A method and firewall for preventing dos attack

A firewall and anti-attack technology, applied in electrical components, transmission systems, etc.; it addresses problems such as system crashes and heavy consumption of computing and memory resources, and achieves the effect of preventing DoS attacks.

Active Publication Date: 2018-02-13
OPZOON TECH

AI Technical Summary

Problems solved by technology

[0002] The negotiation process of IKE (Internet Key Exchange) includes main mode and aggressive mode. In IKE negotiation the initiator does not know the responder's cookie value in advance, so the responder cookie value is set to 0, and the responder therefore cannot tell whether the message is a forged exchange request. Since the responder creates state when it receives the first message, a malicious attacker can send a large number of initial messages to make the responder keep creating state and consuming memory, eventually leading to memory exhaustion and a system crash; IKE is thus vulnerable to DoS (Denial of Service) attacks that consume memory resources.
In addition, in aggressive mode IKE must perform key agreement through a Diffie-Hellman exchange during the first negotiation, and the modular exponentiation involved consumes large computing resources.
DoS attackers initiate a large number of forged exchange requests through IP spoofing. If the responder cannot distinguish these forged requests, it has to perform a large number of modular exponentiations on them, resulting in a DoS attack that consumes CPU resources.
Therefore, the initial exchange of both main mode and aggressive mode is subject to DoS attacks that consume memory resources, and aggressive mode is additionally subject to DoS attacks that consume CPU resources.



Embodiment Construction

[0035] In order to make the object, technical solution and advantages of the present invention clearer, the present invention will be further described in detail below in conjunction with specific embodiments and with reference to the accompanying drawings. It should be understood that these descriptions are exemplary only, and are not intended to limit the scope of the present invention. Also, in the following description, descriptions of well-known structures and techniques are omitted to avoid unnecessarily obscuring the concept of the present invention.

[0036] The invention provides a method for preventing DoS attack and a firewall, which can effectively prevent the responder from being attacked by DoS during the IKE negotiation process.

[0037] The negotiation process of IKE (Internet Key Exchange) includes main mode and aggressive mode. The specific negotiation process is as follows:

[0038] Main mode negotiation:

[0039] Initiator a ------------------------------...


Abstract

The invention discloses a method and a firewall for preventing DoS attacks. The method comprises the following steps: step S1, receiving an IKE message; step S2, checking whether the cookie value in the IKE message is complete; step S3, if the cookie value is complete and there is a corresponding value in the IKE SA database, continuing the IKE negotiation process, otherwise discarding the IKE message; step S4, if only the source cookie value is present in the cookie value and there is a corresponding value in the IKE SA database, resending the response message; step S5, if only the source cookie value is present in the cookie value and there is no corresponding value in the IKE SA database, processing the IKE message according to whether the anti-DoS function is enabled. This can effectively prevent the responder from suffering DoS attacks during IKE negotiation.
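The following is an added example, not code from the patent or its owner: it applies the decision steps S2 to S5 of the abstract, and the cookie-exhaustion problem described in the background, to raw ISAKMP headers. The header layout follows RFC 2408 (8-byte initiator cookie, 8-byte responder cookie); the SA database is modelled as a dict from initiator cookie to responder cookie, and the contents of the anti-DoS branch of step S5 are not disclosed on this page, so that branch only returns a marker.

```python
import struct

# ISAKMP header (RFC 2408): initiator cookie (8), responder cookie (8),
# next payload, version, exchange type, flags, message ID (4), length (4).
ISAKMP_HDR = struct.Struct("!8s8sBBBBII")
ZERO_COOKIE = bytes(8)          # responder cookie in an initiator's first message

# Outcomes, named after the steps of the abstract.
CONTINUE = "S3: both cookies present and known, continue negotiation"
DISCARD = "S3: both cookies present but not in SA database, discard"
RESEND = "S4: source cookie only, SA known, resend response message"
CREATE_STATE = "S5: source cookie only, SA unknown, anti-DoS off, create state"
ANTI_DOS = "S5: source cookie only, SA unknown, anti-DoS on (handling not on page)"


def build_header(icookie, rcookie, exchange_type=2):
    """Constructed test input: a bare 28-byte ISAKMP header, no payloads.
    exchange_type 2 = identity protection (main mode), 4 = aggressive."""
    return ISAKMP_HDR.pack(icookie, rcookie, 0, 0x10, exchange_type, 0, 0, ISAKMP_HDR.size)


def classify(msg, sa_db, anti_dos_enabled):
    """Steps S1..S5 for one received IKE message (S1 is the call itself).

    sa_db: {initiator_cookie: responder_cookie} for SAs the responder holds;
    this dict is the example's stand-in for the IKE SA database.
    """
    if len(msg) < ISAKMP_HDR.size:          # added defensive check, not a page step
        raise ValueError("message shorter than an ISAKMP header")
    icookie, rcookie = ISAKMP_HDR.unpack_from(msg)[:2]    # S2: read both cookies
    if rcookie != ZERO_COOKIE:              # S3: cookie value is complete
        return CONTINUE if sa_db.get(icookie) == rcookie else DISCARD
    if icookie in sa_db:                    # S4: source cookie only, SA already exists
        return RESEND
    return ANTI_DOS if anti_dos_enabled else CREATE_STATE   # S5


def count_state_creations(msgs, sa_db, anti_dos_enabled):
    """How many messages of a burst would make the responder allocate new state,
    i.e. the memory-exhaustion exposure the background section describes."""
    return sum(classify(m, sa_db, anti_dos_enabled) == CREATE_STATE for m in msgs)


if __name__ == "__main__":
    known = {bytes.fromhex("0102030405060708"): bytes.fromhex("a1a2a3a4a5a6a7a8")}
    burst = [build_header(n.to_bytes(8, "big"), ZERO_COOKIE) for n in range(1, 101)]
    print("anti-DoS off:", count_state_creations(burst, known, False), "state entries")
    print("anti-DoS on: ", count_state_creations(burst, known, True), "state entries")
```

With the anti-DoS function off, every spoofed first message with a fresh initiator cookie reaches the state-creating branch, which is exactly the exposure the background section describes.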

Description

Technical field

[0001] The invention relates to the field of preventing DoS attacks, in particular to a method and a firewall for preventing DoS attacks.

Background technique

[0002] The negotiation process of IKE (Internet Key Exchange) includes main mode and aggressive mode. In IKE negotiation the initiator does not know the responder's cookie value in advance, so the responder cookie value is set to 0, and the responder therefore cannot tell whether the message is a forged exchange request. Since the responder creates state when it receives the first message, a malicious attacker can send a large number of initial messages to make the responder keep creating state and consuming memory, which eventually leads to memory exhaustion and a system crash. Therefore, IKE is vulnerable to DoS (Denial of Service) attacks that consume memory resources. In addition, in aggressive mode IKE needs to conduct key agreement through a Diffie-Hellman e...


Application Information

Patent Type & Authority Patents(China)
IPC IPC(8): H04L29/06
Inventor 陈海滨刘鹏章敏王禹王智民
Owner OPZOON TECH