1. Working Principle
The TCP/IP protocol model has four layers. The lowest, the network interface (link) layer, sits between the network layer and the physical medium and consists of the network interface card (NIC) and its device driver. Data at this layer is sent and received over a single, specific network, and a station on that network is identified by the NIC's physical address, the MAC address.
In Ethernet, the MAC address appears in the header of every frame. The source and destination MAC addresses in the Ethernet header are what switches and receiving stations use to forward and accept frames.
When the network layer hands a packet to a link such as Ethernet, FDDI or Token Ring, the destination's IP address must be mapped to the hardware address of the interface that will receive it. For this mapping the TCP/IP protocol family provides the Address Resolution Protocol (ARP) at the network interface layer. The host that needs a hardware address broadcasts an ARP request to every station on the network; the station whose IP address matches the target replies with its hardware address, and the requester caches the IP/MAC pair. Other stations do not reply. They may use the sender IP/MAC pair carried in the request to refresh an entry they already hold for that sender, but RFC 826 does not have them add entries for addresses they have never resolved. ARP is dynamic: cache entries expire and are resolved again, so a change of IP address or hardware address is picked up after a short delay.
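The exchange just described, as an added example that is not part of the original article: a Python model of Ethernet/ARP frames and of RFC 826 processing, with a requester, a target and a bystander on one segment. All IP and MAC addresses are constructed for the demonstration. Running it with the registered owner of an address powered off and another host configured with that address shows the theft case the article describes: the impostor answers the request, the requester caches its MAC, and nothing in ARP itself flags the substitution.

```python
"""Ethernet/ARP frame construction, parsing and an RFC 826-style resolution exchange."""
import struct

ETH_P_ARP = 0x0806          # EtherType for ARP
HTYPE_ETHERNET = 1
PTYPE_IPV4 = 0x0800
OP_REQUEST, OP_REPLY = 1, 2
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def mac_to_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def bytes_to_ip(b):
    return ".".join(str(x) for x in b)


def build_arp_frame(op, sender_mac, sender_ip, target_mac, target_ip):
    """14-byte Ethernet header + 28-byte ARP body; requests go to the broadcast MAC."""
    eth_dst = BROADCAST_MAC if op == OP_REQUEST else target_mac
    eth = mac_to_bytes(eth_dst) + mac_to_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", HTYPE_ETHERNET, PTYPE_IPV4, 6, 4, op)
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


def parse_arp_frame(frame):
    """Decode an Ethernet/ARP frame into a dict; reject anything but IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: EtherType 0x{ethertype:04x}")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (HTYPE_ETHERNET, PTYPE_IPV4, 6, 4):
        raise ValueError("unsupported hardware/protocol address types")
    body = frame[22:42]
    return {
        "eth_dst": bytes_to_mac(frame[0:6]),
        "eth_src": bytes_to_mac(frame[6:12]),
        "op": op,
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": bytes_to_ip(body[6:10]),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": bytes_to_ip(body[16:20]),
    }


class Host:
    """A station with one IP, one MAC and an ARP cache, processing frames per RFC 826."""

    def __init__(self, ip, mac):
        self.ip, self.mac, self.cache = ip, mac, {}

    def request(self, target_ip):
        return build_arp_frame(OP_REQUEST, self.mac, self.ip, ZERO_MAC, target_ip)

    def receive(self, frame):
        """Process one ARP frame; return the reply frame to send, or None."""
        p = parse_arp_frame(frame)
        known = p["sender_ip"] in self.cache
        if known:                         # refresh an entry we already hold
            self.cache[p["sender_ip"]] = p["sender_mac"]
        if p["target_ip"] != self.ip:     # not for us: stay silent, learn nothing new
            return None
        if not known:                     # the target learns the requester's binding
            self.cache[p["sender_ip"]] = p["sender_mac"]
        if p["op"] == OP_REQUEST:
            return build_arp_frame(OP_REPLY, self.mac, self.ip, p["sender_mac"], p["sender_ip"])
        return None


def resolve(requester, segment, target_ip):
    """Broadcast a request to every other host on the segment; return the MAC learned, or None."""
    req = requester.request(target_ip)
    for h in segment:
        if h is not requester:
            reply = h.receive(req)
            if reply is not None:
                requester.receive(reply)
    return requester.cache.get(target_ip)


if __name__ == "__main__":
    # Constructed segment: the owner of 192.0.2.20 is powered off, an impostor has its IP.
    a = Host("192.0.2.10", "02:00:00:00:00:0a")
    impostor = Host("192.0.2.20", "02:00:00:00:00:ee")
    bystander = Host("192.0.2.30", "02:00:00:00:00:1e")
    print("192.0.2.20 resolves to", resolve(a, [a, impostor, bystander], "192.0.2.20"))
```

The requester accepts whichever station answers for the target IP; when two stations hold the same address the last reply to arrive wins, which is why the duplicate-address case surfaces as erratic connectivity rather than a clean error.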
In practice a user may change a client's IP address or swap its network adapter for any number of reasons. Such changes, particularly when the network administrator does not notice them, directly affect the secure operation of the network: IP address management and per-address traffic accounting both depend on a stable binding between address and host. To prevent this and keep IP addresses unique, the administrator must maintain a standard IP address allocation table and an IP address to hardware address (MAC) registration form, and keep both on file.
If two hosts on the LAN have the same IP address, both raise an address-conflict alarm and applications on them fail in confusing ways. IP address theft has therefore become one of the network administrator's biggest headaches. How can it be prevented when hundreds or even thousands of hosts access the Internet at the same time?
2. Problems Introduced
Most group users access the Internet over leased lines. Within the planned CIDR blocks, the network management department allocates IP address resources to registered users so that their traffic can be delivered. Static IP addresses are an essential configuration item here and serve as the host's "ID card" on the network. When assigning them the administrator has two correctness requirements: the allocated address must lie within the planned subnet, and it must be unique to one connected host, with no ambiguity.
In practice, an IP address assigned by the network administrator only takes effect once the customer has configured it on the host. This puts the address directly in the end user's hands, and the user is free to change it. A modified address produces one of three outcomes. First, an invalid address: the address is outside the planned segment and the host's network connection simply fails. Second, a duplicate address: it conflicts with a legitimately allocated address that is already online, and neither host can connect reliably. Third, illegal occupation of an allocated resource: theft of another registered user's legitimate address, typically while the registered machine is powered off, in order to communicate online. The first two cases are recognised and blocked by the network itself and result only in an interruption of service. The third case cannot be identified by the operating system. If the administrator takes no preventive measures, it infringes the rights and interests of the registered user and is by far the most harmful.
3. Solution
The following three methods can be used to establish IP address management measures that monitor and prevent arbitrary IP address changes and make network management more rigorous and secure.
Method 1: use the ARP utility provided by UNIX and Windows systems to collect the ARP cache at regular intervals and save the output to a database or a text file, building a table of current IP address to NIC hardware address bindings. A query program over this table, together with an automatic comparison against the historical records, determines when a problem occurred and what caused it.
Method 2: use the network management functions of the switching equipment to improve detection and fault inventory. Many switches now have built-in management functions; for example, 3Com SUPERSTACK II series switches can look up an IP address and identify the port on which conflicting IP addresses appear, so the faulty host can be located quickly and accurately.
Method 3: manage Internet access at the router, through IP address allocation and router configuration. Configure static ARP entries on the router so that each assigned IP address is strictly bound to its registered hardware address and is never learned dynamically from the LAN; the router then forwards traffic for an address only when it comes from the NIC it was assigned to, which keeps every assigned IP address unique in practice.
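As an added example, not taken from the original article, the following Python script implements Method 1 and Method 3 on constructed data: it parses the `arp -a` output of Linux and Windows hosts, compares the observed IP/MAC bindings with the administrator's registration form, classifies each deviation, and emits the Linux `ip neigh ... nud permanent` commands that pin each registered binding on a Linux gateway. The sample ARP output, the registry, the 192.0.2.0/24 subnet and the interface name eth0 are all constructed for the demonstration; a Cisco or other router would need its own static ARP syntax.

```python
"""Audit a collected ARP table against the IP/MAC registration form (Method 1),
and generate static gateway bindings from the form (Method 3)."""
import ipaddress
import re

# Constructed sample of `arp -a` output: Linux format on the first three lines,
# Windows format on the last two. Incomplete Linux entries ("<incomplete>") are skipped.
SAMPLE_ARP_OUTPUT = """\
? (192.0.2.10) at 02:00:00:00:00:0a [ether] on eth0
? (192.0.2.20) at 02:00:00:00:00:ee [ether] on eth0
? (192.0.2.31) at 02:00:00:00:00:0a [ether] on eth0
  192.0.2.77            02-00-00-00-00-4d     dynamic
  198.51.100.5          02-00-00-00-00-05     dynamic
"""

# Constructed registration form: the administrator's planned IP -> MAC bindings.
REGISTRY = {
    "192.0.2.10": "02:00:00:00:00:0a",
    "192.0.2.20": "02:00:00:00:00:14",
    "192.0.2.30": "02:00:00:00:00:1e",
}
SUBNET = ipaddress.ip_network("192.0.2.0/24")

_LINUX = re.compile(r"\((\d+\.\d+\.\d+\.\d+)\) at ([0-9a-fA-F:]{17})")
_WINDOWS = re.compile(r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})")


def normalize_mac(mac):
    """Windows prints 02-00-..., Linux 02:00:...; compare everything in one form."""
    return mac.lower().replace("-", ":")


def parse_arp_output(text):
    """Return {ip: mac} from `arp -a` output in either Linux or Windows format."""
    table = {}
    for line in text.splitlines():
        m = _LINUX.search(line) or _WINDOWS.match(line)
        if m:
            table[m.group(1)] = normalize_mac(m.group(2))
    return table


def audit(observed, registry, subnet):
    """Compare observed bindings with the registry; return a sorted list of findings."""
    findings = []
    for ip, mac in observed.items():
        if ipaddress.ip_address(ip) not in subnet:
            findings.append(("out_of_subnet", ip, mac))        # first case: invalid address
        elif ip not in registry:
            findings.append(("unregistered_ip", ip, mac))      # address nobody was assigned
        elif registry[ip] != mac:
            findings.append(("mac_mismatch", ip, mac))         # third case: registered IP, other NIC
    by_mac = {}
    for ip, mac in observed.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in by_mac.items():
        if len(ips) > 1:                                       # one NIC seen under several IPs
            findings.append(("mac_reuse", mac, ",".join(sorted(ips))))
    return sorted(findings)


def static_neighbor_commands(registry, dev="eth0"):
    """Method 3 on a Linux gateway: permanent neighbour entries, one per registered binding."""
    return [f"ip neigh replace {ip} lladdr {mac} dev {dev} nud permanent"
            for ip, mac in sorted(registry.items())]


if __name__ == "__main__":
    for finding in audit(parse_arp_output(SAMPLE_ARP_OUTPUT), REGISTRY, SUBNET):
        print(*finding)
    print("\n".join(static_neighbor_commands(REGISTRY)))
```

A mac_mismatch finding is the article's third case: a registered address answered by a NIC that is not the registered one. Two limits apply in practice. An ARP cache only lists hosts the collecting machine has recently exchanged traffic with, so collection should run from a device that talks to the whole segment, or be combined with the switch data of Method 2. And a user who clones the registered MAC as well as the IP is invisible to any IP/MAC comparison, including the static binding of Method 3; that case can only be caught by tying the MAC to a switch port.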
4. Comparison of the three methods
Method 1: needs no additional network equipment, but the results must be interpreted manually, and detection of addresses that are unassigned or in use without a conflict lags behind the event.
Method 2: fast and accurate monitoring, but it requires managed switches. The switch tracks IP address conflicts automatically while other monitoring remains manual, and, as with Method 1, detection of unassigned or non-conflicting addresses lags behind.
Method 3: manages the IP addresses that reach the Internet markedly better. The router automatically closes the egress to any illegal IP address, which can then reach only internal addresses and operate within the LAN, and it handles unassigned and non-conflicting addresses in real time. It effectively confines users with illegal IP addresses, protects the legitimate rights and interests of registered users, and makes system maintenance easier.