KR100863313B1 - Alp spoof automatic blocking device and method - Google Patents

Abstract

The present invention creates a subscriber's IP address / MAC address database by snooping DHCP packets and ARP packets in an Ethernet-based subscriber network so that a malicious user performs an ARP spoofing attack to pee a well-being user's packet or paralyzes the subscriber network. The present invention relates to an ARP spoofing automatic blocking device and method for automatically blocking the induction.

The ARP spoof automatic blocking apparatus of the present invention includes a switching module for transmitting a packet coming from the subscriber network to the upper network or a higher network or a self-generated packet to the subscriber network; By snooping the DHCP packet coming from the subscriber or from the upper network to the subscriber network through the snooping database and switching module that stores the MAC address and IP address, DHCP authentication and ARP temporary authentication information of the subscriber in the subscriber network. Record the subscriber's MAC address and IP address as an authenticated entry in the snooping database, classify only the ARP request packet among the ARP packets coming from the subscriber, and extract the source MAC address and the source IP address of the packet and temporarily And a network snooping module that writes to the snooping database as an authenticated entry and automatically blocks after detecting an ARP spoofing attack based on the information in the snooping database.

ARP, spoofing, spoofing, snooping, snoofing, DHCP, GARP

Description

Apparatus and Method for automatically blocking spoofing by address resolution protocol

1 is a general ARP packet format diagram,

2 is a configuration diagram of an exemplary access network;

3 is a view for explaining a gateway attack method using a conventional ARP in the access network configuration of FIG.

4 is a view for explaining a L2 switch attack method using a conventional ARP in the access network configuration of FIG.

5 is a view for explaining a subscriber attack method using a conventional ARP in the access network configuration of FIG.

6 is a block diagram of an Ethernet switch having an ARP spoofing attack blocking function of the present invention;

7 is a GARP packet format used to restore the subscriber network in the present invention,

8 is a view for explaining a method for defending against ARP spoofing attack in a switch in the access network configuration of FIG.

9 is a view for explaining a method for defending against ARP spoofing attack in a switch in the access network configuration of FIG.

10 to 13 are diagrams for explaining various defense methods against subscriber attack in the access network configuration of FIG.

*** Explanation of symbols for the main parts of the drawing ***

10: switching module, 20: network snooping module,

30: Snooping Database

The present invention relates to a device and method for automatically blocking ARP spoofing, and in particular, by snooping DHCP packets and ARP packets in an Ethernet-based subscriber network and generating a subscriber's IP address / MAC address database, The present invention relates to an ARP spoofing automatic blocking device and method for automatically blocking a bona fide user's packet or inducing a paralysis of a subscriber network by performing an attack.

As is well known, a malicious attacker can change the ARP table of other subscribers or switch devices of a subscriber network through an ARP spoofing attack. Due to this change, packets from other subscribers and switch devices are incorrectly introduced to the attacker, and the attacker can try various hacks by looking at the packets. An attacker can also disrupt network services to specific subscribers through ARP spoofing. In addition, communication devices on the same subnet can be made incapable of communication so that network operators can be suspended.

Specifically, ARP (Address Resolution Protocol) is a protocol used to find a MAC address of a counterpart user having a specific IP address on an Ethernet network, and is basically an authentication method for a user generating a packet. Don't have

1 is a general ARP packet format diagram. As shown in FIG. 1, the ARP packet has a total of 28 bytes. Specifically, the ARP packet is composed of an Ethernet destination address and an Ethernet destination address, followed by a hardware type, a higher protocol type, a hardware address length, a protocol address length, and an OP (operation). ) Code, sender Ethernet address, sender IP address, target Ethernet address, and destination IP address information are configured in succession.

Thus, malicious subscribers can use this to send ARP spoofing packets that the MAC address for an IP address that is not intentionally assigned to them is theirs. The other subscribers who receive these malicious ARP packets send all packets destined for the attacked IP address to the malicious subscribers.Then, the malicious subscribers who receive these packets can see the contents of the packets and steal their personal contents to hack them. Used for malicious purposes. Malicious subscribers can also make the network unavailable to other subscribers and communication managers by not sending packets back to them.

