WO2024169097A1 - Packet sending method, device, and computer-readable storage medium - Google Patents
- Publication number
- WO2024169097A1 (PCT/CN2023/101870)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- message
- target host
- mac address
- host
- dhcp
- Prior art date
- Legal status
- Ceased
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses > H04L61/25—Mapping addresses of the same type > H04L61/2503—Translation of Internet protocol [IP] addresses > H04L61/2517—Translation of Internet protocol [IP] addresses using port numbers
- H04L61/09—Mapping addresses > H04L61/25—Mapping addresses of the same type > H04L61/2596—Translation of addresses of the same type other than IP, e.g. translation from MAC to MAC addresses
- H04L61/45—Network directories; Name-to-address mapping
- H04L61/50—Address allocation > H04L61/5007—Internet protocol [IP] addresses > H04L61/5014—Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
Definitions
- the embodiments of the present application relate to the field of data communication technology, and in particular to a message sending method, device, and computer-readable storage medium.
- the main purpose of the embodiments of the present application is to provide a message sending method, device and computer-readable storage medium that allow the MAC address drift (port migration) requirement of the correct host to be met.
- an embodiment of the present application provides a message sending method, the message sending method comprising:
- a static MAC address is generated based on the DHCP relationship table, wherein the static MAC address is used to instruct the current device to forward the message to the target host.
- an embodiment of the present application further provides a message sending device, the message sending device comprising:
- an acquisition module, used to acquire an authentication link establishment message in response to the target host being offline and to determine whether the authentication link establishment message belongs to the target host, wherein the authentication link establishment message carries a port number of a target port;
- a sending module, used to send a feedback message to the target host through the target port when the authentication link establishment message belongs to the target host;
- a generating module, used to generate a DHCP relationship table based on the authentication link establishment message;
- the generating module is further used to generate a static MAC address based on the DHCP relationship table, wherein the static MAC address is used to instruct the current device to forward the message to the target host.
- an embodiment of the present application also provides a message sending device, which includes: a memory, a processor, and a computer program stored in the memory and executable on the processor, and when the computer program is executed by the processor, the message sending method as described above is implemented.
- an embodiment of the present application further provides a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the message sending method as described above is implemented.
- the embodiment of the present application proposes a message sending method, device and computer-readable storage medium, which overcome the technical defect in the related art that a device under continuous attack cannot carry out the port migration of the correct host.
- the embodiment of the present application obtains an authentication link establishment message and determines whether it belongs to the target host, wherein the message carries the port number of the target port. When the message belongs to the target host, a feedback message is sent to the target host through that target port. Through this exchange the current device learns that the target host has a MAC address drift requirement, so it generates a DHCP relationship table from the authentication link establishment message and then a static MAC address from that table; the static MAC address instructs the current device to forward messages to the target host, which completes the MAC address drift of the target host.
- during authentication and link establishment, the embodiment of the present application does not consult the MAC address table of the current device but replies to the authentication message directly through the port on which the authentication request was received, which ensures that the correct host authenticates successfully. Even if the current device is attacked by messages from a non-target host and an incorrect MAC address is recorded in the MAC address table, the target port used for the feedback message is not the incorrect port associated with that incorrect MAC address, so the current device can still deliver the feedback message to the target host, complete authentication and link establishment, and satisfy the target host's MAC address drift requirement.
- FIG1 is a flow chart of an embodiment of a message sending method provided by the present application.
- FIG2 is a schematic diagram of an application scenario of an embodiment of a message sending method provided by the present application.
- FIG3 is a schematic diagram of an application scenario of another embodiment of a message sending method provided by the present application.
- FIG4 is a schematic structural diagram of an embodiment of a message sending device provided by the present application.
- FIG5 is a schematic structural diagram of an embodiment of a message sending device provided in the present application.
- references to “one embodiment” or “some embodiments” described in the specification of the embodiments of the present application mean that one or more embodiments of the embodiments of the present application include specific features, structures or characteristics described in conjunction with the embodiment.
- the statements “in one embodiment”, “in some embodiments”, “in some other embodiments”, etc. that appear in different places in this specification do not necessarily refer to the same embodiment, but mean “one or more but not all embodiments”, unless otherwise specifically emphasized in other ways.
- the terms “including”, “comprising”, “having” and their variations all mean “including but not limited to”, unless otherwise specifically emphasized in other ways.
- the device creates a relationship table of IP (Internet Protocol), MAC address (Media Access Control Address, also known as LAN address, Ethernet address or physical address), and port.
- when the IP, MAC address, and corresponding port of a received message are not recorded in this table, the message is discarded through an ACL (Access Control List) or other means, so that normal business communication cannot proceed through the device.
- this method has the following defects: although the device can judge and discard the spoofed message through the corresponding table of IP, MAC address and port formed by DHCP when receiving the host spoofed message, the MAC address of this spoofed message has been learned on the device hardware, and the learned MAC address is the same as the MAC address learned by the original correct host. Since the MAC address learning port of the spoofed message is different from the port where the MAC address of the correct host is learned, the MAC address of the correct host will drift.
- the traffic of the correct host will be interrupted, because the downlink data will be sent to the port that receives the spoofed message in a short time, until the correct host sends the message data again so that the device can learn the correct MAC address. Therefore, once the device is continuously attacked by the host spoofed message, although the spoofed host cannot go online for normal communication, it will cause the correct host to have continuous traffic jitter problems.
- the embodiments of the present application provide a message sending method, apparatus, device and computer-readable storage medium.
- when the device encounters a continuous attack of DHCP host spoofing messages, in addition to using the IP, MAC and port correspondence table to discard messages with an abnormal IP, the MAC address of the correct host is written as a static MAC address according to the relationship table generated by DHCP, so that the MAC address does not drift. When the correct host does need to drift its MAC address, then in response to the host going offline the CPU deletes the host-related information from the DHCP relationship table and refreshes the DHCP relationship table in real time.
- the refresh of the DHCP relationship table is processed first, and a static MAC address is then generated from the new DHCP relationship table.
- the device can send a message to the correct host based on the static MAC address, that is, the MAC address drift of the correct host is achieved.
- the following embodiments are used to illustrate the message sending method, device, equipment and computer-readable storage medium provided in the embodiments of the present application.
- FIG 1 is a flow chart of a message sending method provided in an embodiment of the present application.
- the message sending method can be applied to a message sending device.
- the message sending method provided in this embodiment includes steps S10 to S40.
- Step S10 in response to the target host being offline, obtaining an authentication link establishment message and determining whether it belongs to the target host, wherein the authentication link establishment message carries the port number of the target port.
- the executing entity can be a terminal device, such as a router or a switch, that can communicate with the network side.
- each step in this embodiment can be executed by the CPU protocol side in the terminal device; the target host can be regarded as the original correct host that has completed DHCP protocol authentication and established a connection relationship with the current device before step S10.
- MAC address drift refers to the process in which the target host goes offline from the port where it has completed DHCP protocol authentication and established a connection relationship with the current device, then goes online from a new port, and re-establishes a connection with the current device. From the perspective of the target host, it can also be regarded as a port migration process. However, in this process, the target host will not inform the device of prompt information about the port migration requirement, but the device can obtain the port migration intention of the target host based on the authentication link establishment message resent after the target host goes offline.
- when the current device detects that the target host is offline, it continues to listen for external authentication link establishment messages and, after obtaining one, determines whether it belongs to the correct host that was previously offline or is a spoofing attack message from the network.
- the port of the target host before it goes offline is recorded as Port1.
- the target port at which the current device receives the authentication link establishment message is recorded as Port3. If the authentication link establishment message is confirmed to be correct, it means that the target host is the correct host that was previously offline, and the current device can learn that the target host's port migration intention is to migrate from Port1 to Port3.
- the message sending method further includes:
- Step S11 deleting the relationship entry of the target host in the DHCP relationship table.
- the CPU can delete the correct host-related IP, MAC, and port information from the DHCP relationship table according to the DHCP protocol, or delete the DHCP relationship table; at the same time, delete the MAC address recorded in the MAC table.
- Step S20 when the authentication link establishment message belongs to the target host, sending a feedback message to the target host through the target port.
- when it is confirmed that the authentication link establishment message does belong to the correct host that was previously offline, the current device can establish a connection relationship with the target host based on the DHCP protocol. It should be noted that when the CPU sends the feedback message to the target host, it determines the target port directly from the port number carried in the authentication link establishment message and does not consult the MAC table stored in the hardware chip of the current device. This is because, after the target host goes offline, the current device may be attacked by a spoofing message and mistakenly write the MAC address of the spoofing attack host into the MAC table.
- if the feedback message were sent according to that MAC table, the target host could not receive it; therefore the CPU determines the target port directly from the port number carried in the authentication link establishment message and sends the feedback message through that port, ensuring that the target host receives it and that the spoofing attack host cannot interfere with the authentication and link establishment between the current device and the target host.
- the feedback message may include an ACK (Acknowledge character) so that the target host knows that the authentication and link establishment with the current device has succeeded.
- the message transmission and reception between the current device and the target host may be one time or multiple times, so that the current device can completely collect the identity information of the target host for establishing the DHCP relationship table.
- Step S30 Generate a DHCP relationship table based on the authentication link establishment message.
- the CPU can obtain the IP, MAC address of the target host and the port number of the target port used to send and receive messages from the authentication link establishment message sent by the target host. After obtaining this information, a DHCP relationship table can be established based on this information according to the DHCP protocol. In the DHCP relationship table, there is a corresponding relationship between the IP, MAC address and port of the target host.
- Step S40 Generate a static MAC address based on the DHCP relationship table, wherein the static MAC address is used to instruct the current device to forward the message to the target host.
- the MAC address of the target host still needs to be recorded in the MAC table of the current device chip.
- the MAC address of the target host can be written into the MAC table in the form of a static MAC address.
- when the device is in a DHCP network application, it generates a DHCP relationship table according to relevant technologies, finds the relevant MAC address in the device MAC address table based on the MAC-to-port correspondence in the DHCP relationship table, and converts it into a static MAC address (a static MAC table entry carrying the MAC-to-port correspondence can also be issued directly to the device; the static MAC table entry directly covers the dynamic MAC address, which in hardware may appear as a direct overwrite of the whole entry or as a replacement of the entry's egress port).
- after the static MAC address is generated, a static MAC address table entry consisting of the port where the correct host is located and the MAC address of the correct host is formed directly on the device.
- when the device encounters a host spoofing message attack (the MAC address and IP address of the spoofed host are the same as those of the correct host, but the port on which the message arrives is different), the device will automatically obtain the MAC address of the spoofed host. Because a dynamic MAC address cannot overwrite a static MAC address when written into the MAC address table, the device will not learn the MAC address on the port of the spoofed message, so the MAC address of the correct host does not drift and the traffic of the correct host is not interfered with.
- when the original host goes offline, the device deletes its static MAC address. The messages of the spoofing attack host then cause a new dynamic MAC address to be learned on the device, and the port of that MAC address is the port of the host spoofing messages.
- the DHCP protocol processing flow must therefore be handled specially. Otherwise, during the DHCP authentication process, the messages will be sent to the attacking port, and the original host will be unable to go online again after being offline.
- the specific processing measures are as follows. First, after the CPU receives the host authentication link establishment message via DHCP, it must record the port on which this message was received, so that the link can be established through that port.
- Second, when the CPU sends a DHCP message to establish the link with the host, it no longer queries the device's MAC address table (because the MAC address table may at this point hold the dynamic MAC address learned from the host spoofing message) but sends the packet directly to the port on which the host authentication link establishment message was received. Then, when all DHCP link establishment authentications are complete, the DHCP relationship table is formed, and the MAC-to-port correspondence in that table is used to issue a static MAC address to the MAC address table of the device chip.
- this static MAC address table entry directly replaces the dynamic MAC address previously learned by the device from the wrong host spoofing attack message. Through the above processing, the DHCP relationship table is used to issue a static MAC address for the correct host to the device.
- static MAC addresses can prevent the interruption of correct host traffic caused by attacks from host spoofing messages, and also keep operation correct when the correct host really needs to migrate its MAC address, ensuring that business traffic migrates with the correct host.
- This embodiment provides a message sending method.
- the CPU message sending method is modified. Even if the current router device is continuously attacked by messages from non-target hosts, resulting in a short-term MAC address learning error, it will not affect the drift process of the correct target host MAC address. Once the target host is back online, the technical solution provided by this embodiment can correct the wrong MAC address and ensure the normal service forwarding of the target host.
- with the message sending method provided by this embodiment, when the current device encounters a spoofing attack from a non-target host, the MAC address drift interruption anomaly does not occur, the attack source can be quickly isolated, and the DHCP service is not disrupted. The correctness of the DHCP service is guaranteed, the stability of the network is improved, and the user experience is improved.
- the step of determining whether the authentication link establishment message belongs to the target host in the above step S10 includes:
- Step S12 determining whether the key information carried in the authentication link establishment message is consistent with the preset key information
- Step S121 when the key information carried in the authentication link establishment message is consistent with the preset key information, it is determined that the authentication link establishment message belongs to the target host;
- Step S122 When the key information carried in the authentication link establishment message is inconsistent with the preset key information, it is determined that the authentication link establishment message does not belong to the target host.
- the CPU will determine whether the authentication link establishment message is a message sent by the original correct host according to the DHCP protocol. For example, the key information carried in the message is compared with the preset key information. If the two are consistent, it means that the message comes from the original correct host and the message authentication is successful; if the two are inconsistent, it means that the message does not come from the original correct host and the message is directly discarded.
- the above step S30 includes:
- Step S301 determining the MAC address of the target host based on the authentication link establishment message
- Step S302 performing DHCP protocol interaction with the target host based on the authentication link establishment message, and allocating an IP address to the target host;
- Step S303 Generate a DHCP relationship table based on the IP address, the MAC address of the target host, and the port number of the target port.
- the CPU can obtain the MAC address of the target host from the authentication link establishment message sent by the target host, and interact with the target host through the DHCP protocol to assign an IP address to the target host, and then establish a new DHCP relationship table based on the port number of the target port carried in the authentication link establishment message.
- the new DHCP relationship table may contain the following relationship entries for the target host: IP 10.1.1.1, Port3, MAC1, vlan1.
- the above step S40 includes:
- Step S401 determining a correspondence between the MAC address of the target host and the port number of the target port based on the DHCP relationship table;
- Step S402 Generate a static MAC address based on the MAC address of the target host, the port number of the target port, and the corresponding relationship.
- the CPU forms a new MAC address table based on MAC1, vlan1, and Port3 in the new DHCP relationship table, and writes the new MAC address table into the chip MAC address table in the form of a static MAC address.
- before the above step S10, the message sending method further includes:
- Step A upon receiving an offline notification sent by the target host, determining that the target host is in an offline state.
- a DHCP offline message may be sent to the CPU to inform the CPU that the correct host is offline.
- before the above step S10, the message sending method further includes:
- Step B when the target host is not detected based on the preset protocol detection mechanism, determine that the target host is in an offline state.
- when the target host goes offline from Port1, it may also not send a DHCP offline message to the CPU.
- the current device automatically determines whether the correct host is offline based on the DHCP protocol. If the target host is not detected based on the preset protocol detection mechanism, it obviously means that it is offline.
- the message sending method further includes:
- Step S50 when attacked by a message from a non-target host, the static MAC address is written into the MAC address table of the current device, overwriting the dynamic MAC address in that table, wherein the dynamic MAC address was generated from the message of the non-target host.
- the MAC address learning function of the current device is continuously enabled. If the authentication and link building process between the target host and the current device is performed when the current device is attacked by a message from a non-target host, then the dynamic MAC address corresponding to the spoofed attack host must have been written into the chip MAC table of the current device. The message sending and receiving ports contained therein must be inconsistent with the ports required by the target host.
- the current device can be a switch, which includes a CPU and a switching chip.
- a DHCP relationship table can be formed in the CPU, and the switching chip is used to store the MAC table. The correct host (IP: 10.1.1.1, MAC1) initiates an authentication link establishment request to the CPU through Port1 and vlan1; the CPU authenticates the correct host through the DHCP protocol and establishes a relationship with it, forming a DHCP relationship table that records the host's IP: 10.1.1.1, MAC1, Port1 and vlan1 as the location of the normal host. The CPU then writes the MAC, Port and vlan correspondence from the DHCP relationship table into the MAC table of the switching chip as a static MAC, that is, the entry static MAC1, vlan1, Port1 is added to the chip MAC address table.
- when a packet from a spoofing attack host (IP: 10.1.1.1, MAC1) then appears on Port2, the switch device triggers dynamic MAC address learning and submits the information MAC1, vlan1, Port2 to the MAC table of the switching chip, which looks up MAC1+vlan1 and indexes the static MAC entry MAC1, vlan1, Port1. Because the index MAC1+vlan1 is exactly the same and the existing entry is static, the dynamically learned MAC address is rejected. According to relevant technologies, the DHCP relationship table can also issue ACL rules to discard the packets sent by the spoofing attack host. The final effect is that packets sent by the spoofing attack host to the switch cannot be forwarded, and the wrong MAC address is not learned, so the MAC address of the correct host does not drift.
- in this way, the static MAC address corresponding to the correct host blocks the device from learning the MAC address sent by the spoofing attack host.
- the case in which the current device is continuously attacked by messages from the spoofing attack host while the correct host actively drifts from Port1 to Port3 can be understood in conjunction with FIG. 3.
- the correct host goes offline from Port 1 and sends a DHCP offline message to the CPU, or does not send an offline message, and the DHCP protocol automatically determines that the correct host is offline; the CPU deletes the original correct host relationship entry from the DHCP relationship table, that is, deletes the IP address.
- the spoofed attack host cannot complete the DHCP authentication and link establishment, the service message sent by the spoofed attack host to the device cannot be forwarded, and the device only completes the learning of the wrong MAC address; afterwards, the correct host goes online again from Port3 and re-initiates DHCP authentication to the device.
- the device sends the DHCP message to the CPU for authentication and records the port that receives the DHCP message as Port3.
- the CPU directly sends subsequent messages from Port3 (the correct host migrates, the original DHCP relationship table is deleted, and in the process of establishing a new DHCP relationship table, the CPU directly communicates with the verified host port without querying the MAC table), directly interacts with the correct host through the DHCP protocol, allocates an IP address, and forms a new DHCP relationship table: IP 10.1.1.1, Port3, MAC1, vlan1; MAC1, vlan1, Port3 in the new DHCP relationship table form a new MAC address table, which is written into the chip MAC address table as a static MAC address.
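As an added example (not code from the patent or its applicant), the following Python simulation walks through steps S10 to S40 for both the FIG. 2 attack case and the FIG. 3 migration case: a switch chip whose static MAC entries reject dynamic learning, and a CPU that replies to the authentication message via the recorded ingress port instead of the MAC table. The class names, the `key` field standing in for the "preset key information" of step S12, and the one-address IP pool are assumptions made for the simulation.

```python
# Added illustration (not code from the patent) of steps S10-S40, the FIG. 2 attack
# case and the FIG. 3 migration case. Class names, the "key" field standing in for
# the preset key information of step S12, and the one-address IP pool are assumptions.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class MacEntry:
    port: str
    static: bool


@dataclass
class Binding:  # one entry of the CPU-side DHCP relationship table
    ip: str
    mac: str
    port: str
    vlan: int


class SwitchChip:
    """Chip MAC table keyed by (MAC, VLAN); a static entry cannot be overwritten by learning."""

    def __init__(self) -> None:
        self.table: Dict[Tuple[str, int], MacEntry] = {}

    def learn(self, mac: str, vlan: int, port: str) -> bool:
        """Dynamic learning on an ingress frame; returns True if the entry was written."""
        cur = self.table.get((mac, vlan))
        if cur is not None and cur.static:
            return False  # static entry wins, so the correct host's MAC does not drift
        self.table[(mac, vlan)] = MacEntry(port, static=False)
        return True

    def write_static(self, mac: str, vlan: int, port: str) -> None:
        """Step S40: static entry from the DHCP relationship table; replaces any dynamic entry."""
        self.table[(mac, vlan)] = MacEntry(port, static=True)

    def delete(self, mac: str, vlan: int) -> None:
        self.table.pop((mac, vlan), None)

    def egress_port(self, mac: str, vlan: int) -> Optional[str]:
        entry = self.table.get((mac, vlan))
        return entry.port if entry else None


class SwitchCpu:
    """CPU protocol side: owns the DHCP relationship table and programs the chip."""

    def __init__(self, chip: SwitchChip, preset_key: str) -> None:
        self.chip = chip
        self.preset_key = preset_key  # assumed representation of the preset key information
        self.bindings: Dict[str, Binding] = {}  # DHCP relationship table keyed by host MAC

    def host_offline(self, mac: str, vlan: int) -> None:
        """Step S11: remove the host's relationship entry and its MAC table entry."""
        self.bindings.pop(mac, None)
        self.chip.delete(mac, vlan)

    def authenticate(self, msg: dict, consult_mac_table: bool = False) -> Optional[str]:
        """Steps S10-S40; returns the port the feedback message is sent on, or None.
        consult_mac_table=True reproduces the related-art defect (reply port looked up
        in the chip MAC table); the default is the behaviour the patent describes."""
        if msg["key"] != self.preset_key:  # S12 / S122: not the target host, discard
            return None
        mac, vlan = msg["mac"], msg["vlan"]
        if consult_mac_table:
            port = self.chip.egress_port(mac, vlan) or msg["ingress_port"]
        else:
            port = msg["ingress_port"]  # S20: reply via the recorded ingress port
        ip = "10.1.1.1"  # S302: address allocation, reduced to a one-address pool
        self.bindings[mac] = Binding(ip, mac, port, vlan)  # S303
        self.chip.write_static(mac, vlan, port)  # S401 / S402
        return port

    def data_frame(self, ip: str, mac: str, vlan: int, port: str) -> Tuple[bool, bool]:
        """Data-plane handling of one frame: (dynamically learned?, forwarded?)."""
        learned = self.chip.learn(mac, vlan, port)
        b = self.bindings.get(mac)
        forwarded = b is not None and (b.ip, b.port) == (ip, port)  # ACL from the table
        return learned, forwarded


HOST_MSG = {"key": "host-secret", "mac": "MAC1", "vlan": 1}  # constructed sample host


def scenario_fig2() -> Tuple[Optional[str], bool, bool]:
    """Correct host authenticated on Port1; spoofer with the same IP/MAC sends on Port2."""
    chip = SwitchChip()
    cpu = SwitchCpu(chip, "host-secret")
    cpu.authenticate({**HOST_MSG, "ingress_port": "Port1"})
    learned, forwarded = cpu.data_frame("10.1.1.1", "MAC1", 1, "Port2")
    return chip.egress_port("MAC1", 1), learned, forwarded


def scenario_fig3(consult_mac_table: bool = False) -> Tuple[Optional[str], str, bool]:
    """Host leaves Port1, spoofer is learned on Port2 meanwhile, host returns on Port3."""
    chip = SwitchChip()
    cpu = SwitchCpu(chip, "host-secret")
    cpu.authenticate({**HOST_MSG, "ingress_port": "Port1"})
    cpu.host_offline("MAC1", 1)
    cpu.data_frame("10.1.1.1", "MAC1", 1, "Port2")  # dynamic MAC1 -> Port2 is now learned
    reply_port = cpu.authenticate({**HOST_MSG, "ingress_port": "Port3"}, consult_mac_table)
    entry = chip.table[("MAC1", 1)]
    return reply_port, entry.port, entry.static
```

Calling `scenario_fig3(consult_mac_table=True)` shows the related-art defect: the feedback is sent to Port2, the attacker's port, so the returning host never completes authentication.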
- FIG. 4 is a structural schematic diagram of a message sending device provided by an embodiment of the present application.
- the message sending device includes: an acquisition module 100, a sending module 200 and a generation module 300.
- an acquisition module 100, used to acquire an authentication link establishment message in response to a target host being offline and to determine whether the authentication link establishment message belongs to the target host, wherein the authentication link establishment message carries a port number of a target port;
- a sending module 200, used to send a feedback message to the target host through the target port when the authentication link establishment message belongs to the target host;
- a generating module 300, used to generate a DHCP relationship table based on the authentication link establishment message;
- the generating module 300 is further configured to generate a static MAC address based on the DHCP relationship table, wherein the static MAC address is used to instruct the current device to forward a message to the target host.
- the message sending device provided in this embodiment and the message sending method provided in the above embodiment belong to the same inventive concept.
- the technical details not fully described in this embodiment can be referred to any of the above embodiments, and this embodiment has the same beneficial effects as executing the message sending method.
- the device embodiments described above are merely illustrative, and the units described as separate components may or may not be physically separated, that is, they may be located in one place, or they may be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
- an embodiment of the present application also provides a message sending device.
- the above-mentioned message sending method applied to the message sending device can be executed by a message sending device.
- the message sending device can be implemented by software and/or hardware and integrated in the message sending device.
- the message sending device can be a router, a switch, or other terminal device that can communicate with the network side.
- FIG. 5 is a schematic diagram of the hardware structure of a message sending device provided in an embodiment of the present application.
- the message sending device may include: a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005.
- the communication bus 1002 is used to realize the connection and communication between these components.
- the user interface 1003 may include a display screen (Display), an input unit such as a keyboard (Keyboard), and the user interface 1003 may also include a standard wired interface and a wireless interface.
- the network interface 1004 may include a standard wired interface and a wireless interface (such as a wireless fidelity (Wireless-Fidelity, WI-FI) interface).
- the memory 1005 may be a high-speed random access memory (Random Access Memory, RAM), or a stable non-volatile memory (Non-Volatile Memory, NVM), such as a disk storage.
- the memory 1005 may also be a storage device independent of the aforementioned processor 1001.
- the structure shown in FIG. 5 does not constitute a limitation on the message sending device, which may include more or fewer components than shown in the figure, combine certain components, or arrange components differently.
- the memory 1005 as a storage medium may include an operating system, a data storage module, a network communication module, a user interface module, and a computer program.
- the network interface 1004 is mainly used for data communication with other devices; the user interface 1003 is mainly used for data interaction with the user; the processing in this embodiment
- the processor 1001 and the memory 1005 may be arranged in a message sending device.
- the message sending device calls a computer program stored in the memory 1005 through the processor 1001, and executes a message sending method applied to the message sending device provided in any of the above embodiments.
- the message sending device proposed in this embodiment and the message sending method applied to the message sending device proposed in the above embodiment belong to the same inventive concept.
- the technical details not fully described in this embodiment can be referred to any of the above embodiments, and this embodiment has the same beneficial effects as executing the message sending method.
- an embodiment of the present application also provides a computer-readable storage medium, which may be a non-volatile computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the message sending method provided in any of the above embodiments is implemented.
- computer storage media include volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information (such as computer-readable instructions, data structures, program modules or other data).
- Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technologies, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tapes, disk storage or other magnetic storage devices, or any other medium that may be used to store the desired information and may be accessed by a computer.
- communication media typically embody computer-readable instructions, data structures, program modules, or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
Description
Related Applications
This application claims priority to Chinese patent application No. 202310155897.4, filed on February 13, 2023, the entire contents of which are incorporated herein by reference.
The embodiments of the present application relate to the field of data communication technology, and in particular to a message sending method, device, and computer-readable storage medium.
At present, communication network equipment may encounter host spoofing message attacks during DHCP (Dynamic Host Configuration Protocol) authentication. In the related art, when the correct host genuinely needs to perform a MAC address migration, the continuous stream of spoofed host messages leaves the CPU unable to determine which host is the real one; as a result, once the correct host goes offline, it can no longer come back online for as long as the attack continues.
Summary of the Invention
The main purpose of the embodiments of the present application is to provide a message sending method, device and computer-readable storage medium that can satisfy the MAC address drift requirement of the correct host.
To achieve the above object, an embodiment of the present application provides a message sending method, the message sending method comprising:
in response to a target host being offline, obtaining an authentication link establishment message and determining whether the authentication link establishment message belongs to the target host, wherein the authentication link establishment message carries a port number of a target port;
when the authentication link establishment message belongs to the target host, sending a feedback message to the target host through the target port;
generating a DHCP relationship table based on the authentication link establishment message;
generating a static MAC address based on the DHCP relationship table, wherein the static MAC address is used to instruct the current device to forward messages to the target host.
In addition, to achieve the above object, an embodiment of the present application further provides a message sending apparatus, the message sending apparatus comprising:
an acquisition module, wherein the acquisition module is used to acquire an authentication link establishment message in response to a target host being offline, and to determine whether the authentication link establishment message belongs to the target host, wherein the authentication link establishment message carries a port number of a target port;
a sending module, wherein the sending module is used to send a feedback message to the target host through the target port when the authentication link establishment message belongs to the target host;
a generating module, wherein the generating module is used to generate a DHCP relationship table based on the authentication link establishment message;
the generating module is further used to generate a static MAC address based on the DHCP relationship table, wherein the static MAC address is used to instruct the current device to forward messages to the target host.
In addition, to achieve the above object, an embodiment of the present application further provides a message sending device, which includes a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein the message sending method described above is implemented when the computer program is executed by the processor.
In addition, to achieve the above object, an embodiment of the present application further provides a computer-readable storage medium on which a computer program is stored, wherein the message sending method described above is implemented when the computer program is executed by a processor.
The embodiments of the present application propose a message sending method, device and computer-readable storage medium, which overcome the technical defect in the related art that a device under continuous attack cannot complete the port migration of the correct host. In the embodiments of the present application, after the target host goes offline, an authentication link establishment message is obtained and it is determined whether the authentication link establishment message belongs to the target host, wherein the authentication link establishment message carries the port number of the target port; when the authentication link establishment message belongs to the target host, a feedback message is sent to the target host through the target port. Through this exchange of messages, the current device learns that the target host has a MAC address drift requirement, so it can generate a DHCP relationship table based on the authentication link establishment message, and then generate a static MAC address based on the DHCP relationship table, wherein the static MAC address is used to instruct the current device to forward messages to the target host, thereby completing the MAC address drift of the target host.
During the authentication link establishment process, the embodiments of the present application do not consult the MAC address table of the current device, but reply to the authentication message directly through the port on which the authentication request was received, which ensures that the correct host authenticates successfully. Even if the current device is attacked by messages from a non-target host, so that an incorrect MAC address is recorded in the MAC address table, the target port through which the feedback message is sent is not the incorrect port corresponding to that incorrect MAC address; the current device can therefore still deliver the feedback message to the target host, complete the authentication link establishment, and satisfy the MAC address drift requirement of the target host.
In order to more clearly illustrate the technical solutions in the embodiments of the present application or in the related art, the drawings needed for describing the embodiments or the related art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present application; a person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
FIG. 1 is a flow chart of an embodiment of a message sending method provided by the present application;
FIG. 2 is a schematic diagram of an application scenario of an embodiment of a message sending method provided by the present application;
FIG. 3 is a schematic diagram of an application scenario of another embodiment of a message sending method provided by the present application;
FIG. 4 is a schematic structural diagram of an embodiment of a message sending apparatus provided by the present application;
FIG. 5 is a schematic structural diagram of an embodiment of a message sending device provided by the present application.
In the following description, specific details such as particular system structures and technologies are set forth for the purpose of illustration rather than limitation, so as to provide a thorough understanding of the embodiments of the present application. However, it will be clear to those skilled in the art that the embodiments of the present application can also be implemented in other embodiments without these specific details. In other cases, detailed descriptions of well-known systems, devices, circuits and methods are omitted so that unnecessary detail does not obscure the description of the embodiments of the present application.
Although a logical order is shown in the flow chart, in some cases the steps shown or described may be performed in an order different from that in the flow chart. The terms "first", "second" and the like in the specification, the claims and the above drawings are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence.
It should also be understood that references to "one embodiment" or "some embodiments" in the specification of the embodiments of the present application mean that a particular feature, structure or characteristic described in connection with that embodiment is included in one or more embodiments of the present application. Thus, the phrases "in one embodiment", "in some embodiments", "in some other embodiments", "in still other embodiments" and the like appearing in different places in this specification do not necessarily all refer to the same embodiment, but mean "one or more but not all embodiments", unless specifically emphasized otherwise. The terms "including", "comprising", "having" and their variants all mean "including but not limited to", unless specifically emphasized otherwise.
At present, communication network equipment may encounter host spoofing attacks during DHCP authentication. In general, when communication network equipment encounters a DHCP host spoofing attack, the defence scheme against DHCP host spoofing attacks in the related art is as follows:
Based on the DHCP address allocation, the device creates a relationship table of IP (Internet Protocol) address, MAC address (Media Access Control address, also known as LAN address, Ethernet address or physical address) and port. When the IP address, MAC address and corresponding port of a received message are not recorded in this table, the message is discarded by means of an ACL (Access Control List) or other mechanism, so that it cannot be used for normal service communication.
However, this method has the following defect: although the device can use the IP/MAC/port correspondence table formed by DHCP to identify and discard a spoofed host message when it receives one, the MAC address of the spoofed message has already been learned by the device hardware, and the learned MAC address is the same as the MAC address learned from the original correct host. Because the port on which the spoofed message's MAC address is learned differs from the port on which the correct host's MAC address was learned, the correct host's MAC address drifts. Once MAC address drift occurs, the correct host's traffic is interrupted, because downlink data is sent for a short time to the port that received the spoofed message, until the correct host sends data again and the device relearns the correct MAC address. Therefore, once the device is continuously attacked with spoofed host messages, the spoofing host cannot come online and communicate normally, but the correct host suffers continuous traffic jitter.
In addition, in the related art, if the correct host needs to perform MAC address drift while a continuous attack of spoofed host messages is under way, the CPU cannot determine which host is the real one; as a result, once the correct host goes offline, it can no longer come back online for as long as the attack continues.
On this basis, the embodiments of the present application provide a message sending method, apparatus, device and computer-readable storage medium. When the device is under continuous attack by spoofed DHCP host messages, in addition to using the IP/MAC/port correspondence table to discard messages with abnormal IP addresses, it writes the MAC address of the correct host as a static MAC address according to the relationship table generated by DHCP, so as to prevent this MAC address from drifting. When the correct host needs to perform MAC address drift, the CPU, in response to the host going offline, deletes the host's information from the DHCP relationship table and refreshes the DHCP relationship table in real time; after the correct host comes back online, the refresh of the DHCP relationship table is processed first, a static MAC address is generated based on the new DHCP relationship table, and the device can then send messages to the correct host based on that static MAC address, which achieves the MAC address drift of the correct host.
The message sending method, apparatus, device and computer-readable storage medium provided in the embodiments of the present application are described through the following embodiments; the message sending method in the embodiments of the present application is described first.
Referring to FIG. 1, FIG. 1 is a flow chart of a message sending method provided in an embodiment of the present application. The message sending method can be applied to a message sending device. As shown in FIG. 1, the message sending method provided in this embodiment includes steps S10 to S40.
Step S10: in response to the target host being offline, obtaining an authentication link establishment message and determining whether the authentication link establishment message belongs to the target host, wherein the authentication link establishment message carries the port number of the target port.
In this embodiment, the execution subject may be a terminal device such as a router or a switch that can communicate with the network side; specifically, each step in this embodiment may be executed by the CPU protocol side of that terminal device. The target host may be regarded as the original correct host that completed DHCP protocol authentication and established a connection with the current device before step S10. MAC address drift refers to the process in which the target host goes offline from the port on which it completed DHCP authentication and established a connection with the current device, comes online again on a new port, and re-establishes a connection with the current device; from the perspective of the target host, this can also be regarded as a port migration. During this process, the target host does not notify the device of its port migration requirement, but the device can infer the target host's port migration intention from the authentication link establishment message that the target host resends after going offline.
As an example, when a message indicating that the target host is offline is detected, the current device continues to listen for authentication link establishment messages from outside, and after obtaining an authentication link establishment message, determines whether it belongs to the correct host that previously went offline or is a spoofing attack message from the network.
As an example, in this embodiment, the port of the target host before it went offline is denoted Port1, and the target port on which the current device receives the authentication link establishment message is denoted Port3. If the authentication link establishment message is confirmed to be correct, the target host is the correct host that previously went offline, and the current device can learn that the target host intends to migrate from Port1 to Port3.
In some feasible embodiments, after the step of responding to the target host being offline in step S10 above, the message sending method further includes:
Step S11: deleting the relationship entry of the target host from the DHCP relationship table.
As an example, after learning that the target host is offline, the CPU may, according to the DHCP protocol, delete the IP, MAC and port information of the correct host from the DHCP relationship table, or delete the DHCP relationship table; at the same time, the MAC address recorded in the MAC table is deleted.
Step S20: when the authentication link establishment message belongs to the target host, sending a feedback message to the target host through the target port.
In this embodiment, once it is confirmed that the authentication link establishment message does belong to the correct host that previously went offline, the current device can establish a connection with the target host based on the DHCP protocol. Note that when the CPU sends the feedback message to the target host, it determines the target port directly from the port number carried in the authentication link establishment message and does not consult the MAC table stored in the hardware chip of the current device. The reason is that, after the target host goes offline, the current device may be hit by a spoofing message attack and mistakenly write the MAC address of the spoofing host into the MAC table; if the feedback message were sent via the wrong port obtained from the MAC table, the target host would not receive it. Therefore, the CPU determines the target host's target port directly from the port number carried in the authentication link establishment message, and sending the feedback message through that target port ensures that the target host receives it, preventing the spoofing host from interfering with the authentication link establishment between the current device and the target host.
As an example, the feedback message may include an ACK (acknowledge character), so that the target host knows that authentication link establishment with the current device has succeeded.
As an example, messages may be exchanged between the current device and the target host once or several times, the purpose being to let the current device collect the complete identity information of the target host needed to build the DHCP relationship table.
Step S30: generating a DHCP relationship table based on the authentication link establishment message.
In this embodiment, after confirming that the identity of the target host is correct, the CPU can obtain the IP address and MAC address of the target host, and the port number of the target port used to send and receive messages, from the authentication link establishment message sent by the target host. With this information, a DHCP relationship table can be built according to the DHCP protocol; in the DHCP relationship table, the IP address, MAC address and port of the target host correspond to one another.
Step S40: generating a static MAC address based on the DHCP relationship table, wherein the static MAC address is used to instruct the current device to forward messages to the target host.
Although authentication link establishment between the current device and the target host is complete once the DHCP relationship table has been generated, the MAC address of the target host still needs to be recorded in the MAC table of the current device's chip to support the normal message forwarding flow. At the same time, to prevent the target host's MAC address from being affected by a spoofing host, the target host's MAC address can be written into the MAC table as a static MAC address.
As an example, when the device operates in a DHCP network, the device generates the DHCP relationship table according to the related art, finds the relevant MAC address in the device MAC address table based on the MAC-to-port correspondence in the DHCP relationship table, and converts it into a static MAC address (alternatively, a static MAC table entry with this MAC-to-port correspondence can be issued to the device directly; a static MAC table entry can directly overwrite the dynamic MAC address, which in hardware may appear as a complete overwrite of the entry or as a replacement of the entry's egress port). Once the static MAC address has been generated, the port where the correct host is located and the correct host's MAC address form a static MAC address table entry directly on the device.
As an example, once the static MAC address has been generated, the port where the correct host is located and the correct host's MAC address form a static MAC address table entry directly on the device. If the device is then attacked with spoofed host messages (the spoofing host's MAC address and IP address both match those of the correct host, but the port on which the messages arrive differs), the device receives the spoofing host's MAC address automatically, but because a dynamic MAC address cannot overwrite a static MAC address when it is written into the MAC address table, the device does not learn the MAC address on the port where the spoofed messages arrive; the correct host's MAC address therefore does not drift, and the correct host's traffic is not disturbed.
作为一种示例,在原主机离线的过程中,由于设备删除了原主机的静态MAC地址,因此,欺骗攻击主机的报文会在设备上学习到新的动态MAC地址,MAC地址的端口为主机欺骗报文端口,此时,必须对DHCP协议处理流程进行特殊处理,否则,DHCP认证过程中,将会把报文发往攻击端口,导致原主机离线后再也无法上线。具体的处理措施如下:首先,DHCP报文收到主机认证建链报文后,需要记录此报文的上送端口,如果此报文认证通过(说明此时设备CPU收到的报文是正确的主机发来的DHCP建链报文),可以进行建链,则CPU发送DHCP报文与之建链时,不再查询设备的MAC地址表(因为此时MAC地址表的内容可能是主机欺骗报文学习的动态MAC地址),而直接对此主机认证建链报文收到的端口发包;然后,当全部DHCP建链认证完成之后,DHCP关系表形成,即使用关系表中的MAC和端口的对应关系,下发静态MAC地址到设备芯片的MAC地址表中,此MAC地址表即可将设备之前学习到的错误的主机欺骗攻击报文的动态MAC地址直接替换;通过以上处理,就可以借助DHCP关系表,对设备下发一个正确主机的 静态MAC地址,来避免主机欺骗报文的攻击导致正确主机流量中断,且在正确主机真正需要进行MAC地址迁移时,也能继续保持正确的操作,保证业务流量跟随正确的主机进行迁移。As an example, when the original host is offline, the device deletes the static MAC address of the original host. Therefore, the message spoofing the attacking host will learn a new dynamic MAC address on the device. The port of the MAC address is the port of the host spoofing message. At this time, the DHCP protocol processing flow must be specially processed. Otherwise, during the DHCP authentication process, the message will be sent to the attacking port, causing the original host to be unable to go online again after being offline. Specific processing measures are as follows: First, after the DHCP message receives the host authentication link-building message, it is necessary to record the sending port of this message. If the message authentication passes (indicating that the message received by the device CPU at this time is the correct DHCP link-building message sent by the host), the link can be established. 
When the CPU sends a DHCP message to establish a link with it, it will no longer query the device's MAC address table (because the content of the MAC address table at this time may be the dynamic MAC address learned by the host spoofing message), but directly send a packet to the port where the host authentication link-building message is received; then, when all DHCP link-building authentications are completed, the DHCP relationship table is formed, that is, the corresponding relationship between MAC and port in the relationship table is used to send a static MAC address to the MAC address table of the device chip. This MAC address table can directly replace the dynamic MAC address of the wrong host spoofing attack message previously learned by the device; through the above processing, the DHCP relationship table can be used to send a correct host to the device. Static MAC addresses can prevent the interruption of correct host traffic caused by attacks from host spoofing messages, and can also maintain correct operations when the correct host really needs to migrate its MAC address, ensuring that business traffic migrates with the correct host.
This embodiment provides a packet sending method that modifies how the CPU sends packets while the correct target host's MAC address is migrating. Even though the device, under continuous packet attack from a non-target host, may briefly learn an incorrect MAC address, the correct target host's MAC address migration is not affected: once the target host comes back online, the solution of this embodiment corrects the wrong MAC address and restores normal service forwarding for the target host. With this packet sending method, a device under a spoofing attack from a non-target host does not suffer the traffic interruption caused by MAC address drift, can quickly cut off the attack source, and keeps the DHCP service working correctly, which improves network stability and the user experience.
In some feasible embodiments, determining in step S10 whether the authentication link-establishment packet belongs to the target host includes:
Step S12: determine whether the key information carried in the authentication link-establishment packet matches the preset key information;
Step S121: if the key information carried in the authentication link-establishment packet matches the preset key information, determine that the packet belongs to the target host;
Step S122: if the key information carried in the authentication link-establishment packet does not match the preset key information, determine that the packet does not belong to the target host.
In this embodiment, the CPU determines according to the DHCP protocol whether the authentication link-establishment packet was sent by the original, correct host, for example by comparing the key information carried in the packet with the preset key information. If they match, the packet came from the original correct host and passes authentication; if they do not match, the packet did not come from the original correct host and is dropped.
In some feasible embodiments, step S30 above includes:
Step S301: determine the MAC address of the target host from the authentication link-establishment packet;
Step S302: perform DHCP protocol interaction with the target host based on the authentication link-establishment packet and assign an IP address to the target host;
Step S303: generate a DHCP relationship table from the IP address, the MAC address of the target host and the port number of the target port.
In this embodiment, after the target host's identity has been confirmed, the CPU obtains the target host's MAC address from the authentication link-establishment packet the host sent, performs DHCP protocol interaction with the target host to assign it an IP address, and, together with the port number of the target port carried with the authentication link-establishment packet, builds a new DHCP relationship table.
As an example, the new DHCP relationship table may contain the following entry for the target host: IP 10.1.1.1, Port3, MAC1, vlan1.
In some feasible embodiments, step S40 above includes:
Step S401: determine from the DHCP relationship table the correspondence between the MAC address of the target host and the port number of the target port;
Step S402: generate a static MAC address from the MAC address of the target host, the port number of the target port and that correspondence.
As an example, in this embodiment the CPU forms a new MAC address table entry from MAC1, vlan1 and Port3 in the new DHCP relationship table and writes it into the chip MAC address table as a static MAC address.
In some feasible embodiments, before step S10 above, the packet sending method further includes:
Step A: upon receiving an offline notification sent by the target host, determine that the target host is offline.
As an example, after the target host goes offline from Port1 it may send a DHCP offline message to the CPU to inform the CPU that the correct host is offline.
In some feasible embodiments, before step S10 above, the packet sending method further includes:
Step B: if the target host is not detected by a preset protocol detection mechanism, determine that the target host is offline.
As an example, after the target host goes offline from Port1 it may also send no DHCP offline message to the CPU; the current device then determines automatically according to the DHCP protocol whether the correct host is offline, and if the target host is not detected by the preset protocol detection mechanism it has evidently gone offline.
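Steps A and B above as an added example, not code from the patent or its applicant. The page names no specific detection mechanism, so this code assumes lease expiry without renewal for step B and, as a further assumption not stated on the page, only honours an offline notification or a renewal that arrives on the port recorded for the binding, since the spoofing host in the page's scenario sends packets with the same IP and MAC from a different port. The names `OfflineDetector` and `Lease`, the lease time and the clock values are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Lease:
    ip: str
    port: int
    vlan: int
    expires_at: float


class OfflineDetector:
    """Decides when a bound host is offline: on an explicit offline (release)
    notification (step A) or when its lease lapses unrenewed (step B)."""

    def __init__(self, lease_time: float) -> None:
        self.lease_time = lease_time
        self.leases: Dict[Tuple[str, int], Lease] = {}

    def bind(self, mac: str, vlan: int, ip: str, port: int, now: float) -> None:
        self.leases[(mac, vlan)] = Lease(ip, port, vlan, now + self.lease_time)

    def renew(self, mac: str, vlan: int, port: int, now: float) -> bool:
        """Assumption added here: a renewal only counts from the bound port,
        so a spoofing host on another port cannot keep the binding alive."""
        lease = self.leases.get((mac, vlan))
        if lease is None or lease.port != port:
            return False
        lease.expires_at = now + self.lease_time
        return True

    def release(self, mac: str, vlan: int, port: int) -> Optional[str]:
        """Step A. Assumption added here: honoured only from the bound port,
        so a release injected from the attacker's port does not tear down
        the correct host's binding."""
        lease = self.leases.get((mac, vlan))
        if lease is None or lease.port != port:
            return None
        del self.leases[(mac, vlan)]
        return "released"

    def expire(self, now: float) -> List[Tuple[str, int]]:
        """Step B: hosts whose lease lapsed without renewal are offline."""
        gone = [key for key, lease in self.leases.items() if lease.expires_at <= now]
        for key in gone:
            del self.leases[key]
        return gone


def demo() -> dict:
    """Constructed timeline: host on Port1, attacker on Port2, host back on Port3."""
    det = OfflineDetector(lease_time=100.0)
    det.bind("MAC1", 1, "10.1.1.1", port=1, now=0.0)
    out = {}
    out["spoofed_release"] = det.release("MAC1", 1, port=2)        # None
    out["spoofed_renew"] = det.renew("MAC1", 1, port=2, now=50.0)   # False
    out["genuine_renew"] = det.renew("MAC1", 1, port=1, now=60.0)   # True
    out["expired_at_100"] = det.expire(100.0)                       # []
    out["expired_at_200"] = det.expire(200.0)                       # [("MAC1", 1)]
    det.bind("MAC1", 1, "10.1.1.1", port=3, now=210.0)
    out["genuine_release"] = det.release("MAC1", 1, port=3)        # "released"
    return out
```

The port check on `release` is the part worth keeping in a real implementation: without it, the offline notification of step A becomes a way for the spoofing host to force deletion of the correct host's static MAC entry and open the dynamic-learning window the rest of the method exists to close.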
In some feasible embodiments, after step S40 above, the packet sending method further includes:
Step S50: when under packet attack from a host other than the target host, write the static MAC address into the MAC address table of the current device, overwriting the dynamic MAC address there, where the dynamic MAC address was generated from the packets of the non-target host.
In this embodiment the MAC address learning function of the current device stays enabled. If the authentication and link establishment between the target host and the current device takes place while the device is under packet attack from a non-target host, the chip MAC table of the device will necessarily already hold a dynamic MAC address corresponding to the spoofing attack host, and the port recorded in that entry is certainly not the port the target host needs. Therefore, to ensure that service traffic migrates with the correct host, after the DHCP relationship table has been re-established the target host's MAC address, port number and related information from that table must be associated and written into the chip MAC table as a static MAC address, overwriting the dynamic MAC address corresponding to the spoofing attack host.
As an example, the scenario in which the original correct host performs DHCP authentication with the current device before step S10 of the above embodiment can be understood with reference to Figure 2. As Figure 2 shows, the current device may be a switch comprising a CPU and a switching chip; the DHCP relationship table is formed in the CPU, and the switching chip stores the MAC table. The correct host (IP 10.1.1.1, MAC1) sends an authentication link-establishment request to the CPU via Port1 on vlan1. The CPU authenticates the correct host through the DHCP protocol and establishes a relationship with it, forming a DHCP relationship table that records the tuple IP 10.1.1.1, MAC1, Port1, vlan1 as the location of the legitimate host. It then writes the MAC, Port and vlan mapping from the DHCP relationship table into the switching chip's MAC table as a static MAC entry, that is, the chip MAC address table gains the static entry MAC1, vlan1, Port1. If a packet from a spoofing attack host (IP 10.1.1.1, MAC1) now arrives on Port2, the switch generates a dynamic MAC address learning message carrying MAC1, vlan1, Port2 for the switching chip's MAC table. The chip looks up the index MAC1+vlan1 and finds the static entry MAC1, vlan1, Port1; because the index matches exactly and the existing entry is static, the dynamic learning write is rejected. In addition, according to the related art, ACL rules derived from the DHCP relationship table can be issued to discard the packets sent by the spoofing attack host. The net effect is that packets the spoofing attack host sends to the switch are not forwarded and no incorrect MAC address is learned, so the correct host's MAC address does not drift: the static MAC address corresponding to the correct host prevents the device from learning the MAC address carried in the spoofing attack host's packets.
As an example, the scenario in which the current device is under continuous packet attack from the spoofing attack host while the correct host deliberately moves from Port1 to Port3 can be understood with reference to Figure 3. As Figure 3 shows, the correct host goes offline from Port1 and either sends a DHCP offline message to the CPU or sends nothing, in which case the DHCP protocol determines automatically that the correct host is offline. The CPU deletes the original correct host's entry (IP 10.1.1.1, Port1, MAC1, vlan1) from the DHCP relationship table and at the same time deletes the static MAC entry MAC1, vlan1, Port1 from the MAC table. Because the attack packets keep arriving, as soon as the static MAC entry is removed the switch learns the incorrect dynamic MAC entry MAC1, vlan1, Port2 for the spoofing attack host; however, since the spoofing attack host cannot complete DHCP authentication and link establishment, the service packets it sends to the device are still not forwarded, and the device has merely learned a wrong MAC address. The correct host then comes online again on Port3 and re-initiates DHCP authentication with the device. The device punts the DHCP packet to the CPU for authentication and records Port3 as the port on which the DHCP packet was received. Once authentication passes, the CPU sends subsequent packets directly out of Port3 (while the correct host migrates, the original DHCP relationship table entry has been deleted and a new one is being built, so the CPU communicates directly with the authenticated host's port without consulting the MAC table), performs DHCP protocol interaction directly with the correct host, assigns the IP address, and forms the new DHCP relationship table entry IP 10.1.1.1, Port3, MAC1, vlan1. From MAC1, vlan1, Port3 in the new DHCP relationship table a new MAC address entry is formed and written into the chip MAC address table as a static MAC address. Because a static MAC address overwrites a dynamic one, the correct host's entry MAC1, vlan1, Port3 finally replaces the entry MAC1, vlan1, Port2 that the device had learned incorrectly, and service remains normal. This embodiment sets out completely how, throughout an ongoing attack, the device protects against the packets sent by the spoofing attack host without affecting any step of the correct host's MAC address migration.
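The processing described above, from the special handling of the DHCP exchange and the key check of steps S12 to S122 through the relationship table and static MAC of steps S30 to S402 and S50 to the Figure 2 and Figure 3 scenarios, as one runnable simulation. This is an added example, not code from the patent or its applicant: the port numbers, VLAN, MAC label and IP address follow the page's scenario but are constructed, the preset key and the `key` field on the packet stand in for the unspecified key information, and the names `ChipMacTable`, `ControlPlane`, `DhcpPacket` and `Binding` are this example's own. The key comparison uses a constant-time compare, which the patent does not mention but which a control-plane implementation should use.

```python
import hmac
from collections import namedtuple
from typing import Dict, List, Optional, Tuple

MacKey = Tuple[str, int]   # (MAC, VLAN) indexes the chip MAC table
# Link-establishment packet as punted to the CPU; ingress_port is recorded by the
# device, and key is a constructed stand-in for the carried key information.
DhcpPacket = namedtuple("DhcpPacket", "src_mac vlan ingress_port key")
Binding = namedtuple("Binding", "ip mac port vlan")   # one DHCP relationship row


class ChipMacTable:
    """Switching-chip MAC table, value (port, is_static): a static entry refuses
    dynamic learning for the same key, and a static write overwrites any entry."""

    def __init__(self) -> None:
        self.entries: Dict[MacKey, Tuple[int, bool]] = {}

    def learn_dynamic(self, mac: str, vlan: int, port: int) -> bool:
        cur = self.entries.get((mac, vlan))
        if cur is not None and cur[1]:
            return False                      # static entry wins: learning rejected
        self.entries[(mac, vlan)] = (port, False)
        return True

    def write_static(self, mac: str, vlan: int, port: int) -> None:
        self.entries[(mac, vlan)] = (port, True)

    def delete_static(self, mac: str, vlan: int) -> None:
        cur = self.entries.get((mac, vlan))
        if cur is not None and cur[1]:
            del self.entries[(mac, vlan)]

    def lookup(self, mac: str, vlan: int) -> Optional[int]:
        cur = self.entries.get((mac, vlan))
        return None if cur is None else cur[0]


class ControlPlane:
    """CPU side: key check, reply on the recorded port, relationship table, static MAC."""

    def __init__(self, chip: ChipMacTable, preset_key: bytes) -> None:
        self.chip = chip
        self.preset_key = preset_key
        self.relationship: Dict[MacKey, Binding] = {}
        self.reply_ports: List[int] = []      # ports the CPU sent DHCP replies on

    def belongs_to_target(self, pkt: DhcpPacket) -> bool:
        # Step S12: constant-time compare of the carried key with the preset key.
        return hmac.compare_digest(pkt.key, self.preset_key)

    def handle_link_request(self, pkt: DhcpPacket, ip: str) -> Optional[Binding]:
        if not self.belongs_to_target(pkt):
            return None                       # Step S122: not the target host, dropped
        # Step S20: answer on the recorded ingress port, never via a MAC table
        # lookup, because the table may hold the attacker's dynamic entry.
        self.reply_ports.append(pkt.ingress_port)
        # Steps S301-S303: relationship row from IP, MAC and the target port.
        row = Binding(ip, pkt.src_mac, pkt.ingress_port, pkt.vlan)
        self.relationship[(pkt.src_mac, pkt.vlan)] = row
        # Steps S401-S402 and S50: the static write evicts any dynamic entry.
        self.chip.write_static(row.mac, row.vlan, row.port)
        return row

    def host_offline(self, mac: str, vlan: int) -> None:
        # Outcome of steps A/B: remove the row and its static MAC entry.
        self.relationship.pop((mac, vlan), None)
        self.chip.delete_static(mac, vlan)


def run_scenarios() -> dict:
    """Replays Figure 2 (attack blocked) and Figure 3 (migration under attack)."""
    chip = ChipMacTable()
    cp = ControlPlane(chip, preset_key=b"example-preset-key")
    good_key, out = b"example-preset-key", {}
    # Figure 2: correct host authenticates on Port1; attacker spoofs MAC1 on Port2.
    cp.handle_link_request(DhcpPacket("MAC1", 1, 1, good_key), "10.1.1.1")
    out["fig2_attacker_learned"] = chip.learn_dynamic("MAC1", 1, 2)     # False
    out["fig2_port"] = chip.lookup("MAC1", 1)                           # 1
    # Figure 3: host leaves Port1, static entry removed, attack continues.
    cp.host_offline("MAC1", 1)
    out["fig3_attacker_learned"] = chip.learn_dynamic("MAC1", 1, 2)     # True
    out["fig3_port_before"] = chip.lookup("MAC1", 1)                    # 2
    # The attacker's own link request fails the key check and is dropped.
    out["attacker_binding"] = cp.handle_link_request(
        DhcpPacket("MAC1", 1, 2, b"wrong-key"), "10.1.1.1")             # None
    # The correct host re-authenticates from Port3; the CPU answers on Port3.
    cp.handle_link_request(DhcpPacket("MAC1", 1, 3, good_key), "10.1.1.1")
    out["reply_ports"] = list(cp.reply_ports)                           # [1, 3]
    out["fig3_port_after"] = chip.lookup("MAC1", 1)                     # 3
    out["fig3_relearn_refused"] = not chip.learn_dynamic("MAC1", 1, 2)  # True
    return out
```

Two points the simulation makes concrete: the CPU's reply port is taken from the recorded ingress port of the authenticated packet and never from a MAC table lookup (between `host_offline` and the re-authentication, `lookup("MAC1", 1)` returns the attacker's Port2), and it is the static write, not the rebuilt relationship table by itself, that evicts the attacker's dynamic entry and refuses its re-learning afterwards.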
In addition, an embodiment of this application provides a packet sending apparatus. Referring to Figure 4, a structural schematic diagram of a packet sending apparatus provided by an embodiment of this application, the packet sending apparatus of this embodiment includes an acquisition module 100, a sending module 200 and a generation module 300.
The acquisition module 100 is configured to, in response to a target host going offline, acquire an authentication link-establishment packet and determine whether it belongs to the target host, where the authentication link-establishment packet carries the port number of a target port;
The sending module 200 is configured to send a feedback packet to the target host through the target port when the authentication link-establishment packet belongs to the target host;
The generation module 300 is configured to generate a DHCP relationship table based on the authentication link-establishment packet;
The generation module 300 is further configured to generate a static MAC address based on the DHCP relationship table, where the static MAC address instructs the current device how to forward packets to the target host.
The packet sending apparatus of this embodiment and the packet sending method of the above embodiments belong to the same inventive concept; technical details not described in full here can be found in any of the above embodiments, and this embodiment has the same beneficial effects as performing the packet sending method.
The apparatus embodiments described above are merely illustrative. Units described as separate components may or may not be physically separate: they may be located in one place or distributed over several network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of this embodiment's solution.
In addition, an embodiment of this application provides a packet sending device. The packet sending method described above as applied to a packet sending device may be executed by a packet sending apparatus implemented in software and/or hardware and integrated in the packet sending device, which may be a router, a switch or another terminal device able to communicate with the network side.
Referring to Figure 5, a schematic diagram of the hardware structure of a packet sending device provided by an embodiment of this application, the packet sending device may include a processor 1001, such as a central processing unit (CPU), a communication bus 1002, a user interface 1003, a network interface 1004 and a memory 1005. The communication bus 1002 connects these components and carries the communication between them. The user interface 1003 may include a display and an input unit such as a keyboard, and may also include standard wired and wireless interfaces. The network interface 1004 may include standard wired and wireless interfaces, such as a Wireless Fidelity (WI-FI) interface. The memory 1005 may be high-speed random access memory (RAM) or stable non-volatile memory (NVM) such as disk storage, and may also be a storage device independent of the processor 1001.
Those skilled in the art will appreciate that the structure shown in Figure 5 does not limit the packet sending device, which may include more or fewer components than shown, combine certain components, or arrange them differently. As shown in Figure 5, the memory 1005, as a storage medium, may hold an operating system, a data storage module, a network communication module, a user interface module and a computer program.
In the packet sending device shown in Figure 5, the network interface 1004 is mainly used for data communication with other devices and the user interface 1003 mainly for data interaction with the user. The processor 1001 and the memory 1005 of this embodiment may be arranged in the packet sending device, which, through the processor 1001, calls the computer program stored in the memory 1005 and executes the packet sending method applied to a packet sending device provided by any of the above embodiments.
The packet sending device of this embodiment and the packet sending method applied to a packet sending device of the above embodiments belong to the same inventive concept; technical details not described in full here can be found in any of the above embodiments, and this embodiment has the same beneficial effects as performing the packet sending method.
In addition, an embodiment of this application provides a computer-readable storage medium, which may be a non-volatile computer-readable storage medium, storing a computer program that, when executed by a processor, implements the packet sending method provided by any of the above embodiments.
Those of ordinary skill in the art will understand that all or some of the steps and systems of the methods disclosed above may be implemented as software, firmware, hardware or suitable combinations thereof. Some or all physical components may be implemented as software executed by a processor such as a central processing unit, a digital signal processor or a microprocessor, as hardware, or as an integrated circuit such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (non-transitory media) and communication media (transitory media). As is well known to those of ordinary skill in the art, the term computer storage media covers volatile and non-volatile, removable and non-removable media implemented in any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include, but are not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can store the desired information and be accessed by a computer. Furthermore, as is well known to those of ordinary skill in the art, communication media typically embody computer-readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism, and may include any information delivery media.
The above is a specific description of preferred implementations of the embodiments of this application, but the embodiments are not limited to those implementations. Those familiar with the field may make various equivalent modifications or substitutions without departing from the spirit of the embodiments of this application, and all such equivalent modifications or substitutions fall within the scope defined by the claims of the embodiments of this application.
Claims (10)
Applications Claiming Priority (2)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202310155897.4 | 2023-02-13 | ||
| CN202310155897.4A CN118488035A (en) | 2023-02-13 | 2023-02-13 | Message sending method, device and computer readable storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2024169097A1 true WO2024169097A1 (en) | 2024-08-22 |
Family
ID=92192630
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CN2023/101870 Ceased WO2024169097A1 (en) | 2023-02-13 | 2023-06-21 | Packet sending method, device, and computer-readable storage medium |
Country Status (2)
| Country | Link |
|---|---|
| CN (1) | CN118488035A (en) |
| WO (1) | WO2024169097A1 (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN119402860A (en) * | 2024-10-29 | 2025-02-07 | 新华三技术有限公司 | A message processing method and device |
| CN119583108A (en) * | 2024-11-05 | 2025-03-07 | 深圳供电局有限公司 | Data interaction method, device, computer equipment, readable storage medium and program product |
Citations (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060101026A1 (en) * | 2002-12-24 | 2006-05-11 | Hajime Fukushima | Communication model, signal, method, and device for confirming reachability in network where host reachability is accomplished by relating static identifier to dynamic address |
| US7516487B1 (en) * | 2003-05-21 | 2009-04-07 | Foundry Networks, Inc. | System and method for source IP anti-spoofing security |
| US7523485B1 (en) * | 2003-05-21 | 2009-04-21 | Foundry Networks, Inc. | System and method for source IP anti-spoofing security |
| CN102244866A (en) * | 2011-08-18 | 2011-11-16 | 杭州华三通信技术有限公司 | Portal verifying method and access controller |
| US20140130044A1 (en) * | 2012-11-07 | 2014-05-08 | Huawei Technologies Co., Ltd. | Method, Device, and System for Migrating Configuration Information During Live Migration of Virtual Machine |
2023
- 2023-02-13: CN application CN202310155897.4A filed (published as CN118488035A), status active, pending
- 2023-06-21: PCT application PCT/CN2023/101870 filed (published as WO2024169097A1), status not active, ceased
Also Published As
| Publication number | Publication date |
|---|---|
| CN118488035A (en) | 2024-08-13 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 23922223; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |