
WO2009117968A1 - Illegal route attack defending method, system and equipment - Google Patents


Info

Publication number: WO2009117968A1
Authority: WO (WIPO (PCT))
Prior art keywords: request message, address, sip request, domain name, sip
Application number: PCT/CN2009/071033
Other languages: French (fr), Chinese (zh)
Inventors: 张喆, 吴平, 陈斌, 赵武
Original Assignee: 华为技术有限公司
Application filed by 华为技术有限公司
Priority to BRPI0906521A2
Publication of WO2009117968A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic

Definitions

  • The embodiments of the present invention relate to the field of network technologies, and in particular to a method, system, and apparatus for preventing an illegal route attack.
  • Background technique
  • IMS: IP Multimedia Subsystem
  • Generalized NGN: Next Generation Network
  • IP: Internet Protocol
  • VOIP: Voice over IP
  • The IP network of a telecommunication network represented by the IMS solution faces more security threats.
  • These security threats mainly cover network security vulnerabilities and vulnerabilities in the implementation of application layer logic, such as SIP (Session Initiation Protocol) application layer logic.
  • SIP: Session Initiation Protocol
  • Illegal routing attacks and protocol/standard security vulnerabilities: since VOIP solutions such as IMS/generalized NGN rely on many protocols, security may have been insufficiently considered during protocol development. Early protocols did not consider security or have specific security problems, and later protocol standards refer to them directly without adaptation or revision, which has led to many security vulnerabilities.
  • The embodiment of the invention provides a method, a system and a device for preventing an illegal route attack, so as to solve the problem of illegal route attacks at the SIP application layer.
  • An embodiment of the present invention provides a method for preventing an illegal route attack, which includes the following steps:
  • when the next hop in the SIP initial request is in IP address format, the SIP request message is checked for validity according to an IP barring list or an IP permission list in a pre-configured SIP application layer logical routing table.
  • the embodiment of the present invention further provides a system for preventing an illegal route attack, including:
  • the device for preventing an illegal routing attack is configured to perform a legality check and routing processing on a Session Initiation Protocol (SIP) request message according to a pre-configured application layer logical routing table.
  • the device for preventing an illegal route attack includes:
  • a detecting module configured to detect, when the next hop in the SIP request message is an IP address format, whether the IP address of the next hop in the SIP request message is a broadcast address;
  • the first checking module is configured to: when the IP address is a non-broadcast address, perform a validity check on the SIP request message according to an IP prohibition list or an IP permission list in a pre-configured SIP application layer logical routing table.
  • the embodiment of the present invention further provides an apparatus for preventing an illegal routing attack, including:
  • a detecting module configured to detect, when the next hop in the SIP request message is an IP address format, whether the IP address of the next hop in the SIP request message is a broadcast address;
  • the first checking module is configured to: when the IP address is a non-broadcast address, perform legality check on the SIP request message according to the IP prohibition list and the IP permission list in the pre-configured SIP application layer logical routing table.
  • the embodiment of the present invention further provides a system for preventing an illegal routing attack, including an application processor AM, a service data processor SDM, and a security processing device, where: the security processing device is configured to set a routing policy and send it to the SDM; the SDM is configured to send the routing policy to the AM according to the requirement of the AM;
  • the AM is configured to receive the routing policy from the SDM, receive a SIP request message including a next hop address from the terminal, and determine whether to perform the next hop routing according to the routing policy.
  • the embodiment of the present invention has the following beneficial effects: the validity of the SIP request message is checked by querying the pre-configured SIP application layer logical routing table, thereby solving the problem of illegal routing attacks using SIP request messages.
  • DRAWINGS
  • FIG. 1 is a flowchart of a method for preventing an illegal route attack according to Embodiment 1 of the present invention
  • FIG. 2 is a flowchart of a method for preprocessing a SIP request message according to Embodiment 1 of the present invention
  • FIG. 3 is a flowchart of attack detection and routing processing according to an IP address according to Embodiment 1 of the present invention
  • FIG. 5 is a flowchart of a method for preventing an illegal route attack according to Embodiment 2 of the present invention
  • FIG. 6 is a flowchart of a method for performing attack detection and routing processing according to a domain name according to Embodiment 2 of the present invention
  • FIG. 7 is a flowchart of a method for preventing an illegal route attack according to Embodiment 3 of the present invention
  • FIG. 8 is a schematic structural diagram of a system for preventing an illegal route attack according to Embodiment 4 of the present invention
  • FIG. 9 is a schematic structural diagram of an apparatus for preventing an illegal route attack according to Embodiment 4 of the present invention
  • FIG. 10 is a schematic structural diagram of another apparatus for preventing an illegal route attack according to Embodiment 4 of the present invention.
  • FIG. 11 is a diagram of communication between network elements of an A-IMS-based network for preventing illegal route attacks according to an embodiment of the present invention.
  • FIG. 13 is a PULL route query data exchange diagram between the SDM and the AM according to an embodiment of the present invention.
  • FIG. 16 is a system diagram of preventing an illegal route attack according to an embodiment of the present invention.
  • FIG. 17 is a PULL route query data exchange diagram applied to an IMS network according to an embodiment of the present invention.
  • the technical solution provided by the embodiment of the invention provides protection against illegal routing attacks of SIP request messages, and provides security log recording capability.
  • the next hop routing format of the SIP request message is "username@hostname", i.e. user@host format, where host is called the host part.
  • the SIP message routing method based on the Route header field and the Request-URI (Uniform Resource Identifier) is based on the host part to obtain the next hop IP.
  • the IP address on which an illegal route attack is based may be an IP address taken directly from the SIP request message, or an IP address obtained by resolving the domain name in the SIP request message through DNS (Domain Name Server).
  • the network element needs to use the SIP application layer logical routing table to perform routing legality analysis in the routing process of the SIP request message.
  • based on the IMS/generalized NGN SIP application layer logic, the embodiment of the present invention analyzes and proposes a routing control mechanism built on that application layer logic, that is, a SIP application layer logical routing table mechanism.
  • the application layer logical routing table format in the embodiment of the present invention is defined as shown in Table 1 below.
  • the method fills the SIP request message application layer logical routing table, and defines the allowed/rejected routing destination address (supporting host IP address, network IP address, and its wildcard) for each type of message. Since the SIP response message is directly discarded by the SIP server without a corresponding request, the embodiment of the present invention does not analyze the SIP response message.
  • the request methods in Table 1 or Table 2 above mainly cover INVITE / REGISTER / OPTIONS / SUBSCRIBE / NOTIFY / REFER / MESSAGE / CANCEL / ACK, etc., and focus on INVITE / REGISTER / SUBSCRIBE / MESSAGE, which are relatively complex on the network side and can cause more state and resource consumption.
  • the specific request method used to ask the network element to route the SIP request message is determined by the request initiator of the SIP request message. As shown in FIG.
  • Step S101 Receive a SIP request message, and perform pre-processing to obtain a next hop of the SIP request message.
  • the pre-processing flow is as shown in FIG. 2. Specifically: after the received SIP request message is decoded, the decoded SIP request message is internally processed by the SIP proxy. Then it is determined whether the SIP request message is routed according to the Route header field. If so, the next hop of the SIP request message is obtained from the topmost Route header field; otherwise, the next hop is obtained from the Request-URI.
  • Step S102 Determine whether the acquired next hop is an IP address. When the acquired next hop is an IP address, step S106 is performed, otherwise, steps S103 to S105 are performed.
  • Steps S103 to S105 perform DNS resolution. If the DNS resolves the IP address corresponding to the domain name, step S106 is performed; otherwise, the processing fails and an error is returned.
  • Step S106 Perform attack detection and routing processing according to the IP address.
  • the specific attack detection and routing processing is shown in Figure 3, which includes the following steps:
  • Step S1061 The process starts.
  • Step S1062 Determine whether the IP address is a broadcast address, that is, check whether the SIP request message carries the malicious attack feature of using a broadcast IP address as the next hop. If it does, step S1063 is performed; otherwise, step S1065 is performed.
  • Step S1063 Record a security log according to the information of the request originator included in the SIP request message.
  • Step S1064 Reject the SIP request message with a 403 response, ending the current session.
  • Step S1065 Query an application layer logical routing table according to the IP address.
  • Step S1066 Determine, according to the request method name in the SIP request message, whether the IP address appears in the forbidden IP address list of the application layer logical routing table. When it does not, step S1067 is performed; otherwise, step S1063 and step S1064 are performed.
  • Step S1067 Determine, according to the request method name in the SIP request message, whether the IP address appears in the allowed IP address list of the application layer logical routing table. When it does, step S1068 is performed; otherwise, step S1064 is performed.
  • Step S1068 Perform message routing according to the IP address.
  • Step S107 Perform the message sending process.
  • the message sending process is shown in Figure 4: the SIP request message is encoded, the encoded SIP request message is routed to the next hop, and it is determined whether the next hop route succeeds.
  • if the next hop route succeeds, the SIP request message is processed by the next hop network element; otherwise, it is retransmitted until timeout, and a 408 response is returned.
  • the method of the embodiment of the present invention can adjust the sequence of each step according to actual needs.
  • the foregoing embodiment of the present invention determines whether the next hop in the SIP request message is in IP address format and, when it is, detects whether the IP address of the next hop is a broadcast address.
  • when the IP address is a broadcast address, the SIP request message is rejected; when the IP address is a non-broadcast address, the SIP request message is checked for validity according to the IP prohibition list and the IP allow list in the pre-configured SIP application layer logical routing table.
  • when the next hop is a domain name, the domain name is resolved, the IP address corresponding to the domain name is obtained, and the same processing is performed, thereby preventing illegal routing attacks of SIP request messages, including those in which the next hop is a broadcast address.
  • FIG. 5 is a flowchart of a method for preventing an illegal route attack according to Embodiment 2 of the present invention, which specifically includes the following steps:
  • Step S501 Receive a SIP request message, and perform pre-processing to obtain a next hop of the SIP request message.
  • the specific pre-processing procedure refers to the first embodiment.
  • Step S502 Determine whether the acquired next hop is an IP address. When the acquired next hop is not an IP address, that is, the acquired next hop is a domain name, step S503 is performed; otherwise, steps S504 and subsequent steps are performed.
  • Step S503 When the obtained next hop is a domain name, perform a legality check on the SIP request message according to the forbidden domain name list and the allowed domain name list in the pre-configured SIP application layer logical routing table, as shown in FIG. Specifically, the following steps are included:
  • Step S5031 Query the forbidden domain name list according to the request method name in the SIP request message.
  • Step S5032 Determine whether the domain name appears in the forbidden domain name list. When the domain name appears in the forbidden domain name list, step S5033 is performed. Otherwise, step S5034 and subsequent steps are performed.
  • Step S5033 When the domain name appears in the forbidden domain name list, reject the SIP request message.
  • a security log may also be recorded.
  • Step S5034 When the domain name does not appear in the forbidden domain name list, the allowed domain name list is queried according to the request method name.
  • Step S5035 Determine whether the domain name appears in the allowed domain name list. When the domain name appears in the list of allowed domain names, step S5036 is performed, otherwise, step S5037 is performed.
  • Step S5036 When the domain name appears in the allowed domain name list, the SIP request message is routed according to the domain name.
  • Step S5037 When the domain name does not appear in the allowed domain name list, reject the SIP request message.
  • Step S504 If the acquired next hop is an IP address, attack detection and routing processing are performed according to the IP address; for the specific attack detection and routing process, refer to the foregoing embodiment.
  • Step S505 The message sending process is performed; for the specific sending flow, refer to the first embodiment.
  • the foregoing embodiment of the present invention determines whether the next hop in the SIP request message is in IP address format and, when it is, detects whether the IP address of the next hop is a broadcast address.
  • when the IP address is a broadcast address, the SIP request message is rejected; when the IP address is a non-broadcast address, the SIP request message is checked for legality according to the IP prohibition list and the IP allow list in the pre-configured SIP application layer logical routing table.
  • when the next hop in the SIP request message is in domain name format, the prohibited domain name list and the allowed domain name list in the pre-configured SIP application layer logical routing table are used to perform a legality check on the SIP request message, so as to prevent an illegal routing attack of the SIP request message.
  • the method of the embodiment of the present invention can adjust the sequence of each step according to actual needs.
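The checks of Embodiments 1 and 2 above (pre-processing of the next hop from the topmost Route header or the Request-URI, the broadcast test, then the per-method forbidden and allowed lists) as an added example; this is not code from the patent. The routing table layout, its sample entries, the local network list used to recognise directed broadcasts, and the use of 403 for domain-based rejections are assumptions; without a resolver the domain lists are applied directly (Embodiment 2), with one the domain is resolved first and judged by the IP lists (Embodiment 1).

```python
import fnmatch
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed per-method logical routing table (Table 1 is not on the page, so this
# layout is an assumption): per request method an IP deny list, an IP allow list, a
# domain deny list and a domain allow list. IP entries are hosts or CIDR networks
# (the "network IP address" case); domain entries may use '*' wildcards.
ROUTING_TABLE = {
    "INVITE": {
        "ip_deny": ["10.0.0.0/8"],
        "ip_allow": ["198.51.100.0/24", "203.0.113.7"],
        "domain_deny": ["*.blocked.example"],
        "domain_allow": ["ims.example", "*.partner.example"],
    },
}
EMPTY_ENTRY = {"ip_deny": [], "ip_allow": [], "domain_deny": [], "domain_allow": []}
# Constructed local networks, so directed broadcasts (198.51.100.255) are rejected
# as well as the limited broadcast 255.255.255.255.
LOCAL_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]

@dataclass
class Decision:
    action: str                       # "route", "reject" or "ignore"
    next_hop: Optional[str] = None
    status: Optional[int] = None      # 403 on rejection, as in step S1064
    security_log: list = field(default_factory=list)

def host_of(uri: str) -> str:
    """Host part of a SIP URI such as <sip:alice@host:5060;lr> or sip:[2001:db8::1]."""
    m = re.match(r"sips?:(?:[^@]*@)?(\[[^\]]+\]|[^:;>?]+)", uri.strip().strip("<>"))
    if not m:
        raise ValueError(f"not a SIP URI: {uri!r}")
    return m.group(1).strip("[]")

def parse_message(raw: str):
    """Return (method, request_uri, headers); method is None for a response."""
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].split()
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                       # end of headers; the body is not needed
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    if parts[0].upper().startswith("SIP/"):
        return None, None, headers
    return parts[0].upper(), parts[1], headers

def next_hop_of(request_uri: str, headers: dict) -> str:
    """Step S101 pre-processing: topmost Route header if present, else Request-URI."""
    routes = headers.get("route")
    return host_of(routes[0].split(",")[0]) if routes else host_of(request_uri)

def is_broadcast(ip) -> bool:
    return ip == ipaddress.ip_address("255.255.255.255") or any(
        ip == net.broadcast_address for net in LOCAL_NETWORKS)

def ip_listed(ip, entries) -> bool:
    return any(ip in ipaddress.ip_network(e, strict=False) for e in entries)

def domain_listed(name: str, entries) -> bool:
    return any(fnmatch.fnmatch(name.lower(), e.lower()) for e in entries)

def check_request(raw: str, resolver: Optional[Callable[[str], str]] = None) -> Decision:
    """Legality check of one SIP request. With a resolver, a domain next hop is
    resolved and judged by the IP lists (Embodiment 1); without one it is judged
    by the domain lists (Embodiment 2). SIP responses are ignored, as on the page."""
    method, request_uri, headers = parse_message(raw)
    if method is None:
        return Decision("ignore")
    table = ROUTING_TABLE.get(method, EMPTY_ENTRY)   # unknown methods: nothing allowed
    originator = headers.get("from", ["<unknown>"])[0]
    hop = next_hop_of(request_uri, headers)
    def reject(reason: str, log: bool) -> Decision:
        d = Decision("reject", hop, 403)
        if log:   # step S1063: record the request originator in the security log
            d.security_log.append(f"{method} from {originator} to {hop}: {reason}")
        return d
    try:
        ip = ipaddress.ip_address(hop)
    except ValueError:
        ip = ipaddress.ip_address(resolver(hop)) if resolver else None
    if ip is None:
        if domain_listed(hop, table["domain_deny"]):
            return reject("domain on forbidden list", log=True)       # S5033
        if domain_listed(hop, table["domain_allow"]):
            return Decision("route", hop)                              # S5036
        return reject("domain not on allowed list", log=False)        # S5037
    if is_broadcast(ip):
        return reject("broadcast next hop", log=True)                  # S1062-S1064
    if ip_listed(ip, table["ip_deny"]):
        return reject("IP on forbidden list", log=True)               # S1066
    if ip_listed(ip, table["ip_allow"]):
        return Decision("route", hop)                                  # S1068
    return reject("IP not on allowed list", log=False)                # S1067 -> S1064
```

The directed broadcast 198.51.100.255 lies inside an allowed network, which is why the broadcast test runs before the list lookups, as the flowchart orders them.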
  • since the network operator has fully considered the implementation of network security, it is more difficult for an attacker to penetrate the operator network to attack the IMS network, while an attack from the user side is relatively easy. Therefore, the method considers implementing SIP request message illegal route attack detection at the PCSCF (Proxy Call Session Control Function) entity, which is the IMS network entry point.
  • PCSCF: Proxy Call Session Control Function
  • Illegal routing attack detection and protection need to consider the following factors:
  • the third embodiment of the present invention proposes a relatively simple processing method, which is specifically as follows.
  • the PCSCF entity has the ability to check the correctness of the Route header field.
  • the SIP request message routing on the network side is determined by DNS domain name resolution and service subscription, instead of using the Route header field for message routing. Therefore, the Route header field need not be considered in the registration process.
  • the PCSCF entity can check the correctness of SIP request messages sent by the terminal in Route header mode. If the Route header field is incorrect, the PCSCF entity can, depending on the actual situation, fix the Route header field or reject the request so that the SIP request message is not routed.
  • the PCSCF entity of the embodiment of the present invention only needs to consider the case of the Request-URI.
  • the network operator may configure the allowed domain name list for the PCSCF entity according to the network application layer logic and the locally specific domain names.
  • the embodiment of the present invention analyzes, according to the application implementation details, whether SIP request messages from the terminal with a next hop in IP address format need to be supported. If the IP address format is required, an allowed IP address list is configured; otherwise, the IP address format is strictly prohibited.
  • FIG. 7 is a flowchart of a method for preventing an illegal route attack according to Embodiment 3 of the present invention, which specifically includes the following steps:
  • Step S701 The PCSCF entity performs pre-processing on the SIP request message to obtain the next hop of the SIP request message.
  • pre-processing procedure refer to the foregoing Embodiment 1.
  • Step S702 The PCSCF entity determines whether the host part of the Request-URI is a domain name format. When the Request-URI host part is in the domain name format, step S703 is performed, otherwise, step S708 is performed.
  • Step S703 The PCSCF entity queries the allowed domain name list of the SIP application layer logical routing table according to the host part domain name of the Request-URI.
  • Step S704 The PCSCF entity determines whether the allowed domain name list matches the host part domain name of the Request-URI. When the domain name is matched, step S705 is performed; otherwise, step S706 is performed.
  • Step S705 The PCSCF entity performs a legal SIP request message route according to the application logic.
  • Step S706 The PCSCF entity records the security log of the information of the request initiator in the SIP request message.
  • Step S707 the PCSCF entity rejects the current request and ends the current session.
  • Step S708 The PCSCF entity determines whether message routing according to the Request-URI in the IP address format is allowed on the PCSCF entity. When the message routing according to the Request-URI in the IP address format is allowed on the PCSCF entity, step S709 is performed; otherwise, step S706 and step S707 are performed.
  • Step S709 the PCSCF entity determines whether the IP address is a broadcast IP address. When the IP address is not a broadcast IP address, step S710 is performed, otherwise step S706 and step S707 are performed.
  • Step S710 the PCSCF entity queries the allowed IP list of the SIP application layer logical routing table according to the IP address.
  • Step S711 The PCSCF entity determines whether the IP address is matched. If the IP address is matched, step S705 is performed, otherwise step S707 is performed.
  • the method of the embodiment of the present invention can adjust the sequence of each step according to actual needs.
  • the SIP request message is pre-processed by the PCSCF entity at the IMS network entry, and the application layer logical routing table is queried according to the result of the pre-processing to perform attack detection and routing processing; by querying the application layer logical routing table, the routable range of the SIP request message is effectively limited, preventing illegal routing attacks of SIP request messages.
  • FIG. 8 is a schematic diagram of a system structure for preventing an illegal route attack according to Embodiment 4 of the present invention, including: one or more devices for preventing an illegal route attack.
  • the device for preventing an illegal route attack is configured to perform legality detection check and route processing on the SIP request message according to the pre-configured application layer logical routing table.
  • the device 1 for preventing an illegal route attack includes: a detecting module 11 configured to detect, when the next hop in the SIP request message is an IP address format, whether the IP address of the next hop in the SIP request message is a broadcast address.
  • the rejecting module 12 is configured to reject the SIP request message when the IP address is a broadcast address.
  • the first checking module 13 is configured to: when the IP address is a non-broadcast address, perform legality check on the SIP request message according to an IP prohibition list and/or an IP permission list in a pre-configured SIP application layer logical routing table.
  • the above apparatus 1 for preventing an illegal routing attack includes a PCSCF entity.
  • a schematic structural diagram of an apparatus for preventing an illegal route attack includes: a detecting module 1 configured to detect, when the next hop in a SIP request message is in IP address format, whether the IP address of the next hop in the SIP request message is a broadcast address.
  • the reject module 2 is configured to reject the SIP request message when the IP address is a broadcast address.
  • the first checking module 3 is configured to perform a validity check on the SIP request message according to the IP barring list and the IP permission list in the pre-configured SIP application layer logical routing table when the IP address is a non-broadcast address.
  • the device for preventing an illegal route attack further includes: a determining module 4, configured to determine a format of a next hop in the SIP request message.
  • the obtaining module 5 is configured to: when the next hop in the SIP request message is in domain name format, resolve the domain name and obtain the IP address corresponding to the domain name.
  • the configuration module 6 is configured to configure the SIP application layer logical routing table.
  • the first check module 3 of the foregoing apparatus includes: a first query submodule 31, configured to query, according to the request method name in the SIP request message, whether the IP address appears in the IP barring list.
  • the first rejecting submodule 32 is configured to reject the SIP request message when the IP address appears in the IP barring list.
  • the second query sub-module 33 is configured to query, according to the request method name, whether the IP address appears in the IP permission list.
  • the message routing sub-module 34 is configured to route the SIP request message according to the IP address when the IP address appears in the IP permission list; otherwise, the SIP request message is rejected.
  • the apparatus of the foregoing embodiment of the present invention determines whether the next hop in the SIP request message is in IP address format and, when it is, detects whether the IP address of the next hop is a broadcast address; when the IP address is a broadcast address, the SIP request message is rejected; when the IP address is a non-broadcast address, the validity of the SIP request message is checked according to the IP prohibition list and the IP allow list in the pre-configured SIP application layer logical routing table.
  • when the next hop in the SIP request message is in domain name format, the domain name is resolved, the IP address corresponding to the domain name is obtained, and the same processing is performed, thereby preventing illegal routing attacks of SIP request messages.
  • FIG. 10 is a schematic structural diagram of another apparatus for preventing an illegal route attack according to Embodiment 4 of the present invention, including: a detecting module 1 configured to detect, when the next hop in a SIP request message is in IP address format, whether the IP address of the next hop in the SIP request message is a broadcast address.
  • the reject module 2 is configured to reject the SIP request message when the IP address is a broadcast address.
  • the first checking module 3 is configured to check the validity of the SIP request message according to the IP barring list and the IP permission list in the pre-configured SIP application layer logical routing table when the IP address is a non-broadcast address.
  • the device for preventing an illegal route attack further includes: a determining module 4, configured to determine a format of a next hop in the SIP request message.
  • the second checking module 5 is configured to: when the next hop in the SIP request message is in domain name format, perform a legality check on the SIP request message according to the forbidden domain name list and the allowed domain name list in the pre-configured SIP application layer logical routing table.
  • the configuration module 6 is configured to configure the SIP application layer logical routing table.
  • the second checking module 5 of the foregoing apparatus includes: a first query sub-module 51, configured to query, according to the request method name in the SIP request message, whether the domain name appears in the forbidden domain name list.
  • the first rejecting submodule 52 is configured to reject the SIP request message when the domain name appears in the forbidden domain name list.
  • the second query sub-module 53 is configured to query, according to the request method name, whether the domain name appears in the allowed domain name list.
  • the message routing sub-module 54 is configured to route the SIP request message according to the domain name when the domain name appears in the allowed domain name list.
  • the second rejecting sub-module 55 is configured to reject the SIP request message when the domain name does not appear in the allowed domain name list.
  • the apparatus of the foregoing embodiment of the present invention determines whether the next hop in the SIP request message is in IP address format and, when it is, detects whether the IP address of the next hop is a broadcast address; when the IP address is a broadcast address, the SIP request message is rejected; when the IP address is a non-broadcast address, the validity of the SIP request message is checked according to the IP prohibition list and/or the IP allow list in the pre-configured SIP application layer logical routing table.
  • when the next hop in the SIP request message is in domain name format, the prohibited domain name list and the allowed domain name list are used to perform a legality check on the SIP request message, so as to prevent an illegal routing attack of the SIP request message.
  • the apparatus in the fourth embodiment of the present invention may include a proxy call session control function PCSCF entity or an Edge AM. Those skilled in the art may understand that the modules of the apparatus in this embodiment may be distributed in the apparatus as described, or may be correspondingly changed and located in one or more apparatuses different from this embodiment.
  • the modules of the above embodiments may be combined into one module, or may be further split into multiple sub-modules.
  • the A-IMS-based network architecture for preventing illegal route attacks is used in the embodiment of the present invention.
  • the architecture can include the following A-IMS network elements:
  • AM: Application Manager, application processor
  • SDM: Service Data Manager, service data processor
  • SM: Security Manager, security processor
  • SOC: Security Operation Center
  • the communication between the network elements based on the network architecture is as shown in FIG. 11, and includes the following steps:
  • Step S1101 The SM/SOC defines a SIP legal/illegal routing policy and sends the policy to the SDM.
  • the delivery policy covers inserting, deleting, querying, and modifying specific application layer SIP routing entries.
  • the delivered routing policy includes two types: permanent routing policy and temporary routing policy.
  • Step S1102 The SDM sends a response message to the SM.
  • the response message is either a confirmation that the modification succeeded or a failure message indicating that the modification failed; the failure message must carry the failure reason.
  • the SDM accepts the SIP legal/illegal routing policy from the SM and updates the local long-term stored application layer SIP routing table, and feeds the response message to the SM.
  • the data exchange between SM and SDM is as shown in Figure 12. It can include inserting, deleting, querying, and modifying specific application layer SIP routing entries.
  • Step S1103: the permanent/temporary routing policy is pulled (PULL) or updated (UPDATE) between the SDM and the AM.
  • the AM receives the routing policy from the SDM in two ways.
  • the PULL data exchange, shown in FIG. 13, includes the following:
  • the AM receives a SIP request sent by an AT (Access Terminal); the SIP request includes a domain name request or an IP address request.
  • the AM queries its local routing table according to the SIP request sent by the AT.
  • if no matching local route is found, step S11033 is performed.
  • the AM sends a PULL route query request to the SDM.
  • the SDM sends a temporary routing policy to the AM according to the PULL route query request.
  • the AM sends PULL requests to the SDM as the AM needs them.
  • the AM receives the PULL response from the SDM.
  • the AM network element checks the application layer SIP routing table when routing the SIP request; because an illegal SIP routing request finds no corresponding entry in the application layer SIP routing table, the illegal SIP routing request is rejected.
  • the SDM sends an UPDATE routing update request to the AM;
  • the AM returns an UPDATE routing update response to the SDM.
  • the routing policy is held on the AM long-term.
  • the SDM performs a forced update (UPDATE); the SDM is forced to initiate an UPDATE when the AM restarts.
  • a forced UPDATE is also required after the permanent routing policy stored locally on the SDM is successfully modified.
  • the temporary routing policy is temporarily stored on the AM.
  • SDM can also initiate an UPDATE for the temporary routing policy.
  • the SIP routing table format is defined as follows:
  • Request source IP address: the source IP address from which the route query is initiated, identifying the network element that initiates the query; it is needed because different network elements have different routing capabilities.
  • Request method: different routing strategies are designed for different request methods such as REGISTER/INVITE/SUBSCRIBE;
  • Whether permitted: defines whether the route is a legal route or an illegal route.
  • Destination host IP/network address: defines the destination address of the route, which may be a host address or a network address.
  • Temporary/Permanent: defines whether the entry belongs to the temporary routing table or the permanent routing table.
  • the above parameters are set by the SM/SOC, can be requested by the AM on demand, or can be actively pushed (UPDATE) to the AM by the SDM.
  • the AM queries the locally stored temporary routing policy and permanent routing policy based on the next-hop IP address of the SIP request (or the next-hop IP address obtained through DNS resolution). If the local query fails, the routing policy is requested from the SDM. When the SDM has a routing policy update, the updated permanent routing policy and temporary routing policy are pushed to the AM by UPDATE.
  • a terminal may initiate malicious calls towards illegal routing destination addresses, causing the application layer SIP routing table to be refreshed maliciously; the resulting churn of the routing table consumes SDM<->AM communication resources and increases network latency.
  • countering this attack requires a signaling-level flood-prevention (anti-DoS) mechanism at the AM network boundary.
  • using separate storage for the permanent routing table, the legal SIP route definitions of the temporary routing table, and the illegal SIP route definitions of the temporary routing table also helps to protect against this attack.
  • Step S1501: receive a SIP request message from the AT, where the SIP request message carries the IP address of the next hop, i.e. IP routing information;
  • the above AT may be an AT entity or a UE entity.
  • Step S1502: determine whether the IP address is a broadcast address; if so, go to step S1507, otherwise go to step S1503.
  • Step S1503: query the AM logical routing table according to the IP address.
  • Step S1504: determine whether the AM has a matching local route; if so, go to step S1505, otherwise go to step S1509;
  • Step S1505: determine according to the SIP routing table whether the route is permitted; if so, go to step S1506, otherwise go to step S1507.
  • Step S1506: perform message routing according to the IP address.
  • Step S1507: record the request initiator information from the request message in the security log.
  • Step S1508: reject the SIP request message with a 403 response and end the current session.
  • Step S1509: initiate a query to the SDM according to the destination IP.
  • Step S1510: determine whether the SDM application layer has a matching route; if so, go to step S1511, otherwise go to step S1508;
  • Step S1511: the routing table information found at the SDM is written into the AM local routing table.
  • combining PULL and UPDATE keeps the consumption of SIP routing table storage on the AM device as low as possible, improves routing table query efficiency through the AM's locally cached temporary routing table, and reduces the performance requirements on the Cx interface.
  • a system for preventing an illegal routing attack includes an application processor AM 1610, a service data processor SDM 1620, and a security management device 1630.
  • the security management device 1630 is configured to set a routing policy and send a routing policy to the SDM.
  • the SDM 1620 is configured to store a routing policy and send a routing policy to the AM 1610 according to the requirements of the AM 1610.
  • the AM 1610 is configured to determine, when receiving a SIP request message including a next-hop address sent by the access terminal 1640, whether to perform next-hop routing.
  • the various units of the system of the embodiments of the present invention may be integrated into one device or may be distributed to multiple devices.
  • the above units may be combined into one unit, or may be further split into a plurality of subunits.
  • the present invention can be implemented by hardware, or by software together with a necessary general-purpose hardware platform; the technical solution of the present invention can be embodied in the form of a software product stored in a non-volatile storage medium (which can be a CD-ROM, a USB flash drive, a mobile hard disk, etc.) and including a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the methods described in the various embodiments of the present invention.
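The SDM<->AM PULL/UPDATE exchange and the AM routing flow of steps S1501 to S1511, as an added Python example that is not code from the patent: a local miss triggers a PULL whose result is cached on the AM, a forced UPDATE pushes the permanent policy, and the broadcast test runs before any lookup. The policy entries, addresses and the AM's local network (used for the directed-broadcast check) are constructed assumptions.

```python
# Added example (not code from the patent): a model of the SDM<->AM PULL/UPDATE
# exchange and of the AM routing flow of steps S1501-S1511. The policies,
# addresses and the AM's local network below are constructed.
import ipaddress

LIMITED_BROADCAST = ipaddress.ip_address("255.255.255.255")
AM_LOCAL_NETWORK = ipaddress.ip_network("192.0.2.0/24")  # assumed; directed broadcast


def find_entry(store, method, addr):
    """Match (request method, destination host/network) -> permit entries."""
    for (m, dest), permit in store.items():
        if m == method and addr in ipaddress.ip_network(dest, strict=False):
            return (m, dest, permit)
    return None


class SDM:
    """Service data manager: long-term store of the permanent and temporary policy."""

    def __init__(self, permanent, temporary):
        self.permanent = dict(permanent)  # separate storage for the two policies
        self.temporary = dict(temporary)
        self.pulls = 0  # counts SDM<->AM PULL traffic

    def pull(self, method, addr):
        """Answer an AM PULL query with the matching entry, or None (step S1510)."""
        self.pulls += 1
        return (find_entry(self.permanent, method, addr)
                or find_entry(self.temporary, method, addr))

    def update(self, am):
        """Forced UPDATE: push the permanent policy to the AM (e.g. after an AM restart)."""
        am.table = dict(self.permanent)


class AM:
    """Application manager holding a local copy of routing entries and a security log."""

    def __init__(self, sdm):
        self.sdm = sdm
        self.table = {}          # local routing table filled by UPDATE and PULL
        self.security_log = []   # (originator, method, next hop, reason)

    def route(self, method, next_hop, originator="at1"):
        """Steps S1501-S1511: returns ("route", next hop) or ("reject", 403)."""
        addr = ipaddress.ip_address(next_hop)
        if addr in (LIMITED_BROADCAST, AM_LOCAL_NETWORK.broadcast_address):  # S1502
            self.security_log.append((originator, method, next_hop, "broadcast"))
            return ("reject", 403)                                     # S1507, S1508
        entry = find_entry(self.table, method, addr)                   # S1503
        if entry is None:                                              # S1504: no
            entry = self.sdm.pull(method, addr)                        # S1509
            if entry is None:
                return ("reject", 403)                                 # S1510: no
            m, dest, permit = entry
            self.table[(m, dest)] = permit                             # S1511: cache
        if not entry[2]:                                               # S1505: no
            self.security_log.append((originator, method, next_hop, "route not permitted"))
            return ("reject", 403)
        return ("route", next_hop)                                     # S1506


def demo():
    """Run a constructed sequence; returns (decisions, SDM pull count, log length)."""
    sdm = SDM(permanent={("INVITE", "198.51.100.0/24"): True},
              temporary={("INVITE", "10.9.8.7"): False})
    am = AM(sdm)
    decisions = [
        am.route("INVITE", "198.51.100.7"),  # local miss -> PULL, cached, routed
        am.route("INVITE", "198.51.100.8"),  # served from the local copy, no PULL
        am.route("INVITE", "10.9.8.7"),      # PULL returns a deny entry -> 403, logged
        am.route("INVITE", "203.0.113.9"),   # unknown at the SDM too -> 403, nothing
                                             # cached, so a repeat would PULL again
        am.route("INVITE", "192.0.2.255"),   # directed broadcast -> 403 before lookup
    ]
    return decisions, sdm.pulls, len(am.security_log)
```

The unknown-destination case is the table churn the text warns about: every repeat of such a request costs another SDM<->AM PULL, which is why a signaling-level flood limit at the AM boundary is still needed.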

Abstract

An illegal route attack defending method, system and equipment. The method includes detecting, when the next hop of a SIP request message is in IP address format, whether the next-hop IP address of the SIP request message is a broadcast address, and, when the IP address is not a broadcast address, carrying out a validity check on the SIP request message according to an IP forbidding list and an IP permitting list configured in advance in a SIP application layer logical route table.

Description

A method, system and apparatus for preventing illegal routing attacks
This application claims priority to Chinese Patent Application No. 200810090362.9, filed with the Chinese Patent Office on March 28, 2008 and entitled "A method, system and apparatus for preventing illegal routing attacks", the entire contents of which are incorporated herein by reference.
Technical field
The embodiments of the present invention relate to the field of network technologies, and in particular to a method, system and apparatus for preventing illegal routing attacks.
Background
With the development of network technology, the IMS (IP Multimedia Subsystem) / generalized NGN (Next Generation Network) solutions represent the trend of telecommunication solutions moving towards IP (Internet Protocol). Because of their openness and their combination with IP communication, telecommunication solutions based on VOIP (Voice over IP) face security threats that the relatively closed traditional telecommunication networks did not have.
In the course of implementing the present invention, the inventors found that the prior art has at least the following problems:
At present, the IP-based telecommunication networks represented by IMS solutions face numerous security threats. These threats mainly cover networking security vulnerabilities, application layer logic security vulnerabilities such as SIP (Session Initiation Protocol) application layer logical illegal routing attacks, and protocol/standard security vulnerabilities. Since VOIP solutions such as IMS/generalized NGN rely on many protocols, there may be insufficient consideration during protocol design, early protocols may not have anticipated or faced particular security problems, and later standards may reference such a protocol directly without adapting it, all of which leads to many security vulnerabilities.
At present there is no technical solution to SIP application layer logical illegal routing attacks.
Summary of the invention
Embodiments of the present invention provide a method, system and apparatus for preventing illegal routing attacks, so as to solve the problem of SIP application layer logical illegal routing attacks.
To achieve this, an embodiment of the present invention provides, in one aspect, a method for preventing illegal routing attacks, including the following steps:
when the next hop in a Session Initiation Protocol SIP request message is in IP address format, detecting whether the IP address of the next hop in the SIP request message is a broadcast address;
when the IP address is not a broadcast address, performing a legality check on the SIP request message according to an IP forbidden list or an IP allowed list in a pre-configured SIP application layer logical routing table.
In another aspect, an embodiment of the present invention further provides a system for preventing illegal routing attacks, including:
an apparatus for preventing illegal routing attacks, configured to perform a legality check and routing processing on a Session Initiation Protocol SIP request message according to a pre-configured application layer logical routing table; the apparatus for preventing illegal routing attacks includes:
a detecting module, configured to detect, when the next hop in the SIP request message is in IP address format, whether the IP address of the next hop in the SIP request message is a broadcast address;
a first checking module, configured to perform, when the IP address is not a broadcast address, a legality check on the SIP request message according to the IP forbidden list or the IP allowed list in the pre-configured SIP application layer logical routing table.
In a further aspect, an embodiment of the present invention further provides an apparatus for preventing illegal routing attacks, including:
a detecting module, configured to detect, when the next hop in the SIP request message is in IP address format, whether the IP address of the next hop in the SIP request message is a broadcast address;
a first checking module, configured to perform, when the IP address is not a broadcast address, a legality check on the SIP request message according to the IP forbidden list and the IP allowed list in the pre-configured SIP application layer logical routing table.
In a further aspect, an embodiment of the present invention further provides a system for preventing illegal routing attacks, including an application processor AM, a service data processor SDM and a security processing device, where:
the security processing device is configured to set a routing policy and send the routing policy to the SDM; the SDM is configured to store the routing policy and, according to the requirements of the AM, send the routing policy to the AM;
the AM is configured to receive the routing policy from the SDM and, when receiving a SIP request message including a next-hop address from a terminal, to determine according to the routing policy whether to perform next-hop routing.
Embodiments of the present invention have the following beneficial effect: by querying a pre-configured SIP application layer logical routing table to perform a legality check on the SIP request message, the problem of illegal routing attacks via SIP request messages is solved.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention, and those of ordinary skill in the art may obtain other drawings from them without creative effort.
FIG. 1 is a flowchart of a method for preventing illegal routing attacks according to Embodiment 1 of the present invention;
FIG. 2 is a flowchart of a method for preprocessing a SIP request message according to Embodiment 1 of the present invention;
FIG. 3 is a flowchart of a method for attack detection and routing processing by IP address according to Embodiment 1 of the present invention;
FIG. 4 is a flowchart of a method for message sending processing according to Embodiment 1 of the present invention;
FIG. 5 is a flowchart of a method for preventing illegal routing attacks according to Embodiment 2 of the present invention;
FIG. 6 is a flowchart of a method for attack detection and routing processing by domain name according to Embodiment 2 of the present invention;
FIG. 7 is a flowchart of a method for preventing illegal routing attacks according to Embodiment 3 of the present invention;
FIG. 8 is a schematic structural diagram of a system for preventing illegal routing attacks according to Embodiment 4 of the present invention;
FIG. 9 is a schematic structural diagram of an apparatus for preventing illegal routing attacks according to Embodiment 4 of the present invention;
FIG. 10 is a schematic structural diagram of another apparatus for preventing illegal routing attacks according to Embodiment 4 of the present invention;
FIG. 11 is a diagram of the communication between network elements of an A-IMS based network for preventing illegal routing attacks according to an embodiment of the present invention;
FIG. 12 is an SM<->SDM data exchange diagram according to an embodiment of the present invention;
FIG. 13 is a data exchange diagram of the SDM<->AM PULL route query according to an embodiment of the present invention;
FIG. 14 is a data exchange diagram of the SDM<->AM UPDATE route configuration according to an embodiment of the present invention;
FIG. 15 is a flowchart of the SIP routing process according to an embodiment of the present invention;
FIG. 16 is a diagram of a system for preventing illegal routing attacks according to an embodiment of the present invention;
FIG. 17 is a data exchange diagram of the PULL route query applied to an IMS network according to an embodiment of the present invention.
Detailed description
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings of the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of the present invention.
The technical solution provided by the embodiments of the present invention protects against illegal routing attacks via SIP request messages and provides a security logging capability. The next-hop routing format of a SIP request message is "username + @ + hostname", i.e. the user@host format, where host is called the host part. SIP message routing based on the Route header field and the Request-URI (Uniform Resource Identifier) obtains the next-hop IP address or domain name from the host part and routes the message accordingly. The IP address on which an illegal routing attack is based may be an IP address carried in the SIP request message itself, or an IP address obtained by resolving, through DNS (Domain Name Server), a domain name carried in the SIP request message. During the routing of a SIP request message, the network element needs to use the SIP application layer logical routing table to analyse the legality of the route.
To strengthen the control of and protection against illegal routing attacks via SIP request messages, the embodiments of the present invention analyse the IMS/generalized NGN SIP application layer logic and propose a routing control mechanism based on application layer logic, implemented in the form of a SIP application layer logical routing table and supplemented by a security log that records SIP illegal routing attack behaviour. To facilitate later tracing and analysis, the format of the application layer logical routing table in the embodiments of the present invention is defined in Table 1 below.
Table 1
[Table 1: SIP application layer logical routing table (IP addresses), reproduced only as an image in the original]
Different network elements in an IMS/generalized NGN network have different application layer logic, so each network element has its own application layer logical routing table. A given network element fills its SIP request message application layer logical routing table according to the different request methods, defining for each type of message the allowed/denied routing destination addresses (host IP addresses, network IP addresses and their wildcards are supported). Because a SIP response message without a corresponding request is discarded directly by the SIP server, the embodiments of the present invention do not analyse SIP response messages.
Likewise, the allowed/denied routing destination domain names (wildcards supported) are defined for each type of message, as shown in Table 2.
Table 2
[Table 2: SIP application layer logical routing table (domain names), reproduced only as an image in the original]
The request methods in Table 1 or Table 2 mainly cover INVITE (call) / REGISTER (register) / OPTIONS (options) / SUBSCRIBE (subscribe) / NOTIFY (notify) / REFER (refer) / MESSAGE (message) / CANCEL (cancel) / ACK (acknowledge), etc., with emphasis on INVITE / REGISTER / SUBSCRIBE / MESSAGE, whose processing on the network side is relatively complex and can create more state and resource consumption. Which request method is used to ask the network element to route the SIP request message is decided by the request initiator of the SIP request message. FIG. 1 is a flowchart of the method for preventing illegal routing attacks in Embodiment 1 of the present invention, which includes the following steps:
Step S101: receive a SIP request message and preprocess it to obtain the next hop of the SIP request message. The preprocessing flow is shown in FIG. 2: the received SIP request message is decoded, and the decoded SIP request message is processed internally by the SIP proxy. It is then determined whether the SIP request message is to be routed according to the Route header field. When it is, the next hop of the SIP request message is obtained from the topmost Route header field; otherwise, it is obtained from the Request-URI.
Step S102: determine whether the obtained next hop is an IP address. When it is, go to step S106; otherwise, perform steps S103 to S105.
Steps S103 to S105: perform DNS resolution. When the obtained next hop is not an IP address, i.e. it is a domain name, DNS resolution obtains the IP address corresponding to the domain name. When the domain name is resolved successfully, go to step S106; otherwise, processing fails and an error is returned.
Step S106: perform attack detection and routing processing by IP address. The specific attack detection and routing processing is shown in FIG. 3 and includes the following steps:
Step S1061: processing starts.
Step S1062: determine whether the IP address is a broadcast address, i.e. check, based on the IP address, whether the SIP request message carries the malicious attack signature of a broadcast IP address as next hop. When it does, go to step S1063; otherwise, go to step S1065.
Step S1063: record a security log according to the request originator information contained in the SIP request message.
Step S1064: reject the SIP request message with a 403 response and end the current session.
Step S1065: query the application layer logical routing table according to the IP address.
Step S1066: determine, according to the request method name in the SIP request message, whether the IP address appears in the forbidden IP address list of the application layer logical routing table. When it does not, go to step S1067; otherwise, perform steps S1063 and S1064.
Step S1067: determine, according to the request method name in the SIP request message, whether the IP address appears in the allowed IP address list of the application layer logical routing table. When it does, go to step S1068; otherwise, go to step S1064.
Step S1068: route the message according to the IP address.
Step S107: perform message sending processing. The message sending flow is shown in FIG. 4: the SIP request message is encoded, the encoded SIP request message is routed to the next hop, and it is determined whether the next-hop routing succeeded. When it succeeded, the SIP request message is processed by the next-hop network element; otherwise, it is retransmitted until timeout and a 408 response is returned.
The order of the steps of the method in the embodiments of the present invention may be adjusted according to actual needs.
The above embodiment determines whether the next hop in the SIP request message is in IP address format; when it is, it detects whether the next-hop IP address in the SIP request message is a broadcast address, rejects the SIP request message when the IP address is a broadcast address, and, when the IP address is not a broadcast address, performs a legality check on the SIP request message according to the IP forbidden list and the IP allowed list in the pre-configured SIP application layer logical routing table; when the next hop in the SIP request message is in domain name format, it resolves the domain name, obtains the IP address corresponding to the domain name and then performs the corresponding processing. Illegal routing attacks via SIP request messages are thereby prevented.
FIG. 5 is a flowchart of the method for preventing illegal routing attacks in Embodiment 2 of the present invention, which includes the following steps:
Step S501: receive a SIP request message and preprocess it to obtain the next hop of the SIP request message. For the preprocessing flow, refer to Embodiment 1 above.
Step S502: determine whether the obtained next hop is an IP address. When it is not, i.e. when the obtained next hop is a domain name, go to step S503; otherwise, perform step S504 and the following steps.
Step S503: when the obtained next hop is a domain name, perform a legality check on the SIP request message according to the forbidden domain name list and the allowed domain name list in the pre-configured SIP application layer logical routing table, as shown in FIG. 6, which includes the following steps:
Step S5031: query the forbidden domain name list according to the request method name in the SIP request message.
Step S5032: determine whether the domain name appears in the forbidden domain name list. When it does, go to step S5033; otherwise, perform step S5034 and the following steps.
Step S5033: when the domain name appears in the forbidden domain name list, reject the SIP request message.
In this step, a security log may also be recorded when the SIP request message is rejected.
Step S5034: when the domain name does not appear in the forbidden domain name list, query the allowed domain name list according to the request method name.
Step S5035: determine whether the domain name appears in the allowed domain name list. When it does, go to step S5036; otherwise, go to step S5037.
Step S5036: when the domain name appears in the allowed domain name list, route the SIP request message according to the domain name.
Step S5037: when the domain name does not appear in the allowed domain name list, reject the SIP request message.
Step S504: when the obtained next hop is an IP address, perform attack detection and routing processing by IP address; for the specific attack detection and routing processing flow, refer to Embodiment 1 above.
Step S505: perform message sending processing; for the specific message sending flow, refer to Embodiment 1 above.
The above embodiment determines whether the next hop in the SIP request message is in IP address format; when it is, it detects whether the next-hop IP address in the SIP request message is a broadcast address, rejects the SIP request message when the IP address is a broadcast address, and, when the IP address is not a broadcast address, performs a legality check on the SIP request message according to the IP forbidden list and the IP allowed list in the pre-configured SIP application layer logical routing table. When the next hop in the SIP request message is in domain name format, it performs a legality check on the SIP request message according to the forbidden domain name list and the allowed domain name list in the pre-configured SIP application layer logical routing table, thereby preventing illegal routing attacks via SIP request messages.
The order of the steps in the method of this embodiment of the present invention may be adjusted according to actual needs.
Considering that in an actual commercial network environment, where the network operator has already given full consideration to network security, it is relatively difficult for an attacker to penetrate the operator's network and attack the IMS network from inside, whereas launching an attack from the user side is comparatively easy, this method implements detection of illegal routing attacks in SIP request messages on the PCSCF (Proxy Call Session Control Function) entity, which is the entry point of the IMS network. In general, implementing detection of and protection against illegal routing attacks in SIP request messages on the PCSCF entity needs to take the following factors into account:
(1) The different processing of the PCSCF entity in registration and in sessions.
(2) The different processing of the PCSCF entity in the local domain and in the roaming domain.
However, if the PCSCF entity were to fully account for attacks via both the Route header field and the Request-URI, and for the different handling under the different registration and session flows of a local PCSCF entity and a roaming PCSCF entity, the PCSCF routing-related application layer logic in this part would become quite complex. Embodiment 3 of the present invention therefore proposes a relatively simple processing method, described below.
The PCSCF entity is capable of checking the correctness of the Route header field. According to the existing relevant technical standards, while the user is in the unregistered state the routing of SIP request messages on the network side is determined by DNS domain name resolution and service subscription, rather than by the Route header field. Therefore, the Route header field need not be considered in the registration flow. In an ordinary session flow, because the PCSCF entity is aware of the service, it can check the correctness of SIP request messages sent by the terminal that are routed by means of the Route header field; if the Route header field is incorrect, the PCSCF entity can correct the Route header field according to the actual situation or reject the request, so that the SIP request message loses its attack capability.
Therefore, the PCSCF entity in this embodiment of the present invention only needs to consider the Request-URI. In this embodiment, the network operator may configure an allowed domain name list for the PCSCF entity according to the application layer logic of its own network and its own specific domain names. For the case of IP addresses, this embodiment analyzes, according to the details of the application implementation, whether it is necessary to support SIP request messages from terminals whose Request-URI is in IP address format; where IP address format must be supported, an allowed IP address list is configured, and a Request-URI carrying a broadcast IP address is strictly prohibited.
As shown in FIG. 7, the flowchart of the method for preventing illegal routing attacks in Embodiment 3 of the present invention specifically includes the following steps:
Step S701: The PCSCF entity preprocesses the SIP request message and acquires the next hop of the SIP request message. For the specific preprocessing flow, refer to the foregoing Embodiment 1.
Step S702: The PCSCF entity determines whether the host part of the Request-URI is in domain name format. When the host part of the Request-URI is in domain name format, perform step S703; otherwise, perform step S708.
Step S703: The PCSCF entity queries the allowed domain name list of the SIP application layer logical routing table according to the domain name in the host part of the Request-URI.
Step S704: The PCSCF entity determines whether the domain name in the host part of the Request-URI is matched. When the domain name is matched, perform step S705; otherwise, perform step S706.
Step S705: The PCSCF entity routes the legal SIP request message according to the application logic.
Step S706: The PCSCF entity records the information of the request initiator in the SIP request message in a security log.
Step S707: The PCSCF entity rejects the request and ends the current session.
Step S708: The PCSCF entity determines whether message routing according to a Request-URI in IP address format is allowed on the PCSCF entity. When routing according to a Request-URI in IP address format is allowed on the PCSCF entity, perform step S709; otherwise, perform steps S706 and S707.
Step S709: The PCSCF entity determines whether the IP address is a broadcast IP address. When the IP address is not a broadcast IP address, perform step S710; otherwise, perform steps S706 and S707.
Step S710: The PCSCF entity queries the allowed IP list of the SIP application layer logical routing table according to the IP address.
Step S711: The PCSCF entity determines whether the IP address is matched. If the IP address is matched, perform step S705; otherwise, perform step S707.
The order of the steps in the method of this embodiment of the present invention may be adjusted according to actual needs.
In this embodiment of the present invention, the PCSCF entity at the entry of the IMS network preprocesses the SIP request message and, according to the result of the preprocessing, queries the application layer logical routing table to perform attack detection and routing processing. The application layer logical routing table lookup thus effectively limits the routable range of SIP request messages and prevents illegal routing attacks via SIP request messages.
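As an added illustration (not code from the patent), the following Python models the decision flow of steps S502 to S505 and S5031 to S5037 together with the PCSCF flow of steps S702 to S711: the next hop is classified as IP address or domain name, broadcast IP addresses are rejected outright, the four lists of the logical routing table are consulted by request method, and a per-PCSCF switch decides whether an IP-format Request-URI is accepted at all. The table layout, the sample entries and the local subnets used for the directed-broadcast check are assumptions.

```python
"""Next-hop legality check against a SIP application layer logical routing
table, following the decision flow of FIG. 5/6 (steps S502-S505,
S5031-S5037) and FIG. 7 (steps S702-S711).

Added illustration, not code from the patent. The table layout, the
sample entries and the local subnets used for the directed-broadcast
check are assumptions; the patent only names the four lists (IP
forbidden/allowed, domain forbidden/allowed) keyed by request method,
the broadcast-address rule and the per-PCSCF switch for IP-format
Request-URIs.
"""
import ipaddress
import logging

log = logging.getLogger("sip-route-check")

# Assumed table shape: per request method, forbidden and allowed lists of
# IP networks and of domain names (constructed sample data). Embodiment 3
# uses allowed lists only, which is the same shape with empty forbidden lists.
LOGICAL_ROUTING_TABLE = {
    "INVITE": {
        "ip_forbidden": ["10.0.0.0/8"],
        "ip_allowed": ["192.0.2.0/24"],
        "domain_forbidden": ["evil.example"],
        "domain_allowed": ["ims.example.net"],
    },
    "REGISTER": {
        "ip_forbidden": [],
        "ip_allowed": [],
        "domain_forbidden": [],
        "domain_allowed": ["ims.example.net"],
    },
}

# Assumption: local subnets whose directed-broadcast address is rejected in
# addition to the limited broadcast address 255.255.255.255.
LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]


def parse_next_hop(host):
    """Return an address object for an IP-format host, None for a domain name."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None


def is_broadcast(addr):
    """Limited broadcast, or directed broadcast of a configured local subnet."""
    if addr.version != 4:
        return False
    if addr == ipaddress.IPv4Address("255.255.255.255"):
        return True
    return any(addr == net.broadcast_address for net in LOCAL_NETWORKS)


def _domain_matches(domain, entry):
    """Exact match or sub-domain match, case-insensitive, trailing dot ignored."""
    d, e = domain.lower().rstrip("."), entry.lower().rstrip(".")
    return d == e or d.endswith("." + e)


def _in_networks(addr, networks):
    return any(addr in ipaddress.ip_network(n) for n in networks)


def _reject(method, host, reason):
    # A security log entry is recorded together with the rejection (S5033/S706).
    log.warning("rejected %s to %s: %s", method, host, reason)
    return ("reject", reason)


def check_next_hop(method, host, table=LOGICAL_ROUTING_TABLE,
                   allow_ip_next_hop=True):
    """Return ("route", host) or ("reject", reason) for one SIP request.

    allow_ip_next_hop models step S708: whether this PCSCF accepts an
    IP-format Request-URI at all.
    """
    lists = table.get(method.upper())
    if lists is None:
        return _reject(method, host, "no routing policy for method")
    addr = parse_next_hop(host)
    if addr is not None:
        # IP-format next hop: S504 / S708-S711.
        if not allow_ip_next_hop:
            return _reject(method, host, "IP-format next hop not allowed")
        if is_broadcast(addr):
            return _reject(method, host, "broadcast address")
        if _in_networks(addr, lists["ip_forbidden"]):
            return _reject(method, host, "IP forbidden list")
        if _in_networks(addr, lists["ip_allowed"]):
            return ("route", host)
        return _reject(method, host, "not in IP allowed list")
    # Domain-name next hop: S503 (S5031-S5037) / S703-S707.
    if any(_domain_matches(host, d) for d in lists["domain_forbidden"]):
        return _reject(method, host, "domain forbidden list")
    if any(_domain_matches(host, d) for d in lists["domain_allowed"]):
        return ("route", host)
    return _reject(method, host, "not in domain allowed list")
```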
As shown in FIG. 8, the schematic structural diagram of the system for preventing illegal routing attacks in Embodiment 4 of the present invention includes one or more apparatuses 1 for preventing illegal routing attacks. The apparatus 1 for preventing illegal routing attacks is configured to perform a legality check and routing processing on SIP request messages according to a pre-configured application layer logical routing table.
The above apparatus 1 for preventing illegal routing attacks includes: a detecting module 11, configured to detect, when the next hop in a SIP request message is in IP address format, whether the IP address of the next hop in the SIP request message is a broadcast address; a rejecting module 12, configured to reject the SIP request message when the IP address is a broadcast address; and a first checking module 13, configured to perform a legality check on the SIP request message, when the IP address is a non-broadcast address, according to the IP forbidden list and/or the IP allowed list in the pre-configured SIP application layer logical routing table. The above apparatus 1 for preventing illegal routing attacks includes a PCSCF entity.
As shown in FIG. 9, the schematic structural diagram of an apparatus for preventing illegal routing attacks in Embodiment 4 of the present invention includes: a detecting module 1, configured to detect, when the next hop in a SIP request message is in IP address format, whether the IP address of the next hop in the SIP request message is a broadcast address; a rejecting module 2, configured to reject the SIP request message when the IP address is a broadcast address; and a first checking module 3, configured to perform a legality check on the SIP request message, when the IP address is a non-broadcast address, according to the IP forbidden list and the IP allowed list in the pre-configured SIP application layer logical routing table.
The above apparatus for preventing illegal routing attacks further includes: a determining module 4, configured to determine the format of the next hop in the SIP request message; an acquiring module 5, configured to resolve the domain name and acquire the IP address corresponding to the domain name when the next hop in the SIP request message is in domain name format; and a configuration module 6, configured to configure the SIP application layer logical routing table.
The first checking module 3 in the above apparatus includes: a first query sub-module 31, configured to query, according to the request method name in the SIP request message, whether the IP address appears in the IP forbidden list; a first rejecting sub-module 32, configured to instruct rejection of the SIP request message when the IP address appears in the IP forbidden list; a second query sub-module 33, configured to query, according to the request method name, whether the IP address appears in the IP allowed list; a message routing sub-module 34, configured to route the SIP request message according to the IP address when the IP address appears in the IP allowed list; and a second rejecting sub-module, configured to reject the SIP request message when the IP address does not appear in the IP allowed list.
The apparatus of the foregoing embodiment of the present invention determines whether the next hop in the SIP request message is in IP address format. When the next hop in the SIP request message is in IP address format, it detects whether the IP address of the next hop is a broadcast address; when the IP address is a broadcast address, it rejects the SIP request message; when the IP address is a non-broadcast address, it performs a legality check on the SIP request message according to the IP forbidden list and the IP allowed list in the pre-configured SIP application layer logical routing table. When the next hop in the SIP request message is in domain name format, it resolves the domain name, acquires the IP address corresponding to the domain name, and then performs the corresponding processing, thereby preventing illegal routing attacks via SIP request messages.
As shown in FIG. 10, the schematic structural diagram of another apparatus for preventing illegal routing attacks in Embodiment 4 of the present invention includes: a detecting module 1, configured to detect, when the next hop in a SIP request message is in IP address format, whether the IP address of the next hop in the SIP request message is a broadcast address; a rejecting module 2, configured to reject the SIP request message when the IP address is a broadcast address; and a first checking module 3, configured to perform a legality check on the SIP request message, when the IP address is a non-broadcast address, according to the IP forbidden list and the IP allowed list in the pre-configured SIP application layer logical routing table.
The above apparatus for preventing illegal routing attacks further includes: a determining module 4, configured to determine the format of the next hop in the SIP request message; a second checking module 5, configured to perform a legality check on the SIP request message, when the next hop in the SIP request message is in domain name format, according to the forbidden domain name list and the allowed domain name list in the pre-configured SIP application layer logical routing table; and a configuration module 6, configured to configure the SIP application layer logical routing table.
The second checking module 5 in the above apparatus includes: a first query sub-module 51, configured to query, according to the request method name in the SIP request message, whether the domain name appears in the forbidden domain name list; a first rejecting sub-module 52, configured to reject the SIP request message when the domain name appears in the forbidden domain name list; a second query sub-module 53, configured to query, according to the request method name, whether the domain name appears in the allowed domain name list; a message routing sub-module 54, configured to route the SIP request message according to the domain name when the domain name appears in the allowed domain name list; and a second rejecting sub-module 55, configured to reject the SIP request message when the domain name does not appear in the allowed domain name list.
The apparatus of the foregoing embodiment of the present invention determines whether the next hop in the SIP request message is in IP address format. When the next hop in the SIP request message is in IP address format, it detects whether the IP address of the next hop is a broadcast address; when the IP address is a broadcast address, it rejects the SIP request message; when the IP address is a non-broadcast address, it performs a legality check on the SIP request message according to the IP forbidden list and/or the IP allowed list in the pre-configured SIP application layer logical routing table. When the next hop in the SIP request message is in domain name format, it performs a legality check on the SIP request message according to the forbidden domain name list and the allowed domain name list in the pre-configured SIP application layer logical routing table, thereby preventing illegal routing attacks via SIP request messages.
The apparatus of Embodiment 4 of the present invention may include a Proxy Call Session Control Function (PCSCF) entity or an Edge AM. Those skilled in the art will understand that the modules of the apparatus in the embodiment may be distributed in the apparatus of the embodiment as described, or may be modified accordingly and located in one or more apparatuses different from those of this embodiment. The modules of the above embodiments may be combined into one module, or further split into multiple sub-modules.
As shown in FIG. 11, the A-IMS-based network architecture for preventing illegal routing attacks in an embodiment of the present invention may include the following A-IMS network elements:
AM (Application Manager),
SDM (Service Data Manager),
SM (Security Manager),
SOC (Security Operation Center).
The inter-network-element communication based on this network architecture is specifically shown in FIG. 11 and includes:
Step S1101: The SM/SOC defines SIP legal/illegal routing policies and delivers them to the SDM. The delivered policies cover inserting, deleting, querying, and modifying specific application layer SIP routing table entries. The delivered routing policies are of two kinds: permanent routing policies and temporary routing policies.
Step S1102: The SDM sends a response message to the SM. The response message is either a confirmation message indicating that the modification succeeded or a failure message indicating that the modification failed; the failure message is required to carry the failure reason. The SDM accepts the SIP legal/illegal routing policy from the SM, updates the application layer SIP routing table that it stores locally over the long term, and returns the response message to the SM.
The data exchange between the SM and the SDM is shown in FIG. 12 and may include inserting, deleting, querying, and modifying specific application layer SIP routing table entries.
Step S1103: The SDM and the AM pull (PULL) or update (UPDATE) permanent/temporary routing policies between each other.
In step S1103, the AM receives the routing policy from the SDM in two cases. Case one, PULL data exchange, as shown in FIG. 13, includes:
S11031: The AM receives a SIP request sent by an AT (Access Terminal); the SIP request is a domain name request or an IP address request.
S11032: The AM queries its local routes according to the SIP request sent by the AT.
When a route matching the AT's SIP request exists locally, determine whether the route is permitted; if it is permitted, proceed to the next hop (Next Node);
When no matching route is found locally, perform step S11033.
S11033: The AM sends a PULL route query request to the SDM. According to the PULL route query request, the SDM sends a temporary routing policy to the AM. The AM sends the PULL request to the SDM according to its own needs.
S11034: The AM receives the PULL response from the SDM;
S11035: When the PULL response contains a route matching the AT's SIP request, the AM routes to the next hop.
When routing a SIP request, the AM network element looks up the application layer SIP routing table and routes only legal SIP messages; because an illegal SIP routing request finds no corresponding entry in the application layer SIP routing table, the effect of rejecting illegal SIP routing requests is achieved.
Case two, UPDATE data exchange, as shown in FIG. 14, includes:
S11031': After the SDM's routing policy has been updated by the SM/SOC, the SDM sends an UPDATE route update request to the AM;
S11032': The AM returns an UPDATE route update response to the SDM;
Permanent routing policies persist on the AM over the long term; they are forcibly updated (UPDATE) by the SDM, and the SDM forcibly initiates an UPDATE when the AM restarts. A forced UPDATE is also required after a permanent routing policy stored locally on the SDM has been successfully modified.
Temporary routing policies are stored on the AM temporarily; the SDM may likewise initiate an UPDATE for temporary routing policies.
The SIP routing table format is defined as follows:
[Table: SIP routing table with the columns Request source IP, Request method, Permitted, Destination host IP/network address, and Temporary/permanent.]
Request source IP: the source IP address that initiates the route query, configured as the network element that initiates the query, because different network elements differ in their routing capabilities;
Request method: different routing policies are designed for different request methods such as REGISTER/INVITE/SUBSCRIBE;
Permitted: defines whether the route is a legal route or an illegal route;
Destination host IP/network address: defines the destination address of the route, including host addresses and network addresses;
Temporary/permanent: defines whether the entry belongs to the temporary routing table or the permanent routing table.
The above parameters may be set by the SM/SOC, may be requested on demand by the AM, or may be actively pushed by UPDATE from the SDM to the AM.
The AM queries the locally stored temporary routing policies and permanent routing policies based on the next-hop IP address of the SIP request (or the next-hop IP address obtained from the domain name via DNS resolution). If the local query fails, it requests the routing policy from the SDM; if a routing policy on the SDM is updated, the updated permanent and temporary routing policies are pushed to the AM by UPDATE.
When an LRU/N-LRU aging algorithm is used, a terminal that initiates malicious calls to illegal routing destination addresses causes malicious refreshing of the application layer SIP routing table; the resulting thrashing of the routing table consumes SDM<->AM communication resources and increases network latency. This attack requires that a signaling-based anti-flooding DoS mechanism be implemented at the AM network boundary. Using separate storage space for the permanent routing table, the legal SIP route definitions of the temporary routing table, and the illegal SIP route definitions of the temporary routing table also helps to protect against this attack.
FIG. 15 is a flowchart of the SIP routing process, which performs the application layer SIP routing table lookup and attack detection. The input is the IP address of the next hop, i.e., the @IP routing information. The process includes:
Step S1501: Receive a SIP request message from the AT, where the SIP request message contains the IP address of the next hop, i.e., the @IP routing information. The AT may be an AT entity or a UE entity.
Step S1502: Determine whether the IP address is a broadcast address; if yes, go to step S1507; if no, go to step S1503.
Step S1503: Query the AM logical routing table according to the IP address.
Step S1504: Determine whether the AM has a matching route locally; if yes, go to step S1505; otherwise, go to step S1509.
Step S1505: Determine whether the route is permitted according to the SIP routing table; if yes, go to step S1506; otherwise, go to step S1507.
Step S1506: Route the message according to the IP address.
Step S1507: Record the request initiator information from the request message in a security log.
Step S1508: Reject the SIP request message with a 403 response and end the current session.
Step S1509: Initiate a query to the SDM according to the destination IP. Routing table information found on the SDM is written into the AM local routing table.
Step S1510: Determine whether the SDM application layer has a matching route; if yes, go to step S1511; if no, go to step S1508.
Step S1511: Write the routing table information found on the SDM into the AM local routing table.
The implementation in this embodiment, which combines PULL and UPDATE, minimizes the consumption of SIP routing table storage resources on the AM device, while the temporary local storage of routing table entries on the AM improves the efficiency of routing table lookups and lowers the performance requirements on the Cx interface.
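As an added illustration (not code from the patent), the following Python walks through the FIG. 15 lookup on an AM: the limited broadcast address is rejected outright, the local permanent and temporary stores are consulted, a miss triggers a PULL from the SDM whose answer is written back locally, a policy change on the SDM is pushed by UPDATE, and every rejection is recorded with the initiator and answered with 403. The entry fields follow the routing table definition above; the class names, the SDM stand-in, the LRU capacity and all sample policies are assumptions.

```python
"""AM-side SIP route lookup with SDM PULL and UPDATE, after FIG. 15.

Added illustration, not code from the patent. The entry fields follow the
SIP routing table definition on this page (request source IP, request
method, permitted, destination host/network address, temporary/permanent);
the class names, the SDM stand-in, the LRU capacity and all sample policies
are assumptions.
"""
import ipaddress
from collections import OrderedDict
from dataclasses import dataclass

LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")


@dataclass(frozen=True)
class RouteEntry:
    source_ip: str     # network element that issues the query
    method: str        # REGISTER / INVITE / SUBSCRIBE ...
    destination: str   # host address or network address, CIDR notation
    permitted: bool    # legal (True) or illegal (False) route
    permanent: bool    # permanent vs temporary routing policy

    def matches(self, source_ip, method, dest):
        return (self.source_ip == source_ip and self.method == method
                and dest in ipaddress.ip_network(self.destination))


class SdmStub:
    """Stand-in for the SDM: stores SM/SOC policies, answers PULL, pushes UPDATE."""

    def __init__(self, entries):
        self.entries = list(entries)
        self.subscribers = []   # AMs that receive UPDATE pushes
        self.pull_count = 0

    def pull(self, source_ip, method, dest):
        self.pull_count += 1
        return [e for e in self.entries if e.matches(source_ip, method, dest)]

    def update_policy(self, entry):
        """SM/SOC modified a policy: store it and force an UPDATE to every AM."""
        self.entries.append(entry)
        for am in self.subscribers:
            am.receive_update(entry)


class AmRouter:
    """AM with separate permanent and temporary (LRU-aged) route stores."""

    def __init__(self, own_ip, sdm, temp_capacity=2):
        self.own_ip, self.sdm, self.cap = own_ip, sdm, temp_capacity
        self.permanent = []
        self.temporary = OrderedDict()   # (method, destination) -> RouteEntry
        self.security_log = []
        sdm.subscribers.append(self)

    def receive_update(self, entry):
        """Write an entry into the local store matching its temporary/permanent flag."""
        if entry.permanent:
            self.permanent.append(entry)
        else:
            key = (entry.method, entry.destination)
            self.temporary[key] = entry
            self.temporary.move_to_end(key)
            if len(self.temporary) > self.cap:
                self.temporary.popitem(last=False)   # LRU aging

    def _local_match(self, method, dest):
        for e in self.permanent:
            if e.matches(self.own_ip, method, dest):
                return e
        for key, e in list(self.temporary.items()):
            if e.matches(self.own_ip, method, dest):
                self.temporary.move_to_end(key)   # mark recently used
                return e
        return None

    def route(self, method, next_hop_ip, initiator):
        """Return ("route", ip) or ("403", reason); rejections are logged (S1507)."""
        dest = ipaddress.ip_address(next_hop_ip)
        if dest == LIMITED_BROADCAST:                 # S1502 -> S1507/S1508
            return self._reject(initiator, "broadcast address")
        entry = self._local_match(method, dest)       # S1503/S1504
        if entry is None:                             # S1509: PULL from SDM
            pulled = self.sdm.pull(self.own_ip, method, dest)
            if not pulled:                            # S1510 -> S1508
                return self._reject(initiator, "no route in SDM")
            entry = pulled[0]
            self.receive_update(entry)                # S1511: store locally
        if not entry.permitted:                       # S1505 -> S1507
            return self._reject(initiator, "route not permitted")
        return ("route", next_hop_ip)                 # S1506

    def _reject(self, initiator, reason):
        self.security_log.append((initiator, reason))
        return ("403", reason)
```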
As shown in FIG. 16, a system for preventing illegal routing attacks includes an application manager AM 1610, a service data manager SDM 1620, and a security management device 1630.
The security management device 1630 is configured to set routing policies and send the routing policies to the SDM;
The SDM 1620 is configured to store the routing policies and, according to the needs of the AM 1610, send routing policies to the AM 1610;
The AM 1610 is configured to determine, upon receiving a SIP request message containing a next-hop address from the access terminal 1640, whether to route to the next hop.
SOC 1632。 SOC 1632.
将 SM/ SOC和 SDM之间的接口删除, 将 SDM的路由表项插入 /删除 /查询 /修改等功能集成到 IMS网络 BMS系统后,应用于 IMS网 络的 PULL路由查询数据交换图如图 17所示, Delete the interface between the SM/SOC and the SDM, and insert the routing entry of the SDM. After the functions such as /delete/query/modify are integrated into the IMS network BMS system, the data exchange diagram of the PULL route query applied to the IMS network is as shown in FIG.
本发明实施例系统的各个单元可以集成于一个装置,也可以分布 于多个装置。 上述单元可以合并为一个单元, 也可以进一步拆分成多 个子单元。  The various units of the system of the embodiments of the present invention may be integrated into one device or may be distributed to multiple devices. The above units may be combined into one unit, or may be further split into a plurality of subunits.
From the description of the embodiments above, those skilled in the art will understand that the present invention can be implemented in hardware, or in software together with the necessary general-purpose hardware platform. On that understanding, the technical solution of the present invention can be embodied as a software product stored on a non-volatile storage medium (such as a CD-ROM, a USB flash drive or a removable hard disk) and containing instructions that cause a computing device (a personal computer, a server, a network device or the like) to perform the methods described in the embodiments of the present invention.
In conclusion, the above are merely preferred embodiments of the present invention and are not intended to limit its scope of protection. Any modification, equivalent substitution or improvement made within the spirit and principles of the present invention falls within the scope of protection of the present invention.

Claims

1. A method for preventing an illegal route attack, comprising the following steps:
when the next hop in a Session Initiation Protocol (SIP) request message is in IP address format, detecting whether the next-hop IP address in the SIP request message is a broadcast address;
when the IP address is not a broadcast address, checking the legality of the SIP request message against an IP deny list or an IP allow list in a pre-configured SIP application-layer logical routing table.
2. The method for preventing an illegal route attack according to claim 1, wherein, after detecting whether the next-hop IP address in the SIP request message is a broadcast address, the method further comprises: when the IP address is a broadcast address, rejecting the SIP request message.
3. The method for preventing an illegal route attack according to claim 1, wherein, before the step of detecting, when the next hop in the SIP request message is in IP address format, whether the next-hop IP address in the SIP request message is a broadcast address, the method further comprises:
determining the format of the next hop in the SIP request message.
4. The method for preventing an illegal route attack according to claim 3, further comprising:
when the next hop in the SIP request message is in domain name format, resolving the domain name to obtain the IP address corresponding to the domain name;
or, when the next hop in the SIP request message is in domain name format, checking the legality of the SIP request message against a domain deny list and a domain allow list in the pre-configured SIP application-layer logical routing table.
5. The method for preventing an illegal route attack according to claim 1, wherein checking the legality of the SIP request message against the IP deny list or the IP allow list in the pre-configured SIP application-layer logical routing table specifically comprises:
querying, according to the request method name in the SIP request message, whether the IP address appears in the IP deny list; when the IP address appears in the IP deny list, rejecting the SIP request message;
otherwise, querying, according to the request method name, whether the IP address appears in the IP allow list; when the IP address appears in the IP allow list, routing the SIP request message according to the IP address, and otherwise rejecting the SIP request message.
6. The method for preventing an illegal route attack according to claim 4, wherein checking the legality of the SIP request message against the domain deny list and the domain allow list in the pre-configured SIP application-layer logical routing table comprises:
querying, according to the request method name in the SIP request message, whether the domain name appears in the domain deny list; when the domain name appears in the domain deny list, rejecting the SIP request message;
otherwise, querying, according to the request method name, whether the domain name appears in the domain allow list; when the domain name appears in the domain allow list, routing the SIP request message according to the domain name, and otherwise rejecting the SIP request message.
7. A system for preventing an illegal route attack, comprising:
an apparatus for preventing an illegal route attack, configured to perform a legality check and routing processing on a Session Initiation Protocol (SIP) request message according to a pre-configured application-layer logical routing table;
the apparatus for preventing an illegal route attack comprising:
a detection module, configured to detect, when the next hop in the SIP request message is in IP address format, whether the next-hop IP address in the SIP request message is a broadcast address;
a first checking module, configured to check, when the IP address is not a broadcast address, the legality of the SIP request message against an IP deny list or an IP allow list in a pre-configured SIP application-layer logical routing table.
8. The system according to claim 7, wherein the apparatus further comprises: a rejection module, configured to reject the SIP request message when the IP address is a broadcast address.
9. An apparatus for preventing an illegal route attack, comprising:
a detection module, configured to detect, when the next hop in a SIP request message is in IP address format, whether the next-hop IP address in the SIP request message is a broadcast address;
a first checking module, configured to check, when the IP address is not a broadcast address, the legality of the SIP request message against an IP deny list and an IP allow list in a pre-configured SIP application-layer logical routing table.
10. The apparatus according to claim 9, further comprising: a rejection module, configured to reject the SIP request message when the IP address is a broadcast address.
11. The apparatus for preventing an illegal route attack according to claim 9, further comprising:
a determination module, configured to determine the format of the next hop in the SIP request message.
12. The apparatus for preventing an illegal route attack according to claim 11, further comprising:
an acquisition module, configured to resolve the domain name and obtain the IP address corresponding to the domain name when the next hop in the SIP request message is in domain name format;
or, a second checking module, configured to check, when the next hop in the SIP request message is in domain name format, the legality of the SIP request message against a domain deny list and a domain allow list in the pre-configured SIP application-layer logical routing table.
13. The apparatus for preventing an illegal route attack according to claim 9, wherein the first checking module comprises:
a first query sub-module, configured to query, according to the request method name in the SIP request message, whether the IP address appears in the IP deny list;
a first rejection sub-module, configured to reject the SIP request message when the IP address appears in the IP deny list;
a second query sub-module, configured to query, according to the request method name, whether the IP address appears in the IP allow list;
a message routing sub-module, configured to route the SIP request message according to the IP address when the IP address appears in the IP allow list;
a second rejection sub-module, configured to reject the SIP request message when the IP address does not appear in the IP allow list.
14. The apparatus for preventing an illegal route attack according to claim 12, wherein the second checking module comprises:
a first query sub-module, configured to query, according to the request method name in the SIP request message, whether the domain name appears in the domain deny list;
a first rejection sub-module, configured to reject the SIP request message when the domain name appears in the domain deny list;
a second query sub-module, configured to query, according to the request method name, whether the domain name appears in the domain allow list;
a message routing sub-module, configured to route the SIP request message according to the domain name when the domain name appears in the domain allow list;
a second rejection sub-module, configured to reject the SIP request message when the domain name does not appear in the domain allow list.
15. The apparatus for preventing an illegal route attack according to claim 9, wherein the apparatus is of a type including: a Proxy Call Session Control Function (P-CSCF) entity.
16. A system for preventing an illegal route attack, comprising an application processor AM, a service data processor SDM and a security processing device, wherein:
the security processing device is configured to set a routing policy and send the routing policy to the SDM, which sends the routing policy to the AM according to the AM's requirements;
the AM is configured to receive the routing policy from the SDM and, when it receives a SIP request message containing a next-hop address from a terminal, to determine according to the routing policy whether to route the message to the next hop.
17. The system according to claim 16, wherein the security management device is of a type including: a security processor (SM) or a security control center (SOC).
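The next-hop check that claims 1 to 6 and 13 to 14 describe, together with the AM-side PULL cache of step S1511 and the AM/SDM split of claim 16, as one added Python example. This is not code from the patent; the policy table, the local subnets, every host name and address, and the names SDM_POLICY, LOCAL_NETWORKS, AMRouteGuard and build_request are assumptions made for the example. It goes beyond the claims in two places: it takes the next hop from the topmost Route header before falling back to the Request-URI, and it treats the directed broadcast of a configured local subnet as a broadcast address in addition to 255.255.255.255.

```python
"""Next-hop legality check for SIP requests as laid out in claims 1-6, plus an
AM-side policy cache that PULLs entries from an SDM-style store on a miss
(step S1511).  Added example; not code from the patent."""
import ipaddress
import re
from typing import Callable, Dict, Optional, Set, Tuple

Policy = Dict[str, Set[str]]

# Constructed policy keyed by SIP request method name (the patent consults its
# lists per method).  Every host is made up; the dict stands in for the SDM.
SDM_POLICY: Dict[str, Policy] = {
    "INVITE": {"ip_deny": {"192.0.2.66"},
               "ip_allow": {"192.0.2.10", "198.51.100.5"},
               "domain_deny": {"evil.example"},
               "domain_allow": {"ims.example.net"}},
    "REGISTER": {"ip_deny": set(), "ip_allow": {"192.0.2.10"},
                 "domain_deny": set(), "domain_allow": {"ims.example.net"}},
}
# Locally attached subnets (assumption), so directed broadcasts are caught as
# well as the limited broadcast 255.255.255.255.
LOCAL_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                  ipaddress.ip_network("198.51.100.0/24")]
URI_HOST = re.compile(r"sip:(?:[^@\s>]+@)?([^;:>\s]+)")


def next_hop_of(msg: str) -> Tuple[str, str]:
    """(method, next-hop host): topmost Route header if present, otherwise the
    Request-URI host.  Bracketed IPv6 literals are not handled here."""
    lines = msg.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    for line in lines[1:]:
        if not line:
            break                                # blank line ends the headers
        if line.lower().startswith("route:"):
            m = URI_HOST.search(line)
            if m:
                return method, m.group(1)
    m = URI_HOST.search(lines[0])
    if not m:
        raise ValueError("no SIP URI in request line")
    return method, m.group(1)


def is_broadcast(ip) -> bool:
    """Limited broadcast, or directed broadcast of a local subnet (IPv4 only)."""
    if ip.version != 4:
        return False
    return (ip == ipaddress.IPv4Address("255.255.255.255")
            or any(ip == n.broadcast_address for n in LOCAL_NETWORKS))


class AMRouteGuard:
    """AM-side checker: local table first, PULL from the SDM on a miss, and an
    UPDATE entry point for entries the SDM pushes."""

    def __init__(self, sdm_lookup: Callable[[str], Optional[Policy]]):
        self._sdm_lookup = sdm_lookup
        self._local: Dict[str, Policy] = {}      # AM local routing table
        self.pulls = 0                           # round trips to the SDM

    def policy_for(self, method: str) -> Optional[Policy]:
        if method not in self._local:            # PULL on miss (step S1511)
            self.pulls += 1
            entry = self._sdm_lookup(method)
            if entry is None:
                return None
            self._local[method] = entry
        return self._local[method]

    def update(self, method: str, entry: Policy) -> None:
        self._local[method] = entry              # UPDATE pushed by the SDM

    def check(self, msg: str) -> str:
        method, host = next_hop_of(msg)
        policy = self.policy_for(method)
        if policy is None:
            return "reject: no policy for method"
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None                            # not an IP literal: domain name
        if ip is not None:                       # IP next hop (claims 1, 2, 5)
            if is_broadcast(ip):
                return "reject: broadcast next hop"
            if host in policy["ip_deny"]:
                return "reject: ip deny list"
            if host in policy["ip_allow"]:
                return "route: " + host
            return "reject: not in ip allow list"
        if host in policy["domain_deny"]:        # domain next hop (claims 4, 6)
            return "reject: domain deny list"
        if host in policy["domain_allow"]:
            return "route: " + host
        return "reject: not in domain allow list"


def build_request(method: str, uri: str, route: Optional[str] = None) -> str:
    """Minimal constructed SIP request; `route` becomes a loose-route Route header."""
    hdrs = [f"{method} {uri} SIP/2.0", "Via: SIP/2.0/UDP 192.0.2.10;branch=z9hG4bK776",
            "From: <sip:alice@ims.example.net>;tag=1", f"To: <{uri}>"]
    if route:
        hdrs.insert(1, f"Route: <{route};lr>")
    return "\r\n".join(hdrs) + "\r\n\r\n"
```

Calling `AMRouteGuard(SDM_POLICY.get).check(build_request("INVITE", "sip:bob@192.0.2.255"))` returns a rejection because 192.0.2.255 is the directed broadcast of the first local subnet. The deny list is consulted before the allow list, and an address on neither list is rejected, which is the default-deny order the claims spell out; because the lists are keyed by request method, the same next hop can be accepted for INVITE and rejected for REGISTER. A policy miss costs one SDM lookup and is then served from the local table, so `pulls` stays at one per method, which is the storage-versus-lookup trade-off step S1511 is after.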
PCT/CN2009/071033 2008-03-26 2009-03-26 Illegal route attack defending method, system and equipment WO2009117968A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
BRPI0906521A BRPI0906521A2 (en) 2008-03-26 2009-03-26 coding and decoding method and apparatus

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200810090362A CN101547124A (en) 2008-03-28 2008-03-28 Method, system and device for preventing illegal routing attacks
CN200810090362.9 2008-03-28

Publications (1)

Publication Number Publication Date
WO2009117968A1 true WO2009117968A1 (en) 2009-10-01

Family

ID=41112984

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2009/071033 WO2009117968A1 (en) 2008-03-26 2009-03-26 Illegal route attack defending method, system and equipment

Country Status (2)

Country Link
CN (1) CN101547124A (en)
WO (1) WO2009117968A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102075924B (en) * 2010-11-22 2013-03-27 北京邮电大学 Session state based method and system for detecting vulnerability of internet protocol (IP) multimedia subsystem (IMS)
CN104539590A (en) * 2014-12-10 2015-04-22 深圳市共进电子股份有限公司 Message processing method and device
CN109743470A (en) * 2019-02-28 2019-05-10 上海市共进通信技术有限公司 The method for realizing non-proxy IP refusal incoming call function based on Session Initiation Protocol

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1605661A1 (en) * 2004-06-07 2005-12-14 Alcatel Method and device for preventing attacks on a call server
JP2007060379A (en) * 2005-08-25 2007-03-08 Nippon Telegr & Teleph Corp <Ntt> Defense method, system, and program against attack in sip server
CN101005465A (en) * 2006-06-23 2007-07-25 华为技术有限公司 Transmission method and device for request message in SIP multimedia system
CN101079818A (en) * 2007-06-28 2007-11-28 华为技术有限公司 Message forwarding method and network device


Also Published As

Publication number Publication date
CN101547124A (en) 2009-09-30


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 09724067

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 09724067

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: PI0906521

Country of ref document: BR

Kind code of ref document: A2

Effective date: 20100721