2 is a block diagram of an exemplary access network. As shown in Fig. 2, a typical access network for connecting subscribers to a backbone communication network, for example, is a L3 (Layer 3) switch at the upper end of a gateway (the term 'router' for convenience of explanation) is mixed. And L2 (Layer 2) switches (Ethernet switches or switching hubs) are placed in this gateway, and a plurality of subscribers (hereinafter simply referred to as 'subscribers') are placed in these L2 switches. . In the example of FIG. 2, the IP address '10 .1.1.254 'is assigned to the gateway F, and the IP addresses '10 .1.1.251' and '10 .1.1.252 'are assigned to the two L2 switches D and E, respectively. The three subscribers (A), (B), and (C) are assigned IP addresses of '10 .1.1.10 ', '10 .1.1.20', and '10 .1.1.30 ', respectively.

Hereinafter, various attack methods using ARP will be described in detail with reference to the network configuration of FIG. 2.

A. Gateway Attack

3 is a diagram illustrating a conventional method for attacking a gateway using ARP in the access network configuration of FIG. 2, and assumes that an attacker is an IP address subscriber A of '10 .1.1.10 '. In this configuration, the attack of the gateway connecting the subscriber network and the upper network is performed as follows.

(a1) The attacker uses DHCP (Dynamic Host Configuration Protocol) to find out the IP address of the gateway (F) of the subscriber network.

(a2) The attacker attempts an ARP request on the IP address thus obtained to find out the MAC address of the gateway (F).

(a3) The attacker creates a new ARP response packet by combining the IP address of the gateway (F) found through the steps (a1) and (a2) with the attacker's MAC address.

(a4) The attacker sends the ARP response packet generated in (a3) targeting the IP and MAC addresses of other subscribers (B) and (C) in the subscriber network.

(a5) Upon receiving the ARP response packet sent by the attacker, the other subscribers B and C update the MAC address corresponding to the IP address of the gateway F.

(a6) The destination MAC address of the Ethernet header of all packets that subscribers (B) and (C) intends to send to the upper network through the gateway (F) becomes the attacker's MAC address. All packets in (C) are forwarded to the attacker.

(a7) After the attacker steals the contents of the received packet, the attacker can send the packet back to the gateway F or discard it according to the attacker's intention. At this time, if the packet is discarded, the network service for subscribers B and C that sent the packet is stopped.

B. Switch Attack

FIG. 4 is a diagram illustrating a conventional L2 switch attack method using ARP in the access network configuration of FIG. 2, and assumes that an attacker is a subscriber (A). In this configuration, the attack on the L2 switch present in the subscriber network is performed as follows.

(b1) The attacker makes an ARP request for all IP addresses of the subscriber network subnet to find out the IP address and MAC address of the L2 switch (D) in the subscriber network.

(b2) The attacker finds out the IP address of the gateway (F) of the subscriber network using DHCP.

(b3) The attacker attempts to ARP a request for the IP address of the gateway (F) thus found to find out the MAC address of the gateway (F).

(b4) The attacker combines the IP address of the L2 switch (D) found in (b1) and its MAC address and uses it as the sender's IP address and MAC address, and the IP of the gateway (F) found in (b2). Create and send an ARP reply packet that uses the address as the destination address.

(b5) When the gateway (F) receives the ARP spoofing attack packet generated in (b4), the MAC address corresponding to the attacked L2 switch (D) IP address in the ARP table of the gateway (F) is the MAC address of the L2 switch (D). Is changed to the attacker's MAC address, and all packets sent through the gateway (F) to the L2 switch (D) are sent to the attacker.

(b6) After attacking the contents of the received packet, the attacker can try to hack the switch by finding the connection ID and password of the L2 switch. In addition, if the attacker does not send the received packet back to the L2 switch (D), the subscriber network manager cannot communicate with the L2 switch (D), causing a problem in that the subscriber network cannot be managed.

C. Subscriber Attack

FIG. 5 is a diagram illustrating a conventional method of attacking a subscriber using ARP in the access network configuration of FIG. 2, and assumes that an attacker is a subscriber (A). The attack on another subscriber in the subscriber network is carried out as follows.

(c1) The attacker makes an ARP request for all IP addresses in the subscriber network subnet and learns the IP address and MAC address of another subscriber in the subscriber network.

(c2) The attacker creates an ARP response packet that uses the IP address of the subscriber (C) as the target of the IP address found in (c1) and the attacker's own MAC address as the sender address, and the other subscribers and the gateway (F). To).

(c3) The gateway (F) and other subscribers receiving the ARP response packet generated in (c2) have a MAC address corresponding to the IP address of the subscriber (C) to be attacked, and the MAC address of the target subscriber (C) to be attacked. The ARP table is updated to be the attacker's MAC address, and the Ethernet destination MAC address of all packets to be delivered to the target subscriber C later is changed to the attacker's MAC address. If the MAC address is changed in this way, all packets to be delivered to the target subscriber (C) are then delivered to the attacker.

