RU2496136C1 - Method for interaction of terminal client device with server over internet with high level of security from ddos attack and system for realising said method - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: method involves generating a request from a terminal client device to obtain a server IP address, checking the server certificate and the client certificate, generating one or more IP address tables in form of binary codes, setting up a secure connection, transmitting the generated table to the terminal client device; transmission of data packets between the terminal client device and the server is carried out with variation of the sever IP address selected from the IP address table. The system includes a terminal client device, a data server, a domain name server, a secure connection server, two routers and a unit which generates an IP address table in form of binary codes and varies the IP address on the table assigned for each connection.

EFFECT: high resistance to network attacks by reducing the effect of packets from attack bots on server operation.

14 cl, 7 dwg

Description

The invention relates to telecommunications and computer technology and can be used to organize the operation of public computer networks that provide the interaction of the terminal device from the client and server (client-server model) with increased resistance to network DDoS attacks.

A known method of client-server interaction (V.G. Olifer, N.A. Olifer, Computer networks. Principles, technologies, protocols. 4th edition, 2010), the implementation scheme of which is presented in Fig. 1, uses a terminal device as a client 1, which is connected to the Internet 5 through a router 2. In turn, server 3 is connected to the Internet 5 through a router 4. An Internet domain name server (DNS) available on the network is also an integral part of the network for terminal-server interaction indicated by block 6 and si a system of servers 7 for providing a secure connection (SSL), performing the functions of authorizing the client terminal and transmitting to it a key for connecting to the server.

The functioning of the known secure client-server system is determined by the following main processes. The terminal device 1 sends through its router 2 and then through the Internet 5 a sequence of IP packets addressed to the DNS server 6 defining a request for obtaining the IP address of the server 3. DNS server 6 generates a sequence of IP packets to the address of the terminal device 1 containing information about the IP address server 3. This sequence of packets is delivered to terminal 1 via the Internet 5 and end router 2, to the output port of which terminal device 1 is connected. Terminal device 1, having received the IP address server 3 sends to its address a sequence of IP packets defining a request for identification data in the form of a standardized certificate. Server 3 sends device 1 a copy of the certificate containing the signature of the certification authority to verify the validity of the certificate. Terminal device 1, having received a copy of the certificate by the signature of the certifying center, determines the IP address of the server of the certifying center 7 and sends a sequence of packets determining the request for trust to the certificate received from server 3 to this address. Server 7 sends a sequence of trust confirmation packets to a terminal device 1, which, having received a confirmation of trust from server 7, sends a sequence of packets to server 3 to establish a connection. Server 3 sends to terminal device 1 a sequence of confirmation packets for the beginning of a secure session containing the electronic signature of server 3. Terminal device 1, using a secret key, encrypts its data and transmits them as a sequence of packets to server 3. In turn, server 3 encrypts its data with secret key before transmitting the sequence of packets to the terminal device 1. Thus, a secure exchange of data between the terminal device 1 and the server 3 connected to the network Int rnet.

However, the described operation of the client-server system becomes impossible if the number of terminal devices 1 sending a sequence of packets to the IP address of server 3 becomes so large that server 3 does not have time to establish a data exchange connection with all terminal devices. This phenomenon is called server congestion 3. To combat server congestion, it is necessary to increase the performance of its hardware or organize the parallel operation of several sets of equipment with the same IP address. The server overload phenomenon is used by cybercriminals on the Internet to disable selected servers. This method of disabling the server is called an attack on the server type of "denial of service" - DoS (DoS - Denial of Service). Typically, to increase the flow of requests to the server, not one terminal is used, but a large number of terminals sending requests simultaneously. In this case, the attack is called a "distributed attack" - DDoS (Distributed Denial of Service). Since an increase in the flow of requests is created by an increase in the number of terminals, which are called “bots” when used for attacks, the fight against DDoS attacks is a complex, difficult task. Whatever level of server performance is achieved, starting with a certain number of bots, the stream of requests created by them can exceed the allowable level for any server.

The prior art technical solutions for solving the problem of protecting the server from DDoS attacks.

So, in application for US patent No. 201331315 "SYSTEMS AND METHODS FOR PROTECTING AGAINST DENIAL OF SERVICE ATTACKS" presents a solution at the application level. According to the description of the invention, the process of the system includes the following main steps. First, the client terminal device sends the first request for access to the server resource. The server creates a request for proof of work, which is transmitted to the client. Next, this request is processed to generate a new URL (the text address of the request), the second request is sent to the generated URL, and the server generates a value based on the accuracy of the match of the received response and the request for proof of work. When the developed value falls into the set threshold values of the server load, the priority level is assigned to the second client request, and the request is processed by the server. Thus, the proposed solution is based on the use of a verification filter on the server side that controls the setting of priority for client requests depending on the level of load on the server by the time the request is received from the new client terminal device.

US Patent Application No. 201,0235632, PROTECTING AGAINST DENIAL OF SERVICE ATTACKS USING TRUST, QUALITY OF SERVICE, PERSONALIZATION, AND HIDE PORT MESSAGE, proposes the following solution. The client terminal device gets access to the server only after receiving an assessment of the level of trust in this client using the additionally installed server for creating and updating cryptographically protected tokens. Thus, the essence of the solution proposed in this patent consists in introducing access to the server using a firewall that checks the access level of each client using the procedure for transmitting a special JavaScript program script to the client, the execution of which generates a response to the server for deciding whether the client will be allowed to exchange data with server. The process of executing the loaded JavaScript script depends on the client receiving confirmation of his level of trust from some external entity described in the patent, which identifies the client and gives him the current key for processing the above request from the server to execute the script.

However, these technical solutions also implement protection against DDoS attacks at the application protocol level and do not affect the level of transmission of IP packets.

US Patent Application 20110283367 SECURING A COMMUNICATION PROTOCOL AGAINST ATTACKS proposes to use the separation of the transmitted data stream between two systems connected via a packet network into two consecutive segments within the TCP protocol and comparing the keys of the current and subsequent segments in order to detect the presence of a segment someone else’s "attacking source. When segments that do not belong to a legal source are detected, data reception is blocked, preventing the threat of attack.

Known solutions use additional tools to distinguish packets of attacking bots from packets coming from clients at the application level, and do not provide system stability with respect to attacks on the IP address of a brute force server (that is, with high intensity).

The objective of the invention is to create a method and system for the interaction of the terminal device of the client and the data server via the Internet, providing increased resistance to network attacks (DDoS).

The technical result consists in a significant reduction in the impact on the performance of the server packages arriving at the server from attacking bots.

The problem is solved in that, in the method of interaction of the client terminal device with the server via the Internet, including the formation of a request from the client terminal device via the Internet to obtain the server IP address, check the server certificate and client certificate and establish a secure connection with subsequent transmission of data packets , according to the invention, before establishing a secure connection, one or more tables of IP addresses are formed in the form of binary codes selecting a pseudo-random sequence of IP addresses from the pool of free IP addresses allocated to the server, and transferring at least one generated table to the client terminal device after establishing a secure connection to the server, and transferring one or more data packets between the client terminal device and the server IP addresses of the server that is selected from the IP address table.

To transfer a data packet between the terminal device of the client and the server with a change in the server IP address, a sequence is used in accordance with which the data is first transferred from the client to the server, and in the first packet sent by the client, the server initial address is replaced with the first address from the received table and transferring the data packet to the server, on the router of which, upon receipt of the packet from the client, the destination address is compared with the first address from the table and, if the addresses match, replacing the destination address to the real address of the server, and then receives and processes the packet server; then initiate the sending of a data packet from the server to the client, where the sender address indicates the true address of the server that arrives at the server router, in which the true sender address is replaced with the first address from the table, followed by the transfer of the packet to the client router, where the sender address is replaced to the server’s initial address; when sending the second and subsequent packets from the client to the server, the server initial address is replaced from the received table with the second and subsequent addresses, respectively, and the transmission of the data packet to the server is similar to the transmission of the first packet. The formation of one or more tables of IP addresses is carried out when loading the server from the address pool. When checking for address matches, a time stamp is used. Tables can be generated using a random number generator by randomly selecting IP addresses from the range of IP addresses allocated to the server, for example, using the Rand () function, and the table contains at least two IP addresses. When forming several tables, the selection of the working table is carried out depending on the corresponding specific parameter, for example, a given period of time, or a range of client addresses, or another parameter. To transmit a table of IP addresses to a client terminal device, a table code can be generated, for example, in the form of a set of binary numbers defining the shift of an IP address from the initial one, while the generated table is transmitted from the data server to the client by sending a code to the authorized client via a secure connection that provides table generation on the client terminal device. The formation of the table can be carried out at certain intervals or for each session. Changing the IP address of the data server to the IP address from the table can be done in time, and the terminal device of the client and the data server are synchronized using a single time server.

