RU2580808C2 - Method for dynamic filtration of internet protocol datagrams - Google Patents

Abstract

FIELD: telecommunications.

SUBSTANCE: invention relates to communication and can be used in data networks for filtration and routing of Internet protocol fragmented datagrams. Said technical result is achieved by using time-varying filtration criterion, which is at least one of following parameters: IP-address of source, IP-address of recipient, subnet mask, source port, recipient port, range of source ports, range of recipient ports, protocol number, type of service for IP of version 4 (IPv4), class of traffic for IP of version 6 (IPv6), mark flow for IPv6, IPSec security parameter index (SPI), total length of IP datagrams or their combination.

EFFECT: technical result consists in improvement of efficiency of protection against DDoS attacks.

1 cl, 5 dwg

Description

The invention relates to the field of telecommunications and can be used in data networks for filtering and routing fragmented datagrams of the Internet Protocol.

Internet Protocol (IP) is a protocol that supports the transfer of blocks of data (packets), called datagrams, from sources to receivers in a packet-switched data network. Sources and recipients are host computers that are identified by fixed-length IP addresses. To transfer data to the recipient, the source generates a datagram with an IP header and a part corresponding to the payload. The source then sends the datagram as an IP packet towards the receiver based on the routing information that the source has for the receiver.

The standard IP-datagram filter (filtering node) is a separate network node with the software running on it (firewall, router), which is configured to filter incoming and outgoing data blocks. The rules for setting IP filters can be allowing, prohibiting, or others (route control, speed limits, etc.). IP traffic filtering is based on the information contained in the packet headers.

Known methods for filtering datagrams of the Internet protocol (Maftik, C. Protection mechanisms in computer networks / S. Maftik: transl. From English. - M .: Mir, 1993. - 216 p .; Stolings V. Fundamentals of network protection / V. Stolings : transl. from English - M.: Williams Publishing House, 2002. - 304 p.), in which the main filtering criteria are IP addresses and TCPIUDP port numbers of the sender and receiver. Using the information contained in the TCP and IP headers of datagrams at the present stage is becoming an increasingly less effective filtering criterion, because an attacker, for example, when organizing a DDoS attack, can create a header that satisfies the resolving filtering rules.

There is a method for classifying fragmented IP datagrams (patent US 2003126272 A1 dated 07/03/2003), according to which, in addition to information in the headers of the datagrams, data of other fields of the Internet protocol datagrams are used as a classification criterion (filtering). However, the application for filtering packet lifetimes (TTL) is quite difficult in practice and is limited by the number of network nodes on the route, and type of service (ToS) data is only effective temporarily until the segments of this field are correctly filled by the attacker. The ToS parameter occupies one byte, so the probability of its selection by an attacker is n / 2 ⁸ , where n is the number of attempts to match.

The closest in technical essence to the claimed method and selected as a prototype is a method for filtering and routing fragmented datagrams in a data network (RF Patent 2363108 of 06/29/2005), in which at least one filter parameter for the Internet protocol datagram is identified (IP ) sent as multiple fragments; storing one or more received fragments of the Internet Protocol (IP) datagram as stored fragments; obtaining said at least one filter parameter from said one or more received fragments; determining a filtering result for the Internet Protocol (IP) datagram based on the at least one filtering parameter, the filtering result being determined before all fragments of the Internet Protocol (IP) datagram are received, stored fragments are processed based on the filtering result; and processing additional fragments received after the filtering result is determined based on the at least one filtering parameter, said at least one filtering parameter for the IP datagram containing the IP address of the source, IP address of the recipient, subnet mask, port source, destination port, source port range, destination port range, protocol number, type of service for IP version 4 (IPv4), traffic class for IP version 6 (IPv6), stream label for IPv6, IPSec security parameter index (SPI), or combination.

The use of the mentioned filtering parameters at the present stage is becoming less and less effective criterion, because most attackers during the organization of DDOiS' attacks correctly recreate them. The probability of an attacker choosing filtering parameters for IPv4, for example, is:

P = P _{knocked adr.ist adr.pol} · P · P · P _{masks p.ist p.pol} · P · P · P _{diap.ist diap.pol prot} · P · _ToS,

where R _addr. is the probability of selection of the IP address of the source,

P _addr . _Floor - probability of selection IP address of the recipient,

P _masks - the probability of selecting a subnet mask,

P _pist - the probability of selecting the sender port,

R _p.pol - the probability of selecting the port of the recipient,

P _diap.ist - the probability of selecting a range of source ports,

P _diap.field - the probability of selecting the range of ports of the receiver,

R _prot - the probability of selecting a protocol number,

P _ToS - the probability of selecting the type of service.