(c4) The attacker can steal all the contents of the received packets, obtain the personal information of the target subscriber, and use it for later hacking. In addition, if the attacker does not retransmit the received packets to the target subscriber (C), the target subscriber experiences a disruption of the network service.

As described above, the L2 Ethernet switch and the L3 Ethernet / IP switches installed in the existing subscriber network do not check the ARP packets existing in the network. There is no way to protect subscribers and network from malicious users' ARP spoofing attack.

1. Damage to subscribers

As such, problems that may occur when an attacker who performs an ARP spoofing attack appear in a subscriber network used by many subscribers are as follows.

1) Invasion of privacy and the resulting financial damages

As mentioned above, an attacker can change the ARP table of gateways and switches belonging to a subscriber network through an ARP spoofing attack. At this time, if the MAC address corresponding to the specific subscriber's IP address is changed to the attacker's MAC address, the attacker can steal all packets destined for the target subscriber. And through this sneak attacker can find out the ID and password of the transaction through the Internet and try to hack later. In addition, if such a hack is successful, the target subscriber may be damaged from a small amount of mental damage to a large amount of financial damage.

2) Damage due to communication service disconnection

If the attacker of the ARP spoofing attack does not re-send the packet coming to the target subscriber, the target subscriber experiences a disconnection of the network service. This can be judged as financial damage because it violates the service level agreement with the telecommunications company as well as the problem of not being able to use the target subscriber at the time of attack.

2. Damage to carrier investment

Carriers operating subscriber networks suffer the following damages when an ARP spoofing attack occurs on the subscriber network.

1) Compensation for Damages to Subscribers

From the subscriber's point of view of paying for the subscriber's network, the carrier can claim the damage caused by using the network. With only one attacker, all subscribers in a single subnet can suffer from financial disruption or theft of personal information, causing huge financial damage to carriers.

2) Impossible to manage switch that composes subscriber network

If an attacker makes an ARP spoofing attack on a gateway and an L2 switch in a subscriber network, the telecommunications company cannot access equipment such as a switch of the telecommunication company existing in the network. In addition, attempts to gain access can cause an attacker to steal the username and password to gain access to the switches.

SUMMARY OF THE INVENTION The present invention has been made to solve the above-mentioned problems, and by generating a subscriber's IP address / MAC address database by snooping DHCP packets and ARP packets in an Ethernet-based subscriber network, a malicious user performs an ARP spoofing attack in good faith. An object of the present invention is to provide an ARP spoof automatic blocking apparatus and method for automatically blocking a user's packet or inducing paralysis of a subscriber network.

It is another object of the present invention to provide an ARP spoof automatic blocking apparatus and method for preventing an ARP spoofing attack and at the same time restoring an attacked subscriber network to its original state using GARP (Gratuitous ARP) technology.

ARP spoofing automatic blocking device of the present invention for achieving the above object is a switching module for transmitting a packet from the subscriber network to the upper network or a higher network or self-generated packet to the subscriber network; By snooping DHCP packets coming from the subscriber or from the upper network to the subscriber network through the snooping database and switching module that store the MAC address and IP address, DHCP authentication, and ARP temporary authentication information of the subscriber in the subscriber network. Record the subscriber's MAC address and IP address as an authenticated entry in the snooping database, classify only the ARP request packet among the ARP packets coming from the subscriber, and extract the source MAC address and the source IP address of the packet and temporarily And a network snooping module that writes to the snooping database as an authenticated entry and automatically blocks after detecting an ARP spoofing attack based on the information in the snooping database.

In the above-described configuration, the spoof automatic blocking device may be implemented as an L2 switch or an L3 switch.

Meanwhile, the automatic spoofing blocking method of the present invention snoops a DHCP packet flowing from a subscriber through a switching module of an L2 switch or an L3 switch or a subscriber network from an upper network to a subscriber network, and stores the MAC address and IP address of the subscriber in a snooping database. (A) recording as an authenticated entry; (B) extracting only the ARP request packet from the ARP packets coming from the subscriber and extracting the sender MAC address and the sender IP address of the packet and writing them into the snooping database as temporary authentication entries for the subscriber; and the incoming ARP packets. (C) automatically detecting the ARP spoofing attack after searching the snooping database.