The problem is also solved by the fact that the system for interaction of the client terminal device with the server via the Internet, including at least one client terminal device, data server, domain name server, secure connection server, two routers, while the secure server the connection is configured to authorize the client terminal device and transmit to him a key for connecting to the data server, and the client terminal device is configured to connecting to the Internet via the first router, the data server is configured to connect to the Internet via the second router, according to the invention it is equipped with a unit that enables the formation of one or more tables of IP addresses in the form of binary codes by selecting a pseudo-random sequence of IP addresses from the free IP pool addresses allocated to the server, and changing the IP address according to the table assigned for each of the connections with the authorized terminal device of the client.

The block that provides the possibility of changing the IP address of the server contains an IP packet address control unit included between the first router and the client terminal device, an address multiplexer unit connected between the second router and the data server and a separate control input connected to the additional addressable input of the router, and also a single time server configured to connect to the Internet. The address management unit may include a terminal network interface unit connected to an external network interface via a key request generation unit and an IP address replacement unit in IP packets, as well as a confirmation receiving unit connected via an address change sequence setting unit to an IP address replacement unit in IP packets. The address multiplexer unit may include an external network interface connected to the server network interface through the routing unit and the address replacement unit, a control network interface connected to the routing unit and the IP address replacement unit through the IP address sequence storage unit and the current address setting unit, as well as a control unit connected to the control network interface and the storage unit sequence of IP addresses.

The essence of the invention lies in the fact that in order to protect against DDoS attacks, the server IP address is selected from the address pool allocated for this server and is changed according to a special schedule in accordance with one of the pseudorandom sequences assigned for each connection with an authorized client, or assigned for a given period of time, or a combination of these two methods. The server’s IP address is changed randomly according to an algorithm that allows the use of the entire pool of addresses allocated to the server, while encoded (in the form of keys) pseudorandom sequences of server IP addresses are transmitted to authorized clients. IP addresses from these sequences are used to communicate a client with a server at certain time intervals, and / or communication sessions.

The invention is illustrated by drawings, where Fig. 1 shows a system that provides one of the standard client-server interactions: Fig. 2 shows a system that implements client-server interaction according to the claimed method; figure 3 and 4 presents an example implementation of blocks 8 and 9 of the system of figure 2; figure 5 presents the process of address translation on the way from client 1 to server 3 and vice versa; figure 6 is an algorithm for the interaction of system blocks; 7 is a diagram of the operation of the block of the address multiplexer when replacing the address of the arriving IP packet with the real server address.

The positions in the drawings indicate: 1 - the client terminal device (client), 2 - the router (or router) installed on the client side, 3 - the server (or data server), 4 - the router (or router) installed on the server side, 5 - the Internet, 6 - a system of domain name servers, for example DNS, 7 - a server system for providing a secure connection, for example SSL, 8 - an IP packet address control unit installed on the client side, 9 - an address multiplexer unit installed on the server side, 10 - server of uniform time. The following are the positions of the elements making up block 8, namely: 11 - terminal network interface block, 12 - external network interface block, 13 - IP address replacement block in IP packets, 14 - key generation request generation block, 15 - sequence setting block IP address changes, 16 - acknowledgment receiving unit. The following are the positions of the elements that make up block 9, namely: 17 - the block of the external network interface, 18 - the block of the server network interface, 19 - the block of the control network interface, 20 - the block for storing the sequence of IP addresses, 21 - the block for setting the current address, 22 - routing unit, 23 - IP address replacement unit, 24 - control unit.

