CN103166926A - A SIP DDoS attack distributed defense system and its load balancing method - Google Patents
A SIP DDoS attack distributed defense system and its load balancing method
- Publication number: CN103166926A
- Authority: CN (China)
- Legal status: Granted
Description
Technical Field
The invention relates to the fields of VoIP network security and IP communication, and in particular to a distributed defense system against SIP DDoS attacks and a load balancing method for that system.
Background
As communication needs diversify, the scope of IP communication has expanded greatly and has begun to evolve from simple VoIP (Voice over IP) systems toward unified communication (EoIP, Everything over IP). SIP (Session Initiation Protocol, an application-layer signaling control protocol) is used to establish, modify and terminate two-party or multi-party multimedia sessions over IP networks. Because of its simple structure and ease of use it has become the core protocol of VoIP, IMS and IPTV, and the NGN architectures defined by ETSI and ITU-T also adopt SIP. SIP was designed with ease of use and flexibility as priorities rather than security, which leaves it with certain security weaknesses; DoS (Denial of Service) attacks are among the main security threats SIP faces. The US National Institute of Standards and Technology (NIST) lists DoS attacks as a serious threat in VoIP network architectures, and in threat analyses of converged networks DoS has become the primary security concern. The German fixed-line operator Arcor, which is deploying SIP-based NGN networks at scale, states that DoS defense has become an urgent need for service providers.
DDoS (Distributed Denial of Service) attacks are harder to defend against and more damaging, so they pose an even greater threat to SIP deployments. In a DDoS attack the attacker uses many hosts to send a large volume of attack messages to the server; faced with that traffic volume, the detection efficiency of a defense system drops sharply, and the defense system itself may become a target of the attack.
There has been little research on defense models for SIP DDoS attacks. Existing SIP DDoS defense systems fall into four classes: systems that defend by limiting the request rate, systems built on a SIP-aware stateful firewall, flow-based distributed defense systems, and self-defense built into the SIP proxy server. Rate limiting cannot distinguish normal messages from attack messages and can only reduce the intensity of an attack; the effectiveness of a SIP stateful firewall depends on its configured security rules, so it can only defend against known attacks; flow-based distributed systems ignore the characteristics of SIP messages, so most SIP detection algorithms cannot be used and both false positive and false negative rates are high; and proxy self-defense is embedded in the SIP proxy server, adding to its processing load, so that a flood of attack messages can crash the server.
None of the existing SIP DDoS defense models can defend efficiently while also detecting unknown attacks actively. Some of the main SIP DDoS detection algorithms, such as the cumulative sum (CUSUM) algorithm and detection based on the SIP transaction state machine, have high detection accuracy, but because they consume significant resources and detect slowly they cannot be used for defense on a single host. If the defense system adopts a distributed architecture and spreads the detection work across several hosts running in parallel, these algorithms become usable for real-time defense.
Summary of the Invention
To address the defects of existing intrusion prevention systems for SIP DDoS attacks, the technical problem solved by the invention is to provide a distributed defense system that defends efficiently against SIP DDoS attacks while using detection algorithms to detect unknown attacks, and to provide for that system a load balancing method that satisfies the requirements of those detection algorithms.
The technical solution adopted to achieve this is a distributed SIP DDoS defense system comprising:
defense detection nodes, each connected to the load balancer, which report their load to the load balancer in real time and share a rule base;
a load balancer, connected to multiple defense detection nodes, which distributes SIP messages to the nodes and updates the node load table from the load information the nodes send.
Each defense detection node comprises:
a SIP firewall module, which parses SIP messages, matches them against the rule base and decides how each message is handled next;
a detection algorithm module, which runs a specific detection algorithm over suspicious SIP messages, decides how they are handled, and generates rules for the attacks it finds and adds them to the rule base;
a traffic forwarding module, which forwards SIP messages judged normal to the target server;
a load update module, which sends the node's load information to the load balancer in real time.
The load balancer comprises:
a SIP message filter, which passes only SIP messages to the access rate controller and lets all other traffic through untouched;
an access rate controller, which measures the SIP request arrival rate and discards SIP messages when it exceeds the rate threshold the defense system can handle;
a load balancing algorithm module, which consults the node load table and the history tables to decide where each SIP message is sent;
a traffic distribution module, which sends each SIP message to the defense detection node chosen by the load balancing algorithm module.
The load balancer is deployed as an active/standby redundant pair; the active and standby load balancers share the history tables and the node load table.
The history tables comprise a Call-ID history table and a source IP address pair history table.
The history tables retain records only for a limited period.
A load balancing method for the distributed SIP DDoS defense system comprises the following steps:
forwarding SIP messages to the access rate controller and letting other messages through;
measuring the SIP request arrival rate and discarding SIP messages when it exceeds the rate threshold the defense system can handle;
consulting the node load table and the history tables to decide where each SIP message is sent;
sending each SIP message to the defense detection node chosen by the two-level load balancing algorithm module;
processing of the SIP message by the defense detection node;
updating the node load table from the load information sent by the defense detection nodes.
The load balancing algorithm is a two-level algorithm, specifically:
parse the SIP message and extract the Call-ID header field and the source IP address pair;
the first-level load balancing module distributes the message according to the Call-ID history table;
for messages with no entry in the Call-ID history table, the first-level module distributes according to the source IP address pair history table;
messages the first-level module could not distribute are sent by the second-level load balancing module to a suitable defense detection node according to the load distribution method;
the history tables are updated with the result of the distribution.
The load distribution method distributes SIP messages with a Round-Robin algorithm.
Before a message is sent to a defense detection node, the load distribution method checks that node's availability against the load table, specifically:
check the node's load; if it exceeds the second-level forwarding upper limit, stop second-level forwarding to that node;
check the node's load; if it exceeds the first-level forwarding upper limit, stop first-level forwarding to that node;
compute the forwarding recovery lower limit; if the node's load falls below it, resume forwarding to that node.
The defense detection node processes a SIP message as follows:
the SIP firewall module parses the message and matches it against the rule base to decide the next step: attack messages are dropped, suspicious messages are passed to the detection algorithm module, and normal messages are handed to the traffic forwarding module;
the traffic forwarding module forwards messages judged normal to the target server;
the detection algorithm module runs a specific detection algorithm over suspicious messages, decides how they are handled, and generates rules for the attacks it finds and adds them to the rule base.
The node load table is updated from the load information sent by the defense detection nodes as follows:
the load balancer waits for load information from all defense detection nodes;
if no load message from a node arrives within the response period, that node's missed-response count is incremented by 1;
if a node's missed-response count exceeds the missed-response limit, the node's availability is set to no;
if load information arrives from a node marked unavailable, the node's availability is set to yes, its missed-response count is reset to zero, and its load information in the node load table is updated.
The invention has the following advantages:
1. It establishes a distributed defense detection system against SIP DDoS attacks in which the number of defense detection nodes can be scaled out, giving the system high message processing capacity and good scalability.
2. It establishes a defense detection method based on rule filtering and rule addition, giving the system high defense efficiency and low processing delay.
3. It establishes a load balancing method built around the detection algorithms, meeