DoS (Denial of Service) attack defense method based on identity and location separation-and-mapping mechanism

An identity and location separation-and-mapping technique, applied in the field of network security, that addresses the problems that StopIt cannot give the terminal the ability to allow or deny communication and that StopIt integrates poorly with the identity and location separation network system.

Active Publication Date: 2012-05-09
北京地平线轨道技术有限公司

AI Technical Summary

Problems solved by technology

1) When dealing with large-scale DoS attacks, routers need to maintain a huge number of filtering rules, and a large number of complex filtering rules may seriously affect the packet processing speed of the router.
2) The StopIt system only allows the terminal to send a request to prevent malicious attacks when it is under attack, and cannot provide the terminal with the ability to allow or deny when the communication connection is established.
3) StopIt is poorly integrated with the identity and location separation network system.
4) StopIt does not have the function of storing terminal policies. When the terminal needs to maintain a certain policy state for a long time, such as denying or allowing some communication data, StopIt cannot provide this support.


Embodiment Construction

[0055] In recent years, the number of Internet users has grown to an unprecedented size. Various services are carried over the Internet, including mobility, multihoming, and traffic engineering, which has caused a huge increase in the scale of the global routing table and made it unstable. The Internet Architecture Board (IAB) revealed that Internet routing systems face serious scalability problems. With the exhaustion of IPv4 addresses and the gradual application of IPv6, the huge address space of IPv6 may exceed the processing capacity of the routing table, affecting the normal operation of the Internet.

[0056] Therefore, the IAB commissioned the Routing Research Group (RRG) of the Internet Research Task Force (IRTF) to design a new network system to solve the problem of routing scalability. At present, researchers have proposed a variety of network architecture solutions to solve the problem of routing scalability.

[0057] In traditional networks, IP addres...


Abstract

The invention provides a DoS (Denial of Service) attack defense method based on an identity and location separation-and-mapping mechanism. The DoS attack defense method comprises the following steps: on the basis of the mapping system of an identity and location separation network architecture, an additional communication status flag is added to the mapping information in the xTR mapping cache; a proxy server integrates the communication status flag with the mapping system of the identity and location separation network architecture, and the communication status flag of the mapping information in the xTR mapping cache is obtained by querying the proxy server, where the proxy server collects and maintains the communication status of the terminal and responds to xTR communication status queries by querying the terminals within its management range; when the terminal finds that it is subject to malicious attack, the terminal requests that transmission of the attack data stream be stopped; and when the terminal sets the communication status to allowable partial connection, the sending end completes the connection establishment process. With this method, DoS attack defense can be realized, and a terminal under malicious attack can actively request defense to prevent further harm without affecting its other communication connections.
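A minimal model of the flow described in the abstract, as an added example that is not taken from the patent: an xTR caches mapping information together with a communication status flag obtained from a proxy server, and stops forwarding one sender's traffic after the terminal asks for it. The flag values `ALLOW`/`DENY`, the per-sender granularity, the default of `ALLOW`, the `refresh` step, and all class names and EID/RLOC strings are assumptions made for illustration.

```python
# Added illustration; names, flag values and addresses are constructed assumptions.
from dataclasses import dataclass, field

ALLOW, DENY = "allow", "deny"   # assumed encodings of the communication status flag

@dataclass
class ProxyServer:
    """Collects and maintains the communication status of the terminals it manages."""
    rloc_of: dict                                # destination EID -> RLOC (mapping info)
    policy: dict = field(default_factory=dict)   # (src EID, dst EID) -> status flag

    def terminal_request(self, dst_eid, src_eid, status):
        # Called on behalf of a terminal, e.g. DENY once it detects an attack stream.
        self.policy[(src_eid, dst_eid)] = status

    def query(self, src_eid, dst_eid):
        # Answer an xTR query with the mapping plus its flag (assumed default: ALLOW).
        return self.rloc_of[dst_eid], self.policy.get((src_eid, dst_eid), ALLOW)

@dataclass
class XTR:
    proxy: ProxyServer
    cache: dict = field(default_factory=dict)    # (src, dst) -> (RLOC, status flag)

    def forward(self, src_eid, dst_eid):
        key = (src_eid, dst_eid)
        if key not in self.cache:                # cache miss: query the proxy server
            self.cache[key] = self.proxy.query(src_eid, dst_eid)
        rloc, status = self.cache[key]
        return f"encapsulate to {rloc}" if status == ALLOW else "drop"

    def refresh(self, src_eid, dst_eid):
        # Assumed update path: re-query so a changed policy replaces the cached flag.
        self.cache[(src_eid, dst_eid)] = self.proxy.query(src_eid, dst_eid)

def demo():
    proxy = ProxyServer(rloc_of={"eid-server": "rloc-B"})
    xtr = XTR(proxy)
    before = xtr.forward("eid-attacker", "eid-server")
    proxy.terminal_request("eid-server", "eid-attacker", DENY)  # terminal asks to stop the stream
    xtr.refresh("eid-attacker", "eid-server")
    after = xtr.forward("eid-attacker", "eid-server")
    other = xtr.forward("eid-client", "eid-server")             # unrelated sender is unaffected
    return before, after, other

if __name__ == "__main__":
    print(demo())
```

Because the flag lives in the same cache entry as the mapping, the drop decision costs one lookup per packet rather than a pass over a separate filter-rule list.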

Description

Technical field

[0001] The invention relates to a DoS attack defense method based on a separation and mapping mechanism of identity and location, so that when a terminal is attacked maliciously, it can actively request defense to avoid further damage without affecting other communication connections of the terminal. It belongs to the field of network security technology.

Background technique

[0002] The network system of separating identity and location can solve the problem of routing scalability. However, just like the security problems faced by traditional networks, the network system of separating identity and location still faces many network security problems. DoS and DDoS attacks are the main attack methods in traditional networks, and they will also be the main security threats to the identity and location separation network system.

[0003] When a connection is established in a traditional network, the receiving end does not know the communication intention of the...


Application Information

IPC(8): H04L29/06, H04L12/56
Inventor: 刘颖, 张宏科, 周华春, 唐建强
Owner: 北京地平线轨道技术有限公司