
TWM541160U - Apparatus for blocking network and computer-readable medium - Google Patents


Info

Publication number
TWM541160U
Authority
TW
Taiwan
Prior art keywords
address
network
packet
forged
blocking
Prior art date
Application number
TW105215896U
Other languages
Chinese (zh)
Inventor
陳李書滕
Original Assignee
曜祥網技股份有限公司
Priority date
Filing date
Publication date
Application filed by 曜祥網技股份有限公司
Publication of TWM541160U

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/10 Mapping addresses of different types
    • H04L 61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0227 Filtering policies
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

A device for blocking network access and a computer-readable medium are provided, adapted for performing network management on Internet Protocol (IP) connected devices in a network domain. The device is configured to execute a network blocking method comprising the following steps. It is determined whether the IP connected devices belong to the blocking group. At least one fake address is generated; the fake address is excluded from the Media Access Control (MAC) addresses of the IP connected devices in the blocking group. Then, for each IP connected device in the blocking group, a fake packet containing one of the fake addresses is broadcast. The purpose of blocking network access is thereby achieved effectively.

Description

Network blocking device and computer-readable storage medium

The present utility model relates to network management technology, and in particular to a network blocking device and a computer-readable storage medium.

With the rapid development of technology, all kinds of electronic devices are becoming ever more widespread. To achieve resource sharing, the network has become essential equipment for information exchange, which in turn has driven rapid growth in commercial and household networked devices (for example, smartphones, smart cameras, wireless access points, smart TVs and so on). In response to the deployment of large numbers of networked devices, network administrators also need to control the network functions of those devices.

On the other hand, information security is a major challenge for network management. When faced with networked devices that violate the security policy (for example, installing pirated software, out-of-date virus signatures, excessive broadcasting and so on), network administrators usually block those devices from the network to prevent them from further affecting other networked devices in the domain. It follows that there is a need for a network blocking scheme that is effective and meets practical requirements.

The present utility model provides a network blocking device and a computer-readable storage medium which block the network access of the networked devices to be blocked by broadcasting forged packets carrying forged addresses.

The present utility model proposes a network blocking device suitable for performing network management on networked devices in a network domain; it includes a communication module and a processing unit. The communication module transmits and receives packets. The processing unit is coupled to the communication module and is configured to perform the following steps. Determine whether a networked device belongs to the blocking group. Generate at least one forged address, where the forged addresses are excluded from the physical (MAC) addresses of the networked devices in the blocking group. Then, for each networked device in the blocking group, broadcast a forged packet through the communication module, the forged packet including one of the forged addresses.

From another viewpoint, the present utility model also proposes a computer-readable storage medium for storing a computer program. The program is loaded into a network blocking device and causes the network blocking device to execute a network blocking method comprising the following steps. Determine whether a networked device belongs to the blocking group. Generate at least one forged address, excluded from the physical addresses of the networked devices in the blocking group. Then, for each networked device in the blocking group, broadcast a forged packet that includes one of the forged addresses.

Based on the above, the network blocking device and computer-readable storage medium of the embodiments generate a forged address for the networked devices belonging to the blocking group and broadcast a Gratuitous Address Resolution Protocol (GARP) reply packet that includes this forged address. Accordingly, if another networked device intends to send a packet to a networked device in the blocking group, the packet cannot be delivered effectively, and the network of the blocking group is thereby blocked. Besides greatly reducing the number of packets transmitted, the broadcast approach can also cope with large numbers of networked devices. On the other hand, for a small number of devices to be blocked, the embodiments further intercept Address Resolution Protocol (ARP) packets and send forged ARP packets in order to block the packets sent by the devices to be blocked.

To make the above features and advantages of the present utility model more readily understood, embodiments are described in detail below with reference to the accompanying drawings.

A Gratuitous Address Resolution Protocol (GARP) reply packet is a kind of ARP reply packet; to broadcast a GARP reply packet, the target Media Access Control (MAC) address must be set to FF:FF:FF:FF:FF:FF. The embodiments use broadcast GARP reply packets so that every networked device in the domain receives the forged GARP reply packet (including, for example, a forged address), so that those networked devices cannot effectively deliver packets to the networked devices in the blocking group; this addresses both the limited lifetime of ARP entries and environments with large numbers of networked devices. In addition, the embodiments intercept the ARP request packets of the networked devices in the blocking group and answer with forged ARP reply packets (including, for example, a forged address), so that subsequent transmissions from the blocking group cannot complete. Several embodiments in keeping with the spirit of the present utility model are presented below; those applying them may adjust them as needed and are not limited to the following description.

FIG. 1 is a schematic diagram of a communication system according to an embodiment of the present utility model. Referring to FIG. 1, the communication system 10 includes one or more IP connected devices 110 and a network blocking device 150. In this embodiment, the devices in the communication system 10 are in the same network domain (for example, a Local Area Network (LAN), an intranet, etc.). In other embodiments, some of the devices in the communication system 10 are in different networks, in which case the communication system 10 may additionally contain an ARP proxy device. Moreover, the number of networked devices 110 in FIG. 1 is for illustration only and is not intended to limit the embodiments.

The networked device 110 can be an electronic device such as a computer, mobile phone, wireless access point, server, smartphone, display device, smart camera, router or network switch, which, based on at least one of IP, Transmission Control Protocol (TCP), User Datagram Protocol (UDP) or similar protocols, exchanges data with another networked device 110 and with the network blocking device 150, or connects to the Internet.

The network blocking device 150 can be any kind of server, wireless access point, router, network switch, computer, workstation or similar equipment. In practice, the network blocking device 150 may be the device the network administrator uses as the network control center of the domain. From a hardware viewpoint, FIG. 2 is a block diagram of the components of the network blocking device 150 according to an embodiment. Referring to FIG. 2, the network blocking device 150 includes at least (but not only) a communication module 151 and a processing unit 155.

The communication module 151 can be any type of wireless network interface module supporting the WiFi standard or another wireless transmission function, any type of wired network interface module supporting Ethernet, optical fiber or another wired transmission function, or even a combination of wireless and wired network interface modules. In the embodiments, the network blocking device 150 communicates with the networked devices 110 through the communication module 151.

The processing unit 155 is connected to the communication module 151 and may be a Central Processing Unit (CPU), another programmable general-purpose or special-purpose microprocessor, a Digital Signal Processor (DSP), a programmable controller, an Application Specific Integrated Circuit (ASIC), a similar component, or a combination of these. In the embodiments, the processing unit 155 performs all operations of the network blocking device 150.

To make the operating flow of the embodiments easier to understand, several embodiments are given below to describe in detail the network blocking method of the network blocking device 150. FIG. 3 is a flow chart of a network blocking method according to an embodiment. Referring to FIG. 3, the method of this embodiment applies to the network blocking device 150 of FIG. 1 and FIG. 2. In the following, the method is described in terms of the components and modules of the network blocking device 150. Each step of the method may be adjusted according to the implementation and is not limited to what is described. In addition, the embodiments can be divided into active blocking and passive blocking; active blocking is described first.

In step S310, the processing unit 155 of the network blocking device 150 determines whether a networked device 110 belongs to the blocking group. Specifically, the network administrator sets a management policy for the network management of each networked device 110 in the domain. The policy may concern identity verification, system updates, virus signature updates, prohibited software, network anomalies, networked devices 110 newly joined to the domain, IP conflicts, regulatory requirements and so on; the embodiments impose no limitation here. Networked devices 110 that violate the management policy are placed in the blocking group, so that the communications of the blocking group within the domain can be blocked and the networked devices 110 in the blocking group are prevented from affecting, via the network, the networked devices 110 of other, non-blocked groups (for example, the normal group).

It should be noted that because the network blocking device 150 acts as the network control center of the network, it already stores the connection information of each networked device 110 in the domain (for example, IP address, physical address (also called MAC address), port, Virtual Local Area Network (VLAN) identifier (ID) and so on) and device information (for example, computer name, group name and so on); it may also use real-time event detection (for example, excessive traffic, IP address expiry, login operations, installation of prohibited software, usage beyond a scheduled shutdown time and so on) to help decide whether a networked device 110 belongs to the blocking group.

In step S330, the processing unit 155 of the network blocking device 150 generates a forged address. The forged address is excluded from the physical addresses of the networked devices 110 in the blocking group. Specifically, in the ARP procedure, device A sends an ARP request packet asking for the physical address of device B, and device B replies with its physical address to device A so that subsequent communication between A and B can proceed. To achieve network blocking, in the active blocking embodiment the network blocking device 150 generates a forged address for each networked device 110 in the blocking group, so that when a networked device 110 in the domain intends to send data to a networked device 110 in the blocking group, it sends the data to the forged address instead. In this way, data destined for the networked devices 110 in the blocking group cannot be delivered.

The forged address may be set to the physical address of the network blocking device 150, a specific physical address (for example, 00:00:00:00:00:01, FF:FF:FF:00:00:00, etc.) or a randomly generated physical address; any physical address that differs from, or is unrelated to, the networked devices 110 in the blocking group may be used, except 00:00:00:00:00:00 and FF:FF:FF:FF:FF:FF, and the present utility model is not limited in this respect.

In step S350, for each networked device 110 in the blocking group, the processing unit 155 of the network blocking device 150 broadcasts a forged packet through the communication module 151. The forged packet includes one of the forged addresses. In this embodiment, the forged packet is a GARP reply packet. The processing unit 155 broadcasts, in turn (for example, moving on to the next networked device 110 to be blocked every 0.03 or 0.05 seconds), a GARP reply packet including one of the forged addresses for each networked device 110 in the blocking group through the communication module 151. In addition, the GARP reply packet also includes the IP address of one of the networked devices in the blocking group.

Specifically, suppose a scenario in which a local area network contains n networked devices 110 (including a blocked device C that belongs to the blocking group; n is a positive integer). The processing unit 155 can send, through the communication module 151, a forged ARP packet (including the forged address) to each of the other n-1 networked devices 110 (all except device C), telling those n-1 devices that the MAC address of device C is the forged address (for example, 00:00:00:00:00:01). When any of the n-1 devices wants to send data to device C, the data is sent to the forged MAC address and therefore does not reach device C.

In another scenario, to block device C from communicating with the other n-1 networked devices 110, the processing unit 155 of the network blocking device 150 has to send n-1 forged ARP packets to device C through the communication module 151, each telling device C that the MAC address of one of the n-1 networked devices 110 is the forged address. Consequently, when device C wants to send data to those n-1 networked devices 110, the data is sent to the forged address and cannot reach them.

In both scenarios above, so as not to disturb the operation of the networked devices 110, the processing unit 155 usually has to pause, for example 0.03 seconds, after sending each forged ARP packet through the communication module 151 before sending the next one. However, the forged ARP information held by the networked devices 110 has a limited lifetime, so every 60 seconds the processing unit 155 must retransmit the forged ARP packets to the networked devices 110 through the communication module 151. Otherwise the forged ARP information expires and communication between the devices is no longer effectively blocked. The scenarios above therefore have the following drawbacks:

a. As the number of networked devices 110 grows, blocking fails. Suppose there are 1200 networked devices 110. To block communication between one device C and the other 1199 devices 110, the network blocking device 150 has to send one forged ARP packet to each of the other 1199 devices 110 (all except device C), telling each of them that the MAC address of device C is some forged address. The network blocking device 150 also has to send 1199 forged ARP packets to device C, telling device C that the MAC addresses of the 1199 devices 110 are a forged address. The example therefore sends 1199 + 1199 = 2398 forged ARP packets in total to block communication between device C and the other 1199 devices 110. However, since each forged ARP packet must be followed by a 0.03-second pause before the next one, sending 2398 forged packets takes at least (2398 - 1) * 0.03 seconds = 71.91 seconds. As a result, the forged ARP information received by the devices 110 during the first 11 seconds may expire between the 60th and 71st second, at which point device C has a chance to communicate with the other 1199 devices 110.

b. A slight increase in the number of devices to be blocked causes blocking to fail. Suppose there are 500 networked devices 110 online and 5 of them, devices D to H, are to be blocked. The processing unit 155 of the network blocking device 150 has to send one forged ARP packet to each of the other 495 devices 110 through the communication module 151, and has to send 495 forged ARP packets to device D (devices E to H are blocked in the same or a similar way as device D and are not described again here). Blocking communication between devices D to H and the other 495 devices 110 therefore requires (495 + 495) * 5 = 4950 forged ARP packets and takes at least (4950 - 1) * 0.03 seconds = 148.47 seconds, so the forged ARP information received by these devices 110 expires progressively between the 60th and 148th second. Devices D to H thus have a chance to communicate with the other 495 devices between the 60th and 148th second.

To overcome these drawbacks, the active blocking embodiment of the present utility model relies on broadcast GARP reply packets (whose destination MAC address is, for example, FF:FF:FF:FF:FF:FF and whose destination IP address is, for example, 0.0.0.0): the processing unit 155 of the network blocking device 150 generates, through the communication module 151, a corresponding GARP reply packet for each networked device 110 in the blocking group. The IP address of each GARP reply packet is set to the IP address of one of the networked devices 110 in the blocking group, and the source MAC address is one of the forged addresses, so as to tell the networked devices 110 that the MAC address of that particular IP address (the IP address of one of the networked devices 110 in the blocking group) is the forged address.

For example, if the IP address of device C is 192.168.4.6, the source IP address in the forged GARP reply corresponding to device C is set to 192.168.4.6 and its source MAC address is set to 00:00:00:00:00:01.

Compared with the scenario mentioned earlier (one forged ARP packet has to be sent to each of the other n-1 networked devices 110, that is, n-1 forged ARP packets in total), the embodiment needs to send only one forged GARP reply packet for a given networked device 110 in the blocking group (for example, device C) in order for all the other n-1 networked devices 110 to learn the forged address as the MAC address of device C. Consequently, when those n-1 networked devices 110 want to send data to device C, the data is sent to the forged address and cannot reach device C.

In addition, before a given GARP reply packet (for example, the one for a particular networked device 110 in the blocking group) expires, the processing unit 155 of the network blocking device 150 can broadcast the gratuitous ARP reply packet again through the communication module 151. Specifically, a gratuitous ARP reply packet has a limited lifetime (for example, sixty seconds, fifty seconds, etc., depending on the applicable standard). The processing unit 155 of the network blocking device 150 therefore has to broadcast, through the communication module 151, the same or a different GARP reply packet (for example, the forged address may change, but the source IP address in the GARP reply packet remains that of this networked device 110 in the blocking group) at regular intervals (for example, every sixty seconds, or the lifetime defined above), until the networked device 110 to be blocked no longer belongs to the blocking group.

另一方面,針對被動式封鎖的實施例,在步驟S310中,網路封鎖設備150的處理單元155更透過通訊模組151擷取ARP要求封包,並判斷ARP要求封包中的來源是否對應於封鎖群組中的連網設備。具體而言,當封鎖群組中各連網設備110欲與其他連網設備110進行通訊時,封鎖群組中各連網設備110會廣播ARP要求封包,以試圖取得所欲通訊之其他連網設備110的MAC位址。而處理單元155便是透過通訊模組151對廣播的ARP要求封包進行監控,且對封鎖群組中各連網設備110所發出的ARP要求封包進行擷取。On the other hand, in the embodiment of the passive blocking, in step S310, the processing unit 155 of the network blocking device 150 further retrieves the ARP request packet through the communication module 151, and determines whether the source in the ARP request packet corresponds to the blocking group. Networked devices in the group. Specifically, when each networked device 110 in the blocking group wants to communicate with other networked devices 110, each connected device 110 in the blocking group broadcasts an ARP request packet in an attempt to obtain other networking of the desired communication. The MAC address of device 110. The processing unit 155 monitors the broadcast ARP request packet through the communication module 151, and extracts the ARP request packet sent by each networked device 110 in the blocking group.

接著,若ARP要求封包中的來源對應於封鎖群組中的連網設備110,則網路封鎖設備150的處理單元155更透過通訊模組151傳送包括偽造位址中的一者的ARP回應封包至發送ARP要求封包的連網設備110(屬於封鎖群組)。而此ARP回應封包中的來源IP位址設定為ARP要求封包中的來源IP位址,來源MAC位址設定為偽造位址(例如,00:00:00:00:00:01),且目的IP位址及MAC位址為發送ARP要求封包的連網設備110的IP位址及MAC位址。Then, if the source in the ARP request packet corresponds to the networked device 110 in the blocked group, the processing unit 155 of the network blocking device 150 further transmits the ARP response packet including one of the forged addresses through the communication module 151. To the networked device 110 (which belongs to the blocked group) that sends the ARP request packet. The source IP address in the ARP response packet is set to the source IP address in the ARP request packet, and the source MAC address is set to the fake address (for example, 00:00:00:00:00:01), and the purpose The IP address and MAC address are the IP address and MAC address of the networked device 110 that sends the ARP request packet.

For example, device C sends an ARP request packet (with destination IP address 192.168.9.5). When the network blocking device 150 receives this ARP request packet, it responds to device C with a forged ARP reply packet (source IP address 192.168.9.5, source MAC address the forged 00:00:00:00:00:01, and destination IP and MAC addresses those of device C).

Conversely, if the source of the ARP request packet does not correspond to a networked device 110 in the blocked group, the processing unit 155 of the network blocking device 150 does not respond with a forged reply packet.

Compared with the scenario mentioned earlier (where device C must be told that the other n-1 networked devices 110 have forged addresses, so n-1 forged ARP packets are sent in total), this embodiment only needs to intercept the ARP request packets sent by the networked devices 110 in the blocked group to effectively block their communication. When device C, belonging to the blocked group, wants to send data to any of the other n-1 networked devices 110, the data is sent to the forged address and therefore cannot reach the intended networked device 110.
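The passive-blocking decision described above can be modelled directly on the ARP wire format, together with the audit a defender would run on the replies it produces. The following is an added example, not code from the patent or its assignee: it decodes Ethernet/ARP frames (RFC 826 over Ethernet II), applies the step-S310 rule (reply only to requests whose sender is in the blocked group, mapping the fields as in the 192.168.9.5 example), and flags replies whose announced MAC disagrees with a known IP-to-MAC inventory. All MAC and IP values, the device roles, the `inventory` table and the blocking device's own NIC address are constructed for the demo; the `build_arp` helper exists only to construct sample input in memory.

```python
"""Passive-blocking decision of step S310 modelled on the ARP wire format,
plus the audit a defender would run on replies. Added example, not the
patent's code; every address and the inventory table are constructed."""
import struct
from typing import Dict, List, Optional, Set

ETH_HDR = struct.Struct("!6s6sH")          # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
FORGED_MAC = "00:00:00:00:00:01"           # forged address used in the text
ZERO_MAC, BCAST_MAC = "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"

def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))

def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)

def build_arp(op: int, sha: str, spa: str, tha: str, tpa: str,
              eth_src: Optional[str] = None) -> bytes:
    """Serialise an ARP frame; used here only to construct sample input."""
    eth_dst = BCAST_MAC if op == ARP_REQUEST else tha
    eth = ETH_HDR.pack(mac(eth_dst), mac(eth_src or sha), ETHERTYPE_ARP)
    arp = ARP_HDR.pack(1, 0x0800, 6, 4, op, mac(sha), ip(spa), mac(tha), ip(tpa))
    return eth + arp

def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an Ethernet/ARP frame into named fields; None if not IPv4 ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    dst, src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": mac_str(dst), "eth_src": mac_str(src), "op": op,
            "sha": mac_str(sha), "spa": ip_str(spa), "tha": mac_str(tha), "tpa": ip_str(tpa)}

def passive_reply_fields(request: dict, blocked_macs: Set[str],
                         forged_mac: str = FORGED_MAC) -> Optional[dict]:
    """Step S310 rule: answer only requests whose sender is in the blocked
    group. Field mapping follows the 192.168.9.5 example: the reply claims
    the requested IP lives at the forged MAC and is addressed to the
    requester. Returns None when no reply is to be sent."""
    if request["op"] != ARP_REQUEST or request["sha"] not in blocked_macs:
        return None
    return {"op": ARP_REPLY, "sha": forged_mac, "spa": request["tpa"],
            "tha": request["sha"], "tpa": request["spa"]}

def audit_reply(reply: dict, inventory: Dict[str, str]) -> List[str]:
    """Defender's check on a captured ARP reply: the reasons it looks forged.
    An empty list means the reply is consistent with the known inventory."""
    reasons: List[str] = []
    if reply["op"] != ARP_REPLY:
        return reasons
    known = inventory.get(reply["spa"])
    if known is not None and known != reply["sha"]:
        reasons.append(f"{reply['spa']} announced at {reply['sha']}, inventory has {known}")
    if reply["eth_src"] != reply["sha"]:
        reasons.append("Ethernet source MAC differs from ARP sender hardware address")
    return reasons

def demo() -> dict:
    """Device C (blocked) asks for 192.168.9.5; a normal device asks as well."""
    inventory = {"192.168.9.5": "02:00:00:00:00:05",    # constructed target
                 "192.168.9.20": "02:00:00:00:00:14",   # constructed device C
                 "192.168.9.7": "02:00:00:00:00:07"}    # constructed normal device
    blocked = {inventory["192.168.9.20"]}
    blocker_nic = "02:00:00:00:01:50"  # assumed MAC of the blocking device's NIC
    req_c = parse_arp(build_arp(ARP_REQUEST, inventory["192.168.9.20"], "192.168.9.20", ZERO_MAC, "192.168.9.5"))
    req_n = parse_arp(build_arp(ARP_REQUEST, inventory["192.168.9.7"], "192.168.9.7", ZERO_MAC, "192.168.9.5"))
    fields = passive_reply_fields(req_c, blocked)
    reply = parse_arp(build_arp(fields["op"], fields["sha"], fields["spa"],
                                fields["tha"], fields["tpa"], eth_src=blocker_nic))
    return {"reply_to_c": fields,
            "reply_to_normal": passive_reply_fields(req_n, blocked),
            "audit": audit_reply(reply, inventory)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The audit shows the two signals that distinguish such a reply from a genuine one: the announced MAC disagrees with the recorded owner of that IP, and the Ethernet source does not match the ARP sender hardware address (the latter holds only under the assumption that the blocking device transmits from its own NIC address, which the text does not specify).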

To allow those of ordinary skill in the art to understand the operational flow of this creation, a further example is given below. FIG. 4 is a flowchart illustrating an example of network blocking. Please refer to FIG. 1 and FIG. 4 together; in the following, the scenario is described with reference to the networked devices 110 and the network blocking device 150 of FIG. 1. Each step may be adjusted according to the implementation and is not limited to what is described here.

First, the network blocking device 150 determines, based on a management policy (for example, whether prohibited software is installed, whether the system is updated, whether the virus signatures are updated, and so on), whether blocking is required (step S410), and if so (that is, an event violating the management policy has occurred), divides the networked devices 110 into a normal group and a blocked group (step S420). Assume the normal group has x networked devices 110 and the blocked group has y networked devices 110, where x and y are positive integers.

To block data transmission from the normal group to the blocked group (that is, active network blocking), the network blocking device 150 sends out y forged GARP reply packets in sequence every 60 seconds, at an interval of 0.03 seconds per device in the blocked group (step S430). These y GARP reply packets respectively indicate that the MAC addresses of the y networked devices 110 are a forged address (for example, 00:00:00:00:00:01). Having received these y forged GARP reply packets in sequence, the x networked devices 110 regard the MAC addresses of the y networked devices 110 as the forged address (for example, 00:00:00:00:00:01). Therefore, when the x networked devices 110 want to send data to the y networked devices 110, the data is sent to the forged MAC address of a non-existent device, thereby achieving communication blocking. On the other hand, if no blocking is required, the network blocking device 150 stops capturing ARP request packets (step S440) and ends the procedure accordingly (step S450).

To block data transmission from the blocked group to the normal group (that is, passive network blocking), the network blocking device 150 determines whether to stop capturing ARP request packets (step S460). If so (for example, y is zero), the procedure ends (step S450). Otherwise (for example, y is 5), the network blocking device 150 captures ARP request packets (step S470). Next, the network blocking device 150 determines whether the ARP request packet belongs to the blocked group (step S480). If so (for example, the source of the ARP request packet is one of the y networked devices 110 in the blocked group), the network blocking device 150 responds to the one of the y networked devices 110 that sent the ARP request packet with a forged ARP reply packet (for example, with the source IP address set to the destination IP address specified in the ARP request packet and the source MAC address set to 00:00:00:00:00:01) (step S490). Therefore, when one of the y networked devices 110 (for example, device y1) wants to send data to one of the x networked devices 110 (for example, device x1), the data is sent to the non-existent forged address. Furthermore, when these forged ARP reply packets expire after 60 seconds, device y1 may again send an ARP request packet to ask for the MAC address of device x1. The network blocking device 150 again responds to device y1 with a forged ARP reply packet (for example, with the source MAC address set to 00:00:00:00:00:01), telling device y1 that the MAC address of device x1 is the non-existent MAC address 00:00:00:00:00:01. This repeats cyclically to achieve communication blocking.
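The FIG. 4 flow can be checked end to end in a small model of the segment's ARP caches. The following is an added example, not code from the patent or its assignee: it runs one active round (step S430, one GARP reply per blocked host heard by every other host), then resolves addresses across and within the groups (steps S470 to S490, where only requests from the blocked group receive a forged reply), expires the caches after the 60-second lifetime and refreshes them, and counts how many forged packets the blocking device had to emit. The `garp_send_window_ms` helper reproduces the (y - 1) * 0.03-second batch timing used in the worked figures later on this page (0.12 seconds for five blocked devices) and tests whether a batch fits inside the 60-second refresh period. Hosts, addresses and the cache behaviour (hosts accept gratuitous replies, and the forged reply wins the race against the genuine one) are constructed assumptions of the model.

```python
"""Model of the FIG. 4 flow: active blocking by periodic forged GARP replies
(S430) and passive blocking by answering captured requests (S470-S490),
with the 60-second refresh and 0.03-second spacing from the text.
Added example, not the patent's code; hosts and addresses are constructed,
and hosts are assumed to accept gratuitous replies unconditionally."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

FORGED_MAC = "00:00:00:00:00:01"   # forged address used throughout the text
REFRESH_MS = 60_000                # forged entries expire / are resent every 60 s
SPACING_MS = 30                    # 0.03 s between successive GARP replies

def garp_send_window_ms(y: int, spacing_ms: int = SPACING_MS) -> int:
    """Time to emit y GARP replies spaced spacing_ms apart: (y - 1) * spacing."""
    return 0 if y <= 0 else (y - 1) * spacing_ms

def fits_refresh_period(y: int) -> bool:
    """True when the whole batch can be resent before the previous one expires."""
    return garp_send_window_ms(y) < REFRESH_MS

@dataclass
class Host:
    ip: str
    mac: str
    cache: Dict[str, str] = field(default_factory=dict)   # ip -> mac

class Lan:
    def __init__(self, hosts: List[Host], blocked_ips: List[str]):
        self.hosts = {h.ip: h for h in hosts}
        self.blocked = set(blocked_ips)
        self.forged_sent = 0     # packets the blocking device had to emit

    def active_blocking_round(self) -> None:
        """S430: one GARP reply per blocked host, heard by every other host,
        which records the forged MAC for that IP (assumed cache behaviour)."""
        for ip in sorted(self.blocked):
            self.forged_sent += 1
            for h in self.hosts.values():
                if h.ip != ip:
                    h.cache[ip] = FORGED_MAC

    def resolve(self, requester_ip: str, target_ip: str) -> Optional[str]:
        """A host resolving target_ip: cache hit, otherwise a broadcast request.
        S480/S490: only requests from the blocked group get the forged reply;
        any other requester receives the genuine answer."""
        req = self.hosts[requester_ip]
        if target_ip in req.cache:
            return req.cache[target_ip]
        answer: Optional[str]
        if requester_ip in self.blocked:
            self.forged_sent += 1
            answer = FORGED_MAC
        else:
            tgt = self.hosts.get(target_ip)
            answer = tgt.mac if tgt else None
        if answer is not None:
            req.cache[target_ip] = answer
        return answer

    def expire_all(self) -> None:
        """The 60 s cache lifetime has elapsed on every host."""
        for h in self.hosts.values():
            h.cache.clear()

def build_lan(x: int, y: int) -> Lan:
    """x normal hosts followed by y blocked hosts, with constructed addresses."""
    hosts = [Host(f"10.0.{i // 256}.{i % 256}", f"02:00:00:00:{i // 256:02x}:{i % 256:02x}")
             for i in range(1, x + y + 1)]
    return Lan(hosts, [h.ip for h in hosts[x:]])

def simulate(x: int, y: int) -> dict:
    """One refresh period of the FIG. 4 flow for x normal and y blocked hosts."""
    lan = build_lan(x, y)
    lan.active_blocking_round()
    ips = list(lan.hosts)                 # insertion order: normal hosts first
    n1, n2, b1 = ips[0], ips[1], ips[x]
    result = {
        "normal_to_blocked": lan.resolve(n1, b1),   # forged via GARP (active)
        "blocked_to_normal": lan.resolve(b1, n1),   # forged via reply (passive)
        "normal_to_normal": lan.resolve(n1, n2),    # untouched, genuine MAC
        "forged_sent": lan.forged_sent,
        "send_window_ms": garp_send_window_ms(y),
    }
    lan.expire_all()                      # caches age out after 60 s ...
    lan.active_blocking_round()           # ... and the device resends first
    result["normal_to_blocked_after_refresh"] = lan.resolve(n1, b1)
    return result

if __name__ == "__main__":
    print(simulate(495, 5))
```

For 495 normal and 5 blocked hosts the model emits five GARP replies in a 120 ms window plus one forged reply per blocked-host request, while normal-to-normal resolution is unaffected; the refresh check shows that the batch stops fitting in the 60-second period only past about two thousand blocked hosts at 0.03-second spacing.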

In an embodiment of this creation, the above network blocking method may be implemented as a computer program on a non-transitory computer-readable storage medium, the computer program comprising a plurality of instructions which, when executed, carry out the steps of the network blocking method described above. For example, the computer-readable storage medium may be any data storage device that can be read by a computer system, including read-only memory (ROM), random access memory (RAM), compact disc read-only memory (CD-ROM), magnetic tape, floppy disks, optical data storage devices and transmission media; the scope is not limited to these.

In summary, the network blocking device and computer-readable storage medium proposed in the embodiments of this creation actively send forged GARP reply packets and passively respond with forged ARP reply packets, thereby blocking data transmission from the normal group to the blocked group and from the blocked group to the normal group.

Accordingly, regarding the aforementioned drawback a. (an increasing number of online devices): assume there are 1200 online networked devices. To block communication from 1199 networked devices to device C, this embodiment needs to send only one forged GARP reply packet to inform those 1199 networked devices that the MAC address of device C is a forged MAC address. Sending this GARP reply packet does not take more than 60 seconds, so there is enough time to resend the forged GARP reply packet before its information expires at the end of the next 60-second period. As for blocking communication from device C to the 1199 networked devices: since device C broadcasts an ARP request packet before communicating, in order to obtain the MAC address of the networked device it wants to reach, it suffices to respond to device C with a forged ARP reply packet based on the information in that ARP request packet (telling device C that the MAC address of the networked device it is about to communicate with is some forged MAC address), and device C is then unable to send data to that networked device. If device C broadcasts another ARP request packet to ask for the MAC address of that networked device, this embodiment likewise responds to device C with a forged ARP packet based on the information in that ARP request packet (again telling device C that the MAC address of the networked device it wants to communicate with is some forged address). This continues cyclically until device C stops attempting to communicate with other normal devices.

Regarding the aforementioned drawback b. (a small increase in the number of devices to be blocked): assume there are 500 online networked devices. To block communication from 495 normal devices to devices D to H, only 5 forged GARP reply packets need to be sent to inform those 495 devices that the MAC addresses of devices D to H are forged MAC addresses (these 5 forged GARP reply packets are likewise sent at 0.03-second intervals). Sending the 5 GARP reply packets, including the intervals between them, takes about (5 - 1) * 0.03 = 0.12 seconds, which does not exceed 60 seconds. Therefore, before the information in these 5 forged GARP reply packets expires at the end of the next 60-second period, this embodiment immediately resends these 5 forged GARP reply packets. As for blocking communication from devices D to H to the 495 devices: since devices D to H send an ARP request packet before communicating with a normal device, in order to obtain that device's MAC address, it suffices to respond to devices D to H with a forged ARP packet based on the information in that ARP request packet (telling devices D to H that the MAC address of the normal device they want to communicate with is a forged address), and devices D to H are then unable to send data to the networked device they want to reach.

Although this creation has been disclosed above by way of embodiments, they are not intended to limit it; any person of ordinary skill in the art may make minor changes and refinements without departing from the spirit and scope of this creation. The scope of protection of this creation is therefore defined by the appended claims.

10‧‧‧Communication system
110‧‧‧Networked device
150‧‧‧Network blocking device
151‧‧‧Communication module
155‧‧‧Processing unit
S310~S350, S410~S490‧‧‧Steps

FIG. 1 is a schematic diagram of a communication system according to an embodiment of this creation. FIG. 2 is a block diagram of the components of a network blocking device according to an embodiment of this creation. FIG. 3 is a flowchart of a network blocking method according to an embodiment of this creation. FIG. 4 is a flowchart illustrating an example of network blocking.

150‧‧‧Network blocking device

151‧‧‧Communication module

155‧‧‧Processing unit

Claims (6)

1. A network blocking device, adapted to perform network management on a plurality of networked devices located in a network domain, comprising: a communication module for transmitting and receiving packets; and a processing unit coupled to the communication module and configured to: determine whether the networked devices belong to a blocked group; generate at least one forged address, wherein the at least one forged address is excluded from the physical addresses of the networked devices in the blocked group; and, for each of the networked devices in the blocked group, broadcast a forged packet through the communication module, wherein the forged packet includes one of the at least one forged address.

2. The network blocking device of claim 1, wherein the forged packet is a gratuitous address resolution protocol (ARP) reply packet, and the processing unit is further configured to: sequentially, for each of the networked devices in the blocked group, broadcast through the communication module the gratuitous ARP reply packet including one of the at least one forged address, wherein the gratuitous ARP reply packet further includes the Internet protocol address of one of the networked devices in the blocked group.
3. The network blocking device of claim 2, wherein the processing unit is further configured to: broadcast the gratuitous ARP reply packet again through the communication module before the gratuitous ARP reply packet expires.

4. The network blocking device of claim 1, wherein the processing unit is further configured to: capture an ARP request packet through the communication module; and determine whether the source of the ARP request packet corresponds to the networked devices in the blocked group.

5. The network blocking device of claim 4, wherein the processing unit is further configured to: if the source of the ARP request packet corresponds to the networked devices in the blocked group, transmit an ARP reply packet including one of the at least one forged address.
6. A computer-readable storage medium storing a computer program, the computer program being loaded into a network blocking device and causing the network blocking device to perform at least the following steps: determining whether a plurality of networked devices belong to a blocked group; generating at least one forged address, wherein the at least one forged address is excluded from the physical addresses of the networked devices in the blocked group; and, for each of the networked devices in the blocked group, broadcasting a forged packet, wherein the forged packet includes one of the at least one forged address.
TW105215896U 2016-01-21 2016-10-19 Apparatus for blocking network and computer-readable medium TWM541160U (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
TW105101821 2016-01-21

Publications (1)

Publication Number Publication Date
TWM541160U true TWM541160U (en) 2017-05-01

Family

ID=59370285

Family Applications (2)

Application Number Title Priority Date Filing Date
TW105215896U TWM541160U (en) 2016-01-21 2016-10-19 Apparatus for blocking network and computer-readable medium
TW105133640A TWI660284B (en) 2016-01-21 2016-10-19 Method and apparatus for blocking network, and computer-readable medium

Family Applications After (1)

Application Number Title Priority Date Filing Date
TW105133640A TWI660284B (en) 2016-01-21 2016-10-19 Method and apparatus for blocking network, and computer-readable medium

Country Status (2)

Country Link
CN (1) CN107040507B (en)
TW (2) TWM541160U (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI660284B (en) * 2016-01-21 2019-05-21 曜祥網技股份有限公司 Method and apparatus for blocking network, and computer-readable medium

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI611377B (en) * 2017-03-30 2018-01-11 崑山科技大學 Anti-lost alarm method and system with grouping multiple warning devices
TWI709309B (en) * 2019-09-25 2020-11-01 飛泓科技股份有限公司 Network management device and network management method thereof

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101616191A (en) * 2008-06-27 2009-12-30 英业达股份有限公司 Address simulating device and method thereof
CN101562542B (en) * 2009-05-21 2011-06-29 杭州华三通信技术有限公司 Response method for free ARP request and gateway device thereof
US8800025B2 (en) * 2009-11-10 2014-08-05 Hei Tao Fung Integrated virtual desktop and security management system
CN102195862A (en) * 2010-03-11 2011-09-21 正文科技股份有限公司 Routing device and related packet processing circuit
CN101820396B (en) * 2010-05-24 2012-04-18 杭州华三通信技术有限公司 Method and equipment for verifying message security
KR101236822B1 (en) * 2011-02-08 2013-02-25 주식회사 안랩 Method for detecting arp spoofing attack by using arp locking function and recordable medium which program for executing method is recorded
CN103856443B (en) * 2012-11-29 2018-05-15 台众计算机股份有限公司 Method of the judgement of site with stopping
TWM541160U (en) * 2016-01-21 2017-05-01 曜祥網技股份有限公司 Apparatus for blocking network and computer-readable medium

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
TWI660284B (en) * 2016-01-21 2019-05-21 曜祥網技股份有限公司 Method and apparatus for blocking network, and computer-readable medium

Also Published As

Publication number Publication date
CN107040507B (en) 2020-06-23
CN107040507A (en) 2017-08-11
TWI660284B (en) 2019-05-21
TW201727529A (en) 2017-08-01

Similar Documents

Publication Publication Date Title
US20200259834A1 (en) Fast heartbeat liveness between packet processing engines using media access control security (macsec) communication
US9015852B2 (en) Protecting address resolution protocol neighbor discovery cache against denial of service attacks
US20160381015A1 (en) Authentication for VLAN Tunnel Endpoint (VTEP)
US9491261B1 (en) Remote messaging protocol
EP3720100A1 (en) Service request processing method and device
CN112468518B (en) Access data processing method and device, storage medium and computer equipment
WO2011020254A1 (en) Method and device for preventing network attacks
JP4920878B2 (en) Authentication system, network line concentrator, authentication method used therefor, and program thereof
JP2010200300A (en) Tcp communication scheme
WO2012075850A1 (en) Method and system for preventing mac address cheat, and switch
CN104426837A (en) Application specific packet filter method and device of file transfer protocol
US20170180382A1 (en) Method and Apparatus for Using Software Defined Networking and Network Function Virtualization to Secure Residential Networks
Lu et al. An SDN‐based authentication mechanism for securing neighbor discovery protocol in IPv6
TWI660284B (en) Method and apparatus for blocking network, and computer-readable medium
US20240259316A1 (en) Network load balancing method and apparatus, electronic device, medium, and program product
EP3932044B1 (en) Automatic distribution of dynamic host configuration protocol (dhcp) keys via link layer discovery protocol (lldp)
EP3133790B1 (en) Message sending method and apparatus
US8615591B2 (en) Termination of a communication session between a client and a server
US9686311B2 (en) Interdicting undesired service
JP2004104805A (en) Apparatus and method for connecting device to wireless network
TWI770483B (en) Method and apparatus for transmitting and receiving data in computer network, computer program and data set
JP2010187314A (en) Network relay apparatus with authentication function, and terminal authentication method employing the same
WO2017219777A1 (en) Packet processing method and device
Xiaorong et al. Security analysis for IPv6 neighbor discovery protocol
US10248365B2 (en) Method and system of using OAuth2 to secure neighbor discovery