MAC address extraction module, which receives a duplicate address detection (DAD) message for a link-local address, or a router solicitation (RS) message with an unspecified source IP address, sent by a host, extracts the MAC address of the host from the message, and sends the MAC address of the host to the security entry establishment module;
A security entry establishment module, which receives the MAC address of the host, determines the prefix allocated to the host, generates the global unicast IPv6 address of the host from the prefix and the MAC address of the host, and establishes and stores a security entry comprising the global unicast IPv6 address and the MAC address of the host;
A filtering module, which receives an ND protocol message sent by any host; if the message is neither a DAD message nor an RS message with an unspecified source IP address, it matches the message one by one against the security entries stored by the security entry establishment module; if a match is found, it accepts the message; otherwise, it rejects the message.
The MAC address extraction module is further configured to send the ingress port identifier and VLAN identifier of the DAD message or RS message to the security entry establishment module,
and the security entry establishment module is further configured to put the ingress port identifier and VLAN identifier sent by the MAC address extraction module into the security entry.
The access device is a DHCPv6 client.
Compared with the prior art, in the invention the access device extracts the MAC address of the host from the DAD message or the RS message with an unspecified source IP address sent by the host, combines this MAC address with the prefix allocated to the host to generate the IPv6 address of the host, establishes a security entry from the IPv6 address and the MAC address of the host, and uses the security entry to filter ND protocol messages, so that attacks by illegal ND protocol messages can be prevented without adding configuration on the host or the access device.
Brief description of the drawings
Fig. 1 is a flow chart of an existing attack in which the attacker uses NS/NA messages to impersonate the gateway;
Fig. 2 is a flow chart of an existing attack in which the attacker uses NS/NA messages to impersonate a legitimate user;
Fig. 3 is a flow chart of an existing attack in which the attacker uses RS/RA messages to impersonate a legitimate user;
Fig. 4 is a flow chart of the method for preventing illegal ND protocol message attacks provided by Embodiment 1 of the invention;
Fig. 5 is a schematic diagram of the application scenario of Embodiment 2 of the invention;
Fig. 6 is a flow chart of the method for preventing illegal ND protocol message attacks provided by Embodiment 2 of the invention;
Fig. 7 is a composition diagram of the access device provided by an embodiment of the invention.
Detailed description of the embodiments
The invention is described in further detail below with reference to the drawings and specific embodiments.
Fig. 4 is a flow chart of the method for preventing illegal ND protocol message attacks provided by Embodiment 1 of the invention. As shown in Fig. 4, the specific steps are as follows:
Step 401: The access device receives a Duplicate Address Detection (DAD) message for a link-local address, or an RS message with an unspecified source IP address, sent by a host, and records the source MAC address, ingress port identifier (ID) and virtual local area network (VLAN) ID of the message.
An interface has only one link-local unicast address; its prefix is fixed as FE80:: and the prefix length is 64. After a host comes online, it automatically generates a link-local address and then sends the access device a DAD message carrying this address and the MAC address of the host, to confirm whether the address is already used by another host.
Step 402: The access device determines the prefix allocated to the host, generates the global unicast IPv6 address of the host from this prefix and the MAC address of the host, and establishes a security entry. The security entry comprises the global unicast IPv6 address of the host and the MAC address of the host.
The security entry may also comprise the ingress port ID, the VLAN ID, and so on. Here, the ingress port ID and VLAN ID are those of the DAD message or RS message recorded in step 401.
If the prefix is allocated by the upstream device of the access device, then after receiving the RA message sent by the upstream device, the access device obtains the prefix from the RA message, uses the prefix to generate the global unicast IPv6 address of the host, and forwards the RA message to the host, so that the host uses the prefix and its own MAC address to generate its own global unicast IPv6 address. If the prefix is configured on the access device itself, the access device uses the prefix directly to generate the global unicast IPv6 address of the host and, after receiving the RS message sent by the host, returns the prefix to the host in an RA message, so that the host uses the prefix and its own MAC address to generate its own global unicast IPv6 address. When generating the global unicast IPv6 address of the host, the access device and the host first use the MAC address of the host to generate an interface ID in EUI-64 format, and then generate the 128-bit global unicast IPv6 address of the host in the following format:
[Figure: format of the 128-bit global unicast IPv6 address of the host; image not available]
where N is generally 64.
