Looking for breakthrough ideas for innovation challenges? Try Patsnap Eureka!

A method and firewall for preventing dos attack

A firewall and anti-attack technology, applied in electrical components, transmission systems, etc., can solve problems such as system crashes, large computing resources, and memory resource consumption, and achieve the effect of preventing DoS attacks

Active Publication Date: 2018-02-13
OPZOON TECH
View PDF6 Cites 0 Cited by
  • Summary
  • Abstract
  • Description
  • Claims
  • Application Information

AI Technical Summary

Problems solved by technology

[0002] The negotiation process of IKE (Internet Key Exchange) includes main mode and aggressive mode. In IKE negotiation, the initiator does not know the cookie value of the responder in advance, and the cookie value of the responder will be set to 0, so it is impossible for the responder to know whether this message is a false exchange request. Since the responder creates a state when it receives the first message, a malicious attacker can send a large number of initial messages to make the responder stop Create state, consume memory resources, and eventually lead to memory exhaustion and system crash, so IKE is vulnerable to DoS (Denial of Service) attacks that consume memory resources
In addition, in the aggressive mode, IKE needs to conduct key agreement through Dffie-Hellman exchange in the first negotiation, and the modular exponentiation operation will take up large computing resources
DoS attackers will initiate a large number of false exchange requests through IP spoofing. If the responder cannot distinguish these forged requests, they have to perform a large number of modular exponentiation calculations on the forged requests, resulting in a DoS attack that consumes CPU resources.
Therefore, the initial exchange of the main mode and the aggressive mode will be subject to DoS attacks that consume memory resources, and the aggressive mode will also be subject to DoS attacks that consume CPU resources.

Method used

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
View more

Image

Smart Image Click on the blue labels to locate them in the text.
Viewing Examples
Smart Image
  • A method and firewall for preventing dos attack
  • A method and firewall for preventing dos attack
  • A method and firewall for preventing dos attack

Examples

Experimental program
Comparison scheme
Effect test

Embodiment Construction

[0035] In order to make the object, technical solution and advantages of the present invention clearer, the present invention will be further described in detail below in conjunction with specific embodiments and with reference to the accompanying drawings. It should be understood that these descriptions are exemplary only, and are not intended to limit the scope of the present invention. Also, in the following description, descriptions of well-known structures and techniques are omitted to avoid unnecessarily obscuring the concept of the present invention.

[0036] The invention provides a method for preventing DoS attack and a firewall, which can effectively prevent the responder from being attacked by DoS during the IKE negotiation process.

[0037] The negotiation process of IKE (Internet Key Exchange) includes main mode and aggressive mode. The specific negotiation process is as follows:

[0038] Main mode negotiation:

[0039] Initiator a ------------------------------...

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

PUM

No PUM Login to View More

Abstract

The invention discloses a method and a firewall for preventing DoS attacks. The method comprises steps: step S1, receiving IKE message; step S2, checking whether the cookie value in the IKE message is complete; step S3, if the cookie value is complete And there is corresponding value in IKE SA database, then continue IKE negotiation process, otherwise described IKE message is discarded; Step S4, if there is only source cookie value in the described cookie value, and there is corresponding value in IKE SA database, then Send the response message again; step S5, if there is only the source cookie value in the cookie value, and there is no corresponding value in the IKE SA database, then according to whether the anti-DoS function is opened, the IKE message is processed, which can effectively To prevent the responder from DoS attacks during IKE negotiation.

Description

technical field [0001] The invention relates to the field of preventing DoS attacks, in particular to a method and a firewall for preventing DoS attacks. Background technique [0002] The negotiation process of IKE (Internet Key Exchange) includes main mode and aggressive mode. In IKE negotiation, the initiator does not know the cookie value of the responder in advance, and the cookie value of the responder will be set to 0, so it is impossible for the responder to know whether this message is a false exchange request. Since the responder creates a state when it receives the first message, a malicious attacker can send a large number of initial messages to make the responder stop Creating states and consuming memory resources will eventually lead to memory exhaustion and system crashes. Therefore, IKE is vulnerable to DoS (Denial of Service) attacks that consume memory resources. In addition, in the aggressive mode, IKE needs to conduct key agreement through Dffie-Hellman e...

Claims

the structure of the environmentally friendly knitted fabric provided by the present invention; figure 2 Flow chart of the yarn wrapping machine for environmentally friendly knitted fabrics and storage devices; image 3 Is the parameter map of the yarn covering machine
Login to View More

Application Information

Patent Timeline
no application Login to View More
Patent Type & Authority Patents(China)
IPC IPC(8): H04L29/06
Inventor 陈海滨刘鹏章敏王禹王智民
Owner OPZOON TECH
Who we serve
  • R&D Engineer
  • R&D Manager
  • IP Professional
Why Patsnap Eureka
  • Industry Leading Data Capabilities
  • Powerful AI technology
  • Patent DNA Extraction
Social media
Patsnap Eureka Blog
Learn More
PatSnap group products

Browse by: Latest US Patents, China's latest patents, Technical Efficacy Thesaurus, Application Domain, Technology Topic, Popular Technical Reports.

© 2024 PatSnap. All rights reserved.Legal|Privacy policy|Modern Slavery Act Transparency Statement|Sitemap|About US| Contact US: help@patsnap.com