At present, the damage caused by network viruses is becoming more and more diversified, and many new destructive methods are appearing. Attacks on network reliability are one kind of these new destructive methods. The purpose of this kind of attack is not to steal information, but to attack network devices by targeting security vulnerabilities in networks and to destroy normal network communication. Consequently, network paralysis is caused and greater losses are brought to users. The attack on Ethernet is a familiar mode of this kind of attack.
In conventional networks, Ethernet is mostly used in an inner network, which is considered to be very safe. Therefore, network security precautions are set only at the exits of the inner network, but not within it. At the same time, because many different users exist in the inner network, it is impossible for a network management department to monitor and control the network usage of each user within the inner network. Thus, with the continuous development of new destructive methods based on computer viruses and the increasing use of middle- and low-end network products which are easy to attack, attacks on Ethernet become easier and easier. In addition, with the rise of broadband and the popularization of new types of services, Ethernet is more frequently applied in networks that are outer networks relative to the network management department, for example a broadband cell that is accessed by means of Ethernet. In such a case, Ethernet is even easier to attack.
For users that communicate with others through Ethernet, once the Ethernet is attacked and network paralysis occurs, there will be massive losses in direct proportion to the paralysis time, even if no valuable data is lost; for companies which operate their business based on Ethernet, such a loss is more serious than losing data.
In Ethernet, the address of a host is identified by a Media Access Control (MAC) address. When data is transmitted, a destination MAC address and a source MAC address need to be carried in the data packet. An Ethernet communication device, such as a switch, determines the forwarding port for the data packet from this MAC address information. At present, forwarding of data packets in a switch is based on a MAC address learning mechanism. As shown in FIG. 1, taking the MAC address of PC 1 as MAC 1 and the MAC address of PC 2 as MAC 2, when receiving a data packet transmitted by PC 1, the switch records the MAC address information carried in the data packet together with the port which received the data packet, namely, it establishes a map between MAC 1 and Port 1. Similarly, a map between MAC 2 and Port 2 is established. In this way, the switch establishes a map between the MAC address of each host and its associated port, and stores this map in a MAC table. As shown in FIG. 1, there are two entries in the MAC table, in which MAC 1 is associated with Port 1 and MAC 2 is associated with Port 2. When receiving a data packet that needs to be transmitted to PC 1, the switch first looks up the corresponding Port 1 in the MAC table according to the MAC address MAC 1 of PC 1, then transmits the data packet to PC 1 via Port 1.
There is no authentication mechanism in the above-mentioned MAC address learning process, so a malicious user may attack a single user in the Ethernet or the whole Ethernet. This kind of attack may be implemented through MAC address cheating or MAC address bombing.
FIG. 2 schematically illustrates an attack process through MAC address cheating. As shown in FIG. 2, if the user of PC 2 is a malicious user and plans to attack PC 1, he may transmit from PC 2 a data packet carrying MAC 1 in the source MAC address field. The switch will then carry out a learning process and establish a map between MAC 1 and Port 2. That is, after this learning process, the map between MAC 1 and Port 1 in the switch's MAC table is replaced by a map between MAC 1 and Port 2. Therefore, all data packets to be sent to PC 1 will be transmitted to Port 2 and then to PC 2, so that PC 1 fails to receive the data packets normally. If the malicious user adopts the same method to attack multiple hosts, or even all hosts in the Ethernet, the whole Ethernet will be close to paralysis.
Besides the above-mentioned MAC address cheating, malicious users can attack the Ethernet through MAC address bombing. For example, a malicious user can continually send data packets with varying source MAC addresses from PC 2, e.g., the source MAC address in the first data packet is MAC 1, in the second data packet it becomes MAC 3, and in the third data packet it is changed to MAC 8. Thus the switch needs to update the MAC table after receiving each data packet with a different source address, and the MAC table of the switch is kept in an unstable state. If a source MAC address carried in these data packets is the true address of a network device in the Ethernet, that network device cannot communicate normally. This method is usually used by viruses to carry out MAC bombing of the whole Ethernet through the hosts they have infected, thereby destroying normal operation of the whole Ethernet.
To avoid the above attacks on Ethernet, it is common for a switch to bind a host MAC address to a switch port; that is, once a fixed map between a port and a MAC address is established, the switch no longer needs to learn any dynamic MAC address. Thus the map between MAC addresses and ports is not changed upon receiving a new data packet, and the MAC table becomes a fixed mapping table. In this way, attacks such as MAC address cheating or MAC address bombing are effectively avoided.
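The following is an added simulation, not code from the patent, that models the behaviour described in the preceding paragraphs: the learning switch of FIG. 1, the MAC address cheating of FIG. 2, MAC address bombing, and the fixed MAC-to-port binding just described. The `Frame`, `LearningSwitch` and `BoundSwitch` classes, the port numbers and the addresses MAC1, MAC3, MAC8 and MAC9 are constructed for the example; a real switch also ages out entries and has a bounded table, which this model omits.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Frame:
    """Minimal frame model: only the two MAC fields the switch looks at."""
    src_mac: str
    dst_mac: str


class LearningSwitch:
    """Dynamic MAC learning as in FIG. 1: the source MAC of the latest
    frame is trusted without any authentication, so the latest frame wins."""

    def __init__(self, ports: List[int]) -> None:
        self.ports = ports
        self.mac_table: Dict[str, int] = {}
        self.flaps = 0  # times an existing entry was moved to another port

    def receive(self, frame: Frame, in_port: int) -> List[int]:
        # Learning: map the source MAC to the ingress port, overwriting any
        # earlier entry. Moving an existing entry is counted as a flap.
        prev = self.mac_table.get(frame.src_mac)
        if prev != in_port:
            if prev is not None:
                self.flaps += 1
            self.mac_table[frame.src_mac] = in_port
        # Forwarding: known destination -> that port; unknown -> flood.
        out = self.mac_table.get(frame.dst_mac)
        if out is None:
            return [p for p in self.ports if p != in_port]
        return [out]


class BoundSwitch:
    """Fixed MAC table configured by the administrator (the binding
    described above). Nothing is learned from traffic."""

    def __init__(self, bindings: Dict[str, int]) -> None:
        self.mac_table: Dict[str, int] = dict(bindings)
        self.dropped: List[Tuple[str, int]] = []  # (claimed src MAC, port)

    def receive(self, frame: Frame, in_port: int) -> List[int]:
        # A frame is accepted only on the port its source MAC is bound to;
        # anything else is dropped and recorded for the administrator.
        if self.mac_table.get(frame.src_mac) != in_port:
            self.dropped.append((frame.src_mac, in_port))
            return []
        out = self.mac_table.get(frame.dst_mac)
        return [] if out is None else [out]


def spoofing_scenario() -> Tuple[List[int], List[int]]:
    """FIG. 2: a frame from Port 2 claiming MAC1 hijacks PC 1's entry."""
    sw = LearningSwitch([1, 2, 3])
    sw.receive(Frame("MAC1", "MAC3"), 1)           # PC 1 learned on Port 1
    sw.receive(Frame("MAC3", "MAC1"), 3)           # PC 3 learned on Port 3
    before = sw.receive(Frame("MAC3", "MAC1"), 3)  # PC 3 -> PC 1 goes to Port 1
    sw.receive(Frame("MAC1", "MAC3"), 2)           # forged source from Port 2
    after = sw.receive(Frame("MAC3", "MAC1"), 3)   # now misdirected to Port 2
    return before, after


def bombing_scenario(rounds: int = 10) -> Tuple[int, int, int]:
    """Varying source MACs from Port 2 keep the table unstable; MAC1 is
    PC 1's true address, so PC 1's entry flaps on every round."""
    sw = LearningSwitch([1, 2, 3])
    bombs = ["MAC1", "MAC3", "MAC8"]  # constructed, as in the text's example
    for _ in range(rounds):
        sw.receive(Frame("MAC1", "MAC3"), 1)   # PC 1 communicating legitimately
        for mac in bombs:
            sw.receive(Frame(mac, "MAC3"), 2)  # PC 2 bombing
    return sw.flaps, sw.mac_table["MAC1"], len(sw.mac_table)


def binding_scenario() -> Tuple[List[int], List[int], int, List[int]]:
    """With fixed bindings the forged frame is dropped and PC 1's entry
    survives, but an unconfigured new device (MAC9) is dropped too."""
    sw = BoundSwitch({"MAC1": 1, "MAC2": 2, "MAC3": 3})
    legit = sw.receive(Frame("MAC3", "MAC1"), 3)     # delivered to Port 1
    sw.receive(Frame("MAC1", "MAC3"), 2)             # forged source: dropped
    still = sw.receive(Frame("MAC3", "MAC1"), 3)     # still Port 1
    newcomer = sw.receive(Frame("MAC9", "MAC1"), 3)  # new legal device: dropped
    return legit, still, len(sw.dropped), newcomer


if __name__ == "__main__":
    print("cheating (before, after):", spoofing_scenario())
    print("bombing (flaps, port of MAC1, table size):", bombing_scenario())
    print("binding (legit, still, dropped, newcomer):", binding_scenario())
```

The `dropped` list of `BoundSwitch` is where a defender gets value beyond merely blocking: each entry records a source MAC seen on a port it is not bound to, which is exactly the event worth alerting on. The last value returned by `binding_scenario` also shows the cost of a fixed table, since a device the administrator has not configured cannot communicate at all.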
However, this kind of binding relationship needs to be configured in the switch by a network administrator according to the fixed network connections, and once the configuration is accomplished, the network is in a fixed mode. A new computer or other legal Ethernet device cannot communicate when it is connected to the network; a computer with a changed Ethernet Network Interface Card (NIC) cannot communicate because its MAC address is now different; and a computer moved from one place to another cannot communicate because of the change of connection port.