Moreover, if any filtering parameter is not defined, then the corresponding probability of selection is equal to unity.

DDoS (Distributed Denial of Service) is a type of network attack based on the unrestricted resources of the attacked service, to which a host of requests will be organized, which it obviously will not be able to handle, and will be forced to refuse service (or make waiting unacceptably long )

The objective of the invention is to develop a method for dynamic filtering of Internet protocol datagrams, which allows to increase the effectiveness of the protection system against DDoS attacks by reducing the likelihood of an attacker selecting filtering parameters.

In the claimed method, this problem is solved as follows. In the method for dynamically filtering Internet Protocol datagrams, at least one filtering parameter is identified for the Internet Protocol (IP) datagram sent as multiple fragments. Save one or more received fragments of the Internet Protocol (IP) datagram as stored fragments. The at least one filter parameter is obtained from said one or more received fragments. The filtering result for the Internet Protocol (IP) datagram is determined based on the at least one filtering parameter, the filtering result being determined before all fragments of the Internet Protocol (IP) datagram are received. The stored fragments are processed based on the filtering result and the additional fragments received after the filtering result is determined based on the at least one filtering parameter are processed. At the same time, the at least one filtering parameter for the IP datagram contains the source IP address, destination IP address, subnet mask, source port, destination port, source port range, destination port range, protocol number, type of service for IP version 4 (IPv4), traffic class for IP version 6 (IPv6), stream label for IPv6, IPSec security parameter index (SPI), total IP datagram length, or a combination thereof. The mentioned filtering criteria in said at least one filtering parameter for IP datagrams are transformed in a pseudo-random manner at time intervals that vary independently according to the pseudo-random law.

A new set of essential features allows you to achieve the specified technical result through the use of pseudo-random dependencies of the filtering parameters of the IP datagram in conjunction with other filtering parameters (Fig. 1).

For example, the “total length” field of an IP datagram occupies two bytes and means the total packet length, taking into account the header and data field. The maximum packet length is limited by the bit depth of the field determining this value. When transmitting over networks of various types, the length of the datagram is selected taking into account the maximum length of the packet of the lower level protocol. If these are Ethernet frames, then packets with a maximum length of 1500 bytes fit in the data field of the Ethernet frame are selected. The standard provides that all network nodes should be ready to receive packets up to 576 bytes in length. When organizing and configuring the connection parameters, the total length of the IP datagram is set by the network administrator, who can set not only one strictly defined value, but a range of possible values, within which, in accordance with the pseudo-random control algorithm, the packet length in the filtering rules will change its value. Similar actions can be defined for other fields of the IP datagram.

The analysis of the prior art made it possible to establish that there are no analogues that are characterized by a combination of features identical to all the features of the claimed method for dynamic filtering of Internet protocol datagrams. Therefore, the claimed invention meets the condition of patentability "novelty."

Search results for known solutions in this and related fields of technology in order to identify features that match the distinctive features of the claimed object from the prototype showed that they do not follow explicitly from the prior art. The prior art also did not reveal the popularity of the impact provided for by the essential features of the claimed invention, the transformations to achieve the specified technical result. Therefore, the claimed invention meets the condition of patentability "inventive step".

The claimed invention is illustrated by the following figures:

figure 1 - IP packet for the datagram;

figure 2 is a process performed by a network node for filtering a fragmented datagram and routing its fragments;

figure 3 is a functional diagram of the organization of protection against DDoS attacks of FTW routers according to the claimed method;

4 is a set of filtering rules for the header of the IP packet and the length of the packet;

5 is a functional diagram of a dynamic filter of IP traffic.

The implementation of the claimed method is illustrated by a flowchart of a process performed by a network node for filtering a fragmented datagram and routing its fragments. A fragmented datagram is composed of many fragments, and each fragment is sent as one IP packet (figure 2). Thus, for a fragmented datagram, fragments and IP packets are synonymous terms.

Initially, the filtering node receives the IP packet (step 201). It then determines whether the IP packet is a fragmented datagram (step 203), for example, by checking the MF bit and the fragment offset field in the IP header of the IP packet. An IP packet is an unfragmented datagram if the fragment offset field is set to “0” and the MF bit is set to “0”. If the IP packet is an unfragmented datagram (the answer “no” is received at step 203), then the node applies one or more filters to the IP packet and processes and / or forwards the IP packet based on the filtering result (step 202). Then, the filtering node returns to step 201 to process the next IP packet.