The inventive method can be implemented using the system shown in figure 2, which contains standard units: the terminal device of the client 1, routers 2 and 4, installed on the client and server side, respectively, server 3, the Internet 5, the domain name server system 6, a server system for providing a secure connection 7, as well as new units: an IP packet address control unit 8, an address multiplexer unit 9, and a single time server 10. Unit 8 is included in the disconnection of the client terminal device 1 — router 2. Bl ok 9 is included in the disconnect of the router 4 - server 3 connection and is connected to the additional addressing input of the server router by a separate control input.

The system operation is based on the principle of mandatory authorization of client terminal devices and establishing a secure connection between the client terminal device and the server, which can be implemented according to the algorithm presented in the description of the analogue operation (Fig. 1). In accordance with this algorithm, customers must register and receive a digital signature (centralized certificate).

A distinctive feature of the operation of the claimed system is the presence of the operation of generating a table of IP addresses, which is carried out by block 9, which can be part of server 3, by selecting server 3 IP addresses from its address pool. Thus, the table of IP addresses is formed from a subset of IP addresses allocated by the server network or the provider's network. For server addressing, not one IP address is used, but a set of IP addresses from the table. In this case, the server IP address is changed according to a special schedule in accordance with one of the pseudo-random sequences assigned for each of the connections with an authorized client, or in time. The table of IP addresses is formed before a secure connection is established, for example, at the time of server 3 loading. The minimum table size must include at least two IP addresses, the maximum is limited by the allocated range of available addresses and the amount of memory allocated for storing the table at the client and on the server . At the same time, resistance to attacks will be proportional to the length of the table. The formation of the table can be carried out, for example, in two stages. At the first stage, a number is assigned to each available free address from the address pool, at the second - using the random number generator (for example, using the random number generator function that is present in the standard environment), a number is determined by which the IP address is selected from the existing address pool. The process of forming a table can be associated, for example, with parameters such as time - days of the week, time of day, etc., or other parameters, for example, be formed for each request or session.

After the stage of forming the table is completed, it is encoded in the form of a key, followed by transmission of this key to the client terminal device. Using this key, a table equivalent to the table that is stored in block 9 is generated on the client terminal device side. Thus, when the client terminal device receives the server’s initial address and table key, the client restores the server’s IP address table. The key can be implemented as a sequence of numbers, each of which represents a shift of the subsequent IP address from the initial one. The initial address is the IP address under which this server is known to the external system and which the DNS server reports.

In the process of implementing client-server interaction, the time synchronization of the terminal device of the client and server is performed. In addition, a time stamp (time stamp) is recorded in each IP packet to take into account the time shift during the passage of the packet through the network, by which this packet is checked for compliance with its address that was current at the time the packet was transmitted. The sender of the packet, for example, the client, takes the address from the table, receives information from the single time server, adding it as a time stamp to the packet being sent. And the packet receiver, for example, the server, analyzes the time and IP address in the received packet, as well as the time and IP address in the server address table. If the addresses from the packet and the IP address table match at the time indicated in the received packet, the packet is sent for further processing by the server. Each packet can be transmitted with a new IP address.

From the same pool of IP addresses allocated for the server, several different tables of IP addresses in the form of pseudo-random sequences can be built. At one point in time, different clients can work on different tables. Tables can be different for different time intervals (by day or by hour). Tables are generated on the server, for example, at boot time, providing a double level of protection. When the server is working, first one of the tables is selected, then the address is selected from the selected table, which ensures greater system resistance to DDoS attacks.

Connecting to the system only authorized (i.e., having a digital certificate) clients allows the system to distinguish between clients and bots. At the same time, the behavior of server 3 is different for the authorized user from the behavior of the server in relation to the bot. In well-known solutions, an authorized client uses a single IP address (the initial server address) for connection, which is the only one in the tunnel. And in the case of network attacks on a given address, packets sent by the client to this address cannot be processed, i.e. denial of service occurs. The inventive method significantly increases the resistance to DDoS attacks by introducing the original operation of forming a table of IP addresses and using changing addresses from this table when transmitting data packets after establishing a secure connection.

In one embodiment of a system that implements the claimed method, router 2 itself can act as a client terminal device, block 8 can be built into router 2 from the client side, and block 9 to router 4 from the server side. The operation algorithms of blocks 8 and 9 can be implemented in hardware and / or software.