In the above configuration, for an entry authenticated by DHCP in step (a), the entry is maintained for a DHCP lease time, and if there is no DHCP update operation later, the entry is recorded as an unauthenticated state, and (b) For an entry that is temporarily authenticated by the ARP request in step), when the ARP timeout passes more than a predetermined level, an ARP request is made for the entry, and when an ARP response to the ARP request is received, the entry is temporarily saved. If no response is received for a certain period of time, the entry is recorded as an unauthenticated state, and the entry recorded as the unauthenticated state is completely deleted from the snooping database after a predetermined time elapses.

In the case of (c), in case of ARP packet introduced from a higher network than a packet coming from a port connected to a subscriber, the packet is trusted and passed.

Meanwhile, in the step (c), if the incoming ARP packet is an ARP packet from the subscriber and the corresponding ARP packet is an ARP request, the IP address is queried from the snooping database and the entry is obtained by DHCP. In the case of the authenticated state, comparing the source MAC address of the incoming packet with the MAC address of the snooping database entry, determining that the attack is not the same in case of the same, and determining that the attack is not the same (e2a). .

In addition to the subscriber, a gateway is added to the snooping database as an entry, and the subscriber gateway information included in the DHCP offer and the Ack packet is extracted to find an entry having a corresponding IP address among the entries in the snooping database, and the entry is a gateway. If the subscriber network manager explicitly enters the IP address of the subscriber gateway using the console of the switch, the entry of the snooping database is found with the corresponding information, and the gateway entry is additionally recorded in the entry.

On the other hand, in the step (c), if the incoming ARP packet is an ARP packet from the subscriber and the ARP packet is an ARP request, the IP address is queried to the snooping database to record that there is an entry and a gateway to the entry. If it is, it checks again that the port information of the corresponding entry and the current port of the ARP packet are correct, and if it is determined that it is not an attack, if it is different, the method includes determining that it is an attack (e2b).

In the step (c), if the incoming ARP packet is an ARP packet from the subscriber and the corresponding ARP packet is an ARP request, the IP address of the switch is assigned to the port to which the ARP packet is introduced, and the IP address and source of the switch are transmitted. If the IP address is the same, it compares the MAC address of the switch and the sender MAC address again and determines that the attack is not the same.

In step (c), if the incoming ARP packet is an ARP packet coming from a subscriber and the ARP packet is an ARP request, there is an entry received by searching the snooping database with the corresponding IP address and the MAC address is empty. (00: 00: 00: 00: 00: 00) If it is recorded that the gateway is in the corresponding entry or the temporary authentication status is set, the MAC address of the snooping database entry is compared with the sender MAC address of the incoming ARP packet. If it is the same, it is determined that it is not an attack, but if it is not the same, it includes the step of determining that it is an attack (e2d).

However, even if the MAC address of the snooping database entry and the source MAC address of the incoming ARP packet are not identical, the entry of the snooping database is temporarily authenticated, and the subscriber network administrator explicitly states "ARP Move by ARP request." Is allowed, the MAC address of the corresponding entry is changed to the source MAC address of the incoming ARP packet without being considered an attack.

In step (c), if the incoming ARP packet is an ARP packet introduced from the subscriber and the corresponding ARP packet is an ARP response, the (e2a) to (e2e) for the source IP address and the source MAC address of the ARP packet. And performing all the steps to determine whether to attack, and performing all of the steps (e2a) to (e2d) on the target IP address and the target MAC address (e3).

The ARP spoofing packet flows into the GARP packet using the MAC address of the sender as the MAC address of the snooping database entry used to determine the attack and the IP address of the snooping database entry used to determine the attack. And sending out a specified number of times for a specified number of times.

Hereinafter, with reference to the accompanying drawings will be described in detail with respect to ARP spoofing automatic blocking device and method according to a preferred embodiment of the present invention.

Figure 6 is a block diagram of a switch device having an automatic blocking function of the ARP spoofing of the present invention. As shown in FIG. 6, the switch having the ARP spoofing automatic blocking function of the present invention has a switching module 10 that transmits a packet flowing from a subscriber network to a higher network or a higher network or a self-generated packet to a subscriber network. ; Ingress from subscribers or through the snooping database 30 and switching module 10, which stores MAC and IP addresses, DHCP authentication, and ARP temporary authentication information for subscribers of the subscriber network Snooping the DHCP packet and recording the subscriber's MAC address and IP address as an authenticated entry in the snooping database 30, and classifying only the ARP Request packet among the ARP packets coming from the subscriber, The network snooping module 20 which extracts the address and the source IP address and writes it to the snooping database 30 as a temporary authenticated entry for the subscriber, and detects and blocks the ARP spoofing attack based on the information of the snooping database 30. It can be made, including).