There may be one prefix or several. If there are several, each prefix is combined with the MAC address of the host, which yields several global unicast IPv6 addresses, and one security entry is established for each IPv6 address.
Step 403: The access device receives an ND protocol message sent by a host and determines whether the message is a DAD message or an RS message with an unspecified source IP address. If so, go to step 401; otherwise, perform step 404.
Step 404: The access device matches the source IP address and source MAC address of the message against each security entry it has established, one by one.
If the security entries also contain the ingress port ID, VLAN ID, etc., then in this step the access device matches the source IP address, source MAC address, ingress port ID, VLAN ID, etc. of the message against each security entry it has established, one by one.
Step 405: The access device determines whether any security entry matches. If so, perform step 406; otherwise, perform step 407.
Step 406: The access device accepts the message, and the flow ends.
After accepting the message, the access device forwards it or processes it locally, as actually required.
Step 407: The access device rejects the ND protocol message.
The embodiment shown in Fig. 4 is equally applicable to the application scenario shown in Fig. 5. In this scenario, the flow for preventing illegal ND protocol message attacks is shown in Fig. 6:
Step 601: The Dynamic Host Configuration Protocol for IPv6 (DHCPv6) client receives a DAD message for a link-local address, or an RS message with an unspecified source IP address, sent by a host, and records the source MAC address, ingress port ID and VLAN ID of the message.
Step 602: The DHCPv6 client receives the RA message sent by the DHCPv6 server, obtains from this message the prefix allocated to the host, generates the global unicast IPv6 address of the host from this prefix and the MAC address of the host, and establishes a security entry. The security entry comprises the MAC address of the host and the global unicast IPv6 address of the host.
The security entry may also comprise the ingress port ID, the VLAN ID, and so on. Here, the ingress port ID and VLAN ID are those of the DAD message or RS message recorded in step 601.
Step 603: The DHCPv6 client receives an ND protocol message sent by a host and determines whether the message is a DAD message or an RS message with an unspecified source IP address. If so, go to step 601; otherwise, perform step 604.
Step 604: The DHCPv6 client matches the source IP address and source MAC address of the message against each security entry it has established, one by one.
If the security entries also contain the ingress port ID, VLAN ID, etc., then in this step the DHCPv6 client matches the source IP address, source MAC address, ingress port ID, VLAN ID, etc. of the message against each security entry it has established, one by one.
Step 605: The DHCPv6 client determines whether any security entry matches. If so, perform step 606; otherwise, perform step 607.
Step 606: The DHCPv6 client forwards the message, and the flow ends.
Step 607: The DHCPv6 client rejects the ND protocol message.
Fig. 7 is a composition diagram of the access device provided by an embodiment of the invention. As shown in Fig. 7, it mainly comprises a MAC address extraction module 71, a security entry establishment module 72 and a filtering module 73, wherein:
MAC address extraction module 71: receives a DAD message for a link-local address, or an RS message with an unspecified source IP address, sent by a host, extracts the MAC address of the host from the message, and sends the MAC address of the host to the security entry establishment module 72.
The MAC address extraction module 71 may also send the ingress port ID and VLAN ID of the DAD message or RS message, together with the MAC address of the host, to the security entry establishment module 72.
Security entry establishment module 72: receives the MAC address of the host sent by the MAC address extraction module 71, determines the prefix allocated to the host, generates the global unicast IPv6 address of the host from this prefix and the MAC address of the host, and establishes and stores a security entry comprising the global unicast IPv6 address and the MAC address of the host.
If the prefix for the host is configured on the access device, the security entry establishment module 72 uses this prefix and the MAC address of the host directly to generate the global unicast IPv6 address of the host; otherwise, the security entry establishment module 72 can extract the prefix allocated to the host from the RA message sent by the upstream device.
If the MAC address extraction module 71 also sends the ingress port ID and VLAN ID when it sends the MAC address of the host, the ingress port ID and VLAN ID are also put into the security entry.
Filtering module 73: receives an ND protocol message sent by any host; if the message is neither a DAD message nor an RS message with an unspecified source IP address, it matches the message one by one against the security entries stored by the security entry establishment module 72; if a match is found, it accepts the message; if no match is found, it rejects the message.
The access device shown in Fig. 7 can be a DHCPv6 client, in which case its upstream device is the DHCPv6 server.
The illustrated embodiments of the invention are applicable to scenarios in which the interface ID of the host is generated from the MAC address of the host.
The above are only preferred embodiments of the invention and are not intended to limit the invention. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (7)

