CN101702727B - Method for defending against DDoS in address disjunction mapping network - Google Patents


Info

Publication number
CN101702727B
Authority
CN
China
Prior art keywords
token
address
request
network
packet
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Expired - Fee Related
Application number
CN200910238098A
Other languages
Chinese (zh)
Other versions
CN101702727A (en)
Inventor
张宏科
卢宁
周华春
刘颖
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Jiaotong University
Original Assignee
Beijing Jiaotong University
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Beijing Jiaotong University
Priority to CN200910238098A
Publication of CN101702727A
Application granted
Publication of CN101702727B
Current legal status: Expired - Fee Related
Anticipated expiration

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method for defending against DDoS in an address separation mapping network and belongs to the technical field of networks. The method comprises a packet admission mechanism and a token-granting flow control mechanism. The packet admission mechanism defends the access router against DDoS attacks launched by malicious nodes, thereby ensuring the security of the network itself; on that basis, a token-based flow control mechanism designed for the address separation mapping network ensures that a data source can transmit data to a receiver only after it has obtained the receiver's permission, which removes the possibility of a DDoS attack at its root. Because the method is deployed on the border routers and access routers, distributed denial of service (DDoS) attacks can be effectively defended even when the network has asymmetric round-trip paths.

Description

DDoS defence method in an address separation mapping network
Technical field
The present invention relates to a method for defending against distributed denial of service (DDoS) attacks in an address separation mapping network, and belongs to the field of network technology.
Background technology
Because an IP address in today's Internet serves the dual roles of terminal identifier and routing locator, the network core is exposed to the dynamic changes of the edge networks. With the growth in the number of users and the wide use of multi-homing, traffic engineering and policy routing, the Internet routing architecture faces a serious scalability problem, which shows itself in particular as: (1) the Default Free Zone (DFZ) routing table grows super-linearly, far beyond what hardware design can keep up with; (2) the number of Border Gateway Protocol (BGP) update messages in the DFZ rises sharply, consuming large amounts of network bandwidth and computing resources.
The scalability problem seriously constrains the healthy development of the Internet, and researchers have proposed a series of solutions for it. The best known of these is "Identifier/Locator Separation", which has become the mainstream design approach; equipment vendors such as Cisco and well-known laboratories such as the Internet Research Lab have all proposed their own schemes and corresponding standards. In China, the Next Generation Internet research center of Beijing Jiaotong University has designed and implemented an "address separation mapping network", which has great application prospects; the present invention investigates a novel DDoS defence method under this network architecture.
As shown in Fig. 1, the "address separation mapping" technique divides the Internet into a transmission network and edge networks. The transmission network is responsible for routing and switching packets and uses routing addresses for inter-domain routing; the edge networks are responsible for sending and receiving packets and use access addresses for routing within the network. Suppose that in Fig. 1 the access addresses (Access Address, CA) of source host A and peer host B are CA_A and CA_B, that the corresponding routing addresses (Routing Address, RA) are RA_A and RA_B, that the access router (Access Router, AR) of A is AR1 and that of B is AR2, and that the border router (Border Router, BR) of A is BR1 and that of B is BR2. The workflow of the "address separation mapping" technique is then:
(1) Source host A sends packet P to peer host B; its source address is CA_A and its destination address is CA_B.
(2) When P reaches BR1, BR1 forwards it to AR1 according to the destination address CA_B.
(3) On receiving P, AR1 first queries its cache or the identifier mapping system (Access Address-Routing Address Mapping System, ARMIS) for the routing address RA_B corresponding to CA_B, then replaces CA_A and CA_B in P by RA_A and RA_B as source and destination address, and forwards the newly generated packet P' to the transmission network (Transmit Network, TN).
(4) On receiving P', AR2 replaces the source and destination addresses back to CA_A and CA_B and forwards the original packet P.
(5) BR2 forwards P to host B.
It can be seen that in the "address separation mapping network" the transmission network TN builds inter-domain routing on routing addresses, so whatever form the edge networks take, the Internet Service Provider (ISP) can allocate routing addresses optimally according to the Rekhter rule. When an edge network uses multi-homing, traffic engineering, policy routing or similar techniques, the ISP only needs to adjust the mapping between access addresses and routing addresses to avoid suboptimal address allocation. The "address separation mapping" technique therefore greatly reduces the Routing Information Base (RIB) and Forwarding Information Base (FIB) of the transmission network, and in turn the number of BGP update messages. It can be said that the "address separation mapping" technique effectively solves the scalability problem of the current Internet.
However, the security of the Internet is an equally important concern, and taking network security into account from the very beginning of a new protocol architecture's design has become the consensus of the Internet research field. Research has found that the existing "identifier/locator separation" techniques are vulnerable to DDoS attacks. The "address separation mapping" technique likewise faces a serious DDoS threat: a DDoS attack on AR1, AR2 or the receiving host can easily cut off the normal communication of ordinary users. How to resist DDoS is therefore a key question for the maturity and completeness of the "address separation mapping network" architecture, yet there has been little research on the problem so far and no suitable technical solution has appeared. The present invention proposes a novel, deployable and operable DDoS attack defence method for the "address separation mapping network", which fills this gap in domestic and international research and is highly forward-looking.
DDoS is one of the most dangerous forms of network attack; defending against distributed denial of service has always been a focus of network security research, and researchers have proposed numerous solutions. Among these DDoS defence techniques, only packet marking and TVA address DDoS from the angle of the routing architecture, do not interfere with the development and deployment of new transport-layer and application-layer protocols, and preserve the openness of Internet technology to the greatest extent; they are thus the most relevant to the present invention. Neither, however, suits the "address separation mapping network" environment, and both have serious defects of security and effectiveness.
1. Packet marking traces the source of a DDoS attack by marking "router address information" into packets, with the aim of deterring the attacker. Concretely: when a packet passes through a router, the router, with a fixed probability p, writes a fragment of its address information into the "Identification" and "ToS" fields of the packet's IP header; once the victim has received enough attack packets, it can reconstruct the path from the attacker to the victim from this information.
Packet marking does not suit the "address separation mapping" network environment, for the following reasons:
(1) It conflicts with other network technologies. Packet marking usually writes router address information directly into the "Identification" and "ToS" fields of the IP header, which hinders packet reassembly at the receiver and conflicts with quality-of-service requirements.
(2) Its computation is complex. At the receiving end, large amounts of router address information from different attack paths are mixed together, and the victim can only reconstruct the attack paths by enumeration, which suffers from a serious combinatorial explosion and is impractical against large-scale DDoS.
(3) It cannot provide supporting information for other network security technologies. Once the victim has received enough packets and reconstructed the attack paths by sorting, it still cannot use this data to separate attack packets from normal packets, nor block the malicious traffic on the basis of this information; it can only deter the attacker through legal means, which is laborious and time-consuming and falls short of the Internet's need for dynamic defence in depth.
2. TVA technique
In a DDoS attack it is the high-intensity aggregated attack traffic that harms the network, so the flows must be handled before the malicious flows aggregate. The TVA technique meets this requirement; its concrete steps are: (1) when sender A has data for destination B, it first sends a "request message" to B in order to obtain the destination's access permission; (2) B responds to A's access request and, if it allows A to communicate with it, generates and sends a "communication permission message" recording the number of packets B allows A to send, the communication time and similar information; (3) after receiving the "communication permission message", A sends data to B, carrying a copy of the "communication permission message" in every packet; (4) verification nodes deployed in the routing architecture record the communication state of each flow and, if A's traffic toward B exceeds what the "communication permission message" allows, discard the packets directly.
The TVA technique has the following defects:
(1) It cannot cope with the large number of asymmetric round-trip paths in the Internet, so in most cases TVA cannot effectively stop DDoS attacks.
(2) The path-tracing information carried in each packet is too large and wastes a great deal of network bandwidth; since the average path length in the Internet is 15 hops, the request message exceeds the path MTU and is fragmented, which severely reduces communication performance.
(3) The authenticity of the source of a "communication permission message" cannot be verified, so malicious network nodes can use the TVA scheme to launch a new kind of DDoS attack.
(4) Malicious nodes can launch DDoS attacks on routers or the receiving host by sending large numbers of useless "request messages".
In summary, packet marking can be applied to the "address separation mapping" network architecture, but it is an after-the-fact mechanism with complex computation; the path information it obtains cannot separate attack packets from normal packets or block malicious traffic, and the victim can only deter the attacker through legal means, which is laborious and falls short of the Internet's need for dynamic defence in depth. TVA can also be applied to the "address separation mapping" network architecture, but its packets carry too much path-tracing information, its communication efficiency is low, and it poses serious security threats of its own.
Summary of the invention
To overcome the shortcomings of the prior art, the present invention proposes, within the "address separation mapping" network architecture, a novel, deployable and operable DDoS defence method. Through a packet admission mechanism it resists DDoS attacks launched by malicious nodes against the access routers, thereby protecting the security of the scheme itself; at the same time, a token-based flow control mechanism designed for the "address separation mapping" network ensures that a data source can send data to a receiver only after obtaining the receiver's permission, which removes the possibility of a DDoS attack at its root. The technical solution adopted by the present invention to solve the technical problem is:
A DDoS defence method in an address separation mapping network, comprising a packet admission mechanism and a token-based flow control mechanism.
Host A is located in edge network (Edge Network) EN1 and its identifier is CA_A; host B is located in edge network EN2 and its identifier is CA_B; the corresponding routing addresses are RA_A and RA_B. The steps of the defence method of the present invention are then as follows:
Step 1: A sends a "request message" P1_Request to B; its source address is CA_A and its destination address is CA_B. P1_Request is an IP packet consisting of a header only; in particular, the first bit of its "Flag" field is set to 1.
Step 2: When P1_Request reaches border router BR1, BR1 generates the puzzle (N, K), packs it into payload P_Puzzle and sends it to A. Here N is a pseudo-random number that BR1 refreshes periodically every 60 s, and K is the puzzle difficulty that BR1 sets according to its load.
Step 3: On receiving P_Puzzle, A searches by enumeration according to formula (1) for the puzzle answer N_C and S, packs these two parameters into payload P_Answer and sends it to BR1:
$\mathrm{prf}(CA \,|\, N \,|\, N_C \,|\, S) = \underbrace{000\ldots000}_{K} X \qquad (1)$
In formula (1), prf() denotes a pseudo-random function, CA denotes the terminal's access address, N_C and S must be chosen so that the first K bits of the digest are 0, and X is the remainder of the digest and may take any value.
Step 4: On receiving P_Answer, BR1 first verifies the puzzle answer with formula (1). If it is incorrect, BR1 discards the payload directly; otherwise BR1 generates P2_Request, whose source and destination addresses are the same as those of P_Answer and whose first "Flag" bit is set to 1, and forwards P2_Request to AR1.
Step 5: AR1 reserves at most 5% of the bandwidth of each interface facing the edge network for receiving users' "request messages". On receiving P2_Request, AR1 performs the following operations:
(1) AR1 obtains A's state value S_A by querying its database (AR1 maintains a state value S for every user and configures the corresponding constants S_d, S_cutoff and S_reuse).
(2) AR1 increases S_A by S_d, i.e. S_A' = S_A + S_d, and saves S_A' to the storage location of S_A in the database.
(3) AR1 compares S_A' with S_cutoff. If S_A' > S_cutoff, it proceeds to step (4); otherwise it proceeds to step (5).
(4) AR1 terminates processing and discards P2_Request. At the same time S_A' decays exponentially: if at time t_1 the value P_1 of S_A' exceeds S_cutoff, then at time t_2 it is $P_2 = P_1 \, e^{-((t_2 - t_1)\ln 2)/H}$, where H is a predetermined constant. Until S_A' has decayed below the predetermined value S_reuse, AR1 does not allow A to send any message.
(5) AR1 first queries its cache or ARMIS for the routing address RA_B corresponding to CA_B, then replaces CA_A and CA_B in P2_Request by RA_A and RA_B as source and destination address, and forwards the newly generated packet P'_Request to the transmission network.
Step 6: AR2 likewise reserves at most 5% of the bandwidth of each interface facing the transmission network for receiving users' request messages, maintains a state value S for every user and configures the constants S_d, S_cutoff and S_reuse. On receiving P'_Request, AR2 first operates on S_A in the same way as AR1, then replaces the source and destination addresses of P'_Request back to CA_A and CA_B and forwards the resulting packet P3_Request to BR2.
Step 7: BR2 forwards P3_Request to host B.
Step 8: B processes P3_Request according to its load or its owner-priority list. If it allows A to communicate with it, B generates and sends an "access token" Token_A, which mainly contains four parts: (1) a timestamp: the time at which the token was generated; (2) N_A: the amount of data B allows A to send, in bits; (3) T_A: the maximum communication duration B allows; (4) signature information: B's signature with its private key over N_A, T_A and the timestamp. B then packs Token_A together with its digital certificate into packet P_Token and sends it to A.
Step 9: P_Token passes through BR2 and reaches AR2, which processes the token message.
Step 10: After AR2 has replaced the addresses, P_Token reaches AR1, which processes the token message.
Step 11: AR1 first verifies the signature in P_Token with the public key in B's digital certificate to confirm its true source. If P_Token was indeed sent by B, AR1 stores N_A, T_A and CA_A in its cache and forwards P_Token to BR1; otherwise AR1 discards P_Token directly.
Step 12: BR1 forwards P_Token to host A.
Step 13: A likewise verifies the signature in P_Token with the public key in B's digital certificate to confirm its true source. If P_Token was forged by another user, A discards it directly; otherwise A starts its normal communication routine. Suppose the normal data packet it now sends to B is P.
Step 14: BR1 forwards P to AR1.
Step 15: AR1 records the number of packets and the communication time that user A has sent to B. If these exceed the range allowed by the cached N_A and T_A, AR1 discards P and sends a notification to A; otherwise AR1 completes the encapsulation and forwards P to the transmission network.
Steps 16 to 17: P reaches B according to the normal flow of the "address separation mapping" technique.
The packet admission mechanism comprises steps 1 to 7, and the token-based flow control mechanism comprises steps 8 to 17.
Beneficial effect of the present invention
(1) The present invention proposes, for the first time, a safe and complete DDoS defence method for the "address separation mapping" network architecture, fills the gap in domestic and international research, and has great significance and practical value.
(2) The present invention designs an effective flow control mechanism which ensures that a data source can send data to a receiver only after obtaining the receiver's permission, removing the possibility of a DDoS attack at its root. Compared with the prior art, this mechanism has high communication efficiency and low computational complexity. At the same time the technique preserves the openness of the "address separation mapping" network architecture, does not conflict with other protocols, and facilitates the deployment of new technologies and technological innovation.
(3) The present invention proposes a novel admission mechanism that resists DDoS attacks launched by malicious nodes against AR1 and AR2, protecting the security of the scheme itself.
(4) The present invention is deployed mainly on the border routers and access routers, which effectively avoids the adverse effect that the many asymmetric round-trip paths in the Internet have on DDoS defence schemes.
Description of drawings
Fig. 1 is a schematic diagram of an address separation mapping network in the prior art;
Fig. 2 shows the DDoS defence method based on the address separation mapping technique according to the present invention;
Fig. 3 is the interaction flow chart of the DDoS defence method in an address separation mapping network of the present invention.
Embodiment
The present invention is described in further detail below in conjunction with the drawings and embodiments:
Embodiment 1
As shown in Fig. 2, suppose that host A is located in edge network EN1 with identifier CA_A, that host B is located in edge network EN2 with identifier CA_B, and that the corresponding routing addresses are RA_A and RA_B. Referring to the protocol interaction flow chart in Fig. 3, the steps of the defence method of the present invention are as follows:
Step 1: A sends a "request message" P_Request to B; its source address is CA_A and its destination address is CA_B. P_Request is an IP packet consisting of a header only; in particular, the first bit of its "Flag" field is set to 1.
Step 2: When P_Request reaches border router BR1, BR1 generates the puzzle N and K, packs them into payload P_Puzzle and sends it to A. Here N is a pseudo-random number that BR1 refreshes periodically (every 60 s), and K is the puzzle difficulty that BR1 sets according to its load.
Step 3: On receiving P_Puzzle, A searches by enumeration according to formula (1) for the puzzle answer N_C and S, packs these two parameters into payload P_Answer and sends it to BR1:
$\mathrm{prf}(CA \,|\, N \,|\, N_C \,|\, S) = \underbrace{000\ldots000}_{K} X \qquad (1)$
In formula (1), prf() denotes a pseudo-random function, CA denotes the terminal's access address, N_C and S must be chosen so that the first K bits of the digest are 0, and X is the remainder of the digest and may take any value.
Step 4: On receiving P_Answer, BR1 first verifies the puzzle answer with formula (1). If it is incorrect, BR1 discards the payload directly; otherwise BR1 generates P_Request, whose source and destination addresses are the same as those of P_Answer and whose first "Flag" bit is set to 1, and forwards P_Request to AR1.
Step 5: AR1 reserves at most 5% of the bandwidth of each interface facing the edge network for receiving users' "request messages". On receiving P_Request, AR1 performs the following operations:
(1) AR1 obtains A's state value S_A by querying its database (AR1 maintains a state value S for every user and configures the corresponding constants S_d, S_cutoff and S_reuse).
(2) AR1 increases S_A by S_d, i.e. S_A' = S_A + S_d, and saves S_A' to the storage location of S_A in the database.
(3) AR1 compares S_A' with S_cutoff. If S_A' > S_cutoff, it proceeds to step (4); otherwise it proceeds to step (5).
(4) AR1 terminates processing and discards P_Request. At the same time S_A' decays exponentially: if at time t_1 the value P_1 of S_A' exceeds S_cutoff, then at time t_2 it is $P_2 = P_1 \, e^{-((t_2 - t_1)\ln 2)/H}$, where H is a predetermined constant. Until S_A' has decayed below the predetermined value S_reuse, AR1 does not allow A to send any message.
(5) AR1 first queries its cache or ARMIS for the routing address RA_B corresponding to CA_B, then replaces CA_A and CA_B in P_Request by RA_A and RA_B as source and destination address, and forwards the newly generated packet P'_Request to the transmission network.
Step 6: AR2 likewise reserves at most 5% of the bandwidth of each interface facing the transmission network for receiving users' request messages, maintains a state value S for every user and configures the constants S_d, S_cutoff and S_reuse. On receiving P'_Request, AR2 first operates on S_A in the same way as AR1, then replaces the source and destination addresses of P'_Request back to CA_A and CA_B and forwards the resulting packet P_Request to BR2.
Step 7: BR2 forwards P_Request to host B.
Step 8: B processes P_Request according to its load or its owner-priority list. If it allows A to communicate with it, B generates and sends an "access token" Token_A, which mainly contains four parts: (1) a timestamp: the time at which the token was generated; (2) N_A: the amount of data B allows A to send, in bits; (3) T_A: the maximum communication duration B allows; (4) signature information: B's signature with its private key over N_A, T_A and the timestamp. B then packs Token_A together with its digital certificate into packet P_Token and sends it to A.
Steps 9 to 10: P_Token passes through BR2 and AR2 and reaches AR1.
Step 11: AR1 first verifies the signature in P_Token with the public key in B's digital certificate to confirm its true source. If P_Token was indeed sent by B, AR1 stores N_A, T_A and CA_A in its cache and forwards P_Token to BR1; otherwise AR1 discards P_Token directly.
Step 12: BR1 forwards P_Token to host A.
Step 13: A likewise verifies the signature in P_Token with the public key in B's digital certificate to confirm its true source. If P_Token was forged by another user, A discards it directly; otherwise A starts its normal communication routine. Suppose the normal data packet it now sends to B is P.
Step 14: BR1 forwards P to AR1.
Step 15: AR1 records the number of packets and the communication time that user A has sent to B. If these exceed the range allowed by the cached N_A and T_A, AR1 discards P and sends a notification to A; otherwise AR1 completes the encapsulation and forwards P to the transmission network.
Steps 16 to 17: P reaches B according to the normal flow of the "address separation mapping" technique.
The admission mechanism comprises steps 1 to 7, and the token-based flow control mechanism comprises steps 8 to 17.
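The packet admission mechanism of steps 1 to 7, as described in this embodiment and in the Summary, worked through in code (an added example, not the patent's own implementation). It models prf() of formula (1) as SHA-256, and the constants S_d, S_cutoff, S_reuse and the half-life H are illustrative values that the patent does not fix.

```python
"""Packet admission mechanism of steps 1-7 (added example, not the patent's code).

Assumptions the patent leaves open: prf() is SHA-256 over the concatenated fields,
N_c and S are 64-bit unsigned integers, and S_d, S_cutoff, S_reuse and the
half-life H are illustrative values chosen here.
"""
from __future__ import annotations

import hashlib
import math
import os
import struct


def prf(ca: str, n: bytes, nc: int, s: int) -> bytes:
    """prf(CA | N | N_c | S) of formula (1), modelled as SHA-256 (assumption)."""
    return hashlib.sha256(ca.encode() + n + struct.pack(">QQ", nc, s)).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the front of the digest (the 'first K bits' of (1))."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def puzzle_ok(ca: str, n: bytes, k: int, nc: int, s: int) -> bool:
    """Step 4 at BR1: the first K bits of the digest must be 0; the rest X is free."""
    return leading_zero_bits(prf(ca, n, nc, s)) >= k


def solve_puzzle(ca: str, n: bytes, k: int) -> tuple[int, int]:
    """Step 3 at host A: enumerate N_c until the digest has K leading zero bits.

    S is the second free parameter of formula (1); fixing S = 0 and counting N_c
    upward is sufficient. Expected cost is about 2**k hash evaluations, which is
    the work BR1 imposes on every requester by choosing K.
    """
    nc, s = 0, 0
    while not puzzle_ok(ca, n, k, nc, s):
        nc += 1
    return nc, s


class BorderRouter:
    """BR1 of step 2: a pseudo-random N refreshed every 60 s and a load-driven K."""

    def __init__(self, now: float, k: int = 8):
        self.k = k                 # puzzle difficulty, raised as BR1's load grows
        self.n = os.urandom(8)
        self.n_time = now

    def current_nonce(self, now: float) -> bytes:
        # Rotating N bounds how long a pre-computed answer stays valid.
        if now - self.n_time >= 60:
            self.n = os.urandom(8)
            self.n_time = now
        return self.n

    def check_answer(self, ca: str, nc: int, s: int, now: float) -> bool:
        # Only answers to the current N are accepted; a host whose solve straddles
        # the 60 s boundary must request a fresh puzzle (the patent says no more).
        return puzzle_ok(ca, self.current_nonce(now), self.k, nc, s)


class AccessRouter:
    """AR1 of step 5: per-user state S with cutoff, exponential decay and reuse."""

    def __init__(self, s_d: float = 1.0, s_cutoff: float = 5.0,
                 s_reuse: float = 1.0, half_life: float = 30.0):
        self.s_d, self.s_cutoff, self.s_reuse, self.h = s_d, s_cutoff, s_reuse, half_life
        self.state: dict[str, tuple[float, float | None]] = {}  # CA -> (S, block time)

    def admit_request(self, ca: str, now: float) -> bool:
        """Return True when the request is forwarded (step 5(5)), False when dropped."""
        s, blocked_at = self.state.get(ca, (0.0, None))
        if blocked_at is not None:
            # Step 5(4): while blocked, S decays with half-life H,
            # S(t2) = S(t1) * exp(-((t2 - t1) * ln 2) / H), measured from block time.
            s *= math.exp(-((now - blocked_at) * math.log(2)) / self.h)
            if s >= self.s_reuse:
                return False          # not yet below S_reuse: A may not send anything
            blocked_at = None         # decayed below S_reuse: A is admitted again
        s += self.s_d                 # step 5(2): S_A' = S_A + S_d
        if s > self.s_cutoff:         # step 5(3): request rate too high
            self.state[ca] = (s, now) # enter the blocked state; decay starts now
            return False
        self.state[ca] = (s, None)
        return True


if __name__ == "__main__":
    br = BorderRouter(now=0.0, k=12)
    nc, s = solve_puzzle("CA_A", br.current_nonce(0.0), br.k)
    print("N_c =", nc, "accepted by BR1:", br.check_answer("CA_A", nc, s, 1.0))
    ar = AccessRouter()
    # Six back-to-back requests: the sixth pushes S_A above S_cutoff and is dropped.
    print([ar.admit_request("CA_A", float(t)) for t in range(6)])
```

With the values above a blocked host stays blocked for about 30 * log2(6) = 77.5 s, which is the knob an operator turns with H and S_reuse.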
Embodiment 2
To deploy the present invention, the functions of some network elements in the "address separation mapping" network must be extended, mainly as follows:
(1) Hosts A and B: support the novel admission mechanism proposed by the present invention, i.e. they can answer the puzzle and send message (3); and support the novel token-based flow control mechanism proposed by the present invention, i.e. they can act as the source of message (1), receive and process request messages, generate tokens, verify tokens and send packets according to the token contents.
(2) BR1: support the novel admission mechanism proposed by the present invention, i.e. it can refresh the pseudo-random number N periodically (every 60 s), set the puzzle difficulty K according to its load, generate a puzzle from the request message sent by the terminal user and send message (2), verify the puzzle answer, and regenerate the request message (message (4)) from the puzzle answer message (message (3)).
(3) AR1: support the novel admission mechanism proposed by the present invention, i.e. it maintains a state value S for every user, configures the constants S_d, S_cutoff and S_reuse, updates the S value according to the frequency of the user's request messages and completes the operations specified in step 5; and support the novel token-based flow control mechanism proposed by the present invention, i.e. it receives tokens and verifies their source, stores N, T and CA from the token, and tracks and controls the traffic sent by the terminal user.
(4) AR2: support the novel admission mechanism proposed by the present invention, i.e. it maintains a state value S for every user, configures the constants S_d, S_cutoff and S_reuse, updates the S value according to the frequency of the user's request messages and completes the operations specified in step 6.
In addition, every terminal should have a digital certificate that uniquely identifies it, and the access routers should support validity checking of digital certificates.
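The token-based flow control of steps 8 to 15 (Summary and Embodiment 1) and the AR1 functions listed in item (3) above, as an added example that is not the patent's code: B signs (timestamp, N_A, T_A), AR1 verifies the signature before caching the limits, and then meters A's data against them. The toy RSA key pair stands in for B's private key and digital certificate, and measuring T_A from the token timestamp is an assumption.

```python
"""Token-based flow control of steps 8-15 (added example, not the patent's code).

Assumptions: the signature is textbook RSA over SHA-256 with tiny toy primes so
the block runs stand-alone (a deployment uses the key from B's digital
certificate); N_A is counted in bits as the patent states; T_A is measured from
the token timestamp.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Toy RSA key pair standing in for B's private key and certificate (p=61, q=53:
# textbook numbers, trivially factorable, for illustration only).
_P, _Q, PUBLIC_E = 61, 53, 17
MODULUS = _P * _Q                                    # 3233
PRIVATE_D = pow(PUBLIC_E, -1, (_P - 1) * (_Q - 1))   # 2753


def _digest(*fields) -> int:
    """SHA-256 over the '|'-joined fields, reduced into the toy modulus."""
    data = "|".join(repr(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % MODULUS


def sign(private_d: int, *fields) -> int:
    """B's signature (step 8, part 4) over the token fields."""
    return pow(_digest(*fields), private_d, MODULUS)


def verify(public_e: int, signature: int, *fields) -> bool:
    """The check AR1 (step 11) and A (step 13) run with B's public key."""
    return pow(signature, public_e, MODULUS) == _digest(*fields)


@dataclass(frozen=True)
class Token:
    """The four parts of Token_A from step 8."""
    timestamp: float    # (1) time at which B generated the token
    n_a: int            # (2) data volume B allows A to send, in bits
    t_a: float          # (3) maximum communication duration B allows, in seconds
    signature: int      # (4) B's signature over N_A, T_A and the timestamp


def issue_token(private_d: int, now: float, n_a: int, t_a: float) -> Token:
    """Step 8: B has decided to admit A and signs the limits it grants."""
    return Token(now, n_a, t_a, sign(private_d, now, n_a, t_a))


class AccessRouter:
    """AR1 in steps 11 and 15: verifies P_Token, caches N_A/T_A per CA_A, meters data."""

    def __init__(self) -> None:
        self.cache: dict[str, dict] = {}   # CA_A -> {n_a, t_a, start, sent}

    def receive_token(self, ca_a: str, tok: Token, b_public_e: int) -> bool:
        """Step 11: forward and cache only a token that verifies under B's public key."""
        if not verify(b_public_e, tok.signature, tok.timestamp, tok.n_a, tok.t_a):
            return False                    # forged or altered token: dropped, not cached
        self.cache[ca_a] = {"n_a": tok.n_a, "t_a": tok.t_a,
                            "start": tok.timestamp, "sent": 0}
        return True

    def forward_data(self, ca_a: str, packet_bits: int, now: float) -> bool:
        """Step 15: forward P only while A stays within N_A bits and T_A seconds."""
        st = self.cache.get(ca_a)
        if st is None:
            return False                    # no permission from B: nothing is forwarded
        if now - st["start"] > st["t_a"] or st["sent"] + packet_bits > st["n_a"]:
            return False                    # limit exceeded: AR1 drops P and notifies A
        st["sent"] += packet_bits
        return True


if __name__ == "__main__":
    tok = issue_token(PRIVATE_D, now=1000.0, n_a=8_000, t_a=60.0)
    ar1 = AccessRouter()
    print("genuine token cached:", ar1.receive_token("CA_A", tok, PUBLIC_E))
    bigger = Token(tok.timestamp, 8_000_000, tok.t_a, tok.signature)  # tampered N_A
    print("tampered token cached:", ar1.receive_token("CA_A", bigger, PUBLIC_E))
    print([ar1.forward_data("CA_A", 4_000, 1000.0 + t) for t in (10, 20, 30)])
```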

Claims (3)

1. A DDoS defence method in an address-separation mapping network, characterised in that it comprises a packet access-permission mechanism and a token-based flow control mechanism, wherein the source host A is located in edge network EN_1 and has identity identifier CA_A, the peer host B is located in edge network EN_2 and has identity identifier CA_B, the corresponding routing addresses are RA_A and RA_B respectively, the corresponding access routers are AR_1 and AR_2 respectively, and the corresponding border routers are BR_1 and BR_2 respectively; the steps of said DDoS defence method are as follows:
Step 1: A sends a request message P1_Request to B; the source address of said P1_Request is CA_A and its destination address is CA_B;
Step 2: after said P1_Request arrives at BR_1, BR_1 generates the puzzle parameters N and K, packages them into the payload P_Puzzle and sends it to A, where N is a pseudo-random number that BR_1 renews once every 60 s cycle, and K is the puzzle difficulty that BR_1 sets according to its load condition;
Step 3: after receiving said P_Puzzle, A performs an enumeration calculation according to the following formula, generates the puzzle answer parameters N_c and S, packages these two parameters into the payload P_Answer and sends it to BR_1:
$\mathrm{prf}(CA \,|\, N \,|\, N_c \,|\, S) = \underbrace{000\ldots000}_{K}\,X$
In the above formula, prf() denotes a pseudo-random function, CA denotes the access address of the terminal, N_c and S must be chosen so that the first K bits of the digest value are 0, and X is the remainder of the digest value and may take any value;
Step 4: after receiving said P_Answer, BR_1 first verifies the puzzle answer using the formula in step 3; if it is incorrect, the payload is discarded directly; otherwise BR_1 generates a request message P2_Request whose source and destination addresses are the same as those of said P_Answer and whose first bit of the "flag field (Flag)" is set to 1, and BR_1 then forwards said P2_Request to AR_1;
Step 5: AR_1 reserves at most 5% of the bandwidth of each interface facing the edge network for receiving the "request messages" of terminal users; after receiving said P2_Request, AR_1 performs the following operations:
(1) AR_1 obtains the state information S_A of A by querying its database; AR_1 maintains a state value S for each user and is configured with the corresponding constants S_d, S_cutoff and P_reuse;
(2) AR_1 increases S_A by S_d, i.e. S_A' = S_A + S_d, and saves the value S_A' into the storage location of S_A in the database;
(3) AR_1 compares S_A' with S_cutoff; if S_A' > S_cutoff, step (4) is executed; otherwise step (5) is executed;
(4) AR_1 terminates the procedure and discards the packet P2_Request; at the same time S_A' decays according to an exponential law, i.e. if at time t_1 the value P_1 > S_cutoff, then at time t_2 the value P_2 is
[formula image FSB00000838626900021, not reproduced on this page]
where H is a predetermined constant; until S_A' has decayed to less than the predetermined value P_reuse, AR_1 does not allow A to send any information;
(5) AR_1 first queries its cache or the ARMIS to obtain the routing address RA_B corresponding to CA_B; AR_1 then replaces CA_A and CA_B in P2_Request with RA_A as source address and RA_B as destination address, and forwards the newly generated packet P'_Request to the transmission network;
Step 6: AR_2 likewise reserves at most 5% of the bandwidth of each interface facing the transmission network for receiving the request messages sent by users, and maintains a state value S for each user with the configured constants S_d, S_cutoff and S_reuse; after receiving P'_Request, AR_2 first performs the same operations as AR_1 in step 5, then replaces the source and destination addresses of P'_Request back with CA_A and CA_B, and forwards the resulting request message packet P3_Request to BR_2;
Step 7: BR_2 forwards said P3_Request to the peer host B;
Step 8: the peer host B processes said P3_Request according to its load state or its owner-priority list; if it permits A to communicate with it, it generates and sends an "access token" Token_A; B then packages Token_A together with its own digital certificate into the packet P_Token and sends it to A;
Step 9: said P_Token passes through BR_2 and arrives at AR_2, which processes the token message;
Step 10: after address replacement, P_Token travels from AR_2 to AR_1, which processes the token message;
Step 11: AR_1 first verifies the signature in said P_Token using the public key information in B's digital certificate, to confirm its true source; if said P_Token was indeed sent by B, AR_1 stores N_A, T_A and CA_A in its cache and forwards said P_Token to BR_1; otherwise AR_1 discards said P_Token directly; N_A denotes the amount of data that B allows A to send, in bits; T_A denotes the maximum communication duration that B allows;
Step 12: BR_1 forwards said P_Token to terminal A;
Step 13: the source host A likewise verifies the signature in said P_Token using the public key information in B's digital certificate, to confirm its true source; if said P_Token was forged by another user, A discards it directly; otherwise A starts the normal communication routine; suppose that the ordinary data packet it now sends to B is P;
Step 14: BR_1 forwards said P to AR_1;
Step 15: AR_1 records the number of packets and the communication time that the source host A sends to the peer host B; if these exceed the range allowed by N_A and T_A in its cache, AR_1 discards said P and sends a notification to A; otherwise AR_1 completes the encapsulation and forwards said P to the transmission network;
Steps 16 to 17: said P arrives at the peer host B according to the workflow of the "address separation mapping" technology;
wherein said packet access-permission mechanism comprises steps 1 to 7, and said token-based flow control mechanism comprises steps 8 to 17.
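The puzzle exchange of steps 2 to 4, as an added example that is not part of the patent: BR_1 issues (N, K), host A enumerates N_c for a fixed S until prf(CA | N | N_c | S) has K leading zero bits, and BR_1 checks the answer against its current N. SHA-256 stands in for the unspecified prf(), and the load-to-K mapping and the 64-bit encoding of N_c and S are assumptions.

```python
import hashlib
import os
import time


def prf(ca: str, n: bytes, n_c: int, s: int) -> bytes:
    """prf(CA | N | N_c | S); SHA-256 stands in for the unspecified prf (assumption)."""
    msg = b"|".join([ca.encode(), n, n_c.to_bytes(8, "big"), s.to_bytes(8, "big")])
    return hashlib.sha256(msg).digest()


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading 0 bits in the digest (the 000...000 prefix of length K)."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


class BorderRouter:
    """BR_1 side of the puzzle: step 2 (issue N, K) and step 4 (verify N_c, S)."""

    def __init__(self, period_s: float = 60.0):
        self.period_s = period_s          # N is renewed once per cycle (60 s on the page)
        self.n = os.urandom(8)
        self.issued_at = time.monotonic()

    def puzzle(self, load: float) -> tuple[bytes, int]:
        """Step 2: return (N, K); K rises with load, here linearly from 8 to 20 bits (assumed)."""
        if time.monotonic() - self.issued_at >= self.period_s:
            self.n = os.urandom(8)
            self.issued_at = time.monotonic()
        k = 8 + round(12 * min(1.0, max(0.0, load)))
        return self.n, k

    def verify(self, ca: str, n: bytes, n_c: int, s: int, k: int) -> bool:
        """Step 4: accept only the current N and only if the first K digest bits are 0."""
        return n == self.n and leading_zero_bits(prf(ca, n, n_c, s)) >= k


def solve(ca: str, n: bytes, k: int, s: int = 0) -> tuple[int, int]:
    """Step 3 (host A): enumerate N_c for a fixed S until the digest has K leading 0 bits."""
    n_c = 0
    while leading_zero_bits(prf(ca, n, n_c, s)) < k:
        n_c += 1
    return n_c, s
```

Because BR_1 only has to compute one digest per answer while A must try about 2^K candidates, K lets the border router price admission according to its load.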
2. The DDoS defence method in an address-separation mapping network according to claim 1, characterised in that the token described in step 8 mainly comprises the following four parts of data:
(1) timestamp: the time at which this token was generated;
(2) N_A: the amount of data that B allows A to send, in bits;
(3) T_A: the maximum communication duration that B allows;
(4) signature information: B's signature over N_A, T_A and the timestamp using its private key.
3. The DDoS defence method in an address-separation mapping network according to claim 1, characterised in that in step 1 said P1_Request is an IP packet containing only a header, whose first bit of the "flag field (Flag)" is set to 1.
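The access-router bookkeeping of step 5 of claim 1 (per-user state S with the constants S_d, S_cutoff, P_reuse and H) together with the token budget check of step 15 (N_A and T_A from claim 2), as an added example that is not part of the patent. The decay law S(t2) = S(t1) * exp(-(t2 - t1) / H) is an assumed reading of the formula image that the page does not reproduce, the signature check of step 11 is taken as already done, and all constants are constructed.

```python
import math


class AccessRouter:
    """AR_1 bookkeeping: request state S per user (step 5) and token budget (step 15)."""

    def __init__(self, s_d=1.0, s_cutoff=3.0, p_reuse=0.5, h=10.0):
        self.s_d, self.s_cutoff, self.p_reuse, self.h = s_d, s_cutoff, p_reuse, h
        self.state = {}        # CA -> (S, time of last update)
        self.blocked = set()   # users whose S exceeded S_cutoff and are still decaying
        self.tokens = {}       # (CA_A, CA_B) -> [N_A bits, T_A seconds, bits sent, start time]

    def _decayed(self, ca: str, now: float) -> float:
        """Assumed decay law: S(t2) = S(t1) * exp(-(t2 - t1) / H)."""
        s, t = self.state.get(ca, (0.0, now))
        return s * math.exp(-(now - t) / self.h)

    def admit_request(self, ca: str, now: float) -> bool:
        """Step 5 (1)-(4): S_A' = S_A + S_d; drop while S_A' > S_cutoff, release once S_A' < P_reuse."""
        s = self._decayed(ca, now)
        if ca in self.blocked:
            if s >= self.p_reuse:
                return False          # still decaying: A may not send anything
            self.blocked.discard(ca)
        s_new = s + self.s_d
        self.state[ca] = (s_new, now)
        if s_new > self.s_cutoff:
            self.blocked.add(ca)
            return False              # step (4): discard P2_Request
        return True                   # step (5): map CA_B -> RA_B and forward

    def install_token(self, ca_a: str, ca_b: str, n_a_bits: int, t_a_s: float, now: float):
        """Step 11: after B's signature has been verified, cache N_A, T_A and CA_A."""
        self.tokens[(ca_a, ca_b)] = [n_a_bits, t_a_s, 0, now]

    def forward_data(self, ca_a: str, ca_b: str, packet_len_bytes: int, now: float) -> bool:
        """Step 15: forward P only while bits sent and elapsed time stay within N_A and T_A."""
        tok = self.tokens.get((ca_a, ca_b))
        if tok is None:
            return False              # no token from B: nothing may be forwarded
        n_a, t_a, sent, start = tok
        if now - start > t_a or sent + packet_len_bytes * 8 > n_a:
            return False              # drop P and notify A
        tok[2] = sent + packet_len_bytes * 8
        return True
```

A burst of requests from one identifier trips S_cutoff and is then ignored until S has decayed below P_reuse, while data packets without a cached token, or beyond the N_A bits or T_A seconds B granted, never reach the transmission network.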
CN200910238098A 2009-11-25 2009-11-25 Method for defending against DDos in address disjunction mapping network Expired - Fee Related CN101702727B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910238098A CN101702727B (en) 2009-11-25 2009-11-25 Method for defending against DDos in address disjunction mapping network

Publications (2)

Publication Number Publication Date
CN101702727A CN101702727A (en) 2010-05-05
CN101702727B true CN101702727B (en) 2012-09-05

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120905

Termination date: 20181125