If the current IP packet is a fragmented datagram, as determined in step 203, then the filtering node determines whether this IP packet is the first received for the datagram (step 206) by:

1) obtaining a datagram identifier, for example, as a concatenation of identification values, protocol, source address and recipient address in the IP header of the IP packet;

2) search for routing table entries for the identifier of this datagram;

3) indicate the current IP packet as the first received fragment, if the datagram identifier is not found in any of the elements of the routing table.

If the current IP packet is the first received fragment, then the filtering node creates a new routing table entry for the datagram, initializes the fields of the new routing table entry, and starts the timer for the datagram (step 205). The routing table entry for the datagram is indexed by the datagram identifier. The routing table entry includes a pointer that indicates the location of the fragment memory used to store fragments of the datagram. The filtering node then proceeds to step 208.

If the current IP packet is not the first received fragment, as determined at step 206, then the filtering node determines whether the filter result is available for the datagram in the routing table entry for the datagram (step 207). If the filter result exists, then the node processes / forwards the IP packet in accordance with the filter result (step 209) and then proceeds to step 211. Otherwise, if the filter result is not available, the node determines whether all filter parameters for the datagram were received from the current IP packet and whether all IP packets that are also fragments of this datagram have already been received (step 432). If all filtering parameters have not been received, then the node allocates a buffer in the fragment memory for the current IP packet and stores the IP packet in the buffer (step 215). The node then returns to step 201 to process the next IP packet. Otherwise, if all filtering parameters have been obtained, the node applies filters with respect to the filtering parameters, obtains the filtering result for the datagram, and saves the filtering result in the routing table entry created for the datagram (step 210). The node then processes / forwards the current IP packet, as well as all already received IP packets, which are also a fragment of this datagram and stored in the fragment memory, in accordance with the filtering result (step 212). The node then proceeds to step 211.

For the embodiment shown in FIG. 2, the filtering node also keeps track of which fragments were received for the datagram, and updates this information whenever a new fragment is received for the datagram (step 211). A node can perform this registration based on the fragment offset of each fragment (which is obtained from the fragment offset field) and the payload size of each fragment (which is obtained based on the IHL fields and the total length). The node then determines whether all fragments of the datagram have been received based on the updated fragment information (step 213). An entire datagram is accepted if:

1) the last fragment of the datagram was received (the last fragment has the MF bit set to "0");

2) all other fragments of the datagram were also accepted (which can be determined based on the fragment offset and the payload size of each received fragment).

If the whole datagram was accepted, then the node deletes the routing table entry for the datagram and deletes all fragments of the datagram from the fragment memory (step 214). From steps 213 and 214, the node returns to step 201 to process the next IP packet.

Using the claimed method for organizing protection against DDoS attacks is shown in figure 3.

A filtering device based on the claimed method is located in front of the VPN router for its immediate protection. The filtering device has established rules based on which IP packets will pass through the device. IP packets whose structure complies with the established rules will go through this device, and the rest will be filtered out.

To check it, simulation was carried out on three PCs using the C # programming environment. The first PC simulated the sender node (source, VPN router 1), the second - the receiver node (VPN router 2). A PTW tunnel has been configured between these nodes. The third PC implemented a source of DDoS attacks. Software tools on the first and second PCs implemented a datagram filter with variable filtering parameters. When configuring it, rules were established on the basis of which packets passed through this device.

An example of a datagram filter setting is shown in FIG. 4.

The first rule allows TCP packets from the source 129.6.48.254, which has any sender port, to pass to the address 123.4.5.92 if the connection is established with port 1024 and the packet length should be 150 bytes. The second rule prohibits all other packets.

