Network Monitoring Apparatus and Network Monitoring Method

US 20120304294A1
Filed: 08/09/2012
Published: 11/29/2012
Est. Priority Date: 03/18/2009
Status: Abandoned Application

First Claim

Patent Images

1. A network monitoring apparatus which is configured to monitor a network to which nodes are connected, the network monitoring apparatus comprising:

an unauthorized node determination module configured to determine whether a sender node which transmits an address resolution protocol request packet is an unauthorized node based on a sender physical address in the address resolution protocol request packet, in response to the reception of the address resolution protocol request packet;

a spoofed address resolution protocol request transmission module configured to transmit a spoofed address resolution protocol request packet to a target node corresponding to a target network address in the received address resolution protocol request packet if the sender node is an unauthorized node, the spoofed address resolution protocol request packet including a network address of the target node as a target network address, a physical address of the network monitoring apparatus as a sender physical address and a network address of the unauthorized node as a sender network address;

an address resolution protocol reply reception module configured to receive an address resolution protocol reply packet from the target node, wherein the target node is configured to unicast the address resolution protocol reply packet to the network monitoring apparatus in response to the reception of the spoofed address resolution protocol request packet, and wherein the address resolution protocol reply packet includes the physical address of the network monitoring apparatus as a target physical address, the network address of the unauthorized node as a target network address, a physical address of the target node as a sender physical address, and the network address of the target node as a sender network address; and

a spoofed address resolution protocol reply transmission module configured to transmit a spoofed address resolution protocol reply packet to the unauthorized node in response to the reception of the address resolution protocol reply packet, the spoofed address resolution protocol reply packet including a predetermined physical address other than the physical address of the target node as a sender physical address and a network address of the target node as a sender network address.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

According to one embodiment, a network monitoring apparatus includes an unauthorized node determination module, a spoofed address resolution protocol request transmission module, and a spoofed address resolution protocol reply transmission module. The unauthorized node determination module determines whether a sender node which transmits an address resolution protocol request packet is an unauthorized node. The spoofed address resolution protocol request transmission module transmits a spoofed address resolution protocol request packet to a target node corresponding to a target network address in the address resolution protocol request packet if the sender node is an unauthorized node. The spoofed address resolution protocol reply transmission module transmits to the unauthorized node a spoofed address resolution protocol reply packet which includes a predetermined physical address other than the physical address of the target node as a sender physical address and a network address of the target node as a sender network address.

225 Citations

15 Claims

1. A network monitoring apparatus which is configured to monitor a network to which nodes are connected, the network monitoring apparatus comprising:
- an unauthorized node determination module configured to determine whether a sender node which transmits an address resolution protocol request packet is an unauthorized node based on a sender physical address in the address resolution protocol request packet, in response to the reception of the address resolution protocol request packet;
  
  a spoofed address resolution protocol request transmission module configured to transmit a spoofed address resolution protocol request packet to a target node corresponding to a target network address in the received address resolution protocol request packet if the sender node is an unauthorized node, the spoofed address resolution protocol request packet including a network address of the target node as a target network address, a physical address of the network monitoring apparatus as a sender physical address and a network address of the unauthorized node as a sender network address;
  
  an address resolution protocol reply reception module configured to receive an address resolution protocol reply packet from the target node, wherein the target node is configured to unicast the address resolution protocol reply packet to the network monitoring apparatus in response to the reception of the spoofed address resolution protocol request packet, and wherein the address resolution protocol reply packet includes the physical address of the network monitoring apparatus as a target physical address, the network address of the unauthorized node as a target network address, a physical address of the target node as a sender physical address, and the network address of the target node as a sender network address; and
  
