Method for preventing fragment attack of IP (Internet Protocol) datagram

An IP datagram and message technology, applied in the field of electrical components and transmission systems, that addresses problems such as erroneous datagrams, fragment attacks on IP datagrams and the resulting inability of the system to keep up, and achieves the effect of preventing fragmentation attacks.

Inactive Publication Date: 2012-06-20
OPZOON TECH
Cites: 7; Cited by: 14

AI Technical Summary

Problems solved by technology

In this way the host consumes a large amount of CPU reassembling these fragments, only to find after reassembly that the datagram is invalid and discard it. If there are many such datagrams, the system cannot keep up and crashes.
[0008] If the means of prior art 1 above is used, a threshold limits the per-second rate of IP fragment messages and traffic beyond the threshold can be discarded, but the legitimacy, validity and integrity of the fragments that are passed or discarded cannot be identified;
[0009] If the method of prior art 2 above is adopted, an access control list releases the initial fragment onto the network and rejects subsequent fragments, but this method cannot correctly identify normal fragment packets.
[0010] It can be seen from the above description that the prior art only defines a switch or rate limiting to control IP fragment messages as they pass through the network device; it does not check the legitimacy and integrity of the fragments, and therefore cannot fundamentally prevent attacks carried out with IP fragments.


Embodiment Construction

[0026] The specific embodiments of the present invention will be described in further detail below in conjunction with the drawings and embodiments. The following examples are used to illustrate the present invention, but not to limit the scope of the present invention.

[0027] In this embodiment, a firewall executing the method of the present invention is taken as an example. To avoid having each service module of the firewall (address translation, access control, data encryption and decryption; other network devices are similar) process IP fragments separately, which leads to high complexity, the firewall temporarily reassembles the received fragments: before a fragment received on a firewall interface is submitted to the subsequent upper-layer business module, it is reassembled in a buffer space defined per interface. During the temporary reassembly process, the fragmente...


Abstract

The invention discloses a method for preventing the fragment attack of an IP (Internet Protocol) datagram, relating to the technical field of network security. In the method, fragment messages of a received IP datagram are temporarily reassembled before reaching the corresponding processing module; during this temporary reassembly, if the number of fragment messages belonging to the same IP datagram exceeds a fragment threshold, the IP datagram is discarded. By storing each IP fragment message in a cache and virtually reassembling the fragments, the original datagram can be examined. Thus, network equipment can verify the sequence and integrity of each fragment and detect hostile attacks carried out using fragments, thereby preventing IP fragment attacks more effectively.
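The abstract describes counting fragments per datagram during temporary reassembly and discarding the datagram once a threshold is exceeded. As an added illustration (this is not code from the patent or from OPZOON TECH), the following Python sketch buffers IPv4 fragments keyed by (source, destination, identification, protocol), drops the datagram when its fragment count passes a configurable threshold, and additionally rejects overlapping or oversized fragments so that the sequence and integrity of each fragment are checked before the reassembled datagram is handed on. The threshold value, the FragmentGuard class and the sample packets are assumptions constructed for this example.

```python
"""Per-datagram fragment tracking with a fragment-count threshold (illustrative)."""
import struct
from dataclasses import dataclass, field

FRAG_THRESHOLD = 8      # assumed default: maximum fragments accepted per datagram
MAX_DATAGRAM = 65535    # largest IPv4 datagram (RFC 791)
_HDR = '!BBHHHBBH4s4s'   # minimal 20-byte IPv4 header layout


def build_fragment(ident, offset_bytes, more, payload,
                   src=b'\x0a\x00\x00\x01', dst=b'\x0a\x00\x00\x02', proto=17):
    """Constructed test input: a minimal IPv4 header followed by payload."""
    flags_frag = ((1 if more else 0) << 13) | (offset_bytes // 8)
    hdr = struct.pack(_HDR, 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, src, dst)
    return hdr + payload


def parse_fragment(pkt):
    """Return the reassembly key, byte offset, more-fragments flag and payload."""
    vihl, _, total_len, ident, flags_frag, _, proto, _, src, dst = \
        struct.unpack(_HDR, pkt[:20])
    ihl = (vihl & 0x0F) * 4
    more = bool(flags_frag & 0x2000)
    offset = (flags_frag & 0x1FFF) * 8
    return (src, dst, ident, proto), offset, more, pkt[ihl:total_len]


@dataclass
class _State:
    pieces: dict = field(default_factory=dict)   # offset -> payload bytes
    count: int = 0                               # fragments seen for this datagram
    total: "int | None" = None                   # datagram length once the last fragment arrives


class FragmentGuard:
    """Temporary reassembly buffer that discards datagrams with too many fragments."""

    def __init__(self, threshold=FRAG_THRESHOLD):
        self.threshold = threshold
        self.table = {}      # key -> _State
        self.dropped = set()  # keys already discarded; later fragments are dropped too

    def feed(self, pkt):
        """Return ('drop', reason), ('pending', None) or ('complete', datagram_bytes)."""
        key, offset, more, payload = parse_fragment(pkt)
        if key in self.dropped:
            return ('drop', 'datagram already discarded')
        st = self.table.setdefault(key, _State())
        st.count += 1
        if st.count > self.threshold:                     # the patent's fragment threshold
            return self._discard(key, 'fragment threshold exceeded')
        end = offset + len(payload)
        if end > MAX_DATAGRAM:                            # integrity: cannot fit a datagram
            return self._discard(key, 'fragment exceeds maximum datagram size')
        for o, p in st.pieces.items():                    # integrity: no overlapping data
            if offset < o + len(p) and o < end:
                return self._discard(key, 'overlapping fragment')
        st.pieces[offset] = payload
        if not more:
            st.total = end
        if st.total is not None and self._contiguous(st):
            data = b''.join(st.pieces[o] for o in sorted(st.pieces))
            del self.table[key]
            return ('complete', data)
        return ('pending', None)

    def _contiguous(self, st):
        """True when buffered pieces cover 0..total without gaps (sequence check)."""
        pos = 0
        for o in sorted(st.pieces):
            if o != pos:
                return False
            pos = o + len(st.pieces[o])
        return pos == st.total

    def _discard(self, key, reason):
        self.table.pop(key, None)
        self.dropped.add(key)
        return ('drop', reason)


def demo():
    """Constructed traffic: one well-formed datagram, then one split into many tiny pieces."""
    guard = FragmentGuard(threshold=4)
    normal = [build_fragment(1, 0, True, b'A' * 400),
              build_fragment(1, 400, True, b'B' * 400),
              build_fragment(1, 800, False, b'C' * 400)]
    normal_results = [guard.feed(p) for p in normal]
    flood = [build_fragment(2, i * 8, True, b'X' * 8) for i in range(6)]
    flood_results = [guard.feed(p)[0] for p in flood]
    return normal_results, flood_results


if __name__ == '__main__':
    print(demo())
```

The per-datagram counter is what the abstract calls the fragment threshold; the overlap and size checks are the integrity checks a device can only perform because the fragments are held together in a cache rather than forwarded individually. A production implementation would also age out entries, since an attacker can hold buffer space by never sending the final fragment.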

Description

Technical field
[0001] The invention relates to the technical field of computer network security, in particular to a method for preventing IP datagram fragmentation attacks.
Background technique
[0002] The maximum transmission unit (MTU) is the protocol data unit (PDU) of the data link layer, that is, the size of the frame. For the most common Ethernet, the data link layer protocol is based on IEEE802.2 / 802.3, and the length of the data (payload) field of an Ethernet frame ranges from 46 to 1500 bytes; this 1500 is the MTU of Ethernet. When an upper-layer protocol of the link layer, for example the IP datagram (including the IP header) to be transmitted by the IP protocol, exceeds this length, the IP datagram must be divided into multiple pieces for transmission and reassembled at the target system. This process is fragmentation, and each piece produced by it is a fragment (fragmented message). [0003] It ca...


Application Information

IPC(8): H04L29/06
Inventor: 王瑞
Owner: OPZOON TECH