An IP packet arrives at one of the ports, we denote it by P _i . The filtering device performs an analysis, i.e. comparing the values of the package fields with the values specified in the filtering rules. First, the information contained in the packet header Р _{i is} checked. The IP addresses of the sender and recipient must correspond to the IP addresses specified in the filtering rules (based on the example, 129.6.48.254 and 123.4.5.92 must be met), and the condition n _i = N _port = 1024, i.e. the value in the field “receiver port” of the packet Р _i is equal to the value specified in the rules, based on the example - 1024. Even if these rules are followed, it is impossible to draw a correct conclusion about the origin of the packet (VPN packet or DDoS attack), because an attacker with a probability of P _sub can correctly fill in the header, indicating the correct values of IP addresses and port numbers of the sender and receiver. Therefore, the received IP packet is analyzed according to the following criteria specified in the rules, according to the length of the packet. If the last condition is satisfied, L _i = L _p , i.e. the length of the received packet P _i coincides with the value of the packet length specified in the filtering rules, then the packet is passed through the filtering device. If the rule is not fulfilled, then the received IP packet is discarded (Fig. 5).

, где n_t - количество попыток подбора длины пакета за время t.The probability of matching the length of the received packet with the value specified in the filtering rules is very small. For an Ethernet frame, for example, the value of this parameter can be any in the range from 1 to 576 bytes, and the attacker is likely to select the length of the packet $$P_{\mathrm{from}\mathrm{about}\mathrm{at}P}=\frac{n_t}{576}$$

, where n _t is the number of attempts to select the packet length over time t.

In case of a prolonged attack and provided that the DDoS attack is manageable, the attacker, having significant resources and an appropriate level of training, is able to adapt to the packet length value, which is used as a filtering criterion.

To increase the efficiency of this system, a group of additional filtering rules is introduced. For example, the parameter total packet length becomes a function of time L _p (t) and can change its value according to a predefined packet length control algorithm. When configuring a filtering device, the network administrator can set not only one strictly defined value, but a range of values. For example, in accordance with the control algorithm, the packet length in the filtering rules can change its value within a given range after a certain time interval.

The advantages of such a protection system is that an attacker will need a large amount of resources and time to organize an attack that will meet all filtering rules. In addition, the DDoS attack must be manageable, which unmasks the location of the attacker.

The disadvantage of this system is the complexity of the practical implementation of the synchronization of filtering devices. To avoid this problem, the packet length control algorithm can be implemented in such a way that the value of the packet length will change after a certain amount of information is transmitted and received in the algorithm.

As a dynamic filtering criterion (i.e., changing over time), it is possible to set not one parameter, but several. For example, as a time-varying criterion, you can also use the port numbers of the sender and receiver, because they are set by the administrator when setting up a virtual private network. Thus, the probability of an attacker selecting dynamic filtering parameters is:

, $$P_{P\mathrm{about}db}^d=P_{P\mathrm{about}db}\cdot P_{\mathrm{one}}^{t_{\mathrm{one}}}\cdot P_2^{{\mathrm{<figure-callout\; id="2"\; label="t"\; filenames="00000008.png,00000009.png"\; state="\{\{state\}\}">t</figure-callout>}}_2}...P_k^{t_k}$$

,

where P _subb is the probability of selecting static filtering parameters,

- вероятность подбора динамического параметра 1 за время t₁, $$P_{\mathrm{one}}^{t_{\mathrm{one}}}$$

- the probability of selecting a dynamic parameter 1 over time t ₁ ,

- вероятность подбора динамического параметра 2 за время t₂, $$P_2^{t_2}$$

- the probability of selecting a dynamic parameter 2 over time t ₂ ,

- вероятность подбора динамического параметра k за время t_k. $$P_k^{tk}$$

is the probability of selecting a dynamic parameter k over time t _k .

Protection against DDoS attacks, using the parameter the total length of the IP packet and others whose values are dynamic, significantly increases the effectiveness of the protection system.

Claims (1)

A method for dynamically filtering Internet Protocol datagrams in which at least one filtering parameter is identified for an Internet Protocol (IP) datagram sent as multiple fragments; storing one or more received fragments of the Internet Protocol (IP) datagram as stored fragments; obtaining said at least one filter parameter from said one or more received fragments; determining a filtering result for an Internet Protocol (IP) datagram based on said at least one filtering parameter, the filtering result being determined before all fragments of the Internet Protocol (IP) datagram are received; process the stored fragments based on the filtering result; and processing additional fragments received after the filtering result is determined based on the at least one filtering parameter, wherein said at least one filtering parameter for the IP datagram contains a source IP address, a recipient IP address, a subnet mask, source port, destination port, source port range, destination port range, protocol number, type of service for IP version 4 (IPv4), traffic class for IP version 6 (IPv6), stream label for IPv6, IPSec security parameter index (SPI) or them a combination, characterized in that said at least one filter parameter for the IP datagram is a function of time and further comprises the total length of the IP datagram.

Images