  a spoofed address resolution protocol reply transmission module configured to transmit a spoofed address resolution protocol reply packet to the unauthorized node in response to the reception of the address resolution protocol reply packet, the spoofed address resolution protocol reply packet including a predetermined physical address other than the physical address of the target node as a sender physical address and a network address of the target node as a sender network address.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The network monitoring apparatus of claim 1, wherein the spoofed address resolution protocol reply transmission module is configured to transmit a spoofed address resolution protocol reply packet to the unauthorized node in response to the reception of the address resolution protocol reply packet, the spoofed address resolution protocol reply packet including a physical address of the unauthorized node as a sender physical address and a network address of the target node as a sender network address.
  - 3. The network monitoring apparatus of claim 1, further comprising an address resolution protocol (ARP) table spoof module configured to write the network address of the unauthorized node and the physical address of the network monitoring apparatus in association with each other into an ARP table of the network monitoring apparatus in which the correspondence between network addresses and physical addresses has been written.
  - 4. The network monitoring apparatus of claim 1, wherein the unauthorized node determination module is configured to determine whether the target node of the address resolution protocol request packet is an unauthorized node, based on the target network address in the address resolution protocol request packet, in response to the reception of the address resolution protocol request packet andthe spoofed address resolution protocol request transmission module is configured to transmit a spoofed address resolution protocol request packet to the sender node of the received address resolution protocol request packet if the target node is an unauthorized node, the spoofed address resolution protocol request packet including the physical address of the network monitoring apparatus as a sender physical address and the network address of the unauthorized node as a sender network address.
  - 5. The network monitoring apparatus of claim 1, wherein the unauthorized node determination module is configured to determine whether the network monitoring apparatus is a target node of the address resolution protocol request packet, based on the target network address in the received address resolution protocol request packet, in response to the reception of the address resolution protocol request packet andthe spoofed address resolution protocol reply transmission module is configured to transmit a spoofed address resolution protocol reply packet to the unauthorized node if the network monitoring apparatus is the target node, the spoofed address resolution protocol reply packet including the physical address of the unauthorized node as a sender physical address and the network address of the target node as a sender network address.
  - 6. The network monitoring apparatus of claim 1, wherein the unauthorized node determination module is configured to determine whether the target node of an address resolution protocol request packet is an unauthorized node, based on the target network address in the address resolution protocol request packet, in response to the transmission of the address resolution protocol request packet from the network monitoring apparatus andthe spoofed address resolution protocol reply transmission module is configured to transmit a spoofed address resolution protocol reply packet to the target node if the target node is an unauthorized node, the spoofed address resolution protocol reply packet including the physical address of the target node as a sender physical address and the network address of the network monitoring apparatus as a sender network address.
  - 7. The network monitoring apparatus of claim 1, wherein the unauthorized node determination module is configured to ignore the address resolution protocol request packet if the sender node of the received address resolution protocol request packet is an unauthorized node and the received address resolution protocol request packet is a Gratuitous address resolution protocol request packet.

8. A network monitoring method of monitoring a network to which nodes are connected by use of a network monitoring apparatus connected to the network, the network monitoring method comprising:
- determining, by the network monitoring apparatus, whether a sender node which transmits an address resolution protocol request packet is an unauthorized node, based on a sender physical address in the address resolution protocol request packet, in response to the reception of the address resolution protocol request packet;
  
  transmitting, by the network monitoring apparatus, a spoofed address resolution protocol request packet to a target node corresponding to a target network address in the received address resolution protocol request packet if the sender node is an unauthorized node, the spoofed address resolution protocol request packet including a network address of the target node as a target network address, a physical address of the network monitoring apparatus as a sender physical address and a network address of the unauthorized node as a sender network address;
  
  receiving, by the network monitoring apparatus, an address resolution protocol reply packet from the target node, wherein the target node is configured to unicast the address resolution protocol reply packet to the network monitoring apparatus in response to the reception of the spoofed address resolution protocol request packet, and wherein the address resolution protocol reply packet includes the physical address of the network monitoring apparatus as a target physical address, the network address of the unauthorized node as a target network address, a physical address of the target node as a sender physical address, and the network address of the target node as a sender network address; and
  
  transmitting, by the network monitoring apparatus, a spoofed address resolution protocol reply packet to the unauthorized node in response to the reception of an address resolution protocol reply packet unicast from the target node to the network monitoring apparatus with respect to the spoofed address resolution protocol request packet, the spoofed address resolution protocol reply packet including a physical address of the unauthorized node as a sender physical address and a network address of the target node as a sender network address.