In the above-described configuration, the switching module may be implemented with a conventional switching module in the switch equipment. On the other hand, the network snooping module 20 has a CPU mounted therein so that various operations can be performed. On the other hand, the snooping database 30 for the subscriber's IP address / MAC address can be built by the following process.

(c1) By snooping the DHCP packet flowing from the subscriber and the DHCP packet flowing from the upper network to the subscriber, the MAC address and IP address of the subscriber are recorded in the snooping database 30 as an authenticated entry.

(c2) After classifying only ARP Request packets among ARP packets coming from the subscriber, the source MAC address and source IP address of the packet are extracted and recorded in the snooping database 30 as an entry temporarily authenticated for the subscriber. do.

(c3) If an entry authenticated by DHCP is maintained for a DHCP lease time, the entry is marked as unauthenticated if there is no DHCP renewal in the future.

(c4) Since there is no DHCP update operation as shown in (c3) for an entry temporarily authenticated by an ARP request, when the ARP timeout passes by a certain amount, for example, 1/2 or more, Make an ARP request. When an ARP Response to the request is received, the entry is temporarily stored as an authorized entry, and if no response is received for a certain period of time, the entry is marked as unauthenticated.

(c5) The entry marked as unauthenticated is completely deleted from the snooping database 30 after a predetermined time, for example, two minutes.

Meanwhile, a router (gateway) may be added as an entry to the snooping database 30 constructed by the above method. The process is as follows.

(d1) Extract the subscriber gateway information included in the DHCP Offer and Ack packets to find the entry with the corresponding IP address among the entries in the snooping database 30, and determine whether the entry is a gateway, that is, whether it is a router or not. Record additionally.

(d2) When the subscriber network manager explicitly enters the IP address of the subscriber gateway using the console of the switch, the subscriber finds an entry in the snooping database 30 with the corresponding information, and adds the gateway to the entry. Record it.

(d3) When performing the steps (d1) and (d2), if there is no corresponding IP information in the snooping database 30, the next time an entry for the corresponding IP address is added, it indicates whether or not the entry is a gateway.

As described above, the snooping database 30 constructed in accordance with the present invention adds / deletes subscribers in real time, and snoops DHCP packets and ARP packets according to the settings of the subscriber network manager, and is automatically changed according to the subscriber network situation. . Table 1 below shows an example of the snooping database 30 thus constructed.

MAC address IP address port router certification temporary 00: 90: a3: 12: 02: 11 10.1.1.1 GigabitEthernet1 / 1 ■ ■ □ 00: 00: 17: 23: ab: de 10.1.1.100 FastEthernet 2/1 □ ■ ■ 00: 00: 17: 23: ab: dd 10.1.1.101 FastEthernet 2/21 □ ■ □ 00: 00: 17: 23: ab: dc 10.1.1.102 FastEthernet 2/3 □ ■ ■

Meanwhile, when the ARP packet is introduced, the switches of the subscriber network determine the ARP spoofing attack by the following process by the snooping database constructed by the above process.

(e1) In case of ARP packet coming from higher network, not packet from port connected to subscriber, it trusts and passes the packet.

(e2) If the ARP packet is from the subscriber and the ARP packet is an ARP request, the following checks are performed for the source IP address and the source MAC address of the ARP packet.

(e2a) If the IP address is retrieved from the snooping database and the entry exists, and the entry is authenticated by DHCP, the attack is performed when the MAC address of the incoming packet is compared with the MAC address of the snooping database entry. If it is not the same, it is determined to be an attack.

(e2b) If the IP address is searched in the snooping database, and if there is an entry and the router status is set in the entry, it checks again that the port information of the entry and the incoming port of the current ARP packet are correct. On the other hand, if it is different, it is considered an attack.

(e2c) If the switch's IP address is assigned to the port to which the ARP packet flows and the switch's IP address and the sender's IP address are the same, the switch's MAC address is compared with the sender's MAC address. On the other hand, if it is not the same, the attack is considered.

(e2d) The snooping database is searched by the corresponding IP address and there is an entry received and the MAC address is not empty (00: 00: 00: 00: 00: 00) and the gateway status is set or the temporary authentication status is not set. If it is set, the MAC address of the snooping database entry and the source MAC address of the incoming ARP packet are compared to determine that it is not an attack.

