CN108430063B - Method and equipment for monitoring ARP spoofing in wireless local area network - Google Patents

Publication number
CN108430063B
Authority
CN
China
Prior art keywords
mac address
address information
wireless
current
local area
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201810331311.4A
Other languages
Chinese (zh)
Other versions
CN108430063A (en
Inventor
高迪
王震
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Shangxiang Network Technology Co.,Ltd.
Original Assignee
Shanghai Shangxiang Network Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04W WIRELESS COMMUNICATION NETWORKS
    • H04W12/00 Security arrangements; Authentication; Protecting privacy or anonymity
    • H04W12/12 Detection or prevention of fraud
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/10 Mapping addresses of different types
    • H04L61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The purpose of the present application is to provide a method for monitoring ARP spoofing in a wireless local area network, which specifically includes: taking the current MAC address information of gateway equipment of a wireless network where a wireless terminal is positioned as reference MAC address information; detecting whether the current MAC address information of the gateway equipment is the same as the reference MAC address information or not in a delayed manner; and if the current MAC address information of the gateway equipment is different from the reference MAC address information, determining that ARP spoofing exists in the wireless local area network. The method for monitoring ARP spoofing does not need to acquire the highest authority of the wireless terminal, is wide in applicability and simple to operate, and improves the use experience of users.

Description

Method and equipment for monitoring ARP spoofing in wireless local area network
Technical Field
The present application relates to the field of communications, and in particular, to a technique for monitoring ARP spoofing in a wireless local area network.
Background
Because a wireless network transmits data signals over an open medium, using ordinary electromagnetic waves as the carrier, the two communicating parties are not connected by cables. The risk to data in transit increases greatly if the transmission link lacks appropriate encryption protection. Even when authentication and encryption mechanisms are added to a wireless network, users in the same wireless local area network still face security risks such as ARP spoofing.
Existing ARP spoofing detection mainly inspects ARP data packets at the bottom layer of the wireless terminal, or checks whether a data packet is the reply to a legitimate request. These methods generally require the highest authority (root privileges) on the wireless terminal and involve complex operations, so they are not suitable for the great majority of wireless terminal users.
Disclosure of Invention
It is an object of the present application to provide a method and apparatus for monitoring ARP spoofing in a wireless local area network.
According to one aspect of the present application, there is provided a method for monitoring ARP spoofing in a wireless local area network at a wireless terminal, the method comprising:
taking current MAC address information of gateway equipment of a wireless network where a wireless terminal is located as reference MAC address information, wherein the wireless terminal is accessed into the wireless network through wireless connection with a wireless access point;
detecting whether the current MAC address information of the gateway equipment is the same as the reference MAC address information or not in a delayed manner;
and if the current MAC address information of the gateway equipment is different from the reference MAC address information, determining that ARP spoofing exists in the wireless local area network.
According to another aspect of the present application, there is provided a method for monitoring ARP spoofing in a wireless local area network at a wireless terminal, the method comprising:
when other equipment sharing an MAC address does not exist in a wireless local area network where a wireless terminal is located, acquiring current MAC address information of the gateway equipment, wherein the wireless terminal is accessed to the wireless network through wireless connection with a wireless access point;
sending a request about MAC address information of the wireless access point to a corresponding server, and receiving the MAC address information of the wireless access point returned by the server based on the request;
and if the current MAC address information of the gateway equipment is different from the MAC address information of the wireless access point, determining that ARP spoofing exists in the wireless local area network.
According to an aspect of the present application, there is provided an apparatus for monitoring ARP spoofing in a wireless local area network at a wireless terminal, the apparatus comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to perform:
taking current MAC address information of gateway equipment of a wireless network where a wireless terminal is located as reference MAC address information, wherein the wireless terminal is accessed into the wireless network through wireless connection with a wireless access point;
detecting whether the current MAC address information of the gateway equipment is the same as the reference MAC address information or not in a delayed manner;
and if the current MAC address information of the gateway equipment is different from the reference MAC address information, determining that ARP spoofing exists in the wireless local area network.
According to an aspect of the present application, there is provided an apparatus for monitoring ARP spoofing in a wireless local area network at a wireless terminal, the apparatus comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to perform:
when other equipment sharing an MAC address does not exist in a wireless local area network where a wireless terminal is located, acquiring current MAC address information of the gateway equipment, wherein the wireless terminal is accessed to the wireless network through wireless connection with a wireless access point;
sending a request about MAC address information of the wireless access point to a corresponding server, and receiving the MAC address information of the wireless access point returned by the server based on the request;
and if the current MAC address information of the gateway equipment is different from the MAC address information of the wireless access point, determining that ARP spoofing exists in the wireless local area network.
According to an aspect of the application, there is provided a computer-readable medium comprising instructions that, when executed, cause a system to:
taking current MAC address information of gateway equipment of a wireless network where a wireless terminal is located as reference MAC address information, wherein the wireless terminal is accessed into the wireless network through wireless connection with a wireless access point;
detecting whether the current MAC address information of the gateway equipment is the same as the reference MAC address information or not in a delayed manner;
and if the current MAC address information of the gateway equipment is different from the reference MAC address information, determining that ARP spoofing exists in the wireless local area network.
According to an aspect of the application, there is provided a computer-readable medium comprising instructions that, when executed, cause a system to:
when other equipment sharing an MAC address does not exist in a wireless local area network where a wireless terminal is located, acquiring current MAC address information of the gateway equipment, wherein the wireless terminal is accessed to the wireless network through wireless connection with a wireless access point;
sending a request about MAC address information of the wireless access point to a corresponding server, and receiving the MAC address information of the wireless access point returned by the server based on the request;
and if the current MAC address information of the gateway equipment is different from the MAC address information of the wireless access point, determining that ARP spoofing exists in the wireless local area network.
Compared with the prior art, the present application monitors whether ARP spoofing exists in the current wireless local area network by detecting whether the gateway MAC address information of the wireless local area network to which the wireless terminal is connected changes, and whether two IP addresses share the gateway MAC address information in the current local ARP cache table. This method of monitoring ARP spoofing does not require the highest authority of the wireless terminal, is widely applicable and simple to operate, and improves the user experience. In addition, by requesting the gateway MAC address information from the server, the method reduces the probability of false alarms and improves the success rate of detecting ARP spoofing.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the following detailed description of non-limiting embodiments thereof, made with reference to the accompanying drawings in which:
fig. 1 illustrates a system topology for monitoring ARP spoofing in a wireless local area network by a wireless terminal according to one embodiment of the present application;
fig. 2 illustrates a flow diagram of a method for monitoring ARP spoofing in a wireless local area network by a wireless terminal according to one embodiment of the present application;
fig. 3 shows a flow diagram of a method for monitoring ARP spoofing in a wireless local area network by a wireless terminal according to another embodiment of the present application.
The same or similar reference numbers in the drawings identify the same or similar elements.
Detailed Description
The present application is described in further detail below with reference to the attached figures.
In a typical configuration of the present application, the terminal, the device serving the network, and the trusted party each include one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer readable medium, Random Access Memory (RAM) and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device.
The device referred to in this application includes, but is not limited to, a user device, a network device, or a device formed by integrating a user device and a network device through a network. The user equipment includes, but is not limited to, any mobile electronic product, such as a smart phone or a tablet computer, capable of human-computer interaction with a user (e.g., through a touch panel), and the mobile electronic product may employ any operating system, such as the Android operating system or the iOS operating system. The network device includes an electronic device capable of automatically performing numerical calculation and information processing according to preset or stored instructions, and its hardware includes, but is not limited to, a microprocessor, an Application Specific Integrated Circuit (ASIC), a Programmable Logic Device (PLD), a Field Programmable Gate Array (FPGA), a Digital Signal Processor (DSP), an embedded device, and the like. The network device includes, but is not limited to, a computer, a network host, a single network server, a set of multiple network servers, or a cloud of multiple servers; here, the cloud is composed of a large number of computers or network servers based on cloud computing, which is a kind of distributed computing: one virtual supercomputer consisting of a collection of loosely coupled computers. The network includes, but is not limited to, the internet, a wide area network, a metropolitan area network, a local area network, a VPN network, a wireless ad hoc network, etc. Preferably, the device may also be a program running on the user device, the network device, or a device formed by integrating the user device and the network device, the touch terminal, or the network device and the touch terminal through a network.
Of course, those skilled in the art will appreciate that the foregoing is by way of example only, and that other existing or future devices, which may be suitable for use in the present application, are also encompassed within the scope of the present application and are hereby incorporated by reference.
In the description of the present application, "a plurality" means two or more unless specifically limited otherwise.
Fig. 1 shows a typical scenario of the present application, in which a wireless terminal obtains Media Access Control (MAC) address information of a gateway device through communication with the gateway device and a server, and determines whether ARP spoofing exists in the current local area network. The following embodiments are described with reference to a wireless routing device, but those skilled in the art should understand that the embodiments are also applicable to other gateway devices, such as other professional devices. The following embodiments are described in terms of a mobile terminal (e.g., a mobile phone, a PAD, etc.), and those skilled in the art should understand that the embodiments are also applicable to other wireless terminals, such as a PC terminal. The mobile terminal includes a mobile terminal without the highest authority (such as a mobile phone, a PAD, and the like), for example a mobile terminal running a non-rooted Android system or a non-jailbroken iOS system.
Fig. 2 illustrates a method for monitoring ARP spoofing in a wireless local area network by a wireless terminal according to an aspect of the present application, the method including step S11, step S12, and step S13. In step S11, the wireless terminal uses the current MAC address information of the gateway device of the wireless network where the wireless terminal is located as the reference MAC address information, where the wireless terminal accesses the wireless network through the wireless connection with the wireless access point; in step S12, the wireless terminal performs a delay check to determine whether the current MAC address information of the gateway device is the same as the reference MAC address information; in step S13, if the current MAC address information of the gateway device is different from the reference MAC address information, the wireless terminal determines that ARP spoofing exists in the wireless local area network.
Specifically, in step S11, the wireless terminal, which accesses the wireless network through a wireless connection with the wireless access point, uses the current MAC address information of the gateway device of the wireless network in which it is located as the reference MAC address information. The MAC address information of the gateway device comprises the MAC address information corresponding to the wireless routing device to which the wireless terminal is currently connected. For example, a user holds a mobile terminal (e.g., a mobile phone), and the mobile terminal establishes a wireless connection with a wireless access point of a certain wireless routing device. The mobile terminal queries the current ARP cache table, determines the MAC address information corresponding to the IP address of the current gateway, and takes this gateway MAC address information as the reference MAC address information, wherein the ARP cache table stores the correspondence between the IP addresses and the MAC address information of the devices that communicate with the mobile terminal; as another example, the mobile terminal broadcasts an ARP request frame containing the IP address information of the gateway device in the wireless local area network, receives an ARP reply frame, returned by another device, containing the MAC address information corresponding to that IP address information, and uses this MAC address information as the reference MAC address information.
In step S12, the wireless terminal performs a delayed check to determine whether the current MAC address information of the gateway device is the same as the reference MAC address information. For example, the mobile terminal waits for a period of time, such as a delay of one or two seconds or several minutes, then acquires the MAC address information corresponding to the current gateway device again and compares whether the current MAC address information is the same as the reference MAC address information.
In step S13, if the current MAC address information of the gateway device is different from the reference MAC address information, the wireless terminal determines that ARP spoofing exists in the wireless local area network. For example, if the current MAC address information of the gateway device is different from the reference MAC address information, the mobile terminal determines that one of the two mappings, the one to the current MAC address or the one to the reference MAC address, is an IP-to-MAC mapping broadcast by an attacker, and determines that ARP spoofing exists in the current local area network.
For example, the user holds a mobile terminal that establishes a wireless connection with a wireless access point of the wireless routing device; the current IP address allocated by the wireless access point is IP0, and the MAC address information of the wireless routing device is MAC0. The mobile terminal finds in the current local ARP cache table that the MAC address information corresponding to IP0 is MAC1, and takes MAC1 as the reference MAC address; as another example, the mobile terminal broadcasts in the wireless LAN an ARP request frame for the gateway's IP address information IP0, receives an ARP reply frame, returned by another device, containing the MAC address MAC1 corresponding to IP0, and uses MAC1 as the reference MAC address. Then, after a period of time, the mobile terminal looks up IP0 in the current local ARP cache table, or broadcasts a request for IP0 in the wireless LAN, obtains MAC2 as the MAC address information currently corresponding to IP0, and compares whether MAC2 and MAC1 are the same. If MAC2 and MAC1 are different MAC address information, the mobile terminal determines that ARP spoofing exists in the current wireless local area network.
In some embodiments, the method further comprises step S14 (not shown) and step S15 (not shown). In step S14, if the current MAC address information of the gateway device is the same as the reference MAC address information, the wireless terminal detects whether another device sharing a MAC address with the gateway device exists in the address cache table of the wireless terminal; in step S15, if so, the wireless terminal determines that ARP spoofing exists in the wireless LAN. For example, if the current MAC address information acquired by the mobile terminal and the reference MAC address information are the same MAC address information, the mobile terminal detects whether the IP addresses of two devices correspond to the gateway MAC address information in the current ARP cache table; if so, the mobile terminal determines that ARP spoofing exists in the current wireless local area network.
For example, the mobile terminal detects that the obtained MAC2 and MAC1 are the same MAC address information, and then detects whether two different IP addresses correspond to MAC2 in the local ARP cache table; if so, the mobile terminal determines that ARP spoofing exists in the current wireless local area network.
In some embodiments, in step S15, if yes, the wireless terminal sends a request for MAC address information of the wireless access point to a corresponding server, and receives the MAC address information of the wireless access point returned by the server based on the request; and if the current MAC address information of the gateway equipment is different from the MAC address information of the wireless access point, determining that ARP spoofing exists in the wireless local area network. For example, if the mobile terminal detects that the IP addresses of two devices correspond to the gateway MAC address information in the current ARP cache table, the mobile terminal sends a request of the MAC address information of the wireless access point to a corresponding server through the wireless connection of the wireless access point, where the request includes a BSSID of the wireless access point, where the BSSID includes the MAC address information of the wireless access point or other information generated based on the MAC address information of the wireless access point; the server receives the request and sends the MAC address information of the wireless access point to the mobile terminal. And the mobile terminal receives the MAC address information returned by the server, compares the MAC address information with the current MAC address information, and determines that ARP spoofing exists in the current wireless local area network if the MAC address information is different from the current MAC address information.
For example, the mobile terminal detects that two different IP addresses correspond to the MAC2 in the local ARP cache table, the mobile terminal sends a request for acquiring the MAC address corresponding to the wireless access point to the server, wherein the request includes the BSSID corresponding to the wireless access point, the server receives the request, queries the database for MAC address information MAC0 corresponding to the BSSID, and returns the correspondence between the IP0 and the MAC0 to the mobile terminal. The mobile terminal receives the corresponding relation between the IP0 and the MAC0, compares whether the MAC0 is the same as the MAC2, and if the MAC0 and the MAC2 are different MAC address information, the mobile terminal determines that ARP spoofing exists in the current wireless local area network.
In some embodiments, in step S15, if the current MAC address information of the gateway device is the same as the MAC address information of the wireless access point, the method returns to step S12. For example, if the MAC address information returned by the server is the same as the current MAC address information, the mobile terminal determines either that the current wireless local area network has been subjected to ARP spoofing, or that the finding in the foregoing steps that two IPs share one piece of MAC address information was false and the current network has not been subjected to ARP spoofing; the mobile terminal then reacquires the current gateway MAC address information and monitors whether ARP spoofing exists.
For example, the mobile terminal receives the feedback information, returned by the server, containing the gateway MAC address information MAC0, and compares MAC0 with MAC2. If MAC0 is the same as MAC2, the mobile terminal determines either that the current wireless local area network has been subjected to ARP spoofing, or that the information in the previous steps that two IPs share one MAC address was false and the current network does not suffer from ARP spoofing; it then obtains the current gateway MAC address again and further monitors whether ARP spoofing exists in the current wireless local area network.
In some embodiments, the method further comprises step S16 (not shown). In step S16, no other device sharing a MAC address with the gateway device exists in the address cache table of the wireless terminal, and the process returns to step S12. For example, the mobile terminal queries in the local ARP cache table, determines that there is no other device sharing the MAC address with the gateway device, and the mobile terminal re-acquires the current gateway MAC address information and monitors whether there is ARP spoofing.
For example, the mobile terminal detects that the obtained MAC2 and the obtained MAC1 are the same MAC address information, the mobile terminal detects that two different IP addresses do not exist in the local ARP cache table and correspond to the MAC2, the mobile terminal reacquires the current gateway MAC address, and further monitors whether ARP spoofing exists in the current wireless local area network.
In some embodiments, in step S13, if the current MAC address information of the gateway device is different from the reference MAC address information, the wireless terminal sends a request for the MAC address information of the wireless access point to a corresponding server, and receives the MAC address information of the wireless access point returned by the server based on the request; if the current MAC address information of the gateway device is different from the MAC address information of the wireless access point, it determines that ARP spoofing exists in the wireless local area network. For example, the mobile terminal determines that the current MAC address information of the gateway device is different from the reference MAC address information, and sends a request for the MAC address information of the wireless access point to the server, wherein the request includes the BSSID corresponding to the wireless access point; the server receives the request, queries its database for the MAC address information corresponding to the BSSID, and returns that MAC address information to the mobile terminal; the mobile terminal receives the MAC address information, compares it with the reference MAC address and the current MAC address, and determines that ARP spoofing exists in the current wireless local area network if the returned MAC address information is the same as the reference MAC address or different from the current MAC address information.
In some embodiments, in step S13, if the current MAC address information of the gateway device is the same as the MAC address information of the wireless access point, the wireless terminal updates the reference MAC address information to the MAC address information of the wireless access point, and returns to step S12. For example, the mobile terminal compares the MAC address information returned by the server with the current MAC address information, and if the two are the same, the mobile terminal reacquires the current gateway MAC address information and monitors whether ARP spoofing exists.
For example, the mobile terminal detects that the obtained MAC2 and MAC1 are different MAC address information and sends the server a request for the MAC address corresponding to the wireless access point, wherein the request includes the BSSID corresponding to the wireless access point; the server receives the request, queries its database for the MAC address information MAC0 corresponding to the BSSID, and returns the correspondence between IP0 and MAC0 to the mobile terminal. The mobile terminal receives the correspondence between IP0 and MAC0 and compares MAC0 with MAC2 and MAC1; if MAC0 is different from the current MAC2 or the same as MAC1, it determines that ARP spoofing exists in the current wireless local area network. If MAC0 is the same as MAC2, the mobile terminal determines either that the current wireless local area network has been subjected to ARP spoofing, or that the information in the previous steps that MAC1 and MAC2 are different MAC addresses was false and the current network does not suffer from ARP spoofing; it then obtains the current gateway MAC address again to further monitor whether ARP spoofing exists in the current wireless local area network.
Fig. 3 illustrates a method for monitoring ARP spoofing in a wireless local area network by a wireless terminal according to another aspect of the present application, the method including step S21, step S22, and step S23. In step S21, when there is no other device sharing the MAC address with the gateway device in the wireless local area network where the wireless terminal is located, the wireless terminal obtains the current MAC address information of the gateway device, where the wireless terminal accesses the wireless network through the wireless connection with the wireless access point; in step S22, the wireless terminal sends a request for MAC address information of the wireless access point to a corresponding server, receives MAC address information of the wireless access point returned by the server based on the request; in step S23, if the current MAC address information of the gateway device is different from the MAC address information of the wireless access point, the wireless terminal determines that ARP spoofing exists in the wireless local area network. For example, a user holds a mobile terminal (e.g., a mobile phone), and the mobile terminal establishes a wireless connection with a wireless access point of a wireless routing device. 
The mobile terminal queries the current ARP cache table and finds that it does not contain the IP addresses of two devices corresponding to the gateway MAC address information, and the mobile terminal acquires the MAC address information of the current wireless access point. The mobile terminal then sends a request for the MAC address information of the wireless access point to a corresponding server through the wireless connection with the wireless access point, where the request includes the BSSID of the wireless access point, and the BSSID includes the MAC address information of the wireless access point or other information generated from that MAC address information; the server receives the request and sends the MAC address information of the wireless access point to the mobile terminal. The mobile terminal receives the MAC address information returned by the server, compares it with the current MAC address information, and determines that ARP spoofing exists in the current wireless local area network if the two are different.
For example, the user holds a mobile terminal, the mobile terminal establishes a wireless connection with a wireless access point of the wireless routing device, the current IP address allocated by the wireless access point is IP0, and the MAC address information of the wireless routing device is MAC0. The mobile terminal checks its current local cache table for two IP addresses that correspond to the same MAC address, that MAC address being the one corresponding to the gateway device; when no two IP addresses correspond to the same MAC address, the mobile terminal obtains the current MAC address of the gateway device, which is MAC2. Subsequently, the mobile terminal sends a request for the MAC address corresponding to the wireless access point to the server, where the request includes the BSSID corresponding to the wireless access point; the server receives the request, queries the database for the MAC address information MAC0 corresponding to the BSSID, and returns the correspondence between IP0 and MAC0 to the mobile terminal. The mobile terminal receives the correspondence between IP0 and MAC0 and compares MAC0 with MAC2; if MAC0 and MAC2 are different MAC address information, the mobile terminal determines that ARP spoofing exists in the current wireless local area network.
In some embodiments, in step S23, if the current MAC address information of the gateway device is the same as the MAC address information of the wireless access point, the wireless terminal returns to step S21. For example, if the MAC address information returned by the server is the same as the current MAC address information, the mobile terminal determines either that the current wireless local area network has been subjected to ARP spoofing, or that the finding in the foregoing steps that two IPs share one piece of MAC address information is false and the current network has not been subjected to ARP spoofing; the mobile terminal then reacquires the current gateway MAC address information and monitors whether ARP spoofing exists.
For example, the mobile terminal receives the feedback information returned by the server, which includes the gateway MAC address information MAC0, and compares MAC0 with MAC2. If MAC0 is the same as MAC2, the mobile terminal determines either that the current wireless local area network has been subjected to ARP spoofing, or that the finding in the previous steps that two IPs share one MAC address is false and the current network is not subject to ARP spoofing; it then checks again whether the IP addresses of two devices correspond to the gateway MAC address and further monitors whether ARP spoofing exists in the current wireless local area network.
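The checks of steps S11 to S13 and S21 to S23 described above can be exercised on a captured ARP cache as follows. This is an added Python example, not code from the patent: it assumes the cache is available in the Linux `/proc/net/arp` text layout, uses a dictionary as a stand-in for the server's BSSID database, and the verdict names, the addresses and the `no-gateway-entry` and `unverified` outcomes are constructed for illustration.

```python
# Added illustration of the gateway-MAC checks; not code from the patent.
# All addresses, the BSSID and the directory dict are constructed sample values.

HEADER = "IP address       HW type     Flags       HW address            Mask     Device\n"
ARP_BASELINE = HEADER + (
    "192.168.1.1      0x1         0x2         02:00:00:00:00:01     *        wlan0\n"
    "192.168.1.23     0x1         0x2         02:00:00:00:00:17     *        wlan0\n"
    "192.168.1.40     0x1         0x0         00:00:00:00:00:00     *        wlan0\n"
)
# Same cache after the gateway entry was overwritten with the MAC of 192.168.1.23.
ARP_POISONED = ARP_BASELINE.replace("02:00:00:00:00:01", "02:00:00:00:00:17")

BSSID = "02:00:00:00:00:02"
# Stand-in for the server-side database mapping a BSSID to the access point MAC (MAC0).
AP_DIRECTORY = {BSSID: "02:00:00:00:00:01"}


def parse_arp_table(text):
    """Return {ip: mac} from /proc/net/arp style text, skipping incomplete entries."""
    table = {}
    for line in text.splitlines()[1:]:          # first line is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, flags, mac = fields[0], int(fields[2], 16), fields[3].lower()
        if flags & 0x2 and mac != "00:00:00:00:00:00":   # 0x2 = ATF_COM (resolved)
            table[ip] = mac
    return table


def sharing_gateway_mac(table, gateway_ip):
    """IPs other than the gateway whose cache entry carries the gateway's MAC."""
    gw_mac = table.get(gateway_ip)
    if gw_mac is None:
        return []
    return sorted(ip for ip, mac in table.items() if ip != gateway_ip and mac == gw_mac)


def check_once(arp_text, gateway_ip, reference_mac, bssid, directory=AP_DIRECTORY):
    """One delayed check. Returns (verdict, reference MAC to use in the next round)."""
    table = parse_arp_table(arp_text)
    current = table.get(gateway_ip)              # MAC2 in the text
    if current is None:
        return ("no-gateway-entry", reference_mac)   # case not covered by the text
    changed = current != reference_mac.lower()   # MAC2 versus MAC1
    shared = sharing_gateway_mac(table, gateway_ip)
    if not changed and not shared:
        return ("ok", reference_mac)             # nothing suspicious: wait, then re-check
    ap_mac = directory.get(bssid.lower())        # server lookup keyed by BSSID (MAC0)
    if ap_mac is None:
        return ("unverified", reference_mac)     # server has no record; assumption
    if current != ap_mac.lower():
        return ("arp-spoofing", reference_mac)
    # MAC2 equals MAC0: adopt the server value as the reference and keep monitoring.
    return ("ok-reference-updated" if changed else "ok", ap_mac.lower())


if __name__ == "__main__":
    reference = parse_arp_table(ARP_BASELINE)["192.168.1.1"]   # step S11
    print(check_once(ARP_BASELINE, "192.168.1.1", reference, BSSID))
    print(check_once(ARP_POISONED, "192.168.1.1", reference, BSSID))
```

The third case in the test below is the one the reference comparison alone misses: a terminal that joined after the cache was already poisoned sees no change in the gateway MAC, and only the shared-MAC check triggers the server lookup.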
The present application also provides a computer readable storage medium having stored thereon computer code which, when executed, performs a method as in any one of the preceding.
The present application also provides a computer program product, which when executed by a computer device, performs the method of any of the preceding claims.
The present application further provides a computer device, comprising:
one or more processors;
a memory for storing one or more computer programs;
the one or more computer programs, when executed by the one or more processors, cause the one or more processors to implement the method of any preceding claim.
It should be noted that the present application may be implemented in software and/or a combination of software and hardware, for example, implemented using Application Specific Integrated Circuits (ASICs), general purpose computers or any other similar hardware devices. In one embodiment, the software programs of the present application may be executed by a processor to implement the steps or functions described above. Likewise, the software programs (including associated data structures) of the present application may be stored in a computer readable recording medium, such as RAM memory, magnetic or optical drive or diskette and the like. Additionally, some of the steps or functions of the present application may be implemented in hardware, for example, as circuitry that cooperates with the processor to perform various steps or functions.
In addition, a portion of the present application may be implemented as a computer program product, such as computer program instructions, which when executed by a computer, may invoke or provide methods and/or techniques in accordance with the present application through the operation of the computer. Those skilled in the art will appreciate that the form in which the computer program instructions reside on a computer-readable medium includes, but is not limited to, source files, executable files, installation package files, and the like, and that the manner in which the computer program instructions are executed by a computer includes, but is not limited to: the computer directly executes the instruction, or the computer compiles the instruction and then executes the corresponding compiled program, or the computer reads and executes the instruction, or the computer reads and installs the instruction and then executes the corresponding installed program. Computer-readable media herein can be any available computer-readable storage media or communication media that can be accessed by a computer.
Communication media includes media by which communication signals, including, for example, computer readable instructions, data structures, program modules, or other data, are transmitted from one system to another. Communication media may include conductive transmission media such as cables and wires (e.g., fiber optics, coaxial, etc.) and wireless (non-conductive transmission) media capable of propagating energy waves such as acoustic, electromagnetic, RF, microwave, and infrared. Computer readable instructions, data structures, program modules, or other data may be embodied in a modulated data signal, for example, in a wireless medium such as a carrier wave or similar mechanism such as is embodied as part of spread spectrum techniques. The term "modulated data signal" means a signal that has one or more of its characteristics set or changed in such a manner as to encode information in the signal. The modulation may be analog, digital or hybrid modulation techniques.
By way of example, and not limitation, computer-readable storage media may include volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer-readable instructions, data structures, program modules or other data. For example, computer-readable storage media include, but are not limited to, volatile memory such as random access memory (RAM, DRAM, SRAM); and non-volatile memory such as flash memory, various read-only memories (ROM, PROM, EPROM, EEPROM), magnetic and ferromagnetic/ferroelectric memories (MRAM, FeRAM); and magnetic and optical storage devices (hard disk, tape, CD, DVD); or other now known media or later developed that can store computer-readable information/data for use by a computer system.
An embodiment according to the present application comprises an apparatus comprising a memory for storing computer program instructions and a processor for executing the program instructions, wherein the computer program instructions, when executed by the processor, trigger the apparatus to perform a method and/or a solution according to the aforementioned embodiments of the present application.
It will be evident to those skilled in the art that the present application is not limited to the details of the foregoing illustrative embodiments, and that the present application may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the application being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned. Furthermore, it is obvious that the word "comprising" does not exclude other elements or steps, and the singular does not exclude the plural. A plurality of units or means recited in the apparatus claims may also be implemented by one unit or means in software or hardware. The terms first, second, etc. are used to denote names, but not any particular order.

Claims (9)

1. A method for monitoring ARP spoofing in a wireless local area network by a wireless terminal, wherein the method comprises:
taking current MAC address information of gateway equipment of a wireless network where a wireless terminal is located as reference MAC address information, wherein the wireless terminal is accessed into the wireless network through wireless connection with a wireless access point;
detecting whether the current MAC address information of the gateway equipment is the same as the reference MAC address information or not in a delayed manner, wherein the current MAC address information is determined by the wireless terminal in a current ARP cache table according to the MAC address information corresponding to the current IP after a period of time;
if the current MAC address information of the gateway equipment is different from the reference MAC address information, determining that ARP spoofing exists in the wireless local area network;
wherein, if the current MAC address information of the gateway device is different from the reference MAC address information, determining that ARP spoofing exists in the wireless local area network includes:
if the current MAC address information of the gateway equipment is different from the reference MAC address information, sending a request about the MAC address information of the wireless access point to a corresponding server, and receiving the MAC address information of the wireless access point returned by the server based on the request;
if the current MAC address information of the gateway equipment is different from the MAC address information of the wireless access point, determining that ARP spoofing exists in the wireless local area network; if the current MAC address information of the gateway equipment is the same as the MAC address information of the wireless access point, determining that the wireless local area network has been subjected to ARP spoofing or determining that the current MAC address information of the gateway equipment is different from the reference MAC address information and is false, updating the MAC address information of the wireless access point into the reference MAC address information, and returning to the step of detecting whether the current MAC address information of the gateway equipment is the same as the reference MAC address information in a delayed manner.
2. The method of claim 1, wherein the method further comprises:
if the current MAC address information of the gateway equipment is the same as the reference MAC address information, detecting whether other equipment sharing an MAC address with the gateway equipment exists in an address cache table of the wireless terminal;
and if so, determining that ARP spoofing exists in the wireless local area network.
3. The method of claim 2, wherein the determining, if so, that ARP spoofing exists in the wireless local area network comprises:
if such other equipment exists, sending a request about the MAC address information of the wireless access point to a corresponding server, and receiving the MAC address information of the wireless access point returned by the server based on the request;
and if the current MAC address information of the gateway equipment is different from the MAC address information of the wireless access point, determining that ARP spoofing exists in the wireless local area network.
4. The method of claim 3, wherein the determining that there is ARP spoofing in the wireless local area network further comprises:
and if the current MAC address information of the gateway equipment is the same as the MAC address information of the wireless access point, returning to the step of detecting whether the current MAC address information of the gateway equipment is the same as the reference MAC address information or not by delaying.
5. The method of claim 2, wherein the method further comprises:
and if no other equipment sharing the MAC address with the gateway equipment exists in the address cache table of the wireless terminal, returning to the step of detecting whether the current MAC address information of the gateway equipment is the same as the reference MAC address information in a delayed manner.
6. A method for monitoring ARP spoofing in a wireless local area network by a wireless terminal, wherein the method comprises:
when other equipment sharing an MAC address does not exist in a wireless local area network where a wireless terminal is located, acquiring current MAC address information of the gateway equipment, wherein the wireless terminal is accessed to the wireless local area network through wireless connection with a wireless access point;
sending a request about MAC address information of the wireless access point to a corresponding server, and receiving the MAC address information of the wireless access point returned by the server based on the request, wherein the request comprises BSSID of the wireless access point;
if the current MAC address information of the gateway equipment is different from the MAC address information of the wireless access point, determining that ARP spoofing exists in the wireless local area network; and if the current MAC address information of the gateway equipment is the same as the MAC address information of the wireless access point, determining that the wireless local area network has been subjected to ARP spoofing.
7. The method of claim 6, wherein the determining that ARP spoofing exists in the wireless local area network if the current MAC address information of the gateway device is different from the MAC address information of the wireless access point comprises:
and if the current MAC address information of the gateway equipment is the same as the MAC address information of the wireless access point, returning to the step of acquiring the current MAC address information of the gateway equipment when other equipment sharing an MAC address with the gateway equipment does not exist in the wireless local area network where the wireless terminal is located, wherein the wireless terminal is accessed to the wireless local area network through the wireless connection with the wireless access point.
8. An apparatus for monitoring ARP spoofing in a wireless local area network by a wireless terminal, wherein the apparatus comprises:
a processor; and
a memory arranged to store computer executable instructions which, when executed by a computer, cause the processor to perform the operations of the method of any one of claims 1 to 7.
9. A computer-readable medium storing instructions that, when executed by a computer, cause a system to perform the operations of any of the methods of claims 1-7.
CN201810331311.4A 2018-04-13 2018-04-13 Method and equipment for monitoring ARP spoofing in wireless local area network Active CN108430063B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810331311.4A CN108430063B (en) 2018-04-13 2018-04-13 Method and equipment for monitoring ARP spoofing in wireless local area network

Publications (2)

Publication Number Publication Date
CN108430063A CN108430063A (en) 2018-08-21
CN108430063B true CN108430063B (en) 2021-11-19

Family

ID=63160933

Country Status (1)

Country Link
CN (1) CN108430063B (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112804668A (en) * 2019-11-14 2021-05-14 诺玛有限公司 Computer readable medium recorded with bluetooth security threat detection method
CN111953794A (en) * 2020-08-20 2020-11-17 深圳市富之富信息科技有限公司 Group cheating and lending early warning method and device
CN113132993B (en) * 2021-04-23 2023-03-24 杭州网银互联科技股份有限公司 Data stealing identification system applied to wireless local area network and use method thereof
CN114828004B (en) * 2022-04-28 2024-01-26 广州通则康威科技股份有限公司 Method and device for automatically acquiring IP of wireless network equipment by applet

Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101099134A (en) * 2005-02-25 2008-01-02 思科技术公司 Dynamically measuring and re-classifying access points in a wireless network
CN101119371A (en) * 2007-08-28 2008-02-06 杭州华三通信技术有限公司 Method, client terminal, server and system for preventing network attack using ARP
CN103313429A (en) * 2013-07-10 2013-09-18 江苏君立华域信息安全技术有限公司 Processing method for recognizing fabricated WIFI (Wireless Fidelity) hotspot
CN103634270A (en) * 2012-08-21 2014-03-12 中国电信股份有限公司 A method for identifying validity of an access point, a system thereof and an access point discriminating server
CN104219339A (en) * 2014-09-17 2014-12-17 北京金山安全软件有限公司 Method and device for detecting address resolution protocol attack in local area network
CN106209837A (en) * 2016-07-08 2016-12-07 珠海市魅族科技有限公司 ARP cheat detecting method and system
CN106376003A (en) * 2015-07-23 2017-02-01 中移(杭州)信息技术有限公司 Method and device for detecting wireless local area network connection and wireless local area network data transmission
CN106961683A (en) * 2017-03-21 2017-07-18 上海斐讯数据通信技术有限公司 A kind of method, system and finder AP for detecting rogue AP
CN107294989A (en) * 2017-07-04 2017-10-24 杭州迪普科技股份有限公司 A kind of method and device of anti-ARP gateways deception
CN107493576A (en) * 2016-06-12 2017-12-19 上海连尚网络科技有限公司 For the method and apparatus for the security information for determining WAP

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101951367A (en) * 2010-09-09 2011-01-19 健雄职业技术学院 Method for preventing campus network from virus attacks
KR101270041B1 (en) * 2011-10-28 2013-05-31 삼성에스디에스 주식회사 System and method for detecting arp spoofing
CN106899554A (en) * 2015-12-21 2017-06-27 北京奇虎科技有限公司 A kind of method and device for preventing ARP from cheating
CN106506531A (en) * 2016-12-06 2017-03-15 杭州迪普科技股份有限公司 The defence method and device of ARP attack messages
CN107222462A (en) * 2017-05-08 2017-09-29 汕头大学 A kind of LAN internals attack being automatically positioned of source, partition method

Also Published As

Publication number Publication date
CN108430063A (en) 2018-08-21

Similar Documents

Publication Publication Date Title
CN108566656B (en) Method and equipment for detecting security of wireless network
CN108430063B (en) Method and equipment for monitoring ARP spoofing in wireless local area network
US10708226B2 (en) Domain name resolution
CN110113747B (en) Method and equipment for connecting hidden wireless access point
US11409819B2 (en) Method and device for recommending social user
JP2017534198A (en) Apparatus and method for identifying tunneling, outflow and intrusion of domain name system
US20200196149A1 (en) Method and a device for performing wireless connection pre-authorization on a user device
US20200252363A1 (en) Method and device for managing a user
CN107517461B (en) Method and equipment for carrying out wireless connection pre-authorization on user equipment
US9350754B2 (en) Mitigating a cyber-security attack by changing a network address of a system under attack
CN108924833B (en) Method and equipment for authorizing user equipment to connect wireless access point
CN108650236B (en) Method and equipment for detecting ssl man-in-the-middle attack
CN107396362B (en) Method and equipment for carrying out wireless connection pre-authorization on user equipment
CN110557355B (en) Method and equipment for detecting man-in-the-middle attack through user equipment
US20200213856A1 (en) Method and a device for security monitoring of a wifi network
CN108769086B (en) Method and equipment for detecting man-in-the-middle attack through user equipment
CN108848076B (en) Method and equipment for detecting DNS hijacking through user equipment
US11411887B2 (en) Method and device for performing traffic control on user equipment
CN108282786B (en) Method and equipment for detecting DNS spoofing attack in wireless local area network
CN109890027B (en) Method and apparatus for determining security risk information of target wireless access point
CN108768937B (en) Method and equipment for detecting ARP spoofing in wireless local area network
CN107404722B (en) Method and equipment for carrying out wireless connection pre-authorization on user equipment
CN111181864B (en) Method and apparatus for determining link congestion status from an application to a server
CN108696918B (en) Method, apparatus and medium for establishing wireless connection
CN109246034B (en) Method and equipment for allocating flow resources for mobile equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
TA01 Transfer of patent application right

Effective date of registration: 20210426

Address after: 200131 Zone E, 9th floor, No.1 Lane 666, zhangheng Road, China (Shanghai) pilot Free Trade Zone, Pudong New Area, Shanghai

Applicant after: Shanghai Shangxiang Network Technology Co.,Ltd.

Address before: 200120 Shanghai city Pudong New Area mud Town Road No. 979 Building 2 Hon

Applicant before: SHANGHAI LIANSHANG NETWORK TECHNOLOGY Co.,Ltd.

GR01 Patent grant