IP fast hopping protocol design

Denial-of-Service attacks are the largest threat to the Internet and the Internet of Things, despite the large number of defense approaches the research community has proposed. In this paper we introduce IP Fast Hopping, an effective network-layer software solution against DDoS attacks. Our technology hides the real IP address of a server behind a large pool of IP addresses belonging to a number of routers in different networks. Our method provides a network-layer approach to preventing unauthorized access to a server, which is sometimes important for the Internet of Things. Our approach implies real-time changing of the server's IP address according to a schedule that is available only to authorized clients (so our method is not applicable to publicly available Internet resources). This schedule is unique for each client connection, and each entry in it is calculated dynamically and independently at both ends of the secured connection using a special pseudo-random function. To implement this requirement, when a connection is established between a new authorized client and the server, the client receives the initial server IP (which will be used by higher-level protocols on the client side), a pool of IP addresses (an unordered set of IP addresses belonging to a set of "edge" routers) and a unique session ID. Special network-layer software installed on the client's terminal replaces the destination IP address of each packet with an address from the IP pool, chosen according to the value of a special pseudo-random function with the following arguments: the unique session ID and the packet's creation time (the value of the timestamp field in the TCP header). The packet is then forwarded to one of the "edge" routers according to common switching protocols. The router checks (using the same pseudo-random function) that the destination address is correct and, if so, redirects the packet to the real server IP; otherwise it drops the packet. The same procedure is applied to the server's responses to clients.
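The per-packet address selection and the edge-router check described above, as an added illustration that is not the paper's code: HMAC-SHA256 keyed by the session ID stands in for the paper's unspecified pseudo-random function, the unordered pool is sorted so both ends agree on index positions, the router is assumed to look up the session ID by the client's source address, and all addresses and the session ID are constructed sample values. The server-to-client direction is symmetric and not shown.

```python
import hashlib
import hmac

# Constructed sample values (not taken from the paper).
POOL = ["198.51.100.10", "198.51.100.20", "203.0.113.5", "203.0.113.6"]
REAL_SERVER_IP = "192.0.2.1"
SESSION_ID = bytes.fromhex("00112233445566778899aabbccddeeff")


def select_hop_address(session_id: bytes, tcp_timestamp: int, pool: list[str]) -> str:
    """Map (session ID, TCP timestamp) to one address of the pool.

    HMAC-SHA256 keyed by the session ID is an assumed stand-in for the paper's
    pseudo-random function. The pool is an unordered set, so both ends sort it
    to agree on positions; the same inputs yield the same address everywhere.
    """
    digest = hmac.new(session_id, tcp_timestamp.to_bytes(4, "big"), hashlib.sha256).digest()
    ordered = sorted(pool)
    return ordered[int.from_bytes(digest[:4], "big") % len(ordered)]


def client_rewrite(packet: dict, session_id: bytes, pool: list[str]) -> dict:
    """Client-side shim: higher layers addressed the initial server IP; the
    network layer swaps the destination for this timestamp's hop address."""
    hopped = dict(packet)
    hopped["dst"] = select_hop_address(session_id, packet["tcp_ts"], pool)
    return hopped


def edge_router_forward(packet: dict, router_ip: str, sessions: dict,
                        pool: list[str], real_server_ip: str):
    """Edge router: recompute the expected hop address for the packet's session
    and timestamp; forward to the real server on a match, else drop (None).
    `sessions` maps client source IP to session ID (an assumed lookup)."""
    session_id = sessions.get(packet["src"])
    if session_id is None or packet["dst"] != router_ip:
        return None  # unknown client, or packet not addressed to this router
    if select_hop_address(session_id, packet["tcp_ts"], pool) != packet["dst"]:
        return None  # stale or forged destination for this timestamp: dropped
    forwarded = dict(packet)
    forwarded["dst"] = real_server_ip
    return forwarded


if __name__ == "__main__":
    pkt = {"src": "10.0.0.7", "dst": REAL_SERVER_IP, "tcp_ts": 123456, "payload": b"GET /"}
    hopped = client_rewrite(pkt, SESSION_ID, POOL)
    print("client sends to", hopped["dst"])
    print("router forwards to", edge_router_forward(hopped, hopped["dst"],
                                                     {"10.0.0.7": SESSION_ID}, POOL, REAL_SERVER_IP)["dst"])
```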
After our technology is applied, an external observer of the client's traffic sees several independent data streams (with no visible per-stream logic correlation) between the client and a number of terminals in the Internet instead of a single data stream between the client and the server. Thus our method prevents processing of intercepted client traffic and prevents identification of the traffic's destination. Also, a botnet would have to attack all addresses in the IP pool to prevent legitimate use of the protected server.