In a private embodiment, the internal device of the IP address block control unit of packet 8 includes a terminal network interface unit 11 and an external network interface 12, an IP address replacement unit in IP packets 13, a key request generation unit 16, an address change sequence setting unit 15, and confirmation acceptance unit 14 (FIG. 3).

Block 9 has an internal composition, which also includes network interfaces 17 — an external network interface, 18 — a server network interface, and 19 — a control network interface. The IP address replacement unit 23 is connected to the current address setting unit 21 and the routing unit 22. The IP address sequence storage unit 20, the output of which is connected to the unit 21, is controlled by commands from the control unit 24 and can change its contents from the network via the control network interface 19. The control unit 24 interacts with external devices also through the block 19 (figure 4).

An important feature of the proposed solution is the use of a security mechanism at the network level of protocols - i.e. lower than known methods. In order to reduce the load on the server from the “bots” that carry out the attack and receive all network packets from an authorized client, the server address is changed according to a schedule (algorithm) known only to the authorized client. At the same time, the client during the data exchange session with the server changes according to this algorithm the server IP address on its side. Bots do not have reliable information about the schedule for changing the server IP address, cannot form a packet stream to the server address, and therefore, a significant load that disrupts its normal functioning.

The authorized client and server use a coordinated and / or synchronous change of the server IP address, thereby ensuring a continuous process of information transfer, and only the authorized client knows about the schedule for changing the server IP address, for other unauthorized users this schedule is not known.

In the particular case, a system that implements the claimed method works as follows.

Server 3 using block 9 forms one or more tables of IP addresses from the pool (range) of free addresses allocated to the server by the provider. The table of IP addresses is formed by constructing a pseudo-random sequence from them — that is, a sequence when the addresses in the table are not presented sequentially from the used address pool, and free addresses from the pool are selected in a pseudo-random way. IP address tables can be generated for use at different time intervals, and / or for different sessions and / or for different clients. After creating the tables, the server prepares the appropriate keys for transmitting the table to the client for switching IP addresses (for example, as a sequence of binary numbers that represent the value of the shift of the address relative to the initial one) for further transmission to authorized clients (and decryption on the client side) via secure SSL compound.

Client 1 generates a request for receiving the address of server 3 in the form of transmitting a sequence of packets through block 8 and router 2 to the Internet 5 to the server of DNS 6. Server 6 processes the request using the available data on the correspondence of the name of the requested server to its IP addresses. The server’s IP address is the address recorded in the standard DNS record by the server owner. The address returned by the DNS system is not the real address of server 3, but belongs to block 9 — the address multiplexer. This address is called the initial address of server 3.

Having received the IP address from the DNS system, the client generates a request to establish a connection with server 3 at the initial IP address received by him. This request, in the form of a sequence of IP packets, is transmitted through network 5 and router 4 to the address multiplexer block 9. Through the network interface of block 17, the request is sent to routing block 22, where a response to the client is generated containing the requirement to switch to the advanced secure SSL protocol and server security certificate. This response is transmitted by a sequence of packets through 17 to network 5 and then to client 1 through router 2 and address management unit 8. Client 1, having received this requirement, forms its own security certificate, authenticated on the secure connection server 7, and sends an encrypted request to server 3 An encrypted connection request via the extended secure protocol via network 5, router 4 enters block 9 to routing block 22. Block 22 calculates the correctness of the request. If it is incorrect, the request is ignored and the process ends.