9. A network monitoring apparatus which is configured to monitor a network to which nodes are connected, the network monitoring apparatus comprising:
- a processor; and
  
  a memory that comprisesan first module configured to determine whether a sender node which transmits an address resolution protocol request packet is an unauthorized node based on a sender physical address in the address resolution protocol request packet, in response to the reception of the address resolution protocol request packet,a second module configured to transmit a spoofed address resolution protocol request packet to a target node corresponding to a target network address in the received address resolution protocol request packet if the sender node is an unauthorized node, the spoofed address resolution protocol request packet including a network address of the target node as a target network address, a physical address of the network monitoring apparatus as a sender physical address and a network address of the unauthorized node as a sender network address,a third module configured to receive an address resolution protocol reply packet from the target node, wherein the target node is configured to unicast the address resolution protocol reply packet to the network monitoring apparatus in response to the reception of the spoofed address resolution protocol request packet, and wherein the address resolution protocol reply packet includes the physical address of the network monitoring apparatus as a target physical address, the network address of the unauthorized node as a target network address, a physical address of the target node as a sender physical address, and the network address of the target node as a sender network address, anda fourth module configured to transmit a spoofed address resolution protocol reply packet to the unauthorized node in response to the reception of the address resolution protocol reply packet, the spoofed address resolution protocol reply packet including a predetermined physical address other than the physical address of the target node as a sender physical address and a network address of the target node as a sender network address.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The network monitoring apparatus of claim 9, wherein the fourth module is configured to transmit a spoofed address resolution protocol reply packet to the unauthorized node in response to the reception of the address resolution protocol reply packet, the spoofed address resolution protocol reply packet including a physical address of the unauthorized node as a sender physical address and a network address of the target node as a sender network address.
  - 11. The network monitoring apparatus of claim 9, further comprising an address resolution protocol (ARP) table spoof module configured to write the network address of the unauthorized node and the physical address of the network monitoring apparatus in association with each other into an ARP table of the network monitoring apparatus in which the correspondence between network addresses and physical addresses has been written.
  - 12. The network monitoring apparatus of claim 9, wherein the first module is configured to determine whether the target node of the address resolution protocol request packet is an unauthorized node, based on the target network address in the address resolution protocol request packet, in response to the reception of the address resolution protocol request packet andthe second module is configured to transmit a spoofed address resolution protocol request packet to the sender node of the received address resolution protocol request packet if the target node is an unauthorized node, the spoofed address resolution protocol request packet including the physical address of the network monitoring apparatus as a sender physical address and the network address of the unauthorized node as a sender network address.
  - 13. The network monitoring apparatus of claim 9, wherein the first module is configured to determine whether the network monitoring apparatus is a target node of the address resolution protocol request packet, based on the target network address in the received address resolution protocol request packet, in response to the reception of the address resolution protocol request packet andthe fourth module is configured to transmit a spoofed address resolution protocol reply packet to the unauthorized node if the network monitoring apparatus is the target node, the spoofed address resolution protocol reply packet including the physical address of the unauthorized node as a sender physical address and the network address of the target node as a sender network address.
  - 14. The network monitoring apparatus of claim 9, wherein the first module is configured to determine whether the target node of an address resolution protocol request packet is an unauthorized node, based on the target network address in the address resolution protocol request packet, in response to the transmission of the address resolution protocol request packet from the network monitoring apparatus andthe fourth module is configured to transmit a spoofed address resolution protocol reply packet to the target node if the target node is an unauthorized node, the spoofed address resolution protocol reply packet including the physical address of the target node as a sender physical address and the network address of the network monitoring apparatus as a sender network address.
  - 15. The network monitoring apparatus of claim 9, wherein the first module is configured to ignore the address resolution protocol request packet if the sender node of the received address resolution protocol request packet is an unauthorized node and the received address resolution protocol request packet is a Gratuitous address resolution protocol request packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Yuji Fujiwara
Original Assignee
Yuji Fujiwara
Inventors
Fujiwara, Yuji

Application Number

US13/571,224
Publication Number

US 20120304294A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 43/00   Arrangements for monitoring...

H04L 61/103   across network layers, e.g....

H04L 63/0236   Filtering by address, proto...

H04L 63/1466   Active attacks involving in...

Network Monitoring Apparatus and Network Monitoring Method

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

225 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Network Monitoring Apparatus and Network Monitoring Method

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

225 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links