WO2009062429A1 - Method, network node and system for preventing attacks in a P2P network - Google Patents

Method, network node and system for preventing attacks in a P2P network

Info

Publication number
WO2009062429A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
malicious
behavior
malicious behavior
notification message
Prior art date
Application number
PCT/CN2008/072506
Other languages
English (en)
Chinese (zh)
Inventor
Feng Li
Xingfeng Jiang
Haifeng Jiang
Original Assignee
Huawei Technologies Co., Ltd.
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co., Ltd.
Publication of WO2009062429A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 67/00 Network arrangements or protocols for supporting network services or applications
    • H04L 67/01 Protocols
    • H04L 67/10 Protocols in which an application is distributed across nodes in the network
    • H04L 67/1001 Protocols in which an application is distributed across nodes in the network for accessing one among a plurality of replicated servers
    • H04L 67/1004 Server selection for load balancing
    • H04L 67/1023 Server selection for load balancing based on a hash applied to IP addresses or costs
    • H04L 67/104 Peer-to-peer [P2P] networks

Definitions

  • The present invention relates to the field of P2P technologies, and in particular to a method, a network node and a system for preventing attacks in a P2P network.
  • Background. Peer-to-peer (P2P) is a distributed network in which the participants (peers) share part of the hardware resources they own (processing power, storage capacity, network connectivity, printers, and so on). The services and content built on these shared resources are provided by the network itself and can be accessed directly by other peers without going through an intermediate entity. Each participant is therefore both a provider and a consumer of resources (services and content).
  • P2P breaks with the traditional client/server (C/S) model: every node in the network has equal status, acts as a server for other nodes, and in turn accepts the services provided by them.
  • By making full use of the capabilities of every node so that nodes serve one another, P2P greatly increases the utilization of those nodes and thereby improves the efficiency of networks, devices and information services.
  • P2P networks are further divided into structured, unstructured and loosely structured types.
  • A structured P2P network is characterized by the fact that the placement of resources is tightly coupled to the network topology: resources are distributed deterministically according to logical addresses in the P2P topology. Every node has a virtual logical address, and these addresses arrange all nodes into a relatively stable and compact topology.
  • A resource is hashed, the resulting value is used as its key, and the key together with the resource is recorded as a key/value pair. The pair is placed in the structured P2P network according to the mapping between keys and P2P nodes, and can later be found in the network by its key. In other words, each peer is responsible for storing a range of keys, and that range is computed by a distributed hash table (DHT) algorithm; different DHT algorithms partition the key space differently.
  • Taking the Chord algorithm as an example: if Peer a and Peer b are neighbours and the ID of Peer a is smaller than the ID of Peer b, the key range of Peer a runs from the ID of Peer a to the ID of Peer b. (The original Chord paper assigns a key to its successor, the first node whose ID is greater than or equal to the key, so under that convention the arc (a, b] belongs to Peer b; the two conventions differ only in which end of the arc owns it.)
  • An important function of a P2P network is message routing. In a structured P2P system, a message must be routed to its destination through a number of peers according to the routing algorithm.
  • One such attack is the identity attack. Its principle is as follows. When a malicious node receives a request from a user, it knows that it is not the root node responsible for the requested key/value pair (the root node being the node that the DHT algorithm's rules make responsible for that key/value pair). Instead of continuing to route the request towards the real root node according to the DHT rules, the malicious node claims to be the root node itself and returns an arbitrary response to the requesting user, which can then be used to mount a phishing attack. Because the requesting user in a P2P network does not know which node is the root node for the key, the attack goes unnoticed.
  • An existing scheme for detecting this attack works as follows. Each node selects several cooperative nodes (their number can be chosen according to the network size). A cooperative node may be a specific node in the network, or a node selected according to some rule, for example by hashing n bits of the NodeID.
  • A cooperative node is responsible for preserving evidence on behalf of several nodes. Each time a node comes online it generates online evidence, sends it to its cooperative nodes, and maintains a keep-alive relationship with them.
  • When a requesting node receives a response, it estimates, from the distribution of nodes in its routing table, the range of NodeIDs in which the root node must lie. It then computes the cooperative nodes of the nodes in that range and sends them a request for evidence. If a cooperative node finds that a node closer to the key exists, it returns that node's evidence to the requesting node.
  • The premise of this scheme is that all messages are signed and carry a timestamp. The requesting node compares the response it obtained with the evidence sent by the cooperative node: if the evidence proves that a node closer to the key exists, the responding node is considered malicious; if no node closer than the responding node is responsible for the key, the response is considered valid.
  • This scheme only provides a way of detecting identity attacks: it discovers the malicious behaviour of a malicious node but does nothing about that node, so the next request cannot be prevented from being attacked by the same malicious node.
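The Chord key-range convention and the cooperative-node detection scheme described above, modelled in Python as an added example; this is not code from the patent or from Huawei. The 6-bit ring, the positions of nodes A to G, the freshness window and the HMAC secrets standing in for per-node signing keys are all constructed assumptions. A real overlay would use public-key signatures so that a node's signed response is non-repudiable evidence; HMAC is used here only so the example runs offline.

```python
import hashlib
import hmac
import json

M = 6                   # constructed: 6-bit identifier space, IDs 0..63
RING = 2 ** M
MAX_AGE = 60            # constructed freshness window (seconds) for timestamped messages

# Constructed positions of the seven nodes of FIG. 4, clockwise A..G.
NODES = {"A": 3, "B": 12, "C": 20, "D": 29, "E": 38, "F": 47, "G": 56}
ID_TO_NAME = {v: k for k, v in NODES.items()}
# Stand-in for per-node private keys: one HMAC secret per node (constructed).
SECRETS = {n: hashlib.sha256(f"secret-{n}".encode()).digest() for n in NODES}


def clockwise_distance(frm: int, to: int) -> int:
    return (to - frm) % RING


def root_node(key: int) -> str:
    """Root node under the convention the patent states for Chord: node a owns [a, b)
    where b is a's successor.  (The original Chord paper assigns a key to its successor.)"""
    ids = sorted(NODES.values())
    owner = ids[-1]                      # keys below the smallest ID wrap round to the largest
    for nid in ids:
        if nid <= key:
            owner = nid
    return ID_TO_NAME[owner]


def is_closer(candidate: str, claimant: str, key: int) -> bool:
    """True if `candidate` sits strictly after `claimant` on the clockwise arc that ends at
    `key`: it is then a better claimant for the key than `claimant` is."""
    d = clockwise_distance(NODES[claimant], NODES[candidate])
    return 0 < d <= clockwise_distance(NODES[claimant], key)


def sign(node: str, msg: dict) -> str:
    body = json.dumps({k: v for k, v in msg.items() if k != "sig"}, sort_keys=True).encode()
    return hmac.new(SECRETS[node], body, hashlib.sha256).hexdigest()


def verify(node: str, msg: dict, now: float) -> bool:
    """Premise of the scheme: every message is signed and timestamped."""
    fresh = abs(now - msg.get("ts", 0)) <= MAX_AGE
    return fresh and hmac.compare_digest(sign(node, msg), msg.get("sig", ""))


def signed(node: str, msg: dict) -> dict:
    msg["sig"] = sign(node, msg)
    return msg


def make_response(node: str, key: int, now: float) -> dict:
    """A node answers a lookup for `key` claiming to be its root (honestly or not)."""
    return signed(node, {"type": "response", "key": key, "root": node, "ts": now})


def online_evidence(node: str, now: float) -> dict:
    """Evidence a node generates when it comes online and deposits with its cooperative nodes."""
    return signed(node, {"type": "online", "node": node, "ts": now})


def cooperative_lookup(key: int, claimant: str, store: dict) -> list:
    """Cooperative node's side: return the online evidence of every node it holds that is
    closer to `key` than the node claiming to be the root."""
    return [ev for name, ev in store.items() if is_closer(name, claimant, key)]


def is_identity_attack(response: dict, evidence: list, now: float) -> bool:
    """Requester's side: the response is an identity attack if it is validly signed by the
    claimant and some validly signed online evidence names a node closer to the key."""
    claimant = response["root"]
    if not verify(claimant, response, now):
        return False                     # unverifiable responses are simply dropped
    return any(verify(ev["node"], ev, now) and is_closer(ev["node"], claimant, response["key"])
               for ev in evidence)


def simulate(responder: str, key: int, now: float) -> bool:
    """Node A looks up `key`; `responder` answers claiming to be the root.  Returns True if
    the requester concludes that the responder mounted an identity attack."""
    store = {n: online_evidence(n, now) for n in NODES}     # what the cooperative node holds
    response = make_response(responder, key, now)
    return is_identity_attack(response, cooperative_lookup(key, responder, store), now)
```

With key 50 the root is F; a response from D is flagged because F's (and E's) online evidence proves a closer node exists, while a response from F is accepted. Evidence signed with the wrong key or outside the freshness window is ignored rather than trusted, which is why the signature-and-timestamp premise matters: without it a malicious node could forge the "closer node" evidence itself, or a requester could be replayed stale evidence about a node that has since left.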
  • An embodiment of the present invention provides a method for preventing an attack in a P2P network, including: receiving a malicious behaviour notification message that carries malicious behaviour information about a node; after determining that the notification message is legal, recording the node malicious behaviour information it carries; and, according to the recorded information, selecting a node with no malicious behaviour record, or with fewer malicious behaviour records, as the next hop for forwarding a P2P data packet.
  • Another method for preventing an attack in a P2P network includes: receiving a malicious node notification message that carries malicious node information; after determining that the notification message is legal, recording the malicious node information it carries; and, according to the recorded information, selecting a non-malicious node, or a node with fewer malicious records, as the next hop for forwarding a P2P data packet.
  • The embodiment of the invention further provides a network node, including:
  • a receiving unit configured to receive a node malicious behaviour notification message;
  • a first determining unit configured to determine the legality of the node malicious behaviour notification message received by the receiving unit;
  • a first storage unit configured to store the node malicious behaviour information after the first determining unit has determined that the notification message is legal, the information including the number of times the node has been determined to be malicious.
  • In the alternative form of the network node: the receiving unit is configured to receive a malicious node notification message; the first determining unit is configured to determine the validity of the malicious node notification message received by the receiving unit; the first storage unit is configured to store the malicious node information after the first determining unit has determined that the message is legal, the information including the number of times the node has been determined to be malicious; and the sending unit is configured to select a non-malicious node, or a node with fewer malicious records, as the next hop for forwarding.
  • The P2P network system includes a first node and a second node. The first node is configured to determine whether a node that sends a response message is a malicious node and, if it is, to send a malicious node notification message to the second node.
  • The second node is an upstream node of the malicious node. It is configured to receive the malicious node notification message, determine its legality, record the malicious node information when the message is legal, and, after receiving a data packet, select a non-malicious node, or a node with fewer malicious records, as the next hop for forwarding the data packet according to the recorded malicious node information.
  • Another P2P network system includes a first node and a second node. The first node is configured to determine whether the behaviour of a node that sends a response message is malicious and, if so, to send a node malicious behaviour notification message to the second node.
  • The second node is an upstream node of the node that behaved maliciously. It is configured to receive the node malicious behaviour notification message, determine its legality, record the node malicious behaviour information when the message is legal, and, according to the recorded information, select a node with no malicious behaviour record, or with fewer malicious behaviour records, as the next hop for forwarding the P2P data packet.
  • In summary, the embodiments send evidence that a node has behaved maliciously to the upstream node of that node, and the upstream node records the malicious behaviour.
  • FIG. 1 is a flowchart of a first embodiment of a method for preventing an attack in a P2P network according to the present invention;
  • FIG. 2 is a flowchart of a second embodiment of a method for preventing an attack in a P2P network according to the present invention;
  • FIG. 3 is a schematic structural diagram of a network node according to the present invention;
  • FIG. 4 is a schematic diagram of a P2P network system according to the present invention.
  • Detailed description
  • Embodiments of the present invention provide a method for preventing an attack in a P2P network, and a P2P network system and a network node for preventing an attack. When a node detects that another node in the P2P network system has behaved maliciously, it sends evidence proving the malicious behaviour to the upstream node of the node that behaved maliciously. The upstream node records the identity of that node and the number of times it has been notified of the node's malicious behaviour, and, when it needs to forward a data message, selects a node with no malicious behaviour record, or with the fewest such records, to forward it, so that the impact of the misbehaving node on the P2P network as a whole is reduced or avoided.
  • FIG. 4 is a schematic diagram of a P2P network system according to the present invention. Nodes A to G all perform the same role in the P2P network, and data packets are transmitted clockwise in the direction A to G. A is the node that initiates the request; F is the root node storing the key/value pair requested by A; D is the node that responds to A's request; C is the upstream node of D. The dotted line indicates the forwarding path and the solid line indicates the notification message sent by node A.
  • FIG. 1 is a flowchart of a first embodiment of a method for preventing an attack in a P2P network according to the present invention. The method runs in the system shown in FIG. 4 and includes the following steps.
  • Node A initiates a request message for acquiring a resource in the P2P network; the request message carries the key of the resource. The request message is transmitted through the P2P network according to the P2P routing rules.
  • After receiving the resource request message, node D sends a response message to node A, presenting itself as the root node.
  • After receiving the response message from node D, node A determines whether node D's behaviour in sending the response message is malicious. Node A can do this with the scheme described in the background section: it learns through its cooperative nodes whether node D is the root node responsible for the key it requested. This is not repeated here.
  • Having determined that node D's sending of the response message is a malicious behaviour, node A calculates the upstream node of node D. Preferably, node A also saves evidence that node D's sending of the response message is malicious. The evidence may include the response message signed by node D and the evidence, sent by the cooperative node, that node D is not the root node responsible for the requested key.
  • Node A sends a malicious behaviour notification message to node C, informing it that node D has behaved maliciously. The notification message may carry the evidence that node D's sending of the response message is malicious.
  • After receiving the malicious behaviour notification message from node A, node C determines whether it is legal. If it is legal, the recording step below (step S17) is performed. If it is not legal, the notification message may be discarded or ignored; node C may also treat node A's sending of an invalid notification message as itself a malicious behaviour.
  • Whether the notification message is legal can be judged according to whether node A is a trusted node, or according to the evidence carried in the message that node D's behaviour is malicious: if the evidence proves that node D is not the root node responsible for the key requested by node A, node D's sending of the response message is considered malicious.
  • Node C records the malicious behaviour information of node D. This information includes the identity of node D and the number of times node C has been notified of malicious behaviour by node D.
  • After receiving a request to forward a P2P data packet, node C first calculates the possible next-hop nodes and then selects, from among them, the node with no malicious behaviour record, or with fewer such records, to forward the data packet.
  • FIG. 2 is a flowchart of a second embodiment of a method for preventing an attack in a P2P network according to the present invention. The method also runs in the system shown in FIG. 4 and includes the following steps.
  • Node A initiates a request message for acquiring a resource in the P2P network; the request message carries the key of the resource. The request message is transmitted through the P2P network according to the P2P routing rules.
  • After receiving the resource request message, node D sends a response message to node A, presenting itself as the root node.
  • After receiving the response message from node D, node A determines whether node D is a malicious node. Node A can use the scheme described in the background section to determine whether node D is the root node responsible for the key it requested; if it is not, node D is considered a malicious node.
  • After determining that node D is a malicious node, node A calculates the upstream node of node D. Preferably, node A also saves evidence that node D is a malicious node. The evidence may include the response message signed by node D and the evidence, sent by the cooperative node, that node D is not the root node responsible for the requested key.
  • Node A sends a malicious node notification message to node C, informing it that node D is a malicious node. The notification message may carry the evidence that node D is a malicious node.
  • Node C determines whether the malicious node notification message is legal. If it is legal, the recording step below (step S27) is performed. If it is not legal, the notification message may be discarded or ignored; node C may also regard node A, which sent the notification message, as a malicious node.
  • Whether the malicious node notification message is legal can be judged according to whether node A is a trusted node, or according to the evidence carried in the message that node D is a malicious node: if the evidence proves that node D is not the root node responsible for the key requested by node A, node D is considered a malicious node.
  • Node C records node D as a malicious node. It may also record the number of times node D has been reported as a malicious node.
  • After receiving a request to forward a P2P data packet, node C first calculates the possible next-hop nodes and then selects, from among them, a non-malicious node, or the node that has been reported as malicious the fewest times, to forward the data packet.
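The upstream node's side of both embodiments (the malicious behaviour notification of FIG. 1 and the malicious node notification of FIG. 2, which differ only in what is recorded), as an added Python example that is not the patent's or Huawei's code. The ring positions, the HMAC secrets standing in for signing keys, the freshness window, the hop-by-hop successor list used as the set of possible next hops, and the `UpstreamNode` class and its method names are constructed assumptions; the evidence format (the accused node's signed response plus the cooperative node's signed online evidence of a closer node) follows the description above.

```python
import hashlib
import hmac
import json
from collections import Counter

RING = 64               # constructed 6-bit identifier space
MAX_AGE = 60            # constructed freshness window (seconds)
# Constructed positions of nodes A..G clockwise, as in FIG. 4; C is the upstream node of D.
NODES = {"A": 3, "B": 12, "C": 20, "D": 29, "E": 38, "F": 47, "G": 56}
# Stand-in for per-node signing keys (constructed HMAC secrets).
SECRETS = {n: hashlib.sha256(f"secret-{n}".encode()).digest() for n in NODES}


def dist(frm: int, to: int) -> int:
    return (to - frm) % RING


def is_closer(candidate: str, claimant: str, key: int) -> bool:
    """`candidate` lies strictly after `claimant` on the clockwise arc ending at `key`."""
    d = dist(NODES[claimant], NODES[candidate])
    return 0 < d <= dist(NODES[claimant], key)


def sign(node: str, msg: dict) -> str:
    body = json.dumps({k: v for k, v in msg.items() if k != "sig"}, sort_keys=True).encode()
    return hmac.new(SECRETS[node], body, hashlib.sha256).hexdigest()


def verify(node: str, msg: dict, now: float) -> bool:
    fresh = abs(now - msg.get("ts", 0)) <= MAX_AGE
    return fresh and hmac.compare_digest(sign(node, msg), msg.get("sig", ""))


def signed(node: str, msg: dict) -> dict:
    msg["sig"] = sign(node, msg)
    return msg


def make_notification(reporter: str, accused: str, response: dict, closer: dict, now: float) -> dict:
    """Node A's notification to the accused node's upstream node, carrying the evidence A saved:
    the accused node's own signed response and the cooperative node's evidence of a closer node."""
    return signed(reporter, {"type": "notify", "from": reporter, "accused": accused, "ts": now,
                             "evidence": {"response": response, "closer": closer}})


class UpstreamNode:
    def __init__(self, name: str, successors: list, trusted=()):
        self.name = name
        self.successors = list(successors)   # next-hop candidates, nearest successor first
        self.trusted = set(trusted)          # reporters whose word is accepted without evidence
        self.records = Counter()             # node -> number of times reported as malicious

    def evidence_holds(self, note: dict, now: float) -> bool:
        resp, closer = note["evidence"]["response"], note["evidence"]["closer"]
        return (resp["root"] == note["accused"]
                and verify(resp["root"], resp, now)        # the accused really claimed to be root
                and verify(closer["node"], closer, now)    # the closer node really signed its evidence
                and is_closer(closer["node"], resp["root"], resp["key"]))

    def handle_notification(self, note: dict, now: float) -> bool:
        """Returns True if the notification was legal and was recorded against the accused node."""
        if not verify(note["from"], note, now):
            return False                     # cannot be attributed to anyone: drop silently
        if note["from"] in self.trusted or self.evidence_holds(note, now):
            self.records[note["accused"]] += 1
            return True
        self.records[note["from"]] += 1      # attributable but baseless: count it against the reporter
        return False

    def candidates(self, key: int) -> list:
        """Possible next hops: successors that make progress towards `key` without passing it."""
        me = NODES[self.name]
        return [n for n in self.successors if 0 < dist(me, NODES[n]) <= dist(me, key)]

    def select_next_hop(self, key: int) -> str:
        """Fewest malicious records first; ties go to the nearest successor, matching the
        clockwise hop-by-hop forwarding of FIG. 4."""
        me = NODES[self.name]
        cands = self.candidates(key) or self.successors
        return min(cands, key=lambda n: (self.records[n], dist(me, NODES[n])))
```

Two details worth noting. First, a notification whose own signature does not verify is dropped without being counted against anyone; only a notification that is attributable to its sender but whose evidence does not hold is counted against the reporter, otherwise an attacker could frame node A simply by sending junk in A's name. Second, accepting a reporter on identity alone (the `trusted` set, which the patent allows as an alternative to checking evidence) means a compromised trusted node can have any honest node demoted; checking the carried evidence makes the decision depend on what the accused node itself signed. A Chord finger-table router would break ties towards the farthest finger that does not pass the key rather than the nearest successor; the ordering by malicious-record count is the same.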
  • FIG. 3 is a schematic structural diagram of a network node according to the present invention. Because of the structural characteristics of the network, the network node can be any one of nodes A to G in FIG. 4. The node includes:
  • a first receiving unit configured to receive a malicious behaviour notification message;
  • a first determining unit configured to determine the legality of the malicious behaviour notification message received by the first receiving unit;
  • a first storage unit configured to store the node's malicious behaviour information after the first determining unit has determined that the notification message is legal, the information including the number of times the node's behaviour has been determined to be malicious;
  • a first calculating unit configured to calculate the possible next-hop nodes for forwarding and to select one with no malicious behaviour record or with fewer such records;
  • a first sending unit configured to forward the data packet;
  • a second receiving unit configured to receive a response message;
  • a second determining unit configured to determine whether the behaviour of the node that sent the response message received by the second receiving unit is malicious;
  • a second storage unit configured to store the behaviour as evidence of malicious behaviour after the second determining unit has determined that the behaviour of the node that sent the response message is malicious;
  • a second calculating unit configured to calculate the upstream node of the node that behaved maliciously;
  • a second sending unit configured to send a malicious behaviour notification message to the upstream node of the node that behaved maliciously.
  • In the alternative form of the network node: the first receiving unit is further configured to receive a malicious node notification message; the first determining unit is further configured to determine the legality of the malicious node notification message received by the first receiving unit;
  • the first storage unit is further configured to store the malicious node information after the first determining unit has determined that the malicious node notification message is legal, the information including the number of times the node has been determined to be malicious;
  • the first calculating unit is further configured to calculate the possible next-hop nodes for forwarding the packet and to select a non-malicious node or one with fewer malicious records;
  • the first sending unit is further configured to forward the P2P data packet;
  • the second receiving unit is further configured to receive a response message; the second determining unit is further configured to determine whether the node that sent the response message received by the second receiving unit is a malicious node;
  • the second storage unit is further configured to record the node as a malicious node after the second determining unit has determined that the node that sent the response message is malicious;
  • the second computing unit is further configured to


Abstract

This invention relates to a method, a network node and a system for preventing attacks in a P2P network. The method includes: on detecting that a node in the P2P network has behaved maliciously, sending evidence proving that the node behaved maliciously to a node upstream of the node that behaved maliciously; the upstream node records the information of the node that behaved maliciously, or the number of times it has recorded that node behaving maliciously; and when it has to forward a data message, it selects a node with no record of malicious behaviour, or the node that has behaved maliciously the fewest times, to forward the data message.
PCT/CN2008/072506 2007-11-16 2008-09-25 Method, network node and system for preventing attacks in a P2P network WO2009062429A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200710124641.8 2007-11-16
CN200710124641.8A CN101436926B (zh) 2007-11-16 2007-11-16 Method, network node and system for preventing attacks in a P2P network

Publications (1)

Publication Number Publication Date
WO2009062429A1 true WO2009062429A1 (fr) 2009-05-22

Family

ID=40638338

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/072506 WO2009062429A1 (fr) 2007-11-16 2008-09-25 Method, network node and system for preventing attacks in a P2P network

Country Status (2)

Country Link
CN (1) CN101436926B (fr)
WO (1) WO2009062429A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102291371B (zh) * 2010-06-21 2015-09-16 ZTE Corporation A routing attack defence method and apparatus
CN106611137B (zh) * 2015-10-22 2020-09-15 Alibaba Group Holding Limited A risk control method and apparatus

Citations (3)

Publication number Priority date Publication date Assignee Title
CN1455569A (zh) * 2002-04-29 2003-11-12 Microsoft Corporation Security infrastructure and method for the peer-to-peer name resolution protocol (PNRP)
US20060215575A1 (en) * 2005-03-25 2006-09-28 Microsoft Corporation System and method for monitoring and reacting to peer-to-peer network metrics
CN1703045A (zh) * 2005-06-09 2005-11-30 Tsinghua University Method for establishing a local trust model based on binary opinions in a peer-to-peer network

Also Published As

Publication number Publication date
CN101436926A (zh) 2009-05-20
CN101436926B (zh) 2011-11-16


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08800979

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08800979

Country of ref document: EP

Kind code of ref document: A1