(e2e) However, even if the MAC address of the snooping database entry and the source MAC address of the incoming ARP packet are not identical in step (e2d), the entry of the snooping database is in the temporary authentication state and the subscriber network manager explicitly states " If ARP Move is allowed by ARP request ", the MAC address of the corresponding entry is changed to the source MAC address of the incoming ARP packet without being determined as an attack.

(e3) If the ARP packet is from the subscriber and the corresponding ARP packet is an ARP response, it is determined whether the attack is performed by performing steps (e2a) to (e2e) for both the source IP address and the source MAC address of the ARP packet, Further, all steps (e2a) to (e2d) are performed on the target IP address and the target MAC address to determine whether an attack is made.

When performing the inspection on the ARP packet introduced to the subscriber network through the above process, the ARP spoofing attack from the malicious subscriber in the subscriber network can be filtered out. If the incoming ARP packet is determined to be an ARP spoofing attack, the subscriber network manager is notified through the network management platform (EMS / NMS: Element Management System / Network Management System). Perform restoration of the switch lower subscriber network.

7 is a GARP packet format diagram used to restore a subscriber network in the present invention. If the MAC address exists in the entry of the snooping database used when determining the attack, the subscriber network manager sends the GARP packet as shown in FIG. 7 for the designated number of times to the port where the attack ARP packet is introduced. In FIG. 7, 'macA' and 'ipA' indicate MAC addresses and IP addresses of snooping database entries used to determine an attack, respectively.

Hereinafter, a process of operating the ARP spoofing attack detection and network restoration method described above with respect to the three ARP spoofing attack methods mentioned in the prior art will be described.

F. Response to Gateway Attacks

Gateway attack can be attacked and defended according to the distribution of switches that constitute the subscriber network. The first method is defense at the L2 Ethernet switch between the gateway and the subscriber, and the second method is defense at the gateway, the L3 Ethernet switch.

FIG. 8 is a diagram illustrating a method for defending against an ARP spoofing attack at a gateway in the access network configuration of FIG. 2, and assumes that an attacker is a subscriber (A).

First, the defense method in the L2 switch will be described.

(f1a) As described above, in the L2 switch D, the subscriber network manager may explicitly input the IP address of the upper gateway F and the port to which the corresponding gateway F belongs to the snooping database. The entry may be configured as a router and may not have a MAC address.

(f1b) The attacker sends an ARP response packet using the IP address of the gateway (F) and the attacker's own MAC address as a source address for the attack. The L2 switch (D) performs snooping because the packet is ARP. do.

(f1c) The ARP packet snooped by the L2 switch D is a response packet, and since the source IP address is present in the snooping database entry, the L2 switch D, as mentioned above, is used to determine the incoming ARP packet. In this case, the ports in the subscriber direction and the ports of the upper gateway F are naturally different from each other, and thus are determined to be attacks.

(f1d) If the attack is determined and the MAC address is registered in the corresponding snooping database entry, the L2 switch (D) is the gateway of both the source address and the destination address to restore the subscribers and switches already attacked by the packet. It generates GARP packet inputting normal IP address and MAC address of (F).

(f1e) Subordinate subscribers (B), (C) and L2 switches (E) that have received the GARP packet, normally restore the MAC address corresponding to the gateway (F) IP address of the ARP table.

In the above-described method, defense may be performed in the L2 switch, but if the subscriber is directly connected to the L3 Ethernet / IP switch, which is the gateway, or the L2 switch is a switch that does not have the function of the present invention, the gateway F may perform the defense. Direct ARP spoofing attack defense is performed, which is described below.

(f2a) The IP address of the gateway (F) means the IP address of the internal interface of the L3 Ethernet / IP switch, which is the gateway (F) of the subscriber network, and the normal MAC address corresponding to the IP address is the MAC address of the corresponding interface.

(f2b) The attacker sends an ARP response packet using the IP address of the gateway F and the attacker's own MAC address as a source address for the attack. When the packet flows into the gateway F, the gateway F enters the Since the packet is an ARP packet, it snoops and checks the packet.

(f2c) Since the packet is an ARP response packet and the source IP address is an IP address present on the interface of the L3 Ethernet / IP switch that is the gateway F snooping the packet, the gateway (F) is the source MAC address and the MAC of the interface. Compare addresses.