1. A method for preventing illegal Neighbor Discovery (ND) protocol message attacks, characterized in that the method comprises:
The access device receives a duplicate address detection (DAD) message for a link-local address, or a router solicitation (RS) message with an unspecified source IP address, sent by a host, and extracts the media access control (MAC) address of the host from the message;
The access device determines the prefix allocated to the host, generates the global unicast IPv6 address of the host from the prefix and the MAC address of the host, and establishes a security entry comprising the global unicast IPv6 address and the MAC address of the host;
The access device receives an ND protocol message sent by any host; if the message is neither a DAD message nor an RS message with an unspecified source IP address, the access device matches the message against the established security entries one by one; if a match is found, it accepts the message; otherwise, it rejects the message.
2. The method of claim 1, characterized in that the security entry further comprises: the ingress port identifier and/or the virtual local area network (VLAN) identifier of the DAD message or of the RS message with an unspecified source IP address.
3. The method of claim 1 or 2, characterized in that the access device is a Dynamic Host Configuration Protocol for IPv6 (DHCPv6) client.
4. The method of claim 1 or 2, characterized in that the access device determining the prefix allocated to the host comprises: the access device allocates a prefix configured on itself to the host;
or, the access device obtains the prefix allocated to the host from a router advertisement (RA) message sent by an upstream device.
5. An access device, characterized in that it comprises:
A MAC address extraction module, which receives a duplicate address detection (DAD) message for a link-local address, or a router solicitation (RS) message with an unspecified source IP address, sent by a host, extracts the MAC address of the host from the message, and sends the MAC address of the host to the security entry establishment module;
A security entry establishment module, which receives the MAC address of the host, determines the prefix allocated to the host, generates the global unicast IPv6 address of the host from the prefix and the MAC address of the host, and establishes and stores a security entry comprising the global unicast IPv6 address and the MAC address of the host;
A filtering module, which receives an ND protocol message sent by any host; if the message is neither a DAD message nor an RS message with an unspecified source IP address, it matches the message one by one against the security entries stored by the security entry establishment module; if a match is found, it accepts the message; otherwise, it rejects the message.
6. The access device of claim 5, characterized in that the MAC address extraction module is further configured to send the ingress port identifier and VLAN identifier of the DAD message or RS message to the security entry establishment module,
and the security entry establishment module is further configured to put the ingress port identifier and VLAN identifier sent by the MAC address extraction module into the security entry.
7. The access device of claim 5 or 6, characterized in that the access device is a DHCPv6 client.
CN201010175844.1A 2010-05-14 2010-05-14 Method for preventing attack of illegal neighbor discovery protocol message and access equipment Active CN102244651B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201010175844.1A CN102244651B (en) 2010-05-14 2010-05-14 Method for preventing attack of illegal neighbor discovery protocol message and access equipment


Publications (2)

Publication Number Publication Date
CN102244651A (en) 2011-11-16
CN102244651B (en) 2014-04-16

Family

ID=44962490



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: Xinhua three Technology Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: Huasan Communication Technology Co., Ltd.