A sip DDoS attack distributed defense system and its load balancing method

Abstract

The invention relates to the fields of VoIP network security and IP communication, in particular to a SIP DDoS attack distributed defense system and a load balancing method thereof. The invention includes a defense detection node connected with a load balancer for notifying load information to the load balancer in real time and sharing a rule base; a load balancer connected with multiple defense detection nodes for distributing SIP messages to each defense The detection node updates the defense node load table according to the load information sent by the defense detection node. The invention adopts a distributed structure with high message processing capability and good scalability; based on the detection algorithm load balancing method, it has a high attack detection rate and a low false alarm rate; using a load distribution algorithm, each node It has good load balancing characteristics.

Description

technical field [0001] The invention relates to the fields of VoIP network security and IP communication, in particular to a SIP DDoS attack distributed defense system and a load balancing method thereof. Background technique [0002] With the diversification of people's communication needs, the scope of IP communication has been greatly expanded, and it has begun to evolve from a simple VoIP system (Voice Over IP) to a unified communication (EoIP, Everything Over IP). SIP (sessioninitiation protocol, a signaling control protocol of the application layer) is used to establish, modify and terminate two-party or multi-party multimedia sessions on the IP network. It has become the core protocol of VoIP, IMS, and IPTV because of its simple structure and convenient use. SIP is also used in the NGN architecture defined by ETSI and ITU-T. At the beginning of the design, the SIP protocol fully considered the ease of use and flexibility of the protocol, and did not focus on security...

AI Technical Summary

Problems solved by technology

A system that achieves defense by limiting the message request rate cannot distinguish between normal messages and attack messages, and can only weaken the attack intensity; the defense efficiency of the state firewall system on the SIP network depends on the set security rules, and can only defend against known attacks; flow-based Since the distributed defense system does not consider the characteristics of SIP messages, most of the detection algorithms cannot be used and high false positives and false negatives will be generated; the self-defense system of the SIP proxy server is embedded in the SIP proxy server, which increases the processing burden, which can cause the server to crash in the face of a large number of attack messages

[0005] None of the existing SIP DDoS defense models can achieve active and proactive detection of unknown attacks while effectively defending

At the same time, some main SIP DDoS attack detection algorithms, such as the cumulative sum algorithm and the detection method based on the SIP transaction state machine, etc., have high detection accuracy, but due to the large consumption of resources and slow detection speed, etc. Cannot be used for defense in the defense system

Images