CN100380871C - Protection system and method against distributed denial-of-service attacks - Google Patents


Info

Publication number: CN100380871C
Authority: CN (China)
Application number: CNB2005100029142A
Other languages: Chinese (zh)
Other versions: CN1812335A
Inventors: 韦韬, 邹维
Original and current assignee: Peking University
Legal status: Expired - Fee Related (as listed by Google Patents; not a legal conclusion)
Prior art keywords: quasi-anonymous, network, identity label, denial-of-service attack

Classifications

    • H04L63/0407 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the identity of one or more communicating identities is hidden (H ELECTRICITY › H04 ELECTRIC COMMUNICATION TECHNIQUE › H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00 › H04L63/04)
    • H04L63/1458 Denial of Service (H04L63/00 Network architectures or network communication protocols for network security › H04L63/14 for detecting or protecting against malicious traffic › H04L63/1441 Countermeasures against malicious traffic)

Abstract

In one aspect, the present invention provides a new protection system against distributed denial-of-service (DDoS) attacks based on a quasi-anonymous credit mechanism. It improves the effectiveness of DDoS protection and encourages client computer systems to strengthen their own security, so that the DDoS problem can ultimately be solved at its root. The DDoS protection system of the invention comprises a quasi-anonymous identity application device, a quasi-anonymous credit inspection device and a quasi-anonymous credit scoring device. To improve protection further, the system based on the quasi-anonymous credit mechanism also comprises optional peripheral devices: a routing label device and a subnet behaviour control device. In another aspect, the invention provides a new DDoS protection method based on the quasi-anonymous credit mechanism.

Description

A protection system and method against distributed denial-of-service attacks
Technical field
The invention belongs to the fields of computing, communications and information security, and specifically relates to a method for protecting against distributed denial-of-service attacks.
Background technology
A distributed denial-of-service (DDoS) attack is a coordinated attack launched against one or more target computer systems using a large number of illegally controlled computer systems. By exhausting the target's bandwidth, computational and other resources, it renders the target unable to serve legitimate users, paralysing the service.
Current DDoS defences can be divided into target-system-based methods, key-router-based methods, user-system-based methods, and attack-source traceback. Traceback is only a supplementary means and cannot by itself prevent an attack; user-system-based methods require the comprehensive participation of Internet users and are very difficult to deploy in practice. The main target-system-based and key-router-based methods are briefly described below.
Target-system-based methods mainly comprise SYN cookies, history-based IP filtering (HIP) using records of visiting IPs, and client computational bottleneck (client puzzle) methods.
The SYN cookie method requires the client, when establishing a TCP connection, to respond with a numeric receipt that proves its authenticity. It solves the limited-resource problem of the target's half-open connection queue and has therefore become the most widely adopted DDoS defence; the newer SCTP and DCCP protocols adopt similar techniques. Its limitation is that it must answer every connection handshake packet with a response packet, i.e. it generates a 1:1 response flow that doubles the attack stream and wastes bandwidth. Moreover, when the attacker uses random source addresses, the destination addresses of the SYN cookie responses are highly dispersed, which can exhaust the routing cache of the target's routers and those around it; this creates a new attack point, and real route avalanche events have occurred in practice.
The HIP method simply records the IPs of user systems that access the site. When a DDoS attack occurs, IPs that visited the site within a preceding period receive priority access. HIP solves the attack-packet identification problem to some extent, but has weaknesses. First, it cannot resist IP spoofing. Second, it cannot recognise users of broadband services such as ADSL whose addresses change, and therefore treats them as attackers and rejects them. Finally, HIP does nothing to encourage user systems to improve their own security; it is only a stopgap.
The client computational bottleneck method moves the resource bottleneck of an access from the server side to the client side, greatly raising the cost of a DDoS attack; a typical realisation is resource access pricing. But it shares the SYN cookie problem of a 1:1 response flow and can likewise cause route avalanches. In addition, its protocol is complex and requires major changes to existing operating systems and network configurations, which largely limits its practicality.
Key-router-based methods mainly comprise pushback and the stateless Internet flow filter (SIFF). Pushback cannot avoid malicious competition between ISPs; SIFF cannot resist first-packet attacks, is hard to deploy incrementally, and its effectiveness against accomplice attacks is also questionable. In general, because key routers are already heavily loaded and the authentication and authorisation problems on them are hard to solve, such methods are unlikely to become effective stand-alone solutions; at present they are generally used as complementary traceback schemes alongside other methods.
In summary, to date there is no practical long-term defence against DDoS attacks.
Problems a DDoS defence must solve and features it must have:
First, the defence must effectively resist all existing and possible forms of DDoS attack.
Requirement 1: effectively resist first-packet attacks
A first-packet attack uses the handshake packets that establish a network connection. Traditional network protocols, and most existing DDoS defence proposals, must respond 1:1 to first packets. Such a mechanism is exploited by first-packet attacks, producing reverse bandwidth consumption and route avalanche problems.
Requirement 2: effectively resist accomplice attacks
In an accomplice attack, while the DDoS attack is carried out, one attacking host disguises itself as a legitimate user to obtain the information legitimate users need to connect; the other attacking hosts then use that information to attack. Accomplice attacks are especially effective against key-router-based defences.
Requirement 3: effectively resist the existing variety of DDoS attacks
This requirement is self-evident.
Requirement 4: introduce no new attack point
If the protection scheme itself presents a new attack point, the scheme is invalid, or at least incomplete.
Second, the defence must be operationally feasible, both economically and technically.
Requirement 5: the resources a user is asked to invest in the countermeasure should be commensurate with the benefit that user gains
Existing DDoS defences often require users to pay costs that do not match the benefit they receive, for example installing complex and expensive security processing equipment in the client subnet when the direct beneficiary is the website operator. Such approaches violate economic principles and are therefore hard to deploy in practice.
Requirement 6: incremental deployment
The current Internet is a huge piece of infrastructure; transforming this giant cannot be done overnight. A scheme acceptable to the whole Internet community must therefore be incrementally deployable rather than a disruptive overnight change.
Requirement 7: effective support for high-performance network processing
An obvious trend of current DDoS attacks is ever-increasing traffic volume. If the throughput of the defence equipment cannot keep up, it becomes the bottleneck that is attacked. Correspondingly, an over-complex method leads to equipment whose performance cannot meet demand.
Finally, the defence must also support other requirements arising in the development of the Internet.
Requirement 8: guarantee that the user's right to privacy is inviolable
The current Internet is an open environment in which most access is anonymous in order to protect users' privacy, and online privacy receives increasing attention today. A good DDoS defence should preserve users' privacy and must not require them to reveal their real identity to have their legitimacy checked.
Requirement 9: support IP roaming
The rapid spread of broadband and wireless networks has brought the problem of user IP roaming. A good DDoS defence should accommodate this usage model and not obstruct it.
Summary of the invention
In one aspect, the present invention proposes a new DDoS protection system based on a quasi-anonymous credit mechanism. It greatly improves the effectiveness of DDoS protection and encourages user computer systems to strengthen their own security, thereby ultimately solving the DDoS problem at its root.
The DDoS protection system according to the invention mainly comprises the following devices:
Quasi-anonymous identity application device: stamps a quasi-anonymous identity label onto the network packets sent by the user's computer system. A quasi-anonymous identity label is an identity label that does not need to be authenticated; the label this method suggests is a random number of a certain length (such as 64 bits). The validity of this labelling method is discussed below.
Quasi-anonymous credit inspection device: checks the credit record corresponding to the quasi-anonymous identity label of each incoming packet and then applies access bandwidth constraints according to the corresponding credit grade. The credit record associated with a quasi-anonymous identity label is called its quasi-anonymous credit. When an incoming packet carries no quasi-anonymous identity label, the device degrades to the HIP method. The credit grade, and the service actually obtained, under HIP are lower than for packets carrying good quasi-anonymous credit, which encourages clients to install the quasi-anonymous identity application device.
Quasi-anonymous credit scoring device: rates the credit grade of each quasi-anonymous identity label according to its behaviour and feeds the result back to the credit inspection device. Only complex scoring methods need to run on the scoring device; simple scoring methods, such as history records and simple bandwidth constraints, can run directly on the inspection device.
Of these devices, only the quasi-anonymous credit inspection device is mandatory, which shows that the method can be deployed incrementally.
To improve protection, the DDoS protection system based on the quasi-anonymous credit mechanism also includes optional peripheral devices:
Routing label device: stamps routing labels onto packets passing through. A typical design is that of the stateless Internet flow filter (SIFF), in which each intermediate router in turn pushes its mark onto the packet's routing label. The routing label helps the quasi-anonymous credit method identify the real source of packets more accurately, and lets the individual quasi-anonymous credit of clients sharing a routing label be aggregated into a network quasi-anonymous credit. Clients accessing from a subnet with good network credit start with a higher initial credit grade; conversely, clients from a subnet with poor network credit start with a lower initial credit grade.
Subnet behaviour control device: controls the network behaviour of the hosts in the subnet under its jurisdiction. A typical design is the source-end defence system D-WARD, which controls all flows sent from the subnet and throttles malicious attack flows that do not conform to flow-control behaviour. By restraining malicious behaviour that may arise in the subnet, the device helps raise the credit record of the subnet as a whole, ensuring that legitimate users in the subnet enjoy better network service.
These two optional devices are only needed to realise network quasi-anonymous credit more effectively.
In another aspect, the invention proposes a new DDoS protection method based on the quasi-anonymous credit mechanism, comprising the following steps:
1. Client
On the client, the work is mainly that of the quasi-anonymous identity application device and comprises:
1) marking of the quasi-anonymous identity label;
the corresponding quasi-anonymous identity label is marked on every packet sent.
2) generation and recording of the quasi-anonymous identity label
There are several schemes for generating the label; two concrete schemes are given as illustrations in the embodiments of the invention.
3) renewal of the quasi-anonymous identity label
2. Intermediate gateways and routers
Intermediate gateways and routers perform routing labelling and network behaviour control.
1) routing label device
The routing labelling of the stateless Internet flow filter (SIFF) can be adopted, but without the filtering and secure hash computation on the router; security filtering is moved to the target network end.
2) network behaviour control device
Methods such as D-WARD can be used.
3. Target network end
The target network end mainly keeps credit records and, when under DDoS attack, performs quality-of-service control according to them.
1) host quasi-anonymous credit record
Hosts are identified by their quasi-anonymous identity label and their credit is determined by their behaviour. In general, a longer history of legitimate access produces a higher credit level.
If the credit record of a quasi-anonymous identity label is poor, the target computer system can notify the client in its reply to change the label, so that it starts building credit afresh.
2) network quasi-anonymous credit record
Hosts belonging to the same network are identified by their routing label. The average quasi-anonymous credit of all hosts in a network is the network's quasi-anonymous credit, which is used to set the initial grade of host quasi-anonymous credit.
3) quality-of-service control based on quasi-anonymous credit
When the target network is not under DDoS attack, this control need not be started; when it is under attack, the quality-of-service control mechanism is started.
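The target-network steps 1) to 3) above, as an added Python example that is not part of the patent: host credit records keyed by the quasi-anonymous label, network credit computed as the mean host credit behind a SIFF-style routing label and used to seed a newcomer's credit, the HIP fallback for unlabelled packets, bandwidth constraints enforced only while under attack, and the change notice sent to a label whose credit has collapsed. The grade thresholds, per-grade bandwidth shares, the HIP grade cap, the scoring increments, the packet layout and all addresses and labels in demo() are assumptions made for illustration.

```python
"""Target-network side of the quasi-anonymous credit method (added example,
not the patent's code). Grade thresholds, per-grade shares, the HIP grade
cap, scoring increments, packet layout and demo() data are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

RouteLabel = Tuple[str, ...]                 # marks pushed on by successive routers
SHARE = {0: 0, 1: 1_000, 2: 10_000, 3: 100_000}  # assumed bytes/window for grades 0..3
HIP_MAX_GRADE = 2                            # assumed: unlabelled (HIP) traffic never reaches grade 3


@dataclass
class Packet:
    src_ip: str
    size: int
    qid: Optional[int] = None                # 64-bit quasi-anonymous label; None if unlabelled
    route_label: RouteLabel = ()


@dataclass
class Credit:
    score: float = 0.0                       # legitimate history raises it, abuse drops it
    used: int = 0                            # bytes admitted in the current window


class TargetCreditSystem:
    def __init__(self) -> None:
        self.hosts: Dict[int, Credit] = {}             # qid -> host quasi-anonymous credit
        self.hip: Dict[str, Credit] = {}               # src_ip -> HIP fallback record
        self.members: Dict[RouteLabel, Set[int]] = {}  # route label -> labels seen behind it
        self.under_attack = False

    def network_credit(self, route_label: RouteLabel) -> float:
        """Network quasi-anonymous credit: mean host credit of hosts behind the label."""
        qids = self.members.get(route_label, set())
        return sum(self.hosts[q].score for q in qids) / len(qids) if qids else 0.0

    @staticmethod
    def grade(score: float) -> int:
        """Assumed thresholds; grade 0 means shut off."""
        return 0 if score < 0 else 1 if score < 5 else 2 if score < 20 else 3

    def lookup(self, pkt: Packet) -> Tuple[Credit, int]:
        """Return the credit record a packet is judged by, and its grade."""
        if pkt.qid is None:                  # no label: degrade to HIP, keyed by source IP
            rec = self.hip.setdefault(pkt.src_ip, Credit())
            return rec, min(self.grade(rec.score), HIP_MAX_GRADE)
        if pkt.qid not in self.hosts:        # a new label inherits its network's credit
            self.hosts[pkt.qid] = Credit(score=self.network_credit(pkt.route_label))
        self.members.setdefault(pkt.route_label, set()).add(pkt.qid)
        rec = self.hosts[pkt.qid]
        return rec, self.grade(rec.score)

    def inspect(self, pkt: Packet) -> Tuple[bool, Optional[str]]:
        """Credit inspection: (admitted, notice). Bandwidth limits apply only
        while under attack; a grade-0 label is told to change in the reply."""
        rec, g = self.lookup(pkt)
        notice = "CHANGE_QID" if pkt.qid is not None and g == 0 else None
        if not self.under_attack:
            return True, notice
        if rec.used + pkt.size > SHARE[g]:
            return False, notice
        rec.used += pkt.size
        return True, notice

    def score(self, pkt: Packet, malicious: bool) -> None:
        """Simple scoring run on the inspection device: +1 per legitimate
        access, a heavy penalty once the label is seen attacking."""
        rec, _ = self.lookup(pkt)
        rec.score += -50 if malicious else 1


def demo() -> dict:
    """Constructed scenario: A builds credit behind route label R1; newcomer B
    behind R1 inherits it; C from an unknown network and an unlabelled host do
    not; an eavesdropper replaying A's label drags A and R1 down together."""
    t = TargetCreditSystem()
    r1, r2 = ("as100", "isp7"), ("as200", "isp9")
    a = Packet("10.0.0.5", 1500, qid=0x1F2E3D4C5B6A7988, route_label=r1)
    for _ in range(25):                      # 25 legitimate accesses in peacetime
        t.inspect(a)
        t.score(a, malicious=False)
    t.under_attack = True                    # start quality-of-service control
    b = Packet("10.0.0.9", 50_000, qid=0x0123456789ABCDEF, route_label=r1)
    c = Packet("172.16.4.2", 5_000, qid=0xDEADBEEFCAFEF00D, route_label=r2)
    u = Packet("192.0.2.77", 800)            # unlabelled: judged by its HIP record
    out = {
        "grade_a": t.grade(t.hosts[a.qid].score),
        "net_credit_r1": t.network_credit(r1),
        "b_admitted": t.inspect(b)[0],       # grade 3 share covers 50 kB
        "c_admitted": t.inspect(c)[0],       # grade 1 share is 1 kB
        "u_admitted": t.inspect(u)[0],
    }
    stolen = Packet("10.0.0.66", 1500, qid=a.qid, route_label=r1)
    t.score(stolen, malicious=True)          # stolen label used in the attack
    out["grade_a_after"] = t.grade(t.hosts[a.qid].score)
    out["net_credit_r1_after"] = t.network_credit(r1)
    out["a_after"] = t.inspect(a)
    return out


if __name__ == "__main__":
    print(demo())
```

In the scenario, B is admitted on the strength of R1's network credit without any history of its own, C and the unlabelled host get only the lowest share, and after the stolen label is seen attacking, A's own packets are refused with a change notice while R1's network credit falls to zero, which is the collective incentive the text relies on.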
Description of drawings
The invention is described in further detail below with reference to the accompanying drawings:
Fig. 1 is a topology diagram of a distributed denial-of-service attack;
Fig. 2 is an analysis of the cooperation of each party under a distributed denial-of-service attack;
Fig. 3 is a topology schematic of the protection method based on the quasi-anonymous credit mechanism;
Fig. 4 is a schematic diagram of the quasi-anonymous credit protection mechanism;
Fig. 5 is a first IP frame format containing the quasi-anonymous identity label;
Fig. 6 is a second IP frame format containing the quasi-anonymous identity label;
Fig. 7 is a schematic diagram of the embodiment;
Fig. 8 shows the normal case, in which the user's computer system need not change its quasi-anonymous identity label;
Fig. 9 shows the target system notifying that the quasi-anonymous identity label must be changed;
Fig. 10 is an example of quality-of-service control based on quasi-anonymous credit.
Embodiments
The preferred embodiment of the invention is described in more detail below with reference to the drawings. Fig. 1 shows the topology of a distributed denial-of-service attack. In the figure, the first router symbol denotes Internet backbone routers running the BGP routing protocol; the second denotes routers inside an autonomous system running an IGP routing protocol such as OSPF; the third denotes routers inside a local area network, running static routing and the like. The Internet can thus be divided into three layers: the core backbone running BGP, autonomous-system networks running IGP protocols (such as OSPF), and local area networks (mostly running static routing).
Economic principles must be considered: an effective defence has to satisfy them. Fig. 2 analyses the cooperation of each participant under a distributed denial-of-service attack. The vertical axis represents the degree of direct loss, and the willingness to cooperate that the direct loss creates; the horizontal axis represents the difficulty of implementing protection, determined mainly by the number of participants and their technical capability.
In Fig. 2, only the participants in the upper left have a good willingness to cooperate, are willing to pay a corresponding cost for protection, and face low implementation difficulty. All remaining participants have problems of some degree with willingness or difficulty; requirements placed on them must not be compulsory and must not demand excessive cost, and the cost asked of them should preferably bring them corresponding benefit.
Guided by these principles, we propose the distributed denial-of-service protection method based on the quasi-anonymous credit mechanism. Fig. 3 shows the network topology of the method: devices drawn in solid boxes are mandatory and devices drawn in dashed boxes are optional. Fig. 4 is a schematic of the mechanism, distinguishing legitimate data flows, illegitimate data flows and feedback data flows.
The core devices of the method are:
Quasi-anonymous identity application device: stamps a quasi-anonymous identity label onto the network packets sent by the user's computer system. A quasi-anonymous identity label is an identity label that does not need to be authenticated; the label this method suggests is a random number of a certain length (such as 64 bits). The validity of this labelling method is discussed below.
Quasi-anonymous credit inspection device: checks the credit record corresponding to the quasi-anonymous identity label of each incoming packet and then applies access bandwidth constraints according to the corresponding credit grade. The credit record associated with a quasi-anonymous identity label is called its quasi-anonymous credit. When an incoming packet carries no quasi-anonymous identity label, the device degrades to the HIP method. The credit grade, and the service actually obtained, under HIP are lower than for packets carrying good quasi-anonymous credit, which encourages clients to install the quasi-anonymous identity application device.
Quasi-anonymous credit scoring device: rates the credit grade of each quasi-anonymous identity label according to its behaviour and feeds the result back to the credit inspection device. Only complex scoring methods need to run on the scoring device; simple scoring methods, such as history records and simple bandwidth constraints, can run directly on the inspection device.
Of these devices, only the quasi-anonymous credit inspection device is mandatory, which shows that the method can be deployed incrementally.
To improve protection, the method also includes optional peripheral devices:
Routing label device: stamps routing labels onto packets passing through; a typical design is that of the stateless Internet flow filter (SIFF). The routing label helps the quasi-anonymous credit method identify the real source of packets more accurately, and lets the individual quasi-anonymous credit of clients sharing a routing label be aggregated into a network quasi-anonymous credit. Clients accessing from a subnet with good network credit start with a higher initial credit grade; conversely, clients from a subnet with poor network credit start with a lower initial credit grade.
Subnet behaviour control device: controls the network behaviour of the hosts in the subnet under its jurisdiction; a typical design is the source-end defence system D-WARD. By restraining malicious behaviour that may arise in the subnet, the device helps raise the credit record of the subnet as a whole, ensuring that legitimate users in the subnet enjoy better network service.
These two optional devices are only needed to realise network quasi-anonymous credit more effectively.
Structure of the quasi-anonymous identity label
The quasi-anonymous identity label is present in the network packet as a header field. Fig. 5 and Fig. 6 show two possible schemes.
The routing label is marked by routers, using a method similar to that described for the stateless Internet flow filter (SIFF). The routing label is not the focus of this method and is not discussed further here.
The quasi-anonymous identity label is a random string of a certain length (such as 32 or 64 bits). The same user computer system uses different labels towards different target networks, and over a period of time uses the same label towards the same target network, unless the target network notifies the user system to renew its label.
In this way the target network can use the label to recognise the user computer system regardless of whether its IP changes, while different target networks cannot learn the label a user system uses when visiting other target networks and so cannot directly impersonate it.
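The client-side behaviour described in the method steps and in the label structure above, as an added Python example that is not the patent's code: one random label per target network, minted on first contact, reused across the client's own IP changes, unrelated between targets, and replaced only when the target's reply asks for a change. The 64-bit width is one of the two widths the text mentions; identifying the target network by the destination's /24 prefix, and modelling a packet as a dict whose "qid" field stands in for the header field of Fig. 5/6, are assumptions.

```python
"""Client side of the quasi-anonymous identity label (added example, not the
patent's code). Assumptions: 64-bit labels, target network = destination /24,
packet modelled as a dict with a 'qid' field in place of the header field."""
import ipaddress
import secrets
from typing import Dict

LABEL_BITS = 64                              # the text suggests 32 or 64 bits; 64 assumed


def target_key(dst_ip: str) -> str:
    """Assumed rule for what counts as one target network: the /24 prefix."""
    return str(ipaddress.ip_network(f"{dst_ip}/24", strict=False))


class QuasiAnonymousIdentity:
    def __init__(self, bits: int = LABEL_BITS) -> None:
        self.bits = bits
        self.labels: Dict[str, int] = {}     # target network -> current label

    def label_for(self, target_net: str) -> int:
        """Label used towards target_net, minted at random on first contact
        and then kept, so the target can recognise us across IP changes."""
        if target_net not in self.labels:
            self.labels[target_net] = secrets.randbits(self.bits)
        return self.labels[target_net]

    def rotate(self, target_net: str) -> int:
        """Handle the target's change notice: drop the old label, start afresh."""
        self.labels.pop(target_net, None)
        return self.label_for(target_net)

    def mark(self, src_ip: str, dst_ip: str, payload: bytes) -> dict:
        """Stamp an outgoing packet with the label for its target network."""
        return {"src": src_ip, "dst": dst_ip,
                "qid": self.label_for(target_key(dst_ip)), "payload": payload}


def properties() -> Dict[str, bool]:
    """Check the properties the text claims, on constructed addresses."""
    ident = QuasiAnonymousIdentity()
    p1 = ident.mark("203.0.113.10", "198.51.100.7", b"GET /")
    p2 = ident.mark("203.0.113.10", "198.51.100.9", b"GET /")   # same target network
    p3 = ident.mark("192.0.2.33", "198.51.100.7", b"GET /")     # client IP roamed
    p4 = ident.mark("203.0.113.10", "192.0.2.80", b"GET /")     # different target
    old = p1["qid"]
    new = ident.rotate(target_key("198.51.100.7"))              # change notice received
    return {
        "same_target_same_label": p1["qid"] == p2["qid"],
        "survives_ip_roaming": p1["qid"] == p3["qid"],
        "unlinkable_across_targets": p1["qid"] != p4["qid"],
        "rotated_on_notice": new != old,
        "fits_64_bits": 0 <= new < 2 ** 64,
    }


if __name__ == "__main__":
    print(properties())
```

Because the label is keyed by target network rather than by the client's own address, a roaming client keeps its credit at each target, and because a fresh random value is drawn per target, two targets comparing their logs cannot link the same client.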
Effectiveness analysis of the quasi-anonymous credit mechanism
This defence effectively satisfies every requirement set out above. This section analyses several of the more critical effectiveness questions.
First, the method provides highly cost-effective defence against first-packet attacks.
Using the credit mechanism based on quasi-anonymous identity, the packets of legitimate users (users with a good credit record) can be recognised effectively, which guarantees normal responses to legitimate users' network access while under distributed denial-of-service attack.
Without eavesdropping, an attacker cannot easily forge the quasi-anonymous identity label of a legitimate user and can only try to collide with one by exhaustive search. In general, a 64-bit label is enough to deter the attacker from attempting exhaustive search. Suppose the attacker controls 10,000 zombie machines, each zombie controls 10 IPs, and each IP tries 10,000 quasi-anonymous identity labels per hour (more than that can be shut off at the credit inspection device); and suppose a website has 1,000,000,000 legitimate users. Then, even searching at full capacity, the attacker on average needs
1/(((1E4*10)*1E4)*(1E9/2^64)) = 18.4
that is, 18.4 hours, to hit the label of a single legitimate user. Even having hit one, the attacker cannot tell that it is using a legitimate user's label, because labels differ only in the quality of service they receive, not in an absolute on/off decision. On the other hand, once the attacker uses a legitimate user's label to attack, that label's credit grade drops immediately and it is shut off (its quality of service is greatly reduced). Authentication could also be used to solve the first-packet attack problem, but to complete authentication securely without a server-side response the client would need a rather complex protocol; under exhaustive attack its protection strength would be no better than the quasi-anonymous label, and authentication-based methods also conflict with the privacy requirement above.
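The exhaustive-search estimate above, carried through as an added Python example that is not part of the patent and generalised to other label widths and attacker sizes: every guess hits some legitimate label with probability (legitimate users)/2^bits, so the number of guesses to the first hit is geometric and the expected time is the reciprocal of the hit rate. The example models only uniformly random, distinct labels and the per-IP guess-rate cap the text attributes to the credit inspection device; the one-year margin used in bits_needed() is an assumed target, not a figure from the text.

```python
"""Expected time to collide with any legitimate quasi-anonymous label by
exhaustive guessing (added example, not the patent's code)."""
import math


def expected_hours_to_first_hit(label_bits: int, bots: int, ips_per_bot: int,
                                guesses_per_ip_hour: float, legit_users: int) -> float:
    """Each guess hits some legitimate label with probability
    legit_users / 2**label_bits (labels assumed uniform and distinct), so the
    first hit is geometric; expected guesses = 1/p, divided by the guess rate."""
    guesses_per_hour = bots * ips_per_bot * guesses_per_ip_hour
    p_hit = legit_users / 2 ** label_bits
    return 1.0 / (guesses_per_hour * p_hit)


def bits_needed(target_hours: float, bots: int, ips_per_bot: int,
                guesses_per_ip_hour: float, legit_users: int) -> int:
    """Smallest label width whose expected time to first hit is >= target_hours."""
    guesses_per_hour = bots * ips_per_bot * guesses_per_ip_hour
    return math.ceil(math.log2(guesses_per_hour * legit_users * target_hours))


# The scenario in the text: 10,000 zombies x 10 IPs x 10,000 guesses/IP/hour
# (the per-IP rate is what the inspection device caps), 1e9 legitimate users.
PATENT = dict(bots=10_000, ips_per_bot=10, guesses_per_ip_hour=10_000,
              legit_users=1_000_000_000)


def patent_scenario_hours() -> float:
    return expected_hours_to_first_hit(64, **PATENT)


if __name__ == "__main__":
    print(f"64-bit label: {patent_scenario_hours():.1f} h to first hit")
    print(f"32-bit label: {expected_hours_to_first_hit(32, **PATENT) * 3600:.2e} s")
    print(f"bits for an assumed one-year margin: {bits_needed(24 * 365, **PATENT)}")
```

Running it reproduces the 18.4 hours for 64 bits and shows why the 32-bit width also mentioned in the text is inadequate at this scale: with a billion users in a 32-bit space, roughly a quarter of all labels are live and the first guess hits within microseconds.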
Now consider an attacker who uses eavesdropping. On the one hand, in today's predominantly switched networks eavesdropping is much harder, and port binding or MAC address binding can further increase the difficulty of illicit monitoring. On the other hand, once an attacker can eavesdrop, it can effectively attack nearly all network protocols, including SSH and SSL (in practice, where the peer's key or certificate is not verified), through man-in-the-middle and spoofing attacks. In this case we do not attempt to design a complex protocol to resist the attack; our goal is, through economic incentives, to motivate users to improve the security of their own networks themselves and drive illicit eavesdroppers out. To this end we combine the network credit mechanism with the host credit mechanism: if an eavesdropper steals a quasi-anonymous identity label and attacks with it, both the host credit and the network credit of the network it sits in are affected. Users will therefore be more willing than today to strengthen the security of their own networks and hosts in order to obtain better service, and only in this way can the security problem of the Internet be solved at its root.
As stated above, economic principles are the key to this method: each party's cost and benefit are kept in relative balance, which ensures the economic feasibility of deployment.
The target network needs a quasi-anonymous credit inspection device of complexity comparable to today's stateful inspection firewalls, which solves the DDoS attacks that have a fatal impact on its business. Such a cost, for such a result, is one the target network is willing to accept.
In client networks, a client that adopts the quasi-anonymous identity labelling device still enjoys good service while the target network is under DDoS attack; a client that does not adopt it gets network access no different from today: unhindered when there is no DDoS attack, and unable to obtain the service it is due when there is. The labelling device is logically simple and very cheap to implement. In addition, clients should make efforts to drive malicious attackers out of their own networks, including by adopting the network behaviour control device, since otherwise their own quasi-anonymous credit suffers. This incentive will be the key factor that ultimately raises the security level of the Internet.
Backbone networks only need to perform simple packet marking on a limited number of routers, and such deployment can be expanded incrementally. This work improves the quality of network service for the networks they serve, which backbone service providers are glad to see.
Finally, protecting user privacy is an important consideration of this method.
The quasi-anonymous identity label is an optional protocol layered on the underlying protocol between the user computer system and the target network; it exposes no application-layer information about the client. Because it differs when visiting different target networks, it cannot be used to track a user's behaviour across them.
Figure 7 is the general flow chart of the distributed denial-of-service attack prevention method based on the quasi-anonymous credit mechanism according to the present invention. The concrete steps of the prevention method are described below with reference to the drawings:
1. Client side
On the client side the work is mainly that of the quasi-anonymous identity label device, comprising the following:
1) Marking the quasi-anonymous identity label
Each outgoing network packet is marked with the corresponding quasi-anonymous identity label.
2) Generation and recording of the quasi-anonymous identity label
There are several schemes for generating the quasi-anonymous identity label; two of them are illustrated in Fig. 7.
The first scheme, shown in the upper left of Fig. 7, generates an independent random string as the identity label for each target network and records it in a table.
The second scheme, shown in the lower left of Fig. 7, uses a single label seed for all target networks and computes a keyed-hash message authentication code (HMAC) over the seed and the target network address; the result is this host's quasi-anonymous identity label for that target network. The label seed is also a random string.
Of the two schemes, the first is superior for updating (only the label of the target network concerned needs to be regenerated), while the second is simpler to implement (no per-target table). Whichever scheme is adopted does not affect the overall structure of the method.
To balance efficiency against security, it is suggested that target networks be divided using the mask 255.255.255.192, i.e. every 64 consecutive target IP addresses share the same quasi-anonymous identity label.
3) Updating the quasi-anonymous identity label
Under normal conditions, when the target computer system responds to an access request from the user computer system, it sets the quasi-anonymous identity label field of the response to that user computer system's label, as shown in Figure 8.
When the credit record of this quasi-anonymous identity label is poor, the target computer system may optionally notify the user. When the user computer system needs to change its original label, the method of Figure 9 can be used.
Upon receiving a label change notification, the user computer system makes the corresponding change: under the first generation scheme it regenerates the label for the target network concerned; under the second generation scheme it regenerates the label seed.
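The client-side steps 1) to 3) above, as an added example that is not code from the patent: both label generation schemes, the 255.255.255.192 (/26) aggregation of target addresses, packet marking, and the two different reactions to a change notification. The 16-byte label length, HMAC-SHA256 as the HMAC instance, a 32-byte seed, and placing the label in front of the payload are assumptions of this example; the description fixes none of them.

```python
"""Client-side quasi-anonymous identity label generation and packet marking.

Added example, not code from the patent. Implements both generation schemes
from the description and the /26 (255.255.255.192) target aggregation.
Assumed here: 16-byte labels, HMAC-SHA256, a 32-byte seed, label prepended
to the payload.
"""
import hashlib
import hmac
import ipaddress
import secrets

# The description's mask 255.255.255.192 is a /26: 64 addresses per label.
TARGET_PREFIX = ipaddress.IPv4Network("0.0.0.0/255.255.255.192").prefixlen
LABEL_LEN = 16   # fixed-length label (claim 3); exact size is an assumption
SEED_LEN = 32    # assumed seed size


def target_network(target_ip):
    """Map a target IP to the /26 network whose 64 addresses share one label."""
    net = ipaddress.ip_network(f"{target_ip}/{TARGET_PREFIX}", strict=False)
    return str(net.network_address)


class RandomLabelClient:
    """Scheme 1: an independent random label per target network, kept in a table."""

    def __init__(self):
        self.table = {}

    def label_for(self, target_ip):
        net = target_network(target_ip)
        if net not in self.table:
            self.table[net] = secrets.token_bytes(LABEL_LEN)
        return self.table[net]

    def on_change_notice(self, target_ip):
        """Target asked for a new label: regenerate only that target's entry."""
        self.table[target_network(target_ip)] = secrets.token_bytes(LABEL_LEN)


class HmacLabelClient:
    """Scheme 2: one random seed; label = HMAC(seed, target network address)."""

    def __init__(self, seed=None):
        self.seed = seed if seed is not None else secrets.token_bytes(SEED_LEN)

    def label_for(self, target_ip):
        net = target_network(target_ip).encode()
        return hmac.new(self.seed, net, hashlib.sha256).digest()[:LABEL_LEN]

    def on_change_notice(self, target_ip=None):
        """Only the seed exists, so every target's label changes with it."""
        self.seed = secrets.token_bytes(SEED_LEN)


def mark_packet(payload, label):
    """Stamp the label onto an outgoing packet (label placement is assumed)."""
    return label + payload


def label_of(packet):
    """What the target-side inspection device reads back from a marked packet."""
    return packet[:LABEL_LEN]
```

Two points the code makes visible: with the HMAC scheme, two hosts in different target networks see unrelated labels from the same client (the privacy property claimed later in the description), and a change notice from one target forces a new seed and therefore new labels towards every target, which is the updating disadvantage the description attributes to scheme 2.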
2. Intermediate gateways and routers
Intermediate gateways and routers perform routing labeling and network behavior control.
1) Routing label
The routing-label approach of the Stateless Internet Flow Filter (SIFF) method described in the background art can be adopted, but without the filtering and secure hash computation that SIFF performs on the route; safety filtering is delegated to the target network end.
2) Network behavior control
Typical designs such as the source-end defense system D-WARD, or other methods, can be used to implement it.
3. Target network end
The target network end mainly keeps credit records and, when under distributed denial-of-service attack, performs service quality control according to those records.
1) Host quasi-anonymous credit record
Hosts are identified by their quasi-anonymous identity label, and each host's credit is determined by its behavior. In general, a longer history of lawful access produces a higher credit level. A concrete implementation may also tie credit to the application, for instance rating registered legitimate users higher than unregistered ones.
If the credit record of a quasi-anonymous identity label is poor, the target computer system can notify the host to change it when replying, so that it starts building credit afresh. This is mainly to cover the case where the label has been stolen (by exhaustive search or by sniffing).
2) Network quasi-anonymous credit record
Hosts belonging to the same network are identified by the routing label. The average of the quasi-anonymous credit of all hosts in a network is that network's quasi-anonymous credit, and the network's credit is in turn used in grading the credit of its hosts.
3) Service quality control based on quasi-anonymous credit
When the target network is not under distributed denial-of-service attack, this control need not be started; when the target network comes under attack, the service quality control mechanism is started.
Figure 10 gives an example of service quality control based on quasi-anonymous credit: users with a good credit record are not subject to access restrictions, while users with a bad credit record are subject to strict bandwidth and resource limits.
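The target-end steps 1) to 3) above, as an added example that is not code from the patent: a credit store that scores each label from observed behavior, derives network credit as the average over the hosts behind one routing label, grades host credit by it, and applies bandwidth classes only while under attack. The credit increments, the thresholds, the half-weight given to network credit, the bandwidth classes and the behavior trace are all constructed assumptions; the description fixes only that longer lawful-access history raises credit, that registered users may rank above unregistered ones, that network credit is the hosts' average and feeds host grading, that poor-credit labels are told to change, and that control runs only during an attack.

```python
"""Target-side quasi-anonymous credit record and service-quality control.

Added example, not code from the patent. Credit increments, thresholds, the
network-credit weighting, the bandwidth classes and the behavior trace are
assumptions of this example.
"""
from dataclasses import dataclass

GOOD_CREDIT = 5      # assumed: effective credit at or above this is unrestricted
MAX_CREDIT = 10      # assumed cap on host credit
LAWFUL_GAIN = 1      # assumed credit gained per lawful access
REGISTERED_GAIN = 2  # assumed: registered users build credit faster
ABUSE_PENALTY = 3    # assumed credit lost per abusive event

# Constructed bandwidth classes applied by the credit inspection device.
BANDWIDTH_KBPS = {"unrestricted": None, "limited": 256, "strict": 16}


@dataclass
class HostRecord:
    credit: int = 0
    network: str = ""   # routing label of the network this label was last seen from


class CreditStore:
    """Credit scoring device (records) plus credit inspection device (decisions)."""

    def __init__(self):
        self.hosts = {}
        self.under_attack = False

    def observe(self, label, routing_label, lawful, registered=False):
        """Record one observed behavior of a quasi-anonymous label."""
        rec = self.hosts.setdefault(label, HostRecord())
        rec.network = routing_label
        if lawful:
            gain = REGISTERED_GAIN if registered else LAWFUL_GAIN
            rec.credit = min(MAX_CREDIT, rec.credit + gain)
        else:
            rec.credit -= ABUSE_PENALTY
        return rec.credit

    def network_credit(self, routing_label):
        """Average credit of all hosts seen behind one routing label."""
        vals = [r.credit for r in self.hosts.values() if r.network == routing_label]
        return sum(vals) / len(vals) if vals else 0.0

    def effective_credit(self, label):
        """Host credit graded by its network's credit (half weight, assumed)."""
        rec = self.hosts.get(label)
        if rec is None:
            return 0.0          # never seen: no history either way
        return rec.credit + self.network_credit(rec.network) / 2

    def decide(self, label):
        """Return (bandwidth class, whether to tell the host to change its label)."""
        if not self.under_attack:
            return "unrestricted", False      # control is off outside attacks
        rec = self.hosts.get(label)
        change_notice = rec is not None and rec.credit < 0
        eff = self.effective_credit(label)
        if eff >= GOOD_CREDIT:
            return "unrestricted", change_notice
        if eff >= 0:
            return "limited", change_notice
        return "strict", change_notice


def run_trace():
    """Feed a constructed behavior trace; return the store and decisions."""
    store = CreditStore()
    trace = [  # (label, routing label, lawful?, registered?) - constructed
        *([("alice", "net-A", True, False)] * 6),
        *([("bob", "net-A", True, True)] * 3),
        ("mallory", "net-B", True, False),
        *([("mallory", "net-B", False, False)] * 3),   # e.g. flood traffic
        *([("eve", "net-B", True, False)] * 2),
    ]
    for label, net, lawful, registered in trace:
        store.observe(label, net, lawful, registered)
    calm = {lbl: store.decide(lbl) for lbl in ("alice", "mallory")}
    store.under_attack = True
    busy = {lbl: store.decide(lbl) for lbl in ("alice", "bob", "eve", "mallory", "zed")}
    return store, calm, busy
```

In the trace, eve behaves lawfully but shares a routing label with mallory, so under attack she is throttled to the "limited" class while alice, with the same kind of history in a clean network, stays unrestricted; that is the incentive the description relies on to make customer networks drive attackers out. A label never seen before ("zed") has no history and lands in the limited class during an attack, which is how the first-packet problem is absorbed without an authentication round trip.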
Although preferred embodiments and drawings of the present invention have been disclosed for the purpose of illustration, those skilled in the art will appreciate that various substitutions, variations and modifications are possible without departing from the spirit and scope of the invention and the appended claims. The invention should therefore not be limited to the preferred embodiments and the content disclosed in the drawings.

Claims (6)

1. A prevention system against distributed denial-of-service attacks, comprising the following devices:
a quasi-anonymous identity application device, located at the user computer system, for stamping a quasi-anonymous identity label on the network packets sent by the user computer system;
a quasi-anonymous credit inspection device, located at the gateway of the target computer system, for checking the credit record corresponding to the quasi-anonymous identity label of incoming network packets and then applying access bandwidth limits according to the corresponding credit grade;
a quasi-anonymous credit scoring device, located at the target computer system, for rating the credit grade of a quasi-anonymous identity label according to its behavior and feeding the result back to the quasi-anonymous credit inspection device.
2. The prevention system against distributed denial-of-service attacks according to claim 1, characterized in that it further comprises optional peripheral devices, specifically:
a routing label device, for stamping a routing label on passing network packets;
a subnet behavior control device, located at the customer network gateway, for controlling the network behavior of the hosts in the subnet under its jurisdiction.
3. The prevention system against distributed denial-of-service attacks according to claim 1, characterized in that the quasi-anonymous identity label is a random number of fixed length.
4. A prevention method against distributed denial-of-service attacks, specifically comprising the following steps:
on the client side, the following steps:
1) marking each outgoing network packet with the corresponding quasi-anonymous identity label;
2) generating and recording the quasi-anonymous identity label;
3) updating the quasi-anonymous identity label;
at intermediate gateways and routers, performing routing labeling and network behavior control;
at the target network end, mainly keeping credit records and, when under distributed denial-of-service attack, performing service quality control according to the credit records, specifically comprising the steps of:
1) identifying hosts by their quasi-anonymous identity label and determining their credit according to their behavior;
2) identifying hosts belonging to the same network by the routing label;
3) not starting the control when the target network is not under distributed denial-of-service attack, and starting the service quality control mechanism when the target network comes under distributed denial-of-service attack.
5. The prevention method against distributed denial-of-service attacks according to claim 4, characterized in that, on the client side, the quasi-anonymous identity label is generated by producing, for each target network, an independent random string as the identity label and recording it.
6. The prevention method against distributed denial-of-service attacks according to claim 4, characterized in that, on the client side, one method of generating the quasi-anonymous identity label is: for all target networks, computing a keyed-hash message authentication code (HMAC) over a label seed and the target network address, the result being this host's quasi-anonymous identity label for that target network.
CNB2005100029142A 2005-01-26 2005-01-26 Protecting system and method aimed at distributing reject service attack Expired - Fee Related CN100380871C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005100029142A CN100380871C (en) 2005-01-26 2005-01-26 Protecting system and method aimed at distributing reject service attack

Publications (2)

Publication Number Publication Date
CN1812335A CN1812335A (en) 2006-08-02
CN100380871C true CN100380871C (en) 2008-04-09

Family

ID=36845041

Country Status (1)

Country Link
CN (1) CN100380871C (en)

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101572700B (en) * 2009-02-10 2012-05-23 中科正阳信息安全技术有限公司 Method for defending HTTP Flood distributed denial-of-service attack
CN101600227B (en) * 2009-06-26 2013-04-24 北京邮电大学 Distributed network routing method and routing device
CN101986741B (en) * 2010-11-19 2013-09-11 中国船舶重工集团公司第七〇九研究所 Virtual subnet partition method based on node reputation in MANET (mobile ad hoc network)
CN107564149A (en) * 2017-08-28 2018-01-09 新华三技术有限公司 A kind of personal identification method, device, server and terminal

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020199109A1 (en) * 2001-06-25 2002-12-26 Boom Douglas D. System, method and computer program for the detection and restriction of the network activity of denial of service attack software
WO2003017613A1 (en) * 2001-08-07 2003-02-27 Ip-Online Gmbh Method, data carrier, computer system and computer programme for the identification and defence of attacks on server systems of network service providers and operators
WO2004012089A1 (en) * 2002-07-29 2004-02-05 International Business Machines Corporation Method and apparatus for improving the resilience of content distribution networks to distributed denial of service attacks
US20040233846A1 (en) * 2003-04-17 2004-11-25 Khandani Mehdi K. Method for quantifying reponsiveness of flow aggregates to packet drops in communication network

Similar Documents

Publication Publication Date Title
Alharbi Deployment of blockchain technology in software defined networks: A survey
CN1968272B (en) Method used for remitting denial of service attack in communication network and system
Tupakula et al. A practical method to counteract denial of service attacks
Douligeris et al. DDoS attacks and defense mechanisms: classification and state-of-the-art
CN100452799C (en) Method for preventing forgery of source address based on signature authentication inside IPv6 sub network
Wu et al. Source address validation: Architecture and protocol design
US20070192500A1 (en) Network access control including dynamic policy enforcement point
Wu et al. A source address validation architecture (sava) testbed and deployment experience
US20040196843A1 (en) Protection of network infrastructure and secure communication of control information thereto
WO2005024567A2 (en) Network communication security system, monitoring system and methods
US7299297B2 (en) Method and apparatus for protecting electronic commerce from distributed denial-of-service attacks
Geng et al. Defending wireless infrastructure against the challenge of DDoS attacks
Kline et al. Shield: DoS filtering using traffic deflecting
CN100380871C (en) Protecting system and method aimed at distributing reject service attack
US20070287422A1 (en) Communication System and Method for Providing a Mobile Communications Service
CN102027726A (en) Method and apparatus for controlling the routing of data packets
Candolin Securing military decision making in a network-centric environment
Tupakula et al. Tracing DDoS floods: An automated approach
CN112653506A (en) Block chain-based handover flow method for spatial information network
Bhaskaran et al. Tracebacking the spoofed IP packets in multi ISP domains with secured communication
Lee Advanced packet marking mechanism with pushback for ip traceback
He et al. Network-layer accountability protocols: a survey
Mehrotra A review on attack in wireless and computer networking
Kurian et al. FONet: a federated overlay network for DoS defense in the Internet (a position paper)
JP3938763B2 (en) DoS attack countermeasure system, method and program

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20080409

Termination date: 20140126