If correct, block 22 generates a signal to the control unit 24, which generates a request for receiving data from a single time stamp and sends it as a sequence of packets through a network interface 19 to a server with a single time 10. The server of a single time, having received a request for a single time stamp, returns data about the current time, which in the form of a sequence of packets arrive through the router 4 and the network interface 19 inside the block 9 to the control block 24. In this block, time data is used together with the signal correctness at block 22 to produce a signal to select the sequence unit 20 IP address for the server 3 and assigning it the current address. The sequence of IP addresses of server 3 is stored in the form of address tables in the memory of block 20. The choice of sequence is determined by the data of the single time stamp and the generated encrypted key calculated from the server certificate. The server sends prepared IP address table keys in response via block 22 and network interface 19, sends a response via an extended secure protocol to client 1 and control unit 8 in the form of a sequence of IP packets through network interface 17 and router 4 to network 5 and then to router 2 and through block 8. Block 8, receiving a response from 9, generates a request to server 10 to obtain data about a single time stamp. Having received a response from the server of the system of single time 10 through the network interface 12, block 8 performs the following actions. The received response from block 9 and the data from the server 10 in the form of a sequence of packets pass through the network interface 12 to the control unit 14, in which the signal for setting the current request address to the server 3 is generated. The signal is sent to block 13, which stores the decrypted from the received key from server table of IP addresses of the sequence of address changes. To select the current server IP address, a single time stamp is used that defines the address in this table. A timestamp is written to each IP packet. On the server side, when receiving an IP packet, this timestamp is analyzed and a decision is made whether the received packet was relevant at the time of transmission, i.e. whether the IP address in the received packet matches the IP address from the table at the point in time specified in the packet.

Client 1 sends the next request to server 3 using the server’s initial address. The request passes through block 8 in the form of a sequence of IP packets and in each of them block 14 changes the IP address to another, determined by block 13 from the IP address table. To exchange information with the server, the client can use separate packets or groups of IP packets. During further interaction with the server, for each individual IP packet or for a group of IP packets, the initiative to navigate the table always belongs to the client - if the client does not send requests, the table is not scanned, addresses are not selected.

Packets go through network interface 12 to router 2 and then to network 5. All addresses in the IP address sequence of server 3 belong to the address space of router 4 and therefore all packets directed to these addresses go through router 4 to block 9. After receiving the next packet through the network interface 17, block 22 transfers it to block 23, in which the address in the IP packet is checked for coincidence with the current server address at a point in time determined by a single time stamp. If these addresses match, then the packet replaces the IP address with the real IP address of server 3 and the packet enters the input of server 3 through the network interface 18.

Thus, the server protocol stack works as usual in accordance with the standard set of protocols. Client 1 also works through the standard protocol stack during packet exchange. However, in all packets transmitted by the terminal using block 8, the recipient's IP address is replaced with an address that is taken from the IP address table and by the time stamp on the transmitted packet. Such packets are transmitted through the network in accordance with the routing rules and are collected on router 4, which owns the entire address grid from the sequence used, then go to block 9, which analyzes (compares) the addresses in the received packets and replaces the address with the real server address on packets that contain the correct address that matches the current address for a specific timestamp. Such packets form a packet stream directed to server 3 and processed by its stack according to conventional algorithms.

Figure 5 illustrates the process of translating addresses along the path from client 1 to server 3 and vice versa. In this case, in FIG. 5, the terms “Series 1” and “Series 2” denote two alternative tables of server IP addresses stored in blocks 13 and 20 and used depending on the contents of the received key, as (l), s (k) and s (n) IP addresses that are used in received and transmitted packets are designated. 6 shows a diagram of the interaction of the blocks of the system. Fig.7 discloses in more detail the functionality of the blocks 20, 21, 23 when replacing the address of the arriving IP packet with the real server address.

One of the options for filling the address table is to fill it with a pseudo-random sequence, i.e. so that at the addresses previously observed it was most difficult to predict the subsequent value of the address.

It should be noted that the principle of replacing an address in received packets is currently applied in Internet routers using a technology called Network Address Translation (NAT). Unlike the proposed method, this replacement is carried out by assigning the correspondence of the variable external device address for the session period from the address pool to the internal permanent address. This mechanism is used to ensure the collective use of external network addresses with a large number of devices that do not need a permanent connection via the Internet. All packets arriving at the device must have the same IP address throughout the session; therefore, this use of address translation does not solve the problem posed in the present invention.

This invention proposes the use of the following techniques: changing the server IP address according to a special schedule in accordance with one of the pseudorandom sequences assigned for each connection with an authorized (certified) client, converting IP addresses on the fly (NAT technology), encryption with public key (SSL technology). Using these techniques allows you to solve the urgent task of protecting the server from DDoS attacks, thereby increasing the level of reliability of the server and information security in the network.

Claims (14)

1. The method of interaction between the client terminal device and the server via the Internet, including generating a request from the client terminal device via the Internet to obtain the server IP address, checking the server certificate and client certificate and establishing a secure connection with the subsequent transmission of data packets, characterized in that before establishing a secure connection, the formation of one or more tables of IP addresses in the form of binary codes by selecting a pseudo-random sequence IP addresses from the pool of free IP addresses allocated to the server and transfer of at least one generated table to the client terminal device after establishing a secure connection to the server, and one or more data packets between the client terminal device and the server are transferred with the IP address changing server, which is selected from the table of IP addresses. 2. The method according to claim 1, characterized in that for the transmission of a data packet between the terminal device of the client and the server with a change in the IP address of the server, a sequence is used according to which the data is first transferred from the client to the server, while in the first packet sent by the client replace the server’s initial address with the first address from the received table and transfer the data packet to the server, on the router of which, upon receipt of the packet from the client, the destination address is compared with the first address from the tables and the coincidence of addresses are replacing the destination address to the real address of the server, and then receives and processes the packet server; then initiate the sending of a data packet from the server to the client, where the sender address indicates the true address of the server that arrives at the server router, in which the true sender address is replaced with the first address from the table, followed by the transfer of the packet to the client router, where the sender address is replaced to the server’s initial address; when sending the second and subsequent packets from the client to the server, the server initial address is replaced from the received table with the second and subsequent addresses, respectively, and the transmission of the data packet to the server is similar to the transmission of the first packet. 3. The method according to claim 1, characterized in that the formation of one or more tables of IP addresses is carried out when loading the server from the address pool. 4. The method according to claim 2, characterized in that when checking the coincidence of addresses, a time stamp is used. 5. The method according to claim 1, characterized in that the tables are formed using a random number generator by randomly selecting IP addresses from the range of IP addresses allocated to the server, for example, using the Rand () function, while the table contains at least two IP addresses. 6. The method according to claim 1, characterized in that several tables are formed, wherein the selection of a work table is carried out depending on a specific parameter corresponding to it, for example, a given period of time, or a range of client addresses, or another parameter. 7. The method according to claim 1, characterized in that for transmitting the table of IP addresses to the terminal device of the client, the table code is generated, for example, in the form of a set of binary numbers defining the shift of the IP address from the initial one, while the generated table is transmitted from the data server to the client by Forwarding to an authorized client via a secure connection of the code that provides table generation on the client terminal device. 8. The method according to claim 1, characterized in that the formation of the table is carried out at certain intervals. 9. The method according to claim 1, characterized in that the formation of the table is carried out for each session. 10. The method according to claim 1, characterized in that the change of the IP address of the data server to the IP address from the table is carried out in time, while the terminal device of the client and the data server are synchronized using a single time server. 11. A system for interacting with a client terminal device and a server over the Internet, including at least one client terminal device, a data server, a domain name server, a secure connection server, two routers, while the secure connection server is configured to authorize the client’s terminal device and transmitting a key to it to connect to the data server, and the client’s terminal device is configured to connect to the Internet through the first march a router, a data server is configured to connect to the Internet via a second router, characterized in that it is equipped with a unit that enables the formation of one or more tables of IP addresses in the form of binary codes by selecting a pseudo-random sequence of IP addresses from the pool of free IP addresses allocated to the server , and changing the IP address according to the table assigned to each of the connections with the authorized terminal device of the client. 12. The system according to claim 11, characterized in that the unit that provides the ability to change the server IP address includes an IP packet address control unit included between the first router and the client terminal device, an address multiplexer unit included between the second router and the data server and a separate control input connected to an additional addressable input of the router, as well as a single-time server configured to connect to the Internet. 13. The system of claim 12, wherein the address management unit includes a terminal network interface unit connected to an external network interface through a key request generation unit and an IP address replacement unit in IP packets, as well as an acknowledgment receiving unit connected via block for setting the sequence of changing the address with the block replacing the IP address in IP packets. 14. The system of claim 12, wherein the address multiplexer unit includes an external network interface connected to the server network interface via a routing unit and an address replacement unit, a control network interface connected to the routing unit and to the IP address replacement unit through the storage unit a sequence of IP addresses and a unit for setting the current address, as well as a control unit connected to the control network interface and the storage unit for the sequence of IP addresses.

Images