CN101547124A - Method, system and device for preventing illegal routing attacks - Google Patents


Info

Publication number: CN101547124A
Authority: CN (China)
Prior art keywords: request message, address, sip request, domain name, list
Legal status: Pending
Application number: CN200810090362A
Other languages: Chinese (zh)
Inventors: 张喆, 吴平, 陈斌, 赵武
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Application filed by: Huawei Technologies Co Ltd
Priority to: CN200810090362A
Priority to: PCT/CN2009/071033 (WO2009117968A1)
Publication of: CN101547124A

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441  Countermeasures against malicious traffic

Abstract

Embodiments of the invention disclose a method, a system and a device for preventing illegal routing attacks. The method comprises: when the next hop in a SIP request message is in IP address format, detecting whether the next-hop IP address in the SIP request message is a broadcast address; when it is a broadcast address, rejecting the SIP request message; and when it is not, performing a legality check on the SIP request message according to an IP forbidden list and an IP allowed list in a preconfigured SIP application-layer logic routing table. By looking up the preconfigured SIP application-layer logic routing table to check the legality of SIP request messages, the embodiments address the problem of illegal routing attacks carried in SIP request messages.

Description

Method, system and device for preventing illegal routing attacks
Technical field
The present invention relates to the field of network technology, and in particular to a method, system and device for preventing illegal routing attacks.
Background art
With the development of Internet technology, IMS (IP Multimedia Subsystem) / generalized NGN (Next Generation Network) solutions represent the trend of telecom solutions moving to IP (Internet Protocol). Telecom solutions based on VoIP (Voice over IP) face security threats that the traditional, relatively closed communication networks did not have, because of their openness and their combination with IP communication.
IP-based communication networks, of which the IMS solution is representative, currently face more security threats. These threats mainly cover networking security vulnerabilities, application-layer logic vulnerabilities such as SIP (Session Initiation Protocol) application-layer logic illegal routing attacks, and protocol/standard vulnerabilities. Because VoIP solutions such as IMS / generalized NGN rely on many protocols, a protocol may have been designed with insufficient consideration, an early protocol may not have considered a particular security problem, or a later standard may cite such a protocol directly without adapting it; the result is many security vulnerabilities.
At present there is no technical solution to SIP application-layer logic illegal routing attacks.
Summary of the invention
Embodiments of the invention provide a method, system and device for preventing illegal routing attacks, so as to solve the problem of SIP application-layer logic illegal routing attacks.
To this end, in one aspect the embodiments provide a method for preventing illegal routing attacks, comprising the following steps:
When the next hop in a SIP request message is in IP address format, detecting whether the IP address of the next hop in the SIP request message is a broadcast address;
When the IP address is a broadcast address, rejecting the SIP request message;
When the IP address is not a broadcast address, performing a legality check on the SIP request message according to an IP forbidden list and an IP allowed list in a preconfigured SIP application-layer logic routing table.
In another aspect, the embodiments also provide a system for preventing illegal routing attacks, comprising:
A device for preventing illegal routing attacks, used to perform legality detection and routing processing on Session Initiation Protocol (SIP) request messages according to a preconfigured application-layer logic routing table.
In yet another aspect, the embodiments also provide a device for preventing illegal routing attacks, comprising:
A detection module, used to detect, when the next hop of a SIP request message is in IP address format, whether the IP address of the next hop in the SIP request message is a broadcast address;
A rejection module, used to reject the SIP request message when the IP address is a broadcast address;
A first checking module, used to perform a legality check on the SIP request message, when the IP address is not a broadcast address, according to the IP forbidden list and the IP allowed list in the preconfigured SIP application-layer logic routing table.
The embodiments have the following beneficial effect: by looking up the preconfigured SIP application-layer logic routing table to check the legality of the SIP request message, they solve the problem of illegal routing attacks carried in SIP request messages.
Brief description of the drawings
Fig. 1 is a flowchart of the method for preventing illegal routing attacks in embodiment one of the invention;
Fig. 2 is a flowchart of the SIP request message preprocessing in embodiment one of the invention;
Fig. 3 is a flowchart of attack detection and routing processing according to IP address in embodiment one of the invention;
Fig. 4 is a flowchart of message sending processing in embodiment one of the invention;
Fig. 5 is a flowchart of the method for preventing illegal routing attacks in embodiment two of the invention;
Fig. 6 is a flowchart of attack detection and routing processing according to domain name in embodiment two of the invention;
Fig. 7 is a flowchart of the method for preventing illegal routing attacks in embodiment three of the invention;
Fig. 8 is a schematic diagram of the structure of the system for preventing illegal routing attacks in embodiment four of the invention;
Fig. 9 is a schematic diagram of the structure of one device for preventing illegal routing attacks in embodiment four of the invention;
Fig. 10 is a schematic diagram of the structure of another device for preventing illegal routing attacks in embodiment four of the invention.
Detailed description of the embodiments
Embodiments of the invention are described in detail below with reference to the drawings and to the specific implementation steps:
The technical solution provided by the embodiments protects against illegal routing attacks carried in SIP request messages and provides a security-log recording capability. The next-hop routing format of a SIP request message is "user name + @ + host name", i.e. user@host, where host is called the host part. SIP message routing based on the Route header field and the Request-URI (Uniform Resource Identifier) either obtains the next-hop IP address from the host part or routes the message by domain name; an IP-address-based illegal routing attack may therefore use an IP address carried directly in the SIP request message, or an IP address obtained by resolving, through DNS (Domain Name System), a domain name carried in the SIP request message. While routing a SIP request message, the network element must use the SIP application-layer logic routing table to analyze whether the route is legal.
To strengthen control of, and protection against, illegal routing attacks carried in SIP request messages, the embodiments analyze the SIP application-layer logic of IMS / generalized NGN and propose a route-control mechanism based on that application-layer logic. It is implemented in the form of a SIP application-layer logic routing table and supplemented by a security log that records SIP illegal routing attack behaviour, so that it can be traced and analyzed later. The format of the application-layer logic routing table in the embodiments is defined as shown in Table 1 below:
Table 1
[Table 1 is reproduced in the original only as images A200810090362D00081 and A200810090362D00091; its contents are not available in the text.]
Different network elements in an IMS / generalized NGN network have different application-layer logic, so each network element has its own independent application-layer logic routing table. A particular network element fills in its SIP request message application-layer logic routing table per request method, defining for each class of message the permitted/forbidden routing destination addresses (host IP addresses, network IP addresses and wildcards of these are supported). Because a SIP response message that has no corresponding request is discarded directly by the SIP server, the embodiments do not analyze SIP response messages.
Likewise, permitted/forbidden routing destination domain names (wildcards supported) are defined for each class of message, as shown in Table 2.
Table 2
[Table 2 is reproduced in the original only as image A200810090362D00092; its contents are not available in the text.]
The request methods in Table 1 or Table 2 mainly cover INVITE (call) / REGISTER (registration) / OPTIONS / SUBSCRIBE (subscription) / NOTIFY (notification) / REFER / MESSAGE / CANCEL (cancellation) / ACK (acknowledgement), etc.; particular attention is paid to INVITE / REGISTER / SUBSCRIBE / MESSAGE, whose network-side processing is relatively complex and can cause many state changes and much resource consumption. Which request method is used to ask a network element to route a SIP request message is determined by the initiator of the request. Figure 1 is the flowchart of the method for preventing illegal routing attacks in embodiment one of the invention, which comprises the following steps:
Step S101: receive the SIP request message, preprocess it, and obtain the next hop of the SIP request message. The preprocessing flow is shown in Figure 2: after the received SIP request message has been decoded, the SIP proxy performs internal processing on the decoded message. It then judges whether the SIP request message is to be routed according to the Route header field; if so, the next hop is obtained from the top Route header field, otherwise the next hop is obtained from the Request-URI.
Step S102: judge whether the obtained next hop is an IP address. If it is, go to step S106; otherwise go to steps S103 to S105.
Steps S103 to S105: DNS resolution. When the obtained next hop is not an IP address, i.e. it is a domain name, resolve the domain name through DNS to obtain the corresponding IP address. If resolution succeeds, go to step S107; otherwise processing fails and an error is returned.
Step S106: attack detection and routing processing according to the IP address. The detection and routing flow is shown in Figure 3 and comprises the following steps:
Step S1061: processing begins.
Step S1062: judge whether the IP address is a broadcast address, i.e. check whether the SIP request message carries the malicious-attack feature of a broadcast IP address (the limited broadcast address 255.255.255.255 or the directed broadcast address of a subnet) as its next hop. If it does, go to step S1063; otherwise go to step S1065.
Step S1063: record a security log entry from the request initiator information contained in the SIP request message.
Step S1064: reject the SIP request message with a 403 response and end the current session.
Step S1065: query the application-layer logic routing table by IP address.
Step S1066: judge, according to the request method name in the SIP request message, whether this IP address appears in the forbidden IP address list of the application-layer logic routing table. If it does not, go to step S1067; otherwise go to steps S1063 and S1064.
Step S1067: judge, according to the request method name in the SIP request message, whether this IP address appears in the permitted IP address list of the application-layer logic routing table. If it does, go to step S1068; otherwise go to step S1064.
Step S1068: route the message according to the IP address.
Step S107: message sending processing. The sending flow is shown in Figure 4: encode the SIP request message, route the encoded message to the next hop, and judge whether next-hop routing succeeded. If it succeeded, the next-hop network element processes the SIP request message; otherwise retransmit until timeout and answer with a 408 response.
In this embodiment, the network element judges whether the next hop in the SIP request message is in IP address format and, when it is, detects whether the next-hop IP address is a broadcast address; it rejects the SIP request message when the address is a broadcast address, and otherwise performs a legality check according to the IP forbidden list and IP allowed list in the preconfigured SIP application-layer logic routing table. When the next hop is in domain-name format, it resolves the domain name to obtain the corresponding IP address and then performs the corresponding processing. Illegal routing attacks carried in SIP request messages are thereby prevented.
Figure 5 is the flowchart of the method for preventing illegal routing attacks in embodiment two of the invention, which comprises the following steps:
Step S501: receive the SIP request message, preprocess it, and obtain the next hop of the SIP request message. The preprocessing flow is as in embodiment one.
Step S502: judge whether the obtained next hop is an IP address. If it is not, i.e. it is a domain name, go to step S503; otherwise go to step S504 and the steps that follow it.
Step S503: when the obtained next hop is a domain name, perform a legality check on the SIP request message according to the forbidden domain name list and the permitted domain name list in the preconfigured SIP application-layer logic routing table, as shown in Figure 6, which comprises the following steps:
Step S5031: query the forbidden domain name list according to the request method name in the SIP request message.
Step S5032: judge whether the domain name appears in the forbidden domain name list. If it does, go to step S5033; otherwise go to step S5034 and the steps that follow it.
Step S5033: when the domain name appears in the forbidden domain name list, reject the SIP request message.
Step S5034: when the domain name does not appear in the forbidden domain name list, query the permitted domain name list according to the request method name.
Step S5035: judge whether the domain name appears in the permitted domain name list. If it does, go to step S5036; otherwise go to step S5037.
Step S5036: when the domain name appears in the permitted domain name list, route the SIP request message according to the domain name.
Step S5037: when the domain name does not appear in the permitted domain name list, reject the SIP request message.
Step S504: if the obtained next hop is an IP address, perform attack detection and routing processing according to the IP address; the detection and routing flow is as in embodiment one.
Step S505: message sending processing; the sending flow is as in embodiment one.
In this embodiment, the network element judges whether the next hop in the SIP request message is in IP address format and, when it is, detects whether the next-hop IP address is a broadcast address; it rejects the SIP request message when the address is a broadcast address, and otherwise performs a legality check according to the IP forbidden list and IP allowed list in the preconfigured SIP application-layer logic routing table. When the next hop is in domain-name format, it performs the legality check according to the forbidden domain name list and permitted domain name list in the preconfigured SIP application-layer logic routing table. Illegal routing attacks carried in SIP request messages are thereby prevented.
In a real commercial network environment in which the network operator has fully taken network security into account, it is relatively difficult for an attacker to penetrate the operator's network and attack the IMS network from inside, whereas launching an attack from the user side is relatively easy. This method therefore considers detecting illegal routing attacks in SIP request messages on the P-CSCF (Proxy Call Session Control Function) entity at the entrance of the IMS network. In general, detecting and protecting against illegal routing attacks in SIP request messages on the P-CSCF entity needs to take the following factors into account:
(1) The different processing of the P-CSCF entity in registration and in sessions.
(2) The different processing of the P-CSCF entity in the home domain and in a roaming domain.
However, if the P-CSCF entity were to handle separately attacks via the Route header field and via the Request-URI, the local P-CSCF entity and the roaming P-CSCF entity, and the different registration/session flows, the route-related application-layer logic of the P-CSCF would become quite complex. The invention therefore proposes a relatively simple treatment, described below.
The P-CSCF entity is able to check the correctness of the Route header field. According to the relevant existing technical standards, while the user is in the unregistered state the network-side routing of SIP request messages is determined by DNS name resolution and by the service subscription, not by the Route header field; the Route header field therefore need not be considered in the registration flow. In an ordinary session flow the P-CSCF entity is service-aware, so it can check the routing correctness of SIP request messages sent by the terminal that are routed via the Route header field; if the Route header field is incorrect, the P-CSCF entity can, as the situation requires, modify the Route header field or reject the request, so that the SIP request message loses its attack capability.
Therefore the P-CSCF entity in this embodiment only needs to consider the Request-URI. The network operator configures the permitted domain name list for the P-CSCF entity according to the application-layer logic of its own network, the interworking agreements between its own network and other networks, or particular domain names that local government regulation requires it to support. For the IP address case, the embodiment analyzes, according to the specific application implementation, whether SIP request messages from terminals with a Request-URI in IP address format need to be supported at all; where they do, a permitted IP address list is configured, and a Request-URI carrying a broadcast IP address is strictly forbidden.
Figure 7 is the flowchart of the method for preventing illegal routing attacks in embodiment three of the invention, which comprises the following steps:
Step S701: the P-CSCF entity preprocesses the SIP request message and obtains the next hop of the SIP request message; the preprocessing flow is as in embodiment one.
Step S702: the P-CSCF entity judges whether the host part of the Request-URI is in domain-name format. If it is, go to step S703; otherwise go to step S708.
Step S703: the P-CSCF entity queries the permitted domain name list of the SIP application-layer logic routing table with the domain name in the host part of the Request-URI.
Step S704: the P-CSCF entity judges whether the host-part domain name of the Request-URI is matched. If it is, go to step S705; otherwise go to step S706.
Step S705: the P-CSCF entity routes the legal SIP request message according to the application logic.
Step S706: the P-CSCF entity records the request initiator information from the SIP request message in the security log.
Step S707: the P-CSCF entity rejects the request and ends the current session.
Step S708: the P-CSCF entity judges whether routing messages according to a Request-URI in IP address format is permitted on this P-CSCF entity. If it is, go to step S709; otherwise go to steps S706 and S707.
Step S709: the P-CSCF entity judges whether the IP address is a broadcast IP address. If it is not, go to step S710; otherwise go to steps S706 and S707.
Step S710: the P-CSCF entity queries the permitted IP list of the SIP application-layer logic routing table with the IP address.
Step S711: the P-CSCF entity judges whether the IP address is matched. If it is, go to step S705; otherwise go to step S707.
In this embodiment the P-CSCF entity at the entrance of the IMS network preprocesses the SIP request message, queries the application-layer logic routing table according to the result of preprocessing to perform attack detection and routing processing, and thereby effectively limits the range over which a SIP request message can be routed, preventing illegal routing attacks carried in SIP request messages.
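The decision flow of embodiments one, two and three, implemented as an added example in Python; this is the editor's illustration, not code from the patent or from Huawei. The per-method table ROUTING_TABLE is constructed with the shape implied by Table 1 and Table 2 (forbidden and permitted lists of host IPs, CIDR networks and domain-name wildcards); the hostnames, addresses and the DNS stand-in FAKE_DNS are constructed so the example runs offline. The 403 status on domain-list rejections, the directed-broadcast check against LOCAL_NETS, and refusing a request method that has no table entry are assumptions the patent does not state. With resolve=None, check_request follows embodiment two (domain forbidden/permitted lists, route by name); with a resolver it follows embodiment one, applying the IP checks (steps S1062 to S1068) to the resolved address. The P-CSCF case of embodiment three is the same check applied to a request without a Route header, with empty forbidden lists, and with an empty IP allowed list where IP-format Request-URIs are not supported.

```python
"""SIP application-layer logic routing check (added example; not the patent's code).
Next hop = top Route header, else Request-URI; refuse a broadcast IP next hop; then
apply per-method deny/allow lists. Table, hostnames, addresses and DNS are constructed."""
import ipaddress
import re
from collections import namedtuple
from fnmatch import fnmatch

# Constructed per-method table; the list shape is assumed from the patent's Table 1 / Table 2.
ROUTING_TABLE = {
    "INVITE": {"deny_ip": ["192.0.2.99"], "allow_ip": ["192.0.2.0/24"],
               "deny_domain": ["*.attacker.example"], "allow_domain": ["*.ims.example"]},
    "REGISTER": {"deny_ip": [], "allow_ip": ["192.0.2.10"],
                 "deny_domain": [], "allow_domain": ["ims.example"]},
}
FAKE_DNS = {"pcscf.ims.example": "192.0.2.10", "ims.example": "192.0.2.10",
            "bad.attacker.example": "192.0.2.99"}      # constructed stand-in for DNS
LOCAL_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # directed-broadcast check (assumption)
SECURITY_LOG = []                                     # the patent's "security log"
Decision = namedtuple("Decision", "action status reason target")

def host_of(uri):
    """Host part of a SIP URI or Route value: drop <>, scheme, user@, params and port."""
    uri = re.sub(r"^sips?:", "", uri.strip().strip("<>"), flags=re.I)
    uri = uri.split("@")[-1].split(";")[0].split("?")[0]
    return uri[1:uri.index("]")] if uri.startswith("[") else uri.split(":")[0]

def header(request, name):
    """Value of the first header called `name`, or "" if absent."""
    for line in request.split("\r\n")[1:]:
        if line.lower().startswith(name.lower() + ":"):
            return line.split(":", 1)[1].strip()
    return ""

def next_hop(request):
    """(method, host) of the next hop: top Route header if present, else the Request-URI."""
    method, request_uri, _ = request.split("\r\n")[0].split(" ", 2)
    route = header(request, "Route")
    return method, host_of(route.split(",")[0] if route else request_uri)

def ip_in(ip, entries):            # entries may be single hosts or CIDR networks
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)

def domain_in(name, patterns):     # shell-style wildcards, case-insensitive
    return any(fnmatch(name.lower(), p.lower()) for p in patterns)

def is_broadcast(ip):
    return ip == ipaddress.ip_address("255.255.255.255") or any(
        ip == n.broadcast_address for n in LOCAL_NETS)

def reject(request, reason, log=True):
    if log:   # S1063: record the request initiator (From header) in the security log
        SECURITY_LOG.append({"from": header(request, "From"), "reason": reason})
    return Decision("reject", 403, reason, "")   # S1064: 403 response ends the session

def check_ip(request, rules, ip):
    """Steps S1062-S1068: broadcast check, then IP deny list, then IP allow list."""
    if is_broadcast(ip):
        return reject(request, f"broadcast next hop {ip}")
    if ip_in(ip, rules["deny_ip"]):
        return reject(request, f"{ip} in IP deny list")
    if not ip_in(ip, rules["allow_ip"]):           # S1067 miss: 403 without a log entry
        return reject(request, f"{ip} not in IP allow list", log=False)
    return Decision("route", 0, "IP allowed", str(ip))

def check_request(request, table=ROUTING_TABLE, resolve=FAKE_DNS.get):
    """resolve=None: embodiment two (domain deny/allow lists, route by name).
    resolve given: embodiment one (resolve the name, then apply the IP checks)."""
    method, host = next_hop(request)
    rules = table.get(method)
    if rules is None:                     # assumption: a method with no rules is refused
        return reject(request, f"no routing rules for {method}")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                    # not an IP literal: domain-name path
        ip = None
    if ip is not None:
        return check_ip(request, rules, ip)
    if resolve is None:
        if domain_in(host, rules["deny_domain"]):
            return reject(request, f"{host} in domain deny list")
        if not domain_in(host, rules["allow_domain"]):
            return reject(request, f"{host} not in domain allow list", log=False)
        return Decision("route", 0, "domain allowed", host)
    ip = resolve(host)
    if ip is None:                        # S103-S105: DNS failure returns an error, no SIP status
        return Decision("reject", 0, f"DNS resolution of {host} failed", "")
    return check_ip(request, rules, ipaddress.ip_address(ip))

def sip_request(method, request_uri, route=None, sender="sip:ue@ims.example"):
    """Constructed minimal SIP request used to exercise the checks."""
    lines = [f"{method} {request_uri} SIP/2.0"] + ([f"Route: <{route};lr>"] if route else [])
    return "\r\n".join(lines + [f"From: <{sender}>;tag=1", "", ""])

if __name__ == "__main__":
    for uri in ("sip:alice@255.255.255.255", "sip:alice@192.0.2.255", "sip:alice@bad.attacker.example"):
        print(uri, "->", check_request(sip_request("INVITE", uri)))
    print(SECURITY_LOG)
```

Two points worth noting when filling such a table: the wildcard "*.ims.example" does not match the apex name "ims.example", so the apex must be listed explicitly if it is a legitimate destination; and IPv6 has no broadcast address, so an IPv6 next hop passes the broadcast check and is governed by the IP lists alone, which is why the allowed list, not the forbidden list, has to be the decisive control.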
Figure 8 is a schematic diagram of the structure of the system for preventing illegal routing attacks in embodiment four of the invention. The system comprises one or more devices 1 for preventing illegal routing attacks. The device 1 for preventing illegal routing attacks performs legality detection and routing processing on SIP request messages according to a preconfigured application-layer logic routing table.
The device 1 for preventing illegal routing attacks comprises: a detection module 11, used to detect, when the next hop of a SIP request message is in IP address format, whether the next-hop IP address in the SIP request message is a broadcast address; a rejection module 12, used to reject the SIP request message when the IP address is a broadcast address; and a first checking module 13, used to perform a legality check on the SIP request message, when the IP address is not a broadcast address, according to the IP forbidden list and IP allowed list in the preconfigured SIP application-layer logic routing table. The device 1 for preventing illegal routing attacks comprises a P-CSCF entity.
Figure 9 is a schematic diagram of the structure of one device for preventing illegal routing attacks in embodiment four of the invention. It comprises: a detection module 1, used to detect, when the next hop of a SIP request message is in IP address format, whether the next-hop IP address in the SIP request message is a broadcast address; a rejection module 2, used to reject the SIP request message when the IP address is a broadcast address; and a first checking module 3, used to perform a legality check on the SIP request message, when the IP address is not a broadcast address, according to the IP forbidden list and IP allowed list in the preconfigured SIP application-layer logic routing table.
The device further comprises: a judging module 4, used to judge the format of the next hop in the SIP request message; an acquisition module 5, used to resolve the domain name and obtain the corresponding IP address when the next hop of the SIP request message is in domain-name format; and a configuration module 6, used to configure the SIP application-layer logic routing table.
The first checking module 3 of the device comprises: a first query sub-module 31, used to query, according to the request method name in the SIP request message, whether the IP address appears in the IP forbidden list; a first rejection sub-module 32, used to reject the SIP request message when the IP address appears in the IP forbidden list; a second query sub-module 33, used to query, according to the request method name, whether the IP address appears in the IP allowed list; a message routing sub-module 34, used to route the SIP request message according to the IP address when the IP address appears in the IP allowed list; and a second rejection sub-module 35, used to reject the SIP request message when the IP address does not appear in the IP allowed list.
The device of this embodiment judges whether the next hop in the SIP request message is in IP address format and, when it is, detects whether the next-hop IP address is a broadcast address; it rejects the SIP request message when the address is a broadcast address, and otherwise performs a legality check according to the IP forbidden list and IP allowed list in the preconfigured SIP application-layer logic routing table. When the next hop is in domain-name format, it resolves the domain name to obtain the corresponding IP address and then performs the corresponding processing. Illegal routing attacks carried in SIP request messages are thereby prevented.
Figure 10 is a schematic diagram of the structure of another device for preventing illegal routing attacks in embodiment four of the invention. It comprises: a detection module 1, used to detect, when the next hop of a SIP request message is in IP address format, whether the next-hop IP address in the SIP request message is a broadcast address; a rejection module 2, used to reject the SIP request message when the IP address is a broadcast address; and a first checking module 3, used to perform a legality check on the SIP request message, when the IP address is not a broadcast address, according to the IP forbidden list and IP allowed list in the preconfigured SIP application-layer logic routing table.
The device further comprises: a judging module 4, used to judge the format of the next hop in the SIP request message; a second checking module 5, used to perform a legality check on the SIP request message, when the next hop is in domain-name format, according to the forbidden domain name list and permitted domain name list in the preconfigured SIP application-layer logic routing table; and a configuration module 6, used to configure the SIP application-layer logic routing table.
The second checking module 5 of the device comprises: a first query sub-module 51, used to query, according to the request method name in the SIP request message, whether the domain name appears in the forbidden domain name list; a first rejection sub-module 52, used to reject the SIP request message when the domain name appears in the forbidden domain name list; a second query sub-module 53, used to query, according to the request method name, whether the domain name appears in the permitted domain name list; a message routing sub-module 54, used to route the SIP request message according to the domain name when the domain name appears in the permitted domain name list; and a second rejection sub-module 55, used to reject the SIP request message when the domain name does not appear in the permitted domain name list.
The device of this embodiment judges whether the next hop in the SIP request message is in IP address format and, when it is, detects whether the next-hop IP address is a broadcast address; it rejects the SIP request message when the address is a broadcast address, and otherwise performs a legality check according to the IP forbidden list and IP allowed list in the preconfigured SIP application-layer logic routing table. When the next hop is in domain-name format, it performs the legality check according to the forbidden domain name list and permitted domain name list in the preconfigured SIP application-layer logic routing table. Illegal routing attacks carried in SIP request messages are thereby prevented.
The device of embodiment four comprises a Proxy Call Session Control Function (P-CSCF) entity. Those skilled in the art will understand that the modules of the device in an embodiment may be distributed within the device as described, or may be modified accordingly and arranged in one or more devices different from those of this embodiment. The modules of the above embodiments may be merged into one module, or further split into several sub-modules.
The sequence numbers of the above embodiments are for description only and do not indicate the relative merits of the embodiments.
From the above description of the embodiments, those skilled in the art will clearly understand that the invention can be implemented in hardware, or in software together with the necessary general-purpose hardware platform, the former being the better implementation in many cases. On this understanding, the part of the technical solution of the invention that in essence contributes beyond the prior art can be embodied in the form of a hardware product. What has been disclosed above is only several specific embodiments of the invention; the invention is not limited to them, and any variation that a person skilled in the art can conceive of falls within the protection scope of the invention.

Claims (12)

1. A method for preventing illegal routing attacks, characterized in that it comprises the following steps:
when the next hop in a Session Initiation Protocol (SIP) request message is in IP address format, detecting whether the IP address of the next hop in the SIP request message is a broadcast address;
when the IP address is a broadcast address, rejecting the SIP request message;
when the IP address is not a broadcast address, performing a validity check on the SIP request message according to an IP banned list and an IP allow list in a pre-configured SIP application-level logic routing table.
2. The method for preventing illegal routing attacks according to claim 1, characterized in that, before detecting whether the IP address of the next hop in the SIP request message is a broadcast address when the next hop is in IP address format, the method further comprises:
judging the format of the next hop in the SIP request message.
3. The method for preventing illegal routing attacks according to claim 2, characterized in that it further comprises:
when the next hop in the SIP request message is in domain name format, resolving the domain name to obtain the IP address corresponding to the domain name;
or, when the next hop in the SIP request message is in domain name format, performing a validity check on the SIP request message according to a banned domain name list and an allowed domain name list in the pre-configured SIP application-level logic routing table.
4. The method for preventing illegal routing attacks according to claim 1, characterized in that performing a validity check on the SIP request message according to the IP banned list and the IP allow list in the pre-configured SIP application-level logic routing table specifically comprises:
querying, according to the request method name in the SIP request message, whether the IP address appears in the IP banned list; when the IP address appears in the IP banned list, rejecting the SIP request message;
otherwise, querying, according to the request method name, whether the IP address appears in the IP allow list; when the IP address appears in the IP allow list, routing the SIP request message according to the IP address, and otherwise rejecting the SIP request message.
5. The method for preventing illegal routing attacks according to claim 3, characterized in that performing a validity check on the SIP request message according to the banned domain name list and the allowed domain name list in the pre-configured SIP application-level logic routing table specifically comprises:
querying, according to the request method name in the SIP request message, whether the domain name appears in the banned domain name list; when the domain name appears in the banned domain name list, rejecting the SIP request message;
otherwise, querying, according to the request method name, whether the domain name appears in the allowed domain name list; when the domain name appears in the allowed domain name list, routing the SIP request message according to the domain name, and otherwise rejecting the SIP request message.
6. A system for preventing illegal routing attacks, characterized in that it comprises:
an apparatus for preventing illegal routing attacks, configured to perform a legitimacy check and routing processing on a Session Initiation Protocol (SIP) request message according to a pre-configured application-level logic routing table;
the apparatus for preventing illegal routing attacks comprising:
a detection module, configured to detect, when the next hop in the SIP request message is in IP address format, whether the IP address of the next hop in the SIP request message is a broadcast address;
a rejection module, configured to reject the SIP request message when the IP address is a broadcast address;
a first checking module, configured to perform a validity check on the SIP request message according to an IP banned list and an IP allow list in the pre-configured SIP application-level logic routing table when the IP address is not a broadcast address.
7. An apparatus for preventing illegal routing attacks, characterized in that it comprises:
a detection module, configured to detect, when the next hop in a SIP request message is in IP address format, whether the IP address of the next hop in the SIP request message is a broadcast address;
a rejection module, configured to reject the SIP request message when the IP address is a broadcast address;
a first checking module, configured to perform a validity check on the SIP request message according to an IP banned list and an IP allow list in a pre-configured SIP application-level logic routing table when the IP address is not a broadcast address.
8. The apparatus for preventing illegal routing attacks according to claim 7, characterized in that it further comprises:
a judging module, configured to judge the format of the next hop in the SIP request message.
9. The apparatus for preventing illegal routing attacks according to claim 8, characterized in that it further comprises:
an acquisition module, configured to resolve the domain name to obtain the IP address corresponding to the domain name when the next hop in the SIP request message is in domain name format;
or, a second checking module, configured to perform a validity check on the SIP request message according to a banned domain name list and an allowed domain name list in the pre-configured SIP application-level logic routing table when the next hop in the SIP request message is in domain name format.
10. The apparatus for preventing illegal routing attacks according to claim 7, characterized in that the first checking module comprises:
a first query submodule, configured to query, according to the request method name in the SIP request message, whether the IP address appears in the IP banned list;
a first rejection submodule, configured to reject the SIP request message when the IP address appears in the IP banned list;
a second query submodule, configured to query, according to the request method name, whether the IP address appears in the IP allow list;
a message routing submodule, configured to route the SIP request message according to the IP address when the IP address appears in the IP allow list;
a second rejection submodule, configured to reject the SIP request message when the IP address does not appear in the IP allow list.
11. The apparatus for preventing illegal routing attacks according to claim 9, characterized in that the second checking module comprises:
a first query submodule, configured to query, according to the request method name in the SIP request message, whether the domain name appears in the banned domain name list;
a first rejection submodule, configured to reject the SIP request message when the domain name appears in the banned domain name list;
a second query submodule, configured to query, according to the request method name, whether the domain name appears in the allowed domain name list;
a message routing submodule, configured to route the SIP request message according to the domain name when the domain name appears in the allowed domain name list;
a second rejection submodule, configured to reject the SIP request message when the domain name does not appear in the allowed domain name list.
12. The apparatus for preventing illegal routing attacks according to claim 7, characterized in that the apparatus comprises a Proxy Call Session Control Function (P-CSCF) entity.
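The decision procedure described for the apparatus of Embodiment 4 (judging, detection, rejection, first and second checking modules) and restated in claims 1 to 5 can be written out end to end. The Python below is an added example, not code from the patent or from Huawei's P-CSCF. It assumes that the next hop is the host of the topmost Route header when one is present and otherwise the Request-URI host (the patent does not say where the next hop is read from), that "broadcast address" covers the limited broadcast 255.255.255.255 and the directed broadcast of configured local prefixes (a bare address carries no prefix length, so the prefixes must be configured), and that list entries may be single addresses or prefixes. The routing table, the DNS answers and the SIP messages are all constructed for the example.

```python
"""Added example, not code from the patent: next-hop validity check for SIP requests
in the style of Embodiment 4 / claims 1-5. Lists and messages are constructed."""
import ipaddress
import re

# Constructed stand-in for the pre-configured SIP application-level logic routing
# table; lists are keyed by request method name and "*" applies to every method.
ROUTING_TABLE = {
    "local_networks": ["10.0.0.0/8", "192.168.0.0/16"],  # assumption: directed-broadcast scope
    "ip_banned": {"INVITE": ["10.0.0.0/8"], "*": ["0.0.0.0/8", "127.0.0.0/8"]},
    "ip_allowed": {"INVITE": ["192.168.10.0/24"], "REGISTER": ["192.168.10.5"]},
    "domain_banned": {"*": ["evil.example"]},
    "domain_allowed": {"INVITE": ["ims.example.net"], "*": ["pcscf.example.net"]},
    "resolve_domains": False,  # claim 3 alternative: resolve, then apply the IP lists
}
FAKE_DNS = {"ims.example.net": "192.168.10.7"}  # constructed answers, no real resolver

REQ_LINE = re.compile(r"^([A-Z]+)\s+(\S+)\s+SIP/2\.0\s*$")
URI_HOST = re.compile(r"^<?sips?:(?:[^@>]*@)?(?:\[([^\]]+)\]|([^:;>?]+))")

def parse_request(raw):
    """Return (method, next-hop host). Assumption: the next hop is the topmost
    Route header when present, otherwise the Request-URI host."""
    lines = raw.replace("\r\n", "\n").split("\n")
    m = REQ_LINE.match(lines[0])
    if not m:
        raise ValueError("not a SIP request line")
    method, target = m.group(1), m.group(2)
    for line in lines[1:]:
        if not line:
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        if name.strip().lower() == "route":
            target = value.split(",")[0].strip()
            break
    h = URI_HOST.match(target)
    if not h:
        raise ValueError("cannot extract host from %r" % target)
    return method, h.group(1) or h.group(2)

def is_broadcast(addr, local_networks):
    """Detection module: limited broadcast always; directed broadcast only for configured local nets."""
    if addr.version != 4:
        return False  # IPv6 has no broadcast addresses
    if addr == ipaddress.IPv4Address("255.255.255.255"):
        return True
    return any(addr == ipaddress.ip_network(n).broadcast_address for n in local_networks)

def _entries(lists, method):
    return list(lists.get(method, [])) + list(lists.get("*", []))

def _ip_listed(addr, entries):
    nets = [ipaddress.ip_network(e, strict=False) for e in entries]
    return any(addr.version == n.version and addr in n for n in nets)

def _domain_listed(domain, entries):
    d = domain.lower().rstrip(".")
    return any(d == e.lower().rstrip(".") for e in entries)

def check_ip(method, addr, table=ROUTING_TABLE):
    """Claims 1 and 4: broadcast, banned list, allow list, otherwise reject (default deny)."""
    if is_broadcast(addr, table["local_networks"]):
        return "reject", "broadcast address"
    if _ip_listed(addr, _entries(table["ip_banned"], method)):
        return "reject", "ip banned for " + method
    if _ip_listed(addr, _entries(table["ip_allowed"], method)):
        return "route", str(addr)
    return "reject", "ip not allowed for " + method

def check_domain(method, domain, table=ROUTING_TABLE):
    """Claims 3 and 5: resolve then reuse the IP checks, or apply the domain lists in the same order."""
    if table["resolve_domains"]:
        ip = FAKE_DNS.get(domain.lower())
        if ip is None:
            return "reject", "unresolvable domain"
        return check_ip(method, ipaddress.ip_address(ip), table)
    if _domain_listed(domain, _entries(table["domain_banned"], method)):
        return "reject", "domain banned for " + method
    if _domain_listed(domain, _entries(table["domain_allowed"], method)):
        return "route", domain
    return "reject", "domain not allowed for " + method

def validate(raw, table=ROUTING_TABLE):
    """One decision per request: ('route', target) or ('reject', reason)."""
    method, host = parse_request(raw)
    try:
        addr = ipaddress.ip_address(host)  # judging module: IP literal or domain name?
    except ValueError:
        return check_domain(method, host, table)
    return check_ip(method, addr, table)

def make_request(method, request_uri, route=None):
    """Constructed minimal SIP request used as sample input (not a real capture)."""
    hdrs = ["%s %s SIP/2.0" % (method, request_uri), "Max-Forwards: 70", "CSeq: 1 " + method,
            "Via: SIP/2.0/UDP 192.168.10.2:5060;branch=z9hG4bKexample",
            "From: <sip:alice@ims.example.net>;tag=1", "To: <sip:bob@ims.example.net>"]
    if route:
        hdrs.insert(1, "Route: " + route)
    return "\r\n".join(hdrs) + "\r\n\r\n"
```

Two points of the procedure carry the security weight and are kept explicit here: the banned list is consulted before the allow list, so an entry in both still rejects, and a next hop absent from both lists is rejected rather than routed (default deny). Keying both lists by request method lets a table admit a registrar for REGISTER without admitting it for INVITE. The IPv6 branch is an addition the patent does not discuss: there is no IPv6 broadcast, so such a next hop is decided by the lists alone.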
CN200810090362A 2008-03-28 2008-03-28 Method, system and device for preventing illegal routing attacks Pending CN101547124A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN200810090362A CN101547124A (en) 2008-03-28 2008-03-28 Method, system and device for preventing illegal routing attacks
PCT/CN2009/071033 WO2009117968A1 (en) 2008-03-28 2009-03-26 Illegal route attack defending method, system and equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200810090362A CN101547124A (en) 2008-03-28 2008-03-28 Method, system and device for preventing illegal routing attacks

Publications (1)

Publication Number Publication Date
CN101547124A true CN101547124A (en) 2009-09-30

Family

ID=41112984

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200810090362A Pending CN101547124A (en) 2008-03-28 2008-03-28 Method, system and device for preventing illegal routing attacks

Country Status (2)

Country Link
CN (1) CN101547124A (en)
WO (1) WO2009117968A1 (en)

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
ATE338418T1 (en) * 2004-06-07 2006-09-15 Cit Alcatel METHOD AND DEVICE FOR PREVENTING ATTACKS ON A CALL SERVER
JP4654092B2 (en) * 2005-08-25 2011-03-16 日本電信電話株式会社 Attack protection method, system and program for SIP server
CN100525256C (en) * 2006-06-23 2009-08-05 华为技术有限公司 Transmission method and device for request message in SIP multimedia system
CN100583835C (en) * 2007-06-28 2010-01-20 华为技术有限公司 Message forwarding method and network device

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102075924A (en) * 2010-11-22 2011-05-25 北京邮电大学 Session state based method and system for detecting vulnerability of internet protocol (IP) multimedia subsystem (IMS)
CN102075924B (en) * 2010-11-22 2013-03-27 北京邮电大学 Session state based method and system for detecting vulnerability of internet protocol (IP) multimedia subsystem (IMS)
CN104539590A (en) * 2014-12-10 2015-04-22 深圳市共进电子股份有限公司 Message processing method and device
CN109743470A (en) * 2019-02-28 2019-05-10 上海市共进通信技术有限公司 The method for realizing non-proxy IP refusal incoming call function based on Session Initiation Protocol

Also Published As

Publication number Publication date
WO2009117968A1 (en) 2009-10-01

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20090930