EP4066460A1 - Unterstützungsverfahren zur Verwaltung eines Cyber-Angriffs sowie Vorrichtung und System dafür (Assistance method for managing a cyber attack, and device and system therefor) - Google Patents
- Publication number
- EP4066460A1 (application EP20824303.0A)
- Authority
- EP
- European Patent Office
- Prior art keywords
- attack
- protection
- protection service
- domain
- service
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0263—Rule management
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/141—Denial of service attacks against endpoints in a network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
- H04L63/0236—Filtering by address, protocol, port number or service, e.g. IP-address or URL
Definitions
- the invention relates to the general field of telecommunications.
- the invention applies in particular to computer attacks of the denial of service (DoS) or DDoS (for “Distributed DoS”) type.
- a DoS attack is an attempt to make resources of a computing domain, for example network or computing resources, unavailable to their users.
- DDoS attacks are often massive and liable to compromise several hundred thousand pieces of user equipment (fixed or mobile terminals, connected objects, servers, network resources, etc.), which can in turn be used as relays to amplify the harmful power of these attacks.
- in its annual report for 2019, the company Symantec reports nearly 24,000 applications embedded in mobile devices blocked daily by such attacks, a 600% increase between 2016 and 2017 in attacks targeting connected objects, and an increase in the volume of attack traffic between 2016 and 2017, which represented 5% of global web traffic in 2016 against 7.8% in 2017.
- DDoS attacks are more and more frequent and intense, and can target several hundred thousand computer machines.
- such attacks are handled by DDoS Protection Services, referred to below as DPS.
- a DPS relies on filtering policies, i.e. policies capable of isolating the traffic coming from all the machines involved in the attack.
- FIG. 1 represents, by way of illustration, a client IT domain CL connected to two forwarding networks TN1 and TN2 providing it with access to the Internet network.
- each forwarding network hosts a dedicated DPS protection service, referenced DPS1 for the forwarding network TN1 and DPS2 for the forwarding network TN2.
- PI denotes Provider-Independent addresses (addresses held by the client domain itself, not allocated by one of its connectivity providers).
- DPS protection offers are based on services hosted in the cloud, and not only within the infrastructures operated by Internet access providers. These cloud deployments raise technical problems, in particular for the early detection of attacks, because the components of the DPS service involved in detecting or resolving attacks and hosted in the cloud are not necessarily present on the various paths taken by the attack traffic, so that they are not able to inspect and filter this traffic.
- certain protection services may have limited processing and mitigation capacity and be unable to process attacks of high amplitude, or whose volume of attack traffic exceeds a certain threshold.
- a protection service against computer attacks must coordinate the routing of traffic to the client computer domain that it protects, so that legitimate traffic destined for that domain is still routed to it normally.
- the protection service must identify suspicious traffic and then isolate it so that it is not routed to the client IT domain. To this end it can rely on a so-called scrubbing center or scrubbing function, which may turn out to be undersized for attacks requiring substantial CPU (Central Processing Unit) or capacity resources.
- the effectiveness of the mitigation implemented by the protection service is then reduced, and the client IT domain continues to be attacked despite the intervention of the protection service.
- in the scenario of FIG. 1, an agent AG of the client IT domain CL requests mitigation of an attack from both protection services DPS1 and DPS2.
- the DPS1 service quickly implements an effective mitigation plan, because it has detection and mitigation mechanisms suited to the type of attack in progress, while the DPS2 service fails to set up an effective mitigation plan, for example because it lacks the mechanism for detecting and identifying the traffic characteristic of this attack.
- the attack traffic is then blocked by the forwarding network TN1, but continues to be routed to the client domain CL via the forwarding network TN2.
- the client domain CL thus remains the victim of the attack despite the mitigation plan put in place by the DPS1 service.
- this is in particular the case when the client domain CL uses so-called PA (Provider-Aggregatable) addresses, that is to say when the addresses used on the interconnection links connecting the client domain CL to the forwarding networks TN1 and TN2 are those allocated by each of the connectivity providers operating TN1 and TN2.
- the invention makes it possible in particular to remedy the drawbacks of the state of the art by proposing an assistance method implemented by a device managing resources of a computer domain, said resources being protected by a plurality of protection services against computer attacks, this method comprising:
- the invention also relates to a device managing resources of a computer domain, configured to communicate with a plurality of protection services against computer attacks protecting said resources of the computer domain, this device comprising:
- a determination module configured to determine an inability of a first protection service of the plurality of protection services, to process a computer attack targeting at least one resource in the computer domain;
- a development module configured to develop a mitigation plan for said attack from a mitigation plan obtained from a second protection service of the plurality of protection services or using assistance provided by at least the second protection service;
- a transmission module configured to transmit the mitigation plan thus developed to the first protection service to handle the attack.
- the invention proposes to exploit the subscription of the IT domain to a plurality of protection services (which may, for all or some of them, be managed by separate administrative entities) in order to dynamically provide assistance to a protection service that is incapable of managing a computer attack detected in the IT domain (the first protection service within the meaning of the invention, also designated hereinafter as the "incapable protection service").
- this assistance takes the form of a mitigation plan drawn up and supplied to the incapable protection service. It is based either on a mitigation plan set up or determined by another protection service (the second protection service within the meaning of the invention) in response to the attack, which makes it possible to remedy a functional deficiency of the incapable protection service, or on assistance provided by another protection service (again the second protection service within the meaning of the invention), which makes it possible to remedy a lack of capacity of the incapable protection service.
- the term "mitigation plan" denotes a set of actions drawn up to resolve an attack. The purpose of these actions is to prevent the attack traffic from spreading into the IT domain. They may be actual mitigation actions put in place or drawn up by a protection service, but may also include assistance provided by a protection service to extend the capabilities of the incapable protection service and enable it to resolve the attack.
- the invention is not limited to a local application, within the IT domain, of the mitigation plan drawn up, an application which is not always possible depending on the state of the resources affected by the attack; it also provides for the transmission of the mitigation plan to the incapable protection service in order to remedy its deficiencies.
- this makes it possible, when the protection service protects resources such as the interconnection links of the IT domain with the Internet or with transit networks, to block the attack traffic early, upstream of and/or at the ingress of the client IT domain.
- the invention is not restricted to a first protection service protecting the resources of the IT domain targeted by the attack. It also applies to a first protection service protecting resources of the IT domain involved in routing the attack traffic towards the targeted resources. In both cases the attack is said here to fall within the scope of action of the first protection service.
- the mitigation plan transmitted to the incapable protection service is prepared by a device managing the resources of the IT domain that are protected by the plurality of protection services; this IT domain is also sometimes referred to here as the "client domain" or "client IT domain".
- since the protection services can be managed by separate administrative entities, they are not necessarily aware of the mitigation actions implemented by the other protection services protecting resources in the client domain.
- the client domain, by contrast, has global visibility of the actions implemented to protect its resources, and the invention advantageously exploits this visibility to coordinate and improve the effectiveness of the mitigation efforts undertaken by the protection services involved.
- the result, for an attack detected in the client domain, is a shorter reaction time and attack processing time, as well as faster execution of mitigation actions. In this way, the continuity of the services offered by the IT domain is preserved.
- in the example of FIG. 1, the invention makes it possible to exploit the knowledge of the attack held by the protection service DPS1, together with its effective mitigation plan, by drawing up from the plan implemented by DPS1 a mitigation plan that is provided to the protection service DPS2.
- the protection services DPS1 and DPS2, which protect the interconnection links of the client domain CL affected by the attack, are then both able to set up policies for filtering the attack traffic entering the client domain CL.
- the handling of the attack affecting the IT domain is therefore improved, not only individually at the level of each protection service, but also at the level of the overall action carried out by all of the protection services. It should be noted that this improvement is advantageously obtained without having to modify or extend the visibility of the traffic available to each of the protection services: concretely, each protection service continues to see only part of the traffic associated with the client domain, and not the global traffic of that domain.
- the invention thus enables rapid, automatic and reliable resolution of computer attacks liable to affect the resources of a computer domain. Thanks to the use of the mitigation actions implemented by various protection services, the invention offers the possibility of dealing with attacks affecting all the resources of the IT domain.
- in one embodiment, the second protection service has set up a mitigation plan in response to the attack, and the mitigation plan sent to the first protection service is drawn up by adapting the mitigation plan set up by the second protection service to the resources of the IT domain protected by the first protection service.
- this embodiment makes it possible more particularly to handle a functional incapacity of the first protection service, while the second protection service is able to deal with the attack and has put in place an effective mitigation plan for this purpose.
- the mitigation plan provided to the first protection service is then derived from the mitigation plan put in place by the second protection service.
- the derived mitigation plan is not necessarily an identical copy of the mitigation plan provided by the second protection service. It may be inspired by it and/or take up and/or adapt all or part of the actions indicated therein, for example to take account of constraints specific to the first protection service.
- the method further comprises:
- This embodiment also aims to overcome a functional deficiency of the first protection service.
- in this embodiment, the attack falls only within the scope of action of the first protection service (in other words, the attack targets IT resources protected by the first protection service, or the first protection service protects resources of the IT domain involved in routing the attack traffic to the targeted resources).
- since the second protection service is not directly concerned by the attack affecting the IT domain, it has not, strictly speaking, put in place any mitigation action against this attack.
- the invention therefore proceeds, in this embodiment, by instructing the second protection service to emulate the attack on the resources of the computing domain that it protects and to propose a mitigation plan in response to this attack.
- the mitigation plan proposed by the second protection service corresponds to the resources of the IT domain protected by the second protection service (typically identified by dedicated IP addresses or prefixes), and not to the resources protected by the first protection service and targeted by the attack.
- drawing up a mitigation plan intended for the first protection service then consists in particular in the device managing the resources of the IT domain adapting the mitigation plan proposed by the second protection service to the resources protected by the first protection service.
- in another embodiment, the inability of the first protection service stems from a lack of resources available at the first protection service to mitigate the attack. The method then comprises a step of obtaining, from the second protection service, at least one item of information allowing a communication to be established between the first protection service and the second protection service so that the latter assists in mitigating the attack, the mitigation plan transmitted to the first protection service comprising said at least one item of information obtained.
- the assistance provided by the second protection service is then a capacity assistance in handling the attack, making it possible to alleviate an insufficiency of resources of the first protection service to resolve the attack, for example because of the magnitude of the attack.
- this embodiment makes it possible to artificially extend the resources of the first protection service in order to resolve the attack effectively. Thanks to the communication established between the first and second protection services, the first protection service can for example redirect part of the traffic intended for the IT domain to the second protection service so that the latter filters it.
- the capacity assistance provided to the first protection service can come from several protection services among the plurality of protection services protecting the resources of the computer domain.
- the method comprises:
- the interrogation can be performed, for example, before any attack is detected.
- this embodiment makes it possible to anticipate the problems linked to a capacity failure of one of the protection services: from the stored information, the device managing the resources of the client IT domain can, when informed of such a failure, act more quickly to set up assistance for the failing protection service.
- the interrogation step can be implemented following the detection of an attack targeting at least one resource in the IT domain.
- This embodiment makes it possible to obtain up-to-date information, representative of a current state of the protection services capable of providing their assistance.
- the information provided by the protection services able to provide assistance can be of different types. They include for example at least one element among:
- the device indicates to the interrogated protection services a minimum capacity that a protection service declaring itself able to provide assistance must have.
- to determine this minimum capacity, the device can rely on traffic forecasting mechanisms ("traffic forecast"), known per se. The minimum capacity can then be reassessed on a case-by-case basis according to the needs of a failing protection service.
- this embodiment makes it possible to avoid the device of the client IT domain selecting a protection service that does not have sufficient capacity to assist a failing protection service, and therefore to avoid a loss of time in executing the method according to the invention.
- in one embodiment, the method comprises, after detection of the attack, a step of sending, to all or some of the protection services of the plurality whose scope of action contains at least one resource of the IT domain targeted by the attack, a request to obtain the mitigation plan set up by these protection services in response to the attack.
- in response to a request from the device of the client IT domain, the protection services provide, where applicable, the mitigation plans they have set up against the detected attack.
- the device managing the resources of the IT domain can for this purpose, for example, register with each protection service to be informed by it of the mitigation plans that it implements.
- the method comprises:
- the device managing the resources of the client IT domain thus coordinates the mitigation actions put in place by the various protection services concerned by the attack (in other words, those within whose scope of action the attack falls) so as to avoid inconsistencies between these actions.
- since the protection services are likely to be managed by separate administrative entities, they have no mutual visibility of the actions implemented by the other protection services in the presence of an attack, unlike the client IT domain.
- one (or more) protection service can make mitigation decisions that have negative implications for the service provided to the client IT domain, in particular because they are not consistent with decisions taken by another protection service in response to the attack. For example, decisions made by two (or more) different protection services can lead to the establishment of a routing loop that prevents legitimate traffic from being routed to the client IT domain.
- the invention relies on the device managing the resources of the computing domain that are protected by the various protection services against computer attacks, but also on the action of these protection services themselves.
- the invention also relates to a method for obtaining, by a first protection service of a plurality of protection services against computer attacks protecting resources of a computer domain, a plan for mitigating a computer attack targeting at least one of the resources of the computer domain, this method comprising, following a detection of an inability of the first protection service to process the attack:
- the invention also relates to a device of a first protection service of a plurality of protection services against computer attacks protecting resources of a computer domain, at least one of the resources of the computer domain being targeted by a computer attack, said device comprising modules activated following detection of an inability of the device to process the attack, these modules comprising:
- a reception module configured to receive a mitigation plan produced by a device managing said resources of the IT domain from a mitigation plan obtained from a second protection service of said plurality of protection services or using assistance provided by at least said second protection service;
- an implementation module configured to set up in response to said attack a mitigation plan derived from the mitigation plan received from the device to process the attack.
- the obtaining method and the device of the first protection service benefit from the same advantages as those mentioned above for the assistance method and the device of the IT domain.
- the step of setting up the mitigation plan comprises, when the mitigation plan uses assistance provided by at least the second protection service, routing data suspected of being associated with the attack to the second protection service for processing.
- the data is for example routed to the second protection service via a secure tunnel established with the second protection service by means of information contained in the mitigation plan received from the device.
- the assistance provided by the second protection service thus allows the first protection service to offload some of the suspicious traffic that it is not able to process, routing it to the second protection service so that the latter applies an appropriate mitigation plan to it.
- the assistance method and / or the obtaining method are implemented by a computer.
- the assistance method and/or the obtaining method may also be implemented by a computer not directly connected to the IT domain (e.g. a smartphone) but able to manage the resources of said IT domain.
- the invention also relates to a first computer program on a recording medium, this program being capable of being implemented in a computer or, more generally, in a device managing the resources of a client IT domain in accordance with the invention, and including instructions adapted to the implementation of an assistance method as described above.
- the invention also relates to a second computer program on a recording medium, this program being capable of being implemented in a computer or, more generally, in a device of a first service for protection against computer attacks in accordance with the invention, and including instructions adapted to the implementation of an obtaining method as described above.
- Each of these programs can use any programming language, and be in the form of source code, object code, or intermediate code between source code and object code, such as in a partially compiled form, or in any other desirable shape.
- the invention also relates to an information medium or a recording medium readable by a computer, and comprising instructions of the first, second or third computer program mentioned above.
- the information or recording media can be any entity or device capable of storing the programs.
- the media can comprise a storage means, such as a ROM, for example a CD ROM or a microelectronic circuit ROM, or else a magnetic recording means, for example a hard disk, or a flash memory.
- the information or recording media can also be transmission media such as an electrical or optical signal, which can be routed via an electrical or optical cable, by radio link, by wireless optical link or by other means.
- the programs according to the invention can in particular be downloaded over an Internet-type network.
- alternatively, each information or recording medium can be an integrated circuit in which a program is incorporated, the circuit being adapted to execute, or to be used in the execution of, the assistance method or the obtaining method according to the invention.
- the invention is also aimed at a system for protecting an IT domain comprising:
- said plurality of protection services comprising at least:
- a first protection service comprising a device according to the invention incapable of processing a computer attack targeting at least one resource in the computer domain;
- a second protection service which has set up a mitigation plan for said attack, or which is able to provide assistance to the first protection service to deal with said attack, and on which said device managing said resources of the IT domain relies to draw up and transmit to said first protection service a mitigation plan for the attack.
- the second protection service comprises:
- an emulation module activated at the request of the computer domain device when the attack falls within the scope of action of the first protection service only, said emulation module being configured to emulate said attack on at least one resource of the computing domain protected by the second protection service;
- a transmission module configured to transmit to the computer domain device an attack mitigation plan proposed by the second protection service during the emulation of said attack by the emulation module.
- the second protection service comprises a supply module, activated at the request of the device managing the resources of the IT domain when said attack is within the scope of action of the second protection service, said supply module being configured to provide the device managing the resources of the IT domain with a mitigation plan set up by the second protection service in response to the attack.
- the system according to the invention benefits from the same advantages as those mentioned above for the assistance method, the obtaining method, the device of the IT domain and the device of the first protection service according to the invention.
- the assistance method, the obtaining method, the device managing the resources of the IT domain, the device of the first protection service and the system according to the invention may exhibit in combination all or some of the aforementioned characteristics.
- FIG. 1, already described, represents a computer domain protected by two services for protection against computer attacks, according to the state of the art;
- FIG. 2 represents a system for protecting a computer domain according to the invention, in a particular embodiment;
- FIG. 3 represents the hardware architecture of a device managing the resources of the computer domain protected by the protection system of FIG. 2, in a particular embodiment;
- FIG. 4 represents the hardware architecture of a server device of a protection service of the protection system of FIG. 2, in a particular embodiment;
- FIG. 5 represents the main steps of an assistance method according to the invention as they are implemented, in a particular embodiment, by the device of FIG. 3;
- FIG. 6 represents the main steps of a method of obtaining according to the invention as they are implemented, in a particular embodiment, by a server device of the protection system of FIG. 2;
- FIG. 7 represents steps that can be implemented, in a particular embodiment, by a server device of the protection system of FIG. 2.
- FIG. 2 represents a system 1 for protecting a computer domain 2 against computer attacks, in accordance with the invention, in a particular embodiment.
- “IT domain”, also referred to as “client IT domain” or “client domain”, is understood here to mean a set of computer resources (including in particular resources such as routers, switches, servers, terminals, etc.), placed under the responsibility of a given administrative entity.
- a computer domain is for example a company network, a home network or an autonomous system or AS (for “Autonomous System”) using the BGP (for “Border Gateway Protocol”) protocol.
- the computer domain 2 is connected to the public Internet network, directly or via one or more forwarding networks. It has various computer resources (CPU resources, memory resources, network resources, interconnection links with other networks, etc.), protected by a plurality of protection services against computer attacks SP1, SP2, ..., SPN, to which the administrator or the owner of the IT domain 2 has subscribed, N denoting an integer greater than 1. For the sake of simplicity, three protection services SP1, SP2 and SP3 are shown in Figure 2; however, the number N can be any integer greater than 1.
- All or part of the protection services SP1, SP2, ..., SPN protecting the resources of the IT domain 2, and in particular in the example considered here SP1, SP2 and SP3, are managed by distinct administrative entities (for example, by separate network operators). In other words, each of these administrative entities has no visibility on the attack mitigation actions implemented by the other administrative entities and their own protection services (i.e. no prior knowledge of these mitigation actions).
- the term “mitigation plan” is understood to mean actions proposed or implemented by a protection service for the resolution of an attack, in particular with a view to preventing the attack traffic from propagating to reach one or more targets in the IT domain 2.
- by protection service SPk, k = 1, ..., N, we mean here both the service itself supplied to the computer domain 2 and the device or devices hosting the logic of this service. Also, no assumption is made as to the functional and organic structure of a protection service.
- the IT domain 2 comprises one (or more) functions for detecting DDoS (distributed denial of service) attacks.
- the invention applies to any type of computer attack (denial of service, identity theft, ransomware, etc.).
- no limitation is attached to the nature of the resources which may be the target of an attack; it may for example be an IP address, an IP prefix, a machine, an alias, a fully qualified domain name (FQDN, for Fully Qualified Domain Name), etc.
- the protection system 1 is based on a DOTS (for “DDoS Open Threat Signaling”) client/server architecture as defined by the IETF (Internet Engineering Task Force).
- the DOTS architecture specified by the IETF aims to provide a signaling mechanism for detecting suspicious traffic or even a proven attack, so that appropriate mitigation measures can be implemented as quickly as possible.
- it allows a client, called DOTS client, which manages a computer domain to inform a server, called DOTS server, of the detection of suspicious traffic potentially characteristic of an ongoing DDoS attack and that appropriate mitigation actions are required.
- the DOTS server can then set up or coordinate various actions so that, for example, the traffic associated with the denial of service attack is no longer routed to the IT domain of the DOTS client, and only authorized (i.e. legitimate) traffic is routed to said IT domain.
- the DOTS client is not necessarily a network element of the IT domain in question, but can be connected indirectly to the latter; it can be for example a control network or a terminal (for example, a smartphone) of an administrator of the IT domain, etc.
- Two DOTS communication channels are defined between the DOTS client and the DOTS server:
- the DOTS signaling channel (“DOTS Signal Channel”): this channel is used only for the duration of DDoS attacks.
- the DOTS client can use this channel to request assistance from the DOTS server by informing it that an attack is in progress.
- Table 1 illustrates an example of a mitigation request that can be sent via a DOTS signaling channel “draft-ietf-dots-signal-channel” (corresponding to a target of the attack identified by the attribute “ietf-dots-signal-channel:mitigation-scope” in table 1), by a DOTS client identified by a unique identifier CUID (for “Client Unique Identifier”) “mydotsclient”, to its DOTS server, to inform it that the prefix “1.2.
- the DOTS data channel (“DOTS Data Channel”): this channel is used if and only if no attack is in progress.
- the DOTS client can for example use this channel to install filtering rules (or ACL for “Access Control List”) such as filtering traffic received from certain addresses or intended for a given machine.
- Table 2 provides an example of a message sent on a DOTS data channel “draft-ietf-dots-data-channel” (corresponding to a filter characterized by the attribute “ietf-dots-data-channel:access-lists” in table 2), by a DOTS client with CUID “mydotsclient”, asking a DOTS server to block (“actions”: {“forwarding”: “drop”}) all traffic destined for the prefix “1.2.3.0/24”.
- DOTS is therefore an architecture intended to facilitate the handling of attack mitigation requests sent by a DOTS client and received by a DOTS server, such as for example a server operated by a provider of a service for protection against computer attacks.
- the IT domain 2 comprises a device 3, in accordance with the invention, in charge of the management and monitoring of all the IT resources of the IT domain 2, and the protection services SP1, ..., SPN comprise devices 4-1, ..., 4-N respectively, also according to the invention, the device 3 and the devices 4-1, ..., 4-N being capable of interacting with each other according to the principles and characteristics of the DOTS client/server architecture which have just been described.
- the device 3 acts as a DOTS client (hereinafter referred to as “client device 3”) and the devices 4-1, 4-2, ..., 4-N act as DOTS servers.
- the invention however applies to other architectures and/or to other protocols allowing devices 3, 4-1, ..., 4-N to communicate with each other.
- DOTS communications between a DOTS client and a DOTS server can be done via relays (or “DOTS Gateways”). These relays can be hosted within the domain of the DOTS client (also referred to as “client domain”) or within the domain of the server (also referred to as “server domain”) or both.
- a DOTS relay located in a domain of the client is considered by a DOTS server as a DOTS client.
- a DOTS relay located in a server domain is considered by a DOTS client as a DOTS server.
- in the event of the presence of a DOTS relay in a server domain, the authentication of DOTS clients is the responsibility of the relay.
- a DOTS server must be configured with the list of active DOTS relays within its domain; it can then delegate some of its functions to these trusted relays.
- the DOTS server can safely use the information provided by a relay appearing in a list declared with the DOTS server and maintained by the latter by means of an ad hoc authentication procedure (for example, explicit configuration of the list of relays by the authorized administrator of the server, retrieval of the list from an AAA server (for “Authentication, Authorization and Accounting”), etc.).
- the client device 3 is configured to establish with the server devices 4-1, ..., 4-N of the protection services SP1, ..., SPN (or with DOTS relays located in the computer domains hosting the server devices 4-1, ..., 4-N) secure DOTS sessions in accordance with the aforementioned IETF specification entitled "Distributed Denial-of-Service Open Threat Signaling (DOTS) Signal Channel Specification".
- the sessions are established here using the DTLS protocol (for “Datagram Transport Layer Security”) or the TLS protocol (for “Transport Layer Security”).
- the various DOTS agents (clients, servers and relays), that is to say the DOTS client device 3, the DOTS server devices 4-1, ..., 4-N and any relays between these DOTS devices, are configured to authenticate each other.
- requests from DOTS client devices not authorized to access the service offered by the DOTS server device 4-1, ..., 4-N considered are ignored by the latter.
- the DOTS client device 3 has the hardware architecture of a computer, as shown in FIG. 3. It comprises in particular a processor 5, a RAM 6, a ROM 7, a non-volatile memory 8, and communication means 9 allowing it in particular to communicate, using in particular the DOTS protocol, with the server devices 4-1, ..., 4-N of the protection services SP1, ..., SPN.
- These communication means 9 are based on a wired or wireless communication interface, known per se and not described in more detail here.
- the read only memory 7 of the client device 3 constitutes a recording medium according to the invention, readable by the processor 5 and on which is recorded a computer program PROG3 according to the invention, comprising instructions for the execution of the steps of an assistance method according to the invention.
- the PROG3 program defines functional modules of the client device 3, which are based on or control the hardware elements 5 to 9 of the client device 3 mentioned above, and which include in particular (see FIG. 2):
- a determination module 3A configured to determine an inability of a first protection service among the plurality of protection services SP1, ..., SPN, to process a computer attack targeting at least one resource of the computer domain 2, and falling within the scope of action of the first protection service;
- a development module 3B configured to develop a mitigation plan for said attack from a mitigation plan obtained from a second protection service among the plurality of protection services SP1, ..., SPN, or using assistance provided by at least said second protection service; and a transmission module 3C configured to transmit the mitigation plan developed to the first protection service to process the attack.
- the client device 3 can also include a DDoS attack detection function. In the embodiment described here, however, it is assumed that this DDoS attack detection function is hosted by another device 10 in the IT domain 2 (cf. FIG. 2).
- modules 3A to 3C of the client device 3 are described in more detail later.
- each DOTS server device 4-1, ..., 4-N has the hardware architecture of a computer, as shown in FIG. 4. It comprises in particular a processor 11, a random access memory 12, a read only memory 13, a non-volatile memory 14, and means of communication 15 allowing it in particular to communicate, using in particular the DOTS protocol, with the client device 3.
- These means of communication 15 are based on a wired or wireless communication interface, known per se and not described in more detail here.
- a computer program PROG4 in accordance with the invention, comprising instructions for executing the steps of an obtaining method according to the invention.
- the PROG4 program defines functional modules of the server device 4-k, which are based on or control the hardware elements 11 to 15 mentioned above, and which notably include (cf. FIG. 2) a reception module 4A and an implementation module 4B, activated following a detection of an inability of the server device 4-k to deal with a computer attack targeting one or more resources of the computer domain 2.
- the implementation module 4B is for its part configured to set up, in response to the computer attack, a mitigation plan derived from the mitigation plan received from the client device 3.
- an emulation module 4D, activated at the request of the client device 3 and configured to emulate a computer attack on at least one resource of the computer domain 2 protected by the protection service SPk, as well as a transmission module 4E configured to transmit to the client device 3 an attack mitigation plan proposed by the protection service SPk during the emulation of the attack by the emulation module 4D.
- FIG. 5 thus illustrates the steps of an assistance method according to the invention, as implemented by the client device 3 in a particular embodiment.
- an ATTACK computer attack has been detected on at least one resource in the computer domain 2 by the function for detecting computer attacks, in a manner known per se.
- This attack is signaled by the detection function 10 to the client device 3 (step E10).
- the detection function 10 supplies various information on the ATTACK attack to the client device 3, such as for example the characteristics of the attack traffic (source address(es), destination address(es), protocol identifier(s) (for example ICMP (for Internet Control Message Protocol), TCP (for Transmission Control Protocol), etc.)), the nature of the attack (here a DDoS attack), etc.
- This information can be supplemented by information of attack traffic volume, obtained for example by function 10 via the collection of SNMP (Simple Network Management Protocol) counters on the affected interfaces.
- On receipt of this signal, the client device 3 sends a DOTS request to all or part of the devices 4-1, ..., 4-N to signal the detected ATTACK computer attack and ask them for help to resolve this attack (step E20).
- the DOTS request sent is for example a DOTS “Request Mitigation” request known from the state of the art, similar or identical to the request given by way of illustration in table 1. It is sent by the client device 3 to all the server devices 4-1, ..., 4-N, or only to those server devices among the server devices 4-1, ..., 4-N protecting the resources targeted by the attack or involved in the routing of the attack traffic to the computer domain 2. This sending can be done in parallel to each of the server devices or sequentially.
- each server device contacted (step F10) by the client device 3 which is able to process this attack (“yes” response in test step F20) acknowledges the attack mitigation request received from the client device 3 by sending it a DOTS “2.01 Created” message (step F30).
- a server device is able to process the attack when it has the functional capacity (that is to say it knows the attack, knows how to identify it and how to mitigate it) and has the hardware and/or software resources (in appropriate quantity) to treat and mitigate it.
- Each server device of a protection service capable of processing the attack also sets up a mitigation plan to process the traffic intended for the IT domain 2 of which it has visibility (in other words intended for or passing through the resources of the computer domain 2 for which it ensures the protection) (step F40). It informs the client device 3 that it has successfully implemented a mitigation plan against the attack.
- the protection service SP1 is able to process the attack, successfully sets up a mitigation plan against this attack and informs the client device 3 thereof.
- if one of the protection services contacted is not able to process this attack (response “no” to test step F20), it informs the client device 3 by sending it for example an error message such as a DOTS message “5.03 (Service Unavailable)” (step F70).
- the protection service SP2 is not able to process the attack, and informs the client device 3 thereof.
- the client device 3 requests the protection service(s) having set up a mitigation plan against the attack (“SPk / ATTACK OK” branch) to provide it with this (these) mitigation plan(s) (step E30). To this end, it sends for example, to each server device concerned, a DOTS GET request containing an attribute (“Uri-Path”) newly introduced for the needs of the invention and called here “mplan”.
- An example of such a query is provided by way of illustration in Table 3 below.
- the request can include an attack mitigation identifier, “mid” (for “Mitigation IDentifier”), here assumed equal to “12332” for the ATTACK attack. If this identifier is not entered in the request then, in the embodiment described here, the server device must communicate all the mitigation plans of all the mitigation actions being executed by the associated protection service.
- On receipt of this request (step F50), the server device supplies the client device 3, via its supply module 4B, with the technical characteristics of the mitigation plan set up against the ATTACK attack (or of all the mitigation plans being executed, if no attack mitigation identifier is specified in the GET request) (step F60).
- the mitigation plan is provided in the form of a list (which can be ordered) comprising one or more rules, each rule defining (that is to say characterizing) the traffic that one wishes to treat (for example the traffic identified as suspect), and the action(s) to be applied to the traffic characterized by the rule.
- Such actions are, for example, a rejection of the traffic defined by the rule associated with the action, a redirection of the traffic, a limitation of the traffic flow, etc.
- the mitigation plan is provided in the “mplan” attribute, in the body of the response.
- the “mplan” attribute can be structured according to a formalism similar or identical to that of the ACLs (Access Control Lists) defined in the specification of the DOTS protocol, or according to an ECA (Event, Condition, Action) chronology, etc.
- the plan described in table 5 contains an ACE entry (for “Access Control Entry”), that is to say a filtering action whose name is “rule1”: this action consists in rejecting (as indicated by the “forwarding” clause set to “drop”, i.e. rejection without notification to the source) all the traffic defined by the “matches” attribute, namely here the traffic sent from any address of the network associated with the prefix “192.0.2.0/24” and intended for the resources associated with the prefix “1.2.3.0/24”.
- a mitigation plan can alternatively include several ACE entries; indeed, distinct actions such as redirection, rate reduction, etc. can be executed by the same mitigation service in response to an attack.
- a mitigation plan can also, or as a variant, comprise one or more pieces of information making it possible to implement assistance provided by a protection service for the treatment of an attack.
- the client device 3 stores locally, for example in its non-volatile memory 8, all the mitigation plans received from the protection services competent to process the ATTACK attack, in association with the server devices and/or the protection services themselves having provided these plans (step E40).
- mplan(SPk, mid#j) denotes the mitigation plan set up by the protection service SPk (and its server device 4-k) in response to the attack identified by the attack mitigation identifier mid#j, j designating an integer greater than 1. It is noted that distinct mitigation identifiers can be used for the same attack to facilitate the management of the mitigation plans during or after their execution.
- the protection service SP2 is unable to process the ATTACK attack falling within its scope of action (“SPk / ATTACK NOK” branch).
- the server device 4-2 of the protection service SP2 notifies the client device 3 of this inability during step F70 described above by sending it, in response to its mitigation request, a “5.03 (Service Unavailable)” error message.
- the error message “5.03 (Service Unavailable)” advantageously comprises, in a “status” parameter introduced in the specification of the DOTS protocol for the needs of the invention, the cause of the error.
- the ATTACK attack is unknown to the protection service SPk0; in other words, it does not have the means to identify the traffic of the attack and/or does not know how to deal with this attack.
- the protection service SPk0 is therefore not capable of implementing an adapted mitigation plan in response to the detected attack. This reason is codified in the error message by a “status” parameter valued for example at “unknown-attack”; or
- the protection service SPk0 is aware of the attack but suffers from insufficient resources available to mitigate the attack (capacity problem, due to lack of adequate resources and/or resources in sufficient quantity to mitigate the attack, for example if it is of great magnitude). This reason is then codified in the error message by a “status” parameter having for example the value “attack-exceeded-capacity”.
- the client device 3 can in this way, by means of its determination module 3A, not only detect the inability of the protection service SP2 to process the ATTACK attack, but also determine the cause of this inability by examining the value of the “status” parameter included in the error message received from the server device 4-2 (step E50).
- the client device 3 can detect this incapacity other than by information received directly from the server device 4-2.
- the client device 3 can detect (directly, or indirectly through information received from another entity in the IT domain 2 or from an external entity) that the IT domain 2 is still receiving the attack traffic from resources protected by the protection service SP2 while an explicit mitigation request has been issued by the client device 3 to the latter, etc.
- the client device 3 selects in its non-volatile memory 8 one of these mitigation plans (step E70).
- the client device 3 has requested the protection services by means of the GET request to obtain their mitigation plans as soon as the attack is detected.
- it can send the GET request upon detection of the inability of the SP1 protection service to set up a mitigation plan (this can make it possible to have a more up-to-date version of the mitigation plan if the attack has progressed for example), or following the detection of the attack and following the detection of the incapacity of the SP1 protection service, or even periodically, etc.
- No limitation is attached to the number of times or to the times when the client device 3 can request the protection services to know the mitigation plans that they are carrying out.
- the client device 3 adapts the mitigation plan provided by the protection service SP1 so that it applies to the resources protected by the protection service SP2.
- Table 7 shows in bold characters the adaptation carried out by the client device 3 to develop a mitigation plan adapted to the protection service SP2 (change in the identification of the resources targeted by the attack).
- the client device 3 can select any one of these plans (randomly, or the first provided, or the one corresponding to a particular protection service (for example the most attractive in terms of cost), etc.), aggregate the different plans received, or as a variant take into account a predetermined selection criterion, such as for example the mitigation plan that requires the least adaptation to suit the incapable protection service.
- the client device 3 transmits it via its transmission module 3C and its communication means 9 to the incapable protection service SP2, and more particularly to the server device 4-2 belonging to the protection service SP2 (step E90). For this purpose, it can send to the server device 4-2 a DOTS “Request Mitigation” mitigation request as described previously, comprising the mitigation plan g(mplan(SP1)).
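The following is an added example, not code from the patent: a simplified model of steps E20 to E90 of FIG. 5 on the client device 3, from the “5.03 (Service Unavailable)” responses with their “status” cause, through the “mplan” plans obtained from the capable services, to the adaptation function g() that re-targets the Table 5 ACE to the prefixes protected by the incapable service. DOTS messages are modelled as plain dicts rather than CoAP/CBOR, and the service and plan field names, the attack signature and the prefixes of SP2 are constructed assumptions.

```python
"""Model of the assistance method of FIG. 5 (steps E20 to E90, branch (I)).

Added example, not code from the patent. DOTS messages are modelled as plain
Python dicts rather than CoAP/CBOR; the "mplan" attribute, the "status" cause
codes and the service/plan field names are assumptions taken from the text.
"""
from copy import deepcopy

# DOTS response codes a server device 4-k returns to "Request Mitigation".
CREATED = "2.01 Created"                  # step F30: service can process the attack
UNAVAILABLE = "5.03 Service Unavailable"  # step F70: service cannot

# Causes carried in the "status" parameter of the 5.03 error (names from the text).
UNKNOWN_ATTACK = "unknown-attack"               # functional incapacity, branch (I)
EXCEEDED_CAPACITY = "attack-exceeded-capacity"  # capacity incapacity, branch (II)


def protection_service_response(service, attack):
    """Test step F20 on a server device 4-k: is the service able to process the attack?

    A service is able when it knows the attack (functional capacity) and has
    enough resources for its volume (capacity). Field names are assumptions.
    """
    if attack["signature"] not in service["known_signatures"]:
        return {"code": UNAVAILABLE, "status": UNKNOWN_ATTACK}
    if attack["volume_gbps"] > service["capacity_gbps"]:
        return {"code": UNAVAILABLE, "status": EXCEEDED_CAPACITY}
    return {"code": CREATED, "mid": attack["mid"]}


def determine_inabilities(responses):
    """Determination module 3A (step E50): incapable services and the cause of each."""
    return {name: r["status"] for name, r in responses.items() if r["code"] == UNAVAILABLE}


def adapt_plan(plan, protected_prefixes):
    """Development module 3B (step E80): the adaptation function g().

    Only the identification of the targeted resources changes (as in Table 7):
    each ACE is re-targeted to the destination prefixes protected by the
    incapable service; the source match and the forwarding action are kept.
    """
    aces = []
    for ace in plan["aces"]:
        for prefix in protected_prefixes:
            new_ace = deepcopy(ace)
            new_ace["name"] = f"{ace['name']}-{prefix.replace('/', '_')}"
            new_ace["matches"]["ipv4"]["destination-ipv4-network"] = prefix
            aces.append(new_ace)
    return {"aces": aces}


def run_assistance(attack, services, plans):
    """Steps E20 to E90 for the functional-incapacity case.

    `plans` maps each capable service to the mitigation plan it returned in
    answer to the "mplan" GET request (steps E30/E40). Returns, per incapable
    service, the adapted plan to transmit in a "Request Mitigation" (step E90).
    """
    responses = {name: protection_service_response(svc, attack)
                 for name, svc in services.items()}        # steps E20 / F30 / F70
    inabilities = determine_inabilities(responses)         # step E50
    capable = [name for name in services if name not in inabilities]
    outgoing = {}
    for name, cause in inabilities.items():
        if cause != UNKNOWN_ATTACK or not capable:
            continue  # capacity case is left to the assistance request of branch (II)
        source_plan = plans[capable[0]]  # selection criterion: first plan provided (step E70)
        outgoing[name] = adapt_plan(source_plan, services[name]["protected_prefixes"])
    return outgoing


# Constructed sample data. SP1 knows the attack and has returned the Table 5
# plan; SP2 protects other (constructed) prefixes and does not know the attack.
SAMPLE_ATTACK = {"mid": 12332, "signature": "udp-reflection", "volume_gbps": 40}
SAMPLE_SERVICES = {
    "SP1": {"known_signatures": {"udp-reflection"}, "capacity_gbps": 100,
            "protected_prefixes": ["1.2.3.0/24"]},
    "SP2": {"known_signatures": set(), "capacity_gbps": 100,
            "protected_prefixes": ["1.2.4.0/24", "1.2.5.0/25"]},
}
SP1_PLAN = {"aces": [{
    "name": "rule1",
    "matches": {"ipv4": {"source-ipv4-network": "192.0.2.0/24",
                         "destination-ipv4-network": "1.2.3.0/24"}},
    "actions": {"forwarding": "drop"},
}]}

if __name__ == "__main__":
    import json
    print(json.dumps(run_assistance(SAMPLE_ATTACK, SAMPLE_SERVICES, {"SP1": SP1_PLAN}), indent=2))
```

The same g() serves the emulation path of branch (I), where the source plan is mplan_emul(SP1) instead of mplan(SP1).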
- if the inability of the protection service SP2 comes from ignorance of the ATTACK attack (branch (I) in FIG. 5), but the attack falls only within the scope of action of the incapable protection service SP2 (in other words, the resources targeted by the ATTACK attack or involved in the routing of the traffic of the ATTACK attack are protected by a single protection service among the plurality of protection services SP1, ..., SPN protecting the resources of the computer domain 2, namely SP2) (response “no” to step E60), then this means that none of the protection services requested among the plurality of protection services during step E30 has set up an effective mitigation plan against the ATTACK attack, and a fortiori none has provided such a mitigation plan to the client device 3 during step E40. In other words, the client device 3 does not have in its non-volatile memory 8 any already “known” mitigation plan against the ATTACK attack.
- the client device 3 sends to at least one of the protection services SPk, k ≠ 2, protecting resources of the computer domain 2, and more particularly to the server device 4-k of this protection service, a request to emulate the ATTACK attack on the resources protected by this protection service and to obtain a mitigation plan set up as part of this emulation by the protection service in response to the ATTACK attack (step E100).
- this request is for example a DOTS “Request Mitigation” mitigation request as described previously, in which the client device 3 inserts an attribute newly defined for the needs of the invention (named for example “emulate”) requiring an emulation of the ATTACK attack, and the “mplan” attribute requiring the mitigation plan proposed, if necessary, by the protection service during the emulation.
- the “emulate” attribute can be used for other purposes, for example for purposes of stress testing in the IT domain 2, not detailed further here.
- the emulation of the attack is carried out on the resources of the computer domain 2 protected by the protection service executing the emulation.
- the mitigation request sent by the client device 3 to the server device of the protection service must therefore be adapted to be compatible with the perimeter of the protection service to which it is addressed.
- the target addresses of the attack mentioned in the request must be those of resources protected by the protection service and validated with the latter.
- Such an address validation mechanism is known in the context of the DOTS protocol and is not described in detail here.
- FIG. 7 illustrates the main steps implemented by the protection service SP1 on receipt of this request, and more particularly here by the emulation module 4D of its server device 4-1.
- On receipt of the emulation request (step G10), the server device 4-1 triggers the emulation of the ATTACK attack on the resources that it protects (step G20).
- Such an emulation consists in reproducing the ATTACK attack undergone by the computer domain 2 according to the characteristics provided by the client device 3 in the emulation request, and in particular in generating a similar attack traffic.
- the server device can for this purpose rely on a library of attack traffic collected over time.
- the server device 4-1 derives from this emulation the appropriate mitigation actions in response to this attack.
- the mitigation plan mplan_emul(SP1), if applicable, developed during the emulation is then supplied to the client device 3 in response to its emulation request (step G40).
- if no mitigation plan could be developed, the server device 4-1 informs the client device 3 by sending, in response to its emulation request, an error message as described above (step G50).
- the client device 3 examines the response(s) received to its emulation request (depending on whether one or more protection services have been contacted to emulate the attack) (test step E110), in other words, in the illustrative example considered here, the response of the protection service SP1.
- the client device 3 then works out from this mitigation plan (or from one of the mitigation plans received and selected for example arbitrarily or according to the wealth of information contained in the mitigation plans received), a mitigation plan intended for the incapable protection service, SP2 in the example considered.
- the client device 3 develops from the plan mplan_emul(SP1) a plan g(mplan_emul(SP1)): it does this in the same way as described previously for step E80.
- the plan g(mplan_emul(SP1)) thus prepared is then transmitted to the server device 4-2 of the protection service SP2 (step E90).
- the client device 3 can reiterate its requests by providing more details on the attack or by sending captures of the attack traffic to the protection services.
- the server device 4-2 sets up, in response to the ATTACK attack, a mitigation plan for this attack derived from the mitigation plan g(mplan(SP1)) or g(mplan_emul(SP1)) received from the client device 3 (step F90).
- the mitigation plan put in place can be identical to the plan received from the client device 3, be prepared by the server device 4-2 from all or part of the information (mitigation rules and actions in particular) contained in the mitigation plan received from the client device 3, or be inspired by the logic of the plan received.
- the invention is not limited to an execution as such by the server device 4-2 of the mitigation plan received from the client device 3, but also includes a suitable version thereof.
- the client device 3 is informed thereof (either by the server device 4-2 directly, or by another means), and can then develop and communicate to the server device 4-2 another mitigation plan derived from a mitigation plan provided by a protection service other than the protection service SP1.
- the branch (I) of FIG. 5 which has just been described refers to a functional inability of the protection service SP2 to process the ATTACK attack targeting the resources of the computer domain 2 that it protects, and to the assistance provided by the client device 3 to the protection service SP2 to deal with the ATTACK attack in the event of such a functional incapacity.
- the inability of the protection service SP2 can alternatively stem from a capacity insufficiency, in other words, the protection service SP2 does not have sufficient resources to mitigate the attack, for example because it is of great magnitude.
- On receipt of the error message transmitted by the server device 4-2, the client device 3 interrogates at least one other protection service among the protection services SP1, ..., SPk, ..., SPN, k ≠ 2, protecting resources of the computer domain 2, to determine whether it is able to provide capacity assistance to the protection service SP2 to mitigate the ATTACK attack (step E120).
- to this end, it sends, in the embodiment described here, a DOTS assistance request to at least one of the protection services SP1, ..., SPk, ..., SPN, k ≠ 2.
- in the example, this assistance request is sent to the protection service SP1, and more specifically to its server device 4-1. Such a request does not exist in the current version of the DOTS protocol and has to be defined for the needs of the invention.
- Such a request is for example named “Request Assisted Mitigation”.
- the body of the request for assistance “Request Assisted Mitigation” comprises in particular the following attributes:
- on receipt of such an assistance request, the server device 4-1 checks whether the protection service SP1 has the capacity necessary to set up the requested assistance. If so, and if SP1 agrees to provide it, the server device 4-1 responds to the client device 3 with a DOTS response message "2.01 Created" carrying the information needed to establish the assistance offered by SP1.
- an attribute named for example "Scrubbing_Endpoint(s)" is included in the body of the response message and contains the IP address(es) (or domain name(s)) of the entity or entities with which the server device 4-2 can establish a communication in order to benefit from the assistance provided by the protection service SP1 in resolving the attack ATTACK.
- such an entity is for example a cleaning center (more commonly called a "scrubbing center") of the protection service SP1, in charge of filtering all or part of the suspicious traffic that reaches it.
- other information may be included in the response, such as the capacity available at the protection service providing assistance, one or more security keys to be used during the assistance (for example to set up a secure communication tunnel between the incapacitated protection service and the assisting one), a lifetime of the assistance offered, etc.
- on receipt of the information provided by the protection service(s) declaring themselves capable of assisting SP2, the client device 3 stores it in its non-volatile memory 9 (step E130). Depending on the lifetime associated, where applicable, with each assistance offer, this information is intended to be used to process the attack ATTACK and to assist SP2 with it, but may also serve later, for the same protection service or for another one.
- in step E140, the client device 3 develops, by means of its development module 3B, a mitigation plan intended for the protection service SP2 that relies on the assistance of one or more protection services having declared themselves able to provide it.
- this mitigation plan includes the information provided by the protection service SP1 for establishing a communication between SP2 and SP1, so that SP2 can benefit from SP1's assistance in mitigating the attack ATTACK. If several protection services have responded favorably, the mitigation plan may include the information sent to the client device 3 by all or some of them.
- the mitigation plan carrying the information that allows SP2 to benefit from the assistance of one or more other protection services is transmitted by the client device 3 to the server device 4-2 of the protection service SP2 in a DOTS mitigation request "Request Mitigation", whose attributes include the mitigation identifier of the attack, "mid", and an attribute called "assist-on" containing the information supplied by the protection service(s) that offered their assistance (SP1 here) for establishing a communication with them (step E150).
- on receipt of this mitigation plan (step F80), the server device 4-2, by means of its installation module 4B, sets up, in response to the attack ATTACK targeting the resources of the computer domain 2 that it protects, a mitigation plan for this attack derived from the plan received from the client device 3 (step F90).
- this mitigation plan consists in particular of establishing a communication, which can be secured (for example a secure tunnel), with the entity or entities of the protection service SP1 identified in the information carried by the plan (the scrubbing center of SP1), and of redirecting over that communication all or part of the suspicious traffic (i.e. data suspected of being associated with the attack) to SP1's scrubbing center for processing or filtering.
- the suspicious traffic redirected to the protection service SP1 is then processed there. Traffic considered legitimate can be returned to the protection service SP2 or routed directly to the computer domain 2 by SP1.
- the client device 3 requests the protection services SP1,
- in a variant, the client device 3 can preconfigure the assistance that the protection services SP1, ..., SPN are likely to provide.
- the client device 3 can optionally include in the request an estimate of the capacity required for the assistance. Such an estimate can be obtained with a heuristic based on SNMP (Simple Network Management Protocol) or NETCONF counters, which give the volume of data packets exchanged over the network.
- the request can be sent to the protection services simultaneously or sequentially.
- on receipt of this request, the server device of each protection service concerned checks whether it has the capacity necessary to set up such assistance, as described above. If the request is accepted, the server device responds with a "2.01 Created" message whose body carries the information described previously for establishing a communication with the protection service; a lifetime of the assistance offered may also be included. Reception and storage of this information by the client device 3 in its non-volatile memory 9 completes the preconfiguration of the assistance.
- the client device 3 can then, as soon as it sends a "Request Mitigation" to the protection services protecting the resources affected by the attack, request their intervention while including in the request the preconfigured assistance offers (that is, the information the offering protection services transmitted so that a communication can be established with them for the purpose of this assistance), as long as those offers still have a valid lifetime.
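The assistance exchange described above (steps E120 to E150 and the preconfiguration variant), as an added Python example that is not part of the patent or of any DOTS implementation. The message and attribute names "Request Assisted Mitigation", "2.01 Created", "Scrubbing_Endpoint(s)", "mid" and "assist-on" are taken from the description; the dict encoding, the refusal code "5.03 Service Unavailable", the capacity figures, the SNMP counter samples and the class and function names are assumptions made for illustration. Real DOTS signalling runs over CoAP with CBOR bodies (RFC 9132); that transport is not modelled.

```python
"""Added example (not the patent's or any DOTS implementation's code): a model
of the assistance exchange described above.  Message and attribute names follow
the description; the dict encoding, the refusal code, the capacity figures and
the SNMP samples are assumptions.  Real DOTS uses CoAP/CBOR, not modelled here."""
import time

COUNTER64_MAX = 2 ** 64  # ifHCInOctets is a 64-bit SNMP counter


def estimate_bps(samples):
    """Heuristic capacity estimate from (timestamp_s, ifHCInOctets) samples:
    sum the wrap-safe counter deltas and divide by the elapsed time."""
    if len(samples) < 2:
        raise ValueError("need at least two counter samples")
    octets = sum((c1 - c0) % COUNTER64_MAX
                 for (_, c0), (_, c1) in zip(samples, samples[1:]))
    elapsed = samples[-1][0] - samples[0][0]
    if elapsed <= 0:
        raise ValueError("sample timestamps must increase")
    return octets * 8 / elapsed


class ServerDevice:
    """Server device 4-k of a protection service SPk that may offer assistance."""

    def __init__(self, name, spare_bps, scrubbing_endpoints, lifetime_s, willing=True):
        self.name = name
        self.spare_bps = spare_bps                    # capacity SPk can lend (assumed)
        self.scrubbing_endpoints = list(scrubbing_endpoints)
        self.lifetime_s = lifetime_s
        self.willing = willing                        # SPk's own policy decision

    def handle_assistance_request(self, request):
        """Check capacity and willingness; answer "2.01 Created" with the
        endpoints, or refuse ("5.03 Service Unavailable" is an assumed code)."""
        if request.get("type") != "Request Assisted Mitigation":
            return {"code": "4.00 Bad Request"}
        needed = request.get("capacity-estimate-bps", 0)
        if not self.willing or needed > self.spare_bps:
            return {"code": "5.03 Service Unavailable"}
        return {"code": "2.01 Created", "body": {
            "Scrubbing_Endpoint(s)": list(self.scrubbing_endpoints),
            "available-capacity-bps": self.spare_bps,
            "lifetime": self.lifetime_s,
        }}


class ClientDevice:
    """Client device 3 of the computer domain 2.  `clock` is injectable so that
    the expiry of stored offers can be exercised deterministically."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.assist_store = {}                        # stands in for memory 9

    def request_assistance(self, servers, needed_bps):
        """Steps E120/E130: query each candidate SPk and store every accepted
        offer together with the time at which its lifetime expires."""
        req = {"type": "Request Assisted Mitigation",
               "capacity-estimate-bps": needed_bps}
        for srv in servers:
            resp = srv.handle_assistance_request(req)
            if resp["code"] == "2.01 Created":
                body = resp["body"]
                self.assist_store[srv.name] = dict(
                    body, expires=self.clock() + body["lifetime"])
        return sorted(self.assist_store)

    def valid_offers(self):
        now = self.clock()
        return {k: v for k, v in self.assist_store.items() if v["expires"] > now}

    def build_mitigation_request(self, mid, target_prefixes):
        """Step E150: "Request Mitigation" for the failing service, carrying the
        still-valid offers in an "assist-on" attribute (omitted when none)."""
        req = {"type": "Request Mitigation", "mid": mid,
               "target-prefix": list(target_prefixes)}
        offers = self.valid_offers()
        if offers:
            req["assist-on"] = [
                {"service": name,
                 "Scrubbing_Endpoint(s)": o["Scrubbing_Endpoint(s)"],
                 "lifetime": o["lifetime"]}
                for name, o in sorted(offers.items())]
        return req


def demo():
    """Constructed scenario: SP2 is overwhelmed by ~20 Gbit/s of suspect
    traffic; SP1 can lend 100 Gbit/s, SP3 only 5, so only SP1 accepts."""
    now = [0.0]
    sp1 = ServerDevice("SP1", 100e9, ["203.0.113.10"], lifetime_s=3600)
    sp3 = ServerDevice("SP3", 5e9, ["203.0.113.30"], lifetime_s=3600)
    client = ClientDevice(clock=lambda: now[0])
    needed = estimate_bps([(0, 0), (10, 25_000_000_000)])     # 20 Gbit/s
    accepted = client.request_assistance([sp1, sp3], needed)
    req_now = client.build_mitigation_request(1234, ["198.51.100.0/24"])
    now[0] = 3601.0                                           # offers expired
    req_later = client.build_mitigation_request(1235, ["198.51.100.0/24"])
    return accepted, req_now, req_later


if __name__ == "__main__":
    print(demo())
```

The point of the injectable clock is the lifetime check: once an offer's lifetime has elapsed the client must stop advertising that scrubbing endpoint in "assist-on", otherwise the failing service would redirect traffic to a tunnel the assisting service no longer honours. The wrap-safe counter delta matters for the same reason on the estimate side: a wrapped 64-bit counter read naively yields a negative delta and therefore an absurdly low capacity request.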
- each protection service executes a mitigation plan by putting countermeasures in place against the attack. If it is unable to process the suspicious traffic for capacity reasons, it can redirect part of the excess traffic to one or more protection services that have offered their assistance.
- the failing protection service can thus redirect excess suspicious traffic that it cannot handle to an assisting protection service. The excess is then handled by the assisting service, while legitimate traffic can be returned to the failing protection service or delivered directly to the computer domain 2.
- the invention therefore generally makes it possible to assist a failing protection service by relying on the other protection services protecting the resources of the computer domain 2, whatever the reason for the failure.
- a capacity failure and a functional failure have been described, but these examples are not limiting and other types of failure can be envisaged.
- the client device 3 is also able, when the attack falls within the scope of action of several protection services among SP1, ..., SPN, to check the compatibility of the mitigation plans put in place by each protection service concerned by the attack, and to coordinate, if necessary, the consistency of these plans with one another.
- at the end of step E30, once the client device 3 has been informed of all the mitigation plans put in place by the protection services concerned by the attack, it can check whether the mitigation plans obtained are compatible with one another for treating the attack ATTACK.
- an example of incompatibility is the creation of a routing loop by the combination of uncoordinated mitigation plans set up by several protection services.
- when such a routing loop is created, legitimate traffic can no longer be routed to the client domain CL. The loop is, however, not detectable by the protection services DPS1 and DPS2.
- since the client device 3 has, at the end of step E40, the mitigation plans put in place by the various protection services in response to the attack ATTACK, it is able to detect such a routing loop, or more generally an incompatibility between the mitigation plans.
- the client domain CL can also detect such an anomaly by observing the traffic entering and leaving the computer domain 2 (a routing loop as described above typically manifests itself as an absence of traffic entering the computer domain).
- in a particular embodiment, the client device 3 then coordinates an adjustment of all or some of the incompatible mitigation plans so as to remove the incompatibility. To this end it can proceed, for example, according to one of the following variants.
- first variant: the client device 3 selects at least one of the "conflicting" protection services (for example SPk1) and notifies its server device 4-k1 of the incompatibility between the mitigation plans (for example the existence of a routing loop).
- the notified protection service can be selected arbitrarily among the conflicting protection services, or, for example, as the one whose mitigation plan is the least effective.
- to notify it, the client device 3 can send it a DOTS mitigation request carrying an attribute newly introduced in the DOTS protocol for the purposes of the invention, named here "Thirdparty-dps-conflict", which requires an adjustment, in other words an update, of the mitigation plan proposed by the protection service in question (SPk1 here).
- this request may also carry the elements needed to identify the conflict, for example all or part of the mitigation plans that are incompatible with that of the protection service in question (typically the conflicting rules and actions).
- the server device 4-k1 then modifies its mitigation plan to avoid the incompatibility and transmits the modified plan to the client device 3.
- the client device 3 checks that the incompatibility is actually resolved and that no further incompatibility was created by the adjustment of SPk1's plan.
- second variant: the client device 3 notifies all the server devices of the protection services involved in the detected incompatibility and asks them to adjust their mitigation plans. In the illustrative example considered above, it thus notifies the server devices 4-k1 and 4-k2. For this purpose it can use a mitigation request with a "Thirdparty-dps-conflict" attribute as described above.
- on receipt of this request, each server device adjusts its mitigation plan to resolve the detected incompatibility and transmits the adjusted plan to the client device 3.
- the client device 3 checks the compatibility of the adjusted mitigation plans and, in case of a remaining incompatibility, proceeds again according to the first or the second variant.
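Routing-loop detection across the mitigation plans held by the client device 3, followed by the two coordination variants (notify one conflicting service, or notify all of them) with a re-check after each round, as an added Python example that is not part of the patent. The attribute name "Thirdparty-dps-conflict" and the loop scenario come from the description; the plan representation (forward/drop rules with a next hop), the choice of "fewest drop rules" as the proxy for the least effective plan, and the way a notified server adjusts its plan (redirecting the looping rule to the client domain) are assumptions made for illustration.

```python
"""Added example (not the patent's code): detect routing loops between the
mitigation plans of several protection services and coordinate an adjustment.
Plan format, the "least effective" heuristic and the server's adjustment are
assumptions; "Thirdparty-dps-conflict" and the loop scenario follow the text."""

CLIENT_DOMAIN = "domain-2"   # the protected client domain (computer domain 2)


def forwarding_graph(plans):
    """Directed graph SPx -> SPy for every "forward" rule whose next hop is
    another protection service (a hop to the client domain ends the path)."""
    graph = {name: set() for name in plans}
    for name, rules in plans.items():
        for rule in rules:
            nxt = rule.get("next_hop")
            if rule["action"] == "forward" and nxt in plans:
                graph[name].add(nxt)
    return graph


def find_routing_loops(plans):
    """Return every cycle in the forwarding graph as a closed list of service
    names, e.g. ["SP1", "SP2", "SP1"].  Recursive DFS with grey/black marks."""
    graph = forwarding_graph(plans)
    colour, loops = {}, []

    def visit(node, path):
        colour[node] = "grey"
        path.append(node)
        for nxt in sorted(graph[node]):
            state = colour.get(nxt)
            if state == "grey":                      # back edge: a loop
                loops.append(path[path.index(nxt):] + [nxt])
            elif state is None:
                visit(nxt, path)
        path.pop()
        colour[node] = "black"

    for node in sorted(graph):
        if node not in colour:
            visit(node, [])
    return loops


def conflict_request(mid, cycle, plans):
    """DOTS-style mitigation request carrying the "Thirdparty-dps-conflict"
    attribute with the evidence: the loop and the rules that form it."""
    members = set(cycle)
    evidence = {svc: [r for r in plans[svc]
                      if r["action"] == "forward" and r.get("next_hop") in members]
                for svc in members}
    return {"type": "Request Mitigation", "mid": mid,
            "Thirdparty-dps-conflict": {"routing-loop": cycle,
                                        "conflicting-rules": evidence}}


def least_effective(cycle, plans):
    """Assumed proxy for "least effective mitigation plan": fewest drop rules."""
    return min(set(cycle),
               key=lambda s: (sum(r["action"] == "drop" for r in plans[s]), s))


def adjust_plan(service, request, plans):
    """Server device 4-k's reaction (assumed): every forward rule pointing into
    the reported loop is redirected to the client domain instead."""
    members = set(request["Thirdparty-dps-conflict"]["routing-loop"])
    for rule in plans[service]:
        if rule["action"] == "forward" and rule.get("next_hop") in members:
            rule["next_hop"] = CLIENT_DOMAIN
    return plans[service]


def coordinate(plans, notify_all=False, max_rounds=10):
    """Client device 3's loop: detect, notify (first variant: one service;
    second variant: every service in the loop), then re-check.  Returns the
    remaining loops and the list of services notified, in order."""
    notified, mid = [], 1
    for _ in range(max_rounds):
        loops = find_routing_loops(plans)
        if not loops:
            return [], notified
        cycle = loops[0]
        targets = sorted(set(cycle)) if notify_all else [least_effective(cycle, plans)]
        for svc in targets:
            adjust_plan(svc, conflict_request(mid, cycle, plans), plans)
            notified.append(svc)
            mid += 1
    return find_routing_loops(plans), notified


def sample_plans():
    """Constructed plans: SP1 and SP2 each hand suspect traffic to the other,
    so legitimate traffic circles between them instead of reaching domain 2."""
    return {
        "SP1": [{"match": "198.51.100.0/24", "action": "forward", "next_hop": "SP2"},
                {"match": "udp/53 amplification", "action": "drop"}],
        "SP2": [{"match": "198.51.100.0/24", "action": "forward", "next_hop": "SP1"}],
        "SP3": [{"match": "198.51.100.0/24", "action": "forward", "next_hop": CLIENT_DOMAIN}],
    }


if __name__ == "__main__":
    plans = sample_plans()
    print("loops before:", find_routing_loops(plans))
    print("after coordination:", coordinate(plans))
```

The detection only works because the client device holds every service's plan at once: each service sees its own rule as a sensible hand-off to a peer, and neither DPS1 nor DPS2 can see the cycle from its side. The bounded `max_rounds` is the practical safeguard the description's "proceeds again" implies: an adjustment can itself create a new loop, so the re-check must be repeated but not forever.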
- the invention thus offers an efficient solution for making better use of a plurality of protection services to protect the resources of a client computer domain. It applies in an advantageous but non-limiting manner when the protection services are managed by separate administrative entities, and relies on the visibility available to the client computer domain to coordinate the actions of the protection services.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Business, Economics & Management (AREA)
- General Business, Economics & Management (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Computer And Data Communications (AREA)
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
FR1913504A FR3103920A1 (fr) | 2019-11-29 | 2019-11-29 | Procédé d’assistance pour la gestion d’une attaque informatique, dispositif et système associés. |
PCT/FR2020/052180 WO2021105617A1 (fr) | 2019-11-29 | 2020-11-26 | Procede d'assistance pour la gestion d'une attaque informatique, dispositif et systeme associes |
Publications (1)
Publication Number | Publication Date |
---|---|
EP4066460A1 true EP4066460A1 (de) | 2022-10-05 |
Family
ID=70295236
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP20824303.0A Pending EP4066460A1 (de) | 2019-11-29 | 2020-11-26 | Unterstützungsverfahren zur verwaltung eines cyber-angriffs sowie vorrichtung und system dafür |
Country Status (4)
Country | Link |
---|---|
US (1) | US20230082637A1 (de) |
EP (1) | EP4066460A1 (de) |
FR (1) | FR3103920A1 (de) |
WO (1) | WO2021105617A1 (de) |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8677489B2 (en) * | 2012-01-24 | 2014-03-18 | L3 Communications Corporation | Methods and apparatus for managing network traffic |
US10397255B1 (en) * | 2015-09-23 | 2019-08-27 | StackRox, Inc. | System and method for providing security in a distributed computation system utilizing containers |
US11017078B2 (en) * | 2018-04-24 | 2021-05-25 | Microsoft Technology Licensing, Llc | Environmentally-trained time dilation |
- 2019-11-29: FR1913504A (FR) filed; published as FR3103920A1; status: not active, withdrawn
- 2020-11-26: EP20824303.0A (EP) filed; published as EP4066460A1; status: active, pending
- 2020-11-26: PCT/FR2020/052180 (WO) filed; published as WO2021105617A1; status: unknown
- 2020-11-26: US17/780,603 (US) filed; published as US20230082637A1; status: active, pending
Also Published As
Publication number | Publication date |
---|---|
FR3103920A1 (fr) | 2021-06-04 |
WO2021105617A1 (fr) | 2021-06-03 |
US20230082637A1 (en) | 2023-03-16 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | STAA | Information on the status of an EP patent application or granted EP patent | Free format text: STATUS: UNKNOWN |
 | STAA | Information on the status of an EP patent application or granted EP patent | Free format text: STATUS: THE INTERNATIONAL PUBLICATION HAS BEEN MADE |
 | PUAI | Public reference made under Article 153(3) EPC to a published international application that has entered the European phase | Free format text: ORIGINAL CODE: 0009012 |
 | STAA | Information on the status of an EP patent application or granted EP patent | Free format text: STATUS: REQUEST FOR EXAMINATION WAS MADE |
 | 17P | Request for examination filed | Effective date: 20220616 |
 | AK | Designated contracting states | Kind code of ref document: A1; Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
 | DAV | Request for validation of the European patent (deleted) | |
 | DAX | Request for extension of the European patent (deleted) | |
 | RAP3 | Party data changed (applicant data changed or rights of an application transferred) | Owner name: ORANGE |