WO2009105913A1 - Method for preventing a message flood attack, and network element - Google Patents


Info

Publication number
WO2009105913A1
Authority
WO
WIPO (PCT)
Prior art keywords
message
network element
diameter
difference
sending
Application number
PCT/CN2008/000398
Other languages
English (en)
Inventor
Zhigang Yang
Original Assignee
Lucent Technologies Inc.
Application filed by Lucent Technologies Inc.
Priority to PCT/CN2008/000398 (WO2009105913A1)
Priority to CN2008801275517A (CN101960812A)
Publication of WO2009105913A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441 Countermeasures against malicious traffic
    • H04L 63/1458 Denial of Service
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]

Definitions

  • The present invention relates to the field of communication, and more particularly to preventing a message flood attack coming from an attacker in a peer-to-peer network.
  • Diameter is designed as a peer-to-peer architecture, and every host that implements the Diameter protocol can act as either a client or a server depending on the network deployment. The term "Diameter node" is therefore used to refer to a Diameter client, a Diameter server, or a Diameter agent.
  • The Device Watchdog Request/Answer message defined in RFC 3588 is a Diameter watchdog message used to detect transport and application-layer failures more quickly, as required by RFC 3539.
  • DWR Device Watchdog Request
  • DWA Device Watchdog Answer
  • The watchdog algorithm in RFC 3539 does not define how to handle multiple DWR messages arriving in a very short period. This becomes a security hole: an attacker can issue as many DWRs as possible to a Diameter node to cause a denial of service attack. Such an attack could use up the resources of the attacked machine and cause it to stop, or slow down, its responses to the Diameter requests of other peers.
  • Even worse, the attacker can abuse the extensibility of Diameter to include as many useless AVPs (Attribute Value Pairs) as needed to reach the maximum size (16777216 bytes) of a Diameter message, in order to waste network bandwidth and crash the Diameter stack of the attacked machine.
  • AVPs Attribute Value Pairs
  • Figure 1 illustrates a situation in which a Diameter server is attacked by a DWR flood.
  • The attacker sends out as many DWR messages as possible, limited only by the network bandwidth between the attacker and the attacked server.
  • When the server receives a DWR message, it decodes the DWR message and then constructs a DWA message before sending this answer message back to the attacker.
  • The resources used to handle this DWR flood in the server slow down the server's responses to other, legitimate Diameter clients.
  • The server might run out of capacity and have to reject other legitimate Diameter requests with the protocol error DIAMETER_TOO_BUSY.
  • A method for preventing a message flood attack comprises, when a number of messages for detecting transport failure are sent from a first network element to a second network element: said second network element recording the arrival time of a first message for detecting transport failure as soon as said first message is received from said first network element; said second network element determining the difference between the respective arrival times of said first message and of a second message for detecting transport failure after said second message is subsequently received from said first network element; said second network element sending a message for shutting down the transport connection to said first network element if the difference is lower than a predefined threshold; and said second network element shutting down said transport connection.
  • A network element sending/receiving signaling messages to/from another network element comprises: recording means for recording the arrival time of a first message for detecting transport failure as soon as said first message is received from said other network element; determining means for determining, when a second message for detecting transport failure is subsequently received from said other network element, the difference between the respective arrival times of said first message and said second message; and sending means for sending a message for shutting down the transport connection to said other network element if said difference is lower than a predefined threshold.
  • Fig. 1 illustrates the problem which may occur in the prior art, i.e. a Diameter server being attacked by a DWR flood;
  • Fig. 3 is a flowchart of the method for preventing a DWR flood attack according to an embodiment of the present invention.
  • Fig. 4 is a block diagram of the network element according to an embodiment of the present invention.
  • The present invention proposes a method for preventing a message flood attack. This method may, for example, be applied to Diameter nodes. The basic idea of the present invention is illustrated with reference to Figure 2.
  • The minimum interval for sending a watchdog message is 4 seconds. Therefore, this invention defines an algorithm to discover a DWR flood by checking the interval between received DWRs.
  • A Diameter server, for example an AAA (Authentication, Authorization and Accounting) server
  • AAA Authentication, Authorization and Accounting
  • The DWR receiver shall record the arrival time of every received DWR message and compare it with the arrival time of the previously received DWR message.
  • If the difference between the two arrival times is less than 1 second, a DWR attack has been discovered, and the receiver immediately sends a Disconnect-Peer-Request (DPR) message with Disconnect-Cause "DO_NOT_WANT_TO_TALK_TO_YOU" to the DWR sender and then closes the connection.
  • DPR Disconnect-Peer-Request
  • The receiver may put the attacker's address in its user black list (permanently, or for a period of time provisioned by the network operator). Any Diameter connection request coming from a user in this black list will be rejected immediately.
  • The second network element records the arrival time of a first message for detecting transport failure as soon as said first message is received from said first network element.
  • The first network element is, for example, the "Diameter Client", i.e. the attacker.
  • The second network element is, for example, the "Diameter Server".
  • The first message is, for example, a "DWR" message.
  • The responding message is, for example, a "DWA" message according to the Diameter protocol.
  • A responding message, for example a DWA message, is sent from the Diameter server to the Diameter client after the Diameter server has received the first DWR message.
  • Said second network element determines the difference between the respective arrival times of said first message and of a second message for detecting transport failure, after said second message is subsequently received from said first network element.
  • The second message for detecting transport failure is, for example, also a DWR message.
  • The Diameter server compares the arrival time of the second received DWR message with the arrival time of the first received DWR message.
  • Said second network element sends a message for shutting down the transport connection to said first network element if the difference is lower than a predefined threshold.
  • The Diameter server decides that there is a DWR flood attack.
  • Said message for shutting down the transport connection is, for example, a DPR message according to the Diameter protocol with a Disconnect-Cause such as "DO_NOT_WANT_TO_TALK_TO_YOU".
  • The predefined threshold may be, for example, 1 second, while the difference between the respective arrival times of the two successive DWR messages is, for example, 0.000001 second.
  • In step 304, said second network element shuts down said transport connection.
  • The Diameter server closes the Diameter connection to the Diameter client.
  • The Diameter server could put the Diameter client's address into its black list permanently or for a period of time.
  • The Diameter server and the Diameter client are distinguished in terms of their respective functionalities.
  • The above-mentioned messages could be sent either from the client to the server, or from the server to the client.
  • The DWR flood attack can thus be detected and prevented in an economical and efficient way, and the Diameter implementation survives the DWR flood attack in the peer-to-peer network.
  • A network element sending/receiving signaling messages to/from another network element is proposed for preventing a message flood attack.
  • The network element will be described in the following with reference to Figure 4.
  • Fig. 4 is a block diagram of the network element according to an embodiment of the present invention, which is, for example, a Diameter node, more particularly a Diameter client or a Diameter server.
  • The network element 400 includes a recording means 401, a determining means 402 and a sending means 403.
  • The recording means 401 records the arrival time of a first DWR message as soon as said first DWR message is received from said other network element.
  • The determining means 402 determines the difference between the arrival time of the first DWR message and that of the second DWR message. If the difference is lower than a predefined threshold, that is to say, there is a DWR flood attack, the sending means 403 will send a DPR message with a Disconnect-Cause for example
  • The predefined threshold is, for example, 1 second.
  • The network element 400 may further comprise a black list for incorporating said other network element's address if the difference is lower than said predefined threshold. That is to say, if said difference is lower than 1 second, the network element 400 decides that said other network element is an attacker and puts its address into the black list.
  • The network element 400 of this embodiment, as well as the recording means 401, the determining means 402 and the sending means 403 it includes, may be implemented in software, hardware or a combination of both.
  • Those skilled in the art are familiar with a variety of devices which may be used to implement these components, such as a micro-processor, micro-controller, ASIC, PLD and/or FPGA, etc.
  • The recording means 401, the determining means 402 and the sending means 403 of the present embodiment may either be implemented as integrated into the network element 400, or implemented separately; they may also be implemented as physically separate but operatively interconnected units.
  • Said network element of the embodiment illustrated in connection with Figure 4 may detect and prevent a DWR message flood attack by comparing the respective arrival times of two successively received DWR messages and disconnecting immediately after detecting an attack. It is economical and efficient, and the Diameter implementation thus survives the DWR flood attack in the peer-to-peer network.
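The following is an added Python sketch of the interval check described above (recording means 401, determining means 402, sending means 403, plus the optional black list); it is not code from the patent or from any Diameter stack. Timestamps are injected rather than read from a clock so the behaviour can be traced offline; the 600 s ban period, the peer addresses, and the "DROP" result for a DWR arriving on an already-closed connection are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed values: 1 s is the example threshold given on the page; the ban
# period stands in for the operator-provisioned black-list duration.
THRESHOLD_S = 1.0
BAN_S = 600.0


@dataclass
class DwrFloodGuard:
    """Per-peer DWR interval check: recording (401), determining (402), sending (403)."""
    threshold_s: float = THRESHOLD_S
    ban_s: float = BAN_S
    last_dwr: Dict[str, float] = field(default_factory=dict)   # addr -> previous DWR arrival
    connected: Set[str] = field(default_factory=set)
    blacklist: Dict[str, float] = field(default_factory=dict)  # addr -> ban expiry time

    def connect(self, addr: str, now: float) -> bool:
        """Admit a transport connection; black-listed peers are refused until the ban expires."""
        if self.blacklist.get(addr, -1.0) > now:
            return False
        self.blacklist.pop(addr, None)
        self.last_dwr.pop(addr, None)
        self.connected.add(addr)
        return True

    def on_dwr(self, addr: str, now: float) -> Tuple[str, Optional[str]]:
        """Answer one DWR: ('DWA', None), or ('DPR', cause) when a flood is detected."""
        if addr not in self.connected:
            return ("DROP", None)          # assumption: no connection, so nothing is answered
        prev = self.last_dwr.get(addr)
        self.last_dwr[addr] = now          # record the arrival time (recording means 401)
        if prev is not None and now - prev < self.threshold_s:   # determining means 402
            self.blacklist[addr] = now + self.ban_s   # optional black list from the page
            self.connected.discard(addr)              # step 304: close the transport connection
            self.last_dwr.pop(addr, None)
            return ("DPR", "DO_NOT_WANT_TO_TALK_TO_YOU")   # sending means 403
        return ("DWA", None)


def run_demo() -> dict:
    """Constructed trace: a well-behaved client and a flooding client on one server."""
    g = DwrFloodGuard()
    g.connect("client-a", 0.0)
    g.connect("flooder", 0.0)
    good = [g.on_dwr("client-a", t)[0] for t in (0.0, 30.0, 60.0)]
    flood = [g.on_dwr("flooder", t) for t in (5.0, 5.000001, 5.000002)]
    return {
        "good": good,                                             # all answered with DWA
        "flood": flood,                                           # DWA, then DPR, then dropped
        "reconnect_during_ban": g.connect("flooder", 100.0),      # refused
        "reconnect_after_ban": g.connect("flooder", 5.0 + BAN_S + 1.0),  # admitted again
    }


if __name__ == "__main__":
    print(run_demo())
```

Note that a single sub-threshold interval is enough to disconnect a peer, so the threshold must sit well below the peer's legitimate watchdog interval to avoid cutting off a slow or jittery client.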

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

The present invention relates to a method for preventing a message flood attack, and to a network element sending/receiving signalling messages to/from another network element. When a number of messages for detecting a transport failure are sent from a first network element to a second network element, the method comprises: the second network element records the arrival time of a first message for detecting a transport failure as soon as that first message is received from the first network element; the second network element determines a difference between the respective arrival times of the first message and of a second message for detecting a transport failure, after the second message is subsequently received from the first network element; the second network element sends a message for shutting down the transport connection to the first network element if the difference is lower than a predefined threshold; and the second network element shuts down the transport connection.

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2008/000398 WO2009105913A1 (fr) 2008-02-26 2008-02-26 Method for preventing a message flood attack, and network element
CN2008801275517A CN101960812A (zh) 2008-02-26 2008-02-26 Method and network element for preventing a message flood attack

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2008/000398 WO2009105913A1 (fr) 2008-02-26 2008-02-26 Method for preventing a message flood attack, and network element

Publications (1)

Publication Number Publication Date
WO2009105913A1 true WO2009105913A1 (fr) 2009-09-03

Family

ID=41015495

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2008/000398 WO2009105913A1 (fr) 2008-02-26 2008-02-26 Method for preventing a message flood attack, and network element

Country Status (2)

Country Link
CN (1) CN101960812A (fr)
WO (1) WO2009105913A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101917733A (zh) * 2010-08-06 2010-12-15 深圳市兆讯达科技实业有限公司 Detection method for route request flooding attacks in wireless ad hoc networks

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104113519B (zh) * 2013-04-16 2017-07-14 阿里巴巴集团控股有限公司 Network attack detection method and apparatus
CN109309928B (zh) * 2017-07-26 2021-01-29 华为技术有限公司 D2D link detection method, related apparatus and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1941775A (zh) * 2006-07-19 2007-04-04 华为技术有限公司 Method and device for preventing network message attacks
CN101035034A (zh) * 2007-04-02 2007-09-12 华为技术有限公司 Method and apparatus for detecting packet attacks
CN101099320A (zh) * 2005-02-15 2008-01-02 思科技术公司 Clock-based replay protection

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100438473C (zh) * 2007-01-29 2008-11-26 成都金山数字娱乐科技有限公司 Method for remotely assisting other network users by controlling input through network data packets


Also Published As

Publication number Publication date
CN101960812A (zh) 2011-01-26


Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 200880127551.7

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08714856

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08714856

Country of ref document: EP

Kind code of ref document: A1