Method for defending against DDos in address disjunction mapping network

This network technology addresses problems such as the inability to effectively prevent DDoS attacks, the inability to provide information support for other network security technologies, and high computational complexity; it aims to eliminate the possibility of DDoS attacks, ease deployment and technological innovation, and keep computational complexity low.

Inactive Publication Date: 2010-05-05
BEIJING JIAOTONG UNIV

AI Technical Summary

Problems solved by technology

[0002] Since the IP address in the Internet serves the dual function of terminal identification and routing location identification at the same time, the network core is exposed to the dynamically changing edge network. The Internet routing system is facing a serious scalability problem, which manifests in: (1) the routing table of the Default Free Zone (DFZ) grows super-linearly, far exceeding current hardware design capabilities;
(2) the number of Border Gateway Protocol (BGP) update messages in the DFZ has surged, consuming a large amount of network bandwidth and computing resources.
Packet marking technology often writes router address information directly into the "Identification" and "TOS" fields of the IP header, which hinders the receiver's reassembly of data packets and conflicts with the "Quality of Service Guarantee" requirement.
[0016] (2) Complicated calculation
At the receiving end, a large amount of routing address information from different attack paths is mixed together. The victim can only reconstruct the attack paths through enumeration and calculation, which suffers from a serious combinatorial explosion problem and is not practical for defending against large-scale DDoS.
[0017] (3) Unable to provide information support for other network security technologies
[0021] (1) Unable to adapt to the asymmetry of round-trip paths that exist in the Internet, TVA technology cannot effectively prevent DDoS attacks in most cases
[0022] (2) The path identification information carried by the data packet is too large, which wastes a lot of network bandwidth, and since the average length of the network path in the Internet is 15, the request message must exceed the path MTU, resulting in fragmentation and seriously reducing communication performance
[0023] (3) The authenticity of the source of the "communication permission message" cannot be verified, and malicious network nodes can use the TVA scheme to launch a new type of DDoS attack
[0025] To sum up, packet marking technology can be applied to the "Address Separation Mapping" network system, but it is an after-the-fact mechanism with complex calculations, and the obtained path information cannot be used to distinguish attack packets from ordinary packets or to block malicious traffic; only legal means can then be used to deter attackers, which is time-consuming and laborious and makes it difficult to meet the security requirements of dynamic defense in depth on the Internet.
TVA technology can also be applied to the "Address Separation Mapping" network system, but in TVA the path identification information carried by each data packet is too large, communication efficiency is low, and there are serious security threats.



Examples


Embodiment 1

[0063] As shown in figure 2, assume that host A is located in edge network EN1 with identity CA_A, host B is located in edge network EN2 with identity CA_B, and their corresponding routing addresses are RA_A and RA_B. Figure 3 is the flow chart of protocol interaction in the present invention; the steps of the defense method are as follows. Step 1: A sends a "request message" P_request to B, whose source address is CA_A and destination address is CA_B. P_request is an IP data packet consisting of a header only, and in particular the first bit of its "Flag" field is set to 1.

[0064] Step 2: After P_request reaches the border router BR1, BR1 generates the puzzle (N, K), packages it into the payload of P_puzzle and sends it to A. Here N is a pseudo-random number that BR1 updates periodically (every 60 s), and K is the puzzle difficulty that BR1 sets according to its load.

[0065] Step 3: After receiving P_puzzle, A performs enumerati...

Embodiment 2

[0087] In the deployment of the present invention, it is necessary to expand the functions of some network components in the "address separation mapping" network, mainly including:

[0088] (1) Terminals A and B: support the new access mechanism proposed by the present invention, that is, they can solve puzzles and send message (3); support the new token-based flow control mechanism proposed by the present invention, that is, they can send message (1), receive and process the request message, generate a Token, verify the source of the Token, and send data packets according to the content of the Token.

[0089] (2) BR1: supports the new access mechanism proposed by the present invention, that is, it can periodically update the pseudo-random number N (every 60 s), set the puzzle difficulty K according to its load status, generate and send the puzzle message (2) in response to the request message sent by the end user, and can verify the puzzle a...
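The puzzle-based access mechanism of Embodiment 1 (Steps 2 and 3) and the BR1 functions listed in Embodiment 2, as an added example that is not the patent's own code. The page states only that BR1 issues (N, K), rotates N every 60 s, sets K from its load, and that A solves by enumeration; the SHA-256 leading-zero-bits puzzle, the linear load-to-K mapping, the stateless derivation of N from a router secret, and the one-period grace window on verification are all assumptions.

```python
import hashlib
import time

NONCE_PERIOD_S = 60   # N rotation interval, from the patent text
MAX_DIFFICULTY = 24   # cap on K (assumption) so enumeration stays bounded


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def puzzle_hash(nonce: bytes, cid: bytes, answer: int) -> bytes:
    """Assumed puzzle function: SHA-256 over N, the sender's identity CA and the answer."""
    return hashlib.sha256(nonce + cid + answer.to_bytes(8, "big")).digest()


def difficulty_from_load(load: float) -> int:
    """Map BR1's load fraction (0.0 .. 1.0) to puzzle difficulty K (assumed linear)."""
    return int(round(min(max(load, 0.0), 1.0) * MAX_DIFFICULTY))


class BorderRouter:
    """BR1 side. N is derived from a secret and the current 60 s period, so the
    router keeps no per-client state while a puzzle is outstanding (assumption)."""

    def __init__(self, secret: bytes, clock=time.time):
        self.secret = secret
        self.clock = clock

    def nonce(self, periods_back: int = 0) -> bytes:
        period = int(self.clock()) // NONCE_PERIOD_S - periods_back
        return hashlib.sha256(self.secret + period.to_bytes(8, "big")).digest()[:16]

    def issue_puzzle(self, load: float):
        """Step 2: answer P_request with the puzzle (N, K) carried in P_puzzle."""
        return self.nonce(), difficulty_from_load(load)

    def verify(self, nonce: bytes, k: int, cid: bytes, answer: int) -> bool:
        """Accept the current or the previous period's N, so a solution finished just
        after rotation is not dropped; anything older, or below K, is rejected."""
        if nonce not in (self.nonce(0), self.nonce(1)):
            return False
        return leading_zero_bits(puzzle_hash(nonce, cid, answer)) >= k


def solve_puzzle(nonce: bytes, k: int, cid: bytes) -> int:
    """Step 3: A enumerates answers until the puzzle hash has at least K leading zero bits."""
    answer = 0
    while leading_zero_bits(puzzle_hash(nonce, cid, answer)) < k:
        answer += 1
    return answer
```

Because N is recomputed from the secret and the period, a replayed solution stops verifying two periods after it was issued without BR1 storing anything per client.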


Abstract

The invention relates to a method for defending against DDoS in an address disjunction mapping network, which belongs to the technical field of networks. The method comprises a data packet access mechanism and a token-granting flow control mechanism. The data packet access mechanism defends against DDoS attacks launched by malicious nodes against an access router, thereby ensuring the safety of the network; on that basis, the token-based flow control mechanism designed for the address disjunction mapping network ensures that a data source can transmit data to a receiving end only after obtaining the receiving end's permission, which fundamentally reduces the probability of DDoS attacks. With the border router and the access router deployed as described in the method, distributed denial of service (DDoS) attacks can be effectively defended against even when the network has asymmetric round-trip paths.

Description

Technical field

[0001] The invention relates to a distributed denial of service attack (Distributed Denial of Service, DDoS for short) defense method in an address separation mapping network, which belongs to the field of network technology.

Background technique

[0002] Since the IP address in the Internet serves the dual function of terminal identity and routing location at the same time, the network core is exposed to the dynamically changing edge network. With the wide application of the Internet, its routing system is facing serious scalability problems, specifically: (1) the Default Free Zone (DFZ) routing table grows super-linearly, far beyond current hardware design capabilities; (2) the number of Border Gateway Protocol (BGP) update messages in the DFZ increases sharply, consuming a large amount of network bandwidth and computing resources.

[0003] The scalability problem seriously restricts the healthy development of the Internet, so researchers have proposed a series of ...


Application Information

Patent Type & Authority: Applications (China)
IPC (8): H04L29/06, H04L12/56, H04L9/32, H04L9/30
Inventors: 张宏科, 卢宁, 周华春, 刘颖
Owner: BEIJING JIAOTONG UNIV