(f2d) By the way, since this packet is an ARP packet for spoofing attack, of course, the source MAC address and the interface MAC address do not coincide. Accordingly, the gateway F determines this as an ARP spoofing attack, and the spoofing attack has already occurred. In order to restore the subordinate subscriber network, the GARP packet is transmitted by using the IP address and MAC address of the corresponding interface of the gateway (F) as a source address and a destination address.

G. Response to Switch Attacks

There are two ways to attack a switch (L2 switch) that is not a gateway (F) in the subscriber network. The first is when an attacker connects to the underside of the target switch, and the second is when the attacker This is the case where the gateway F is connected from a place irrelevant to the switch to be attacked.

FIG. 9 is a diagram illustrating a method for defending against an ARP spoofing attack in a switch in the access network configuration of FIG. 2, assuming that an attacker is a subscriber (A), and an ARP spoofing attack defense for each case will be described. FIG.

(g1) When the attacker A accesses the gateway F through the attack target switch, defense may be performed through the above-described steps (f2a) to (f2d). That is, the IP address in the sender address of the ARP spoofing attack packet sent by the attacker will be the same as the interface IP address of the switch that snooped the ARP packet, so the sender MAC address does not match the MAC address of the interface. Determining this as an attack, discards the packet and performs restoration work for the lower subscriber network.

(g2) When an attacker connects to a gateway regardless of the target switch

(g2a) The attacker sends an ARP request packet to all IP addresses in the subnet of the subscriber network to search for the initial attack target.

(g2b) The attack target switch receiving the ARP request packet generated in (g2a) sends an ARP response packet for the request. At this time, the gateway F between the attacker and the target switch snoops the corresponding ARP response packet, adds a new entry to the snooping database as described above, and the entry shows a temporary authentication state.

(g2c) The attacker receives the ARP response packet from the target switch and sends the ARP response packet using the switch's IP address, which is the source IP address of the response packet, and the attacker's own MAC address.

(g2d) When the ARP spoofing attack packet created in (g2c) enters the gateway F, the gateway F determines that the ARP packet is a response packet and that an entry having the sender's IP address of the packet exists in the snooping database. Since the temporary authentication status is set in the above, when the MAC address of the corresponding entry is compared with the source MAC address of the ARP response packet, it is naturally not the same. Accordingly, the packet is discarded and the GARP packet is transmitted to protect the lower subscriber network.

(g2e) Later, when the gateway (F) passes half of the timeout of the snooping database entry for the switch's IP address and MAC address, it makes an ARP request for the switch again.

(g2f) In step (g2d), the switch receiving the ARP responds with an ARP response, and the timeout of the entry in the snooping database of the gateway F receiving the response is updated.

(g2g) The steps of (g2d) and (g2f) cannot be changed by the attacker in the middle because the switch continues during normal operation.

H. Response to Subscriber Attacks

When an attacker attacks another subscriber in the subscriber network, the attacker can defend in two ways, depending on the type of the target subscriber. In the second case, the target subscriber sets the IP address statically.

10 to 13 are diagrams for explaining various defense methods against subscriber attack in the access network configuration of FIG. 2, and assume that the subscriber A is an attacker. In each case, in the state where an entry is made in the snooping database according to the snooping database update method described above, it is possible to defend through the second method of the above-described switch defense, that is, (g2a) to (g2h).

The present invention can be applied to both a dynamic IP allocation network for allocating IPs to subscribers using DHCP and a static IP allocation network for statically assigning IPs to subscriber stations.

The apparatus and method for automatically blocking ARP spoofing of the present invention is not limited to the above-described embodiments, and various modifications can be made within the scope of the technical idea of the present invention.

When using the L2 Ethernet switch and the L3 Ethernet / IP switch in which the ARP spoofing automatic blocking device and method of the present invention as described above are implemented, the telecommunications companies may experience various damages in subscriber network operation, that is, personal privacy, financial or mental damage. And any damages caused by the carrier's reparation or inability to manage the subscriber network can be automatically avoided.Thus, the operator can protect the investment in the subscriber network, and all subscribers using the subscriber network are protected from hacking and communication loss. Can be free.

Claims (13)

delete delete (A) snooping a DHCP packet coming from a subscriber through a switching module of an L2 switch or an L3 switch or from an upper network to a subscriber network and recording the MAC address and IP address of the subscriber as an authenticated entry in a snooping database; ; (B) extracting only the ARP request packet from the ARP packets coming from the subscriber and extracting the sender MAC address and the sender IP address of the packet and writing them into the snooping database as temporary authentication entries for the subscriber; and the incoming ARP packets. In the method for automatically blocking ARP spoofing comprising the step of (c) automatically blocking after searching the snooping database to detect an ARP spoofing attack, For the entry authenticated by DHCP in step (a), the entry is maintained for a DHCP lease time, and if there is no DHCP update operation later, the entry is recorded as unauthenticated. For an entry temporarily authenticated by the ARP request in step (b), an ARP request is made for the entry when the ARP timeout passes for a predetermined level or more, and upon receipt of an ARP response to the ARP request, the newly authenticated temporarily Save it as an entry and log the entry as unauthenticated if there is no response for a certain period of time. And automatically deleting the entry recorded in the unauthenticated state from the snooping database after a predetermined time elapses. delete The method of claim 3, wherein ARP spoofing automatic blocking method characterized in that for the ARP packet introduced from the upper network other than the packet coming from the port connected to the subscriber in step (c) to trust and pass the packet. The method of claim 3, wherein In the step (c), if the incoming ARP packet is an ARP packet from the subscriber and the corresponding ARP packet is an ARP request, If the IP address is retrieved from the snooping database and there is an entry, and the entry is authenticated by DHCP, the MAC address of the incoming packet is compared with the MAC address of the snooping database entry. In contrast, if it is not the same, the ARP spoofing automatic blocking method comprising the step (e2a) to determine that the attack. The method of claim 6, In addition to subscribers, gateways are added as entries to the snooping database. Extracts the subscriber gateway information included in the DHCP offer and Ack packet, finds an entry with the corresponding IP address among the entries in the snooping database, and further records that the entry is a gateway, When the subscriber network manager explicitly inputs the IP address of the subscriber gateway using the console of the switch, ARP spoofing, which has the corresponding information, finds an entry in the snooping database, and records whether the gateway is added to the entry. Auto shut off method. The method of claim 3, wherein In the step (c), if the incoming ARP packet is an ARP packet from the subscriber and the corresponding ARP packet is an ARP request, If the IP address is queried to the snooping database and an entry is found and the entry is a gateway, the port information of the entry and the incoming port of the current ARP packet are checked again to determine that it is not an attack. ARP spoofing automatic blocking method characterized in that it comprises a step (e2b) to determine that the attack if different. The method of claim 3, wherein In the step (c), if the incoming ARP packet is an ARP packet from the subscriber and the corresponding ARP packet is an ARP request, If the switch's IP address is assigned to the port where the ARP packet is introduced, and the switch's IP address and the sender's IP address are the same, the MAC address of the switch and the sender's MAC address are compared again. If not, the ARP spoofing automatic blocking method comprising the step of determining that the attack (e2c). The method of claim 3, wherein In the step (c), if the incoming ARP packet is an ARP packet from the subscriber and the corresponding ARP packet is an ARP request, If there is an entry received by searching the snooping database with the corresponding IP address, the MAC address is not empty (00: 00: 00: 00: 00: 00), and the entry is recorded as a gateway or a temporary authentication state is set. And comparing the MAC address of the snooping database entry with the source MAC address of the incoming ARP packet to determine that it is not an attack if it is the same, and if it is not the same, determining that it is an attack (e2d). How to automatically block ARP spoofing. The method of claim 10, Even if the MAC address of the snooping database entry and the source MAC address of the incoming ARP packet are not identical, the snooping database entry is temporarily authenticated and the subscriber network administrator explicitly allows "ARP Move by ARP request." &Quot; (e2e) " changing the MAC address of the entry to the source MAC address of the incoming ARP packet without determining that it is an attack. The method according to any one of claims 6, 8, 9, 10, and 11, In the step (c), if the incoming ARP packet is an ARP packet introduced from a subscriber and the corresponding ARP packet is an ARP response, Perform all of the steps (e2a) to (e2e) for the source IP address and the source MAC address of the ARP packet to determine whether to attack, and for the target IP address and the target MAC address (e2a) to (e2d). And determining (e3) whether or not the attack is performed by performing all of the steps of the ARP spoofing automatic blocking method. The method according to any one of claims 6, 8, 9, 10, The ARP spoofing packet flows from the GARP, where the sender's MAC address is the MAC address of the snooping database entry used to determine the attack, and the sender's IP address is the IP address of the snooping database entry used to determine the attack. ARP spoofing automatic blocking method comprising the step of flowing to the port for a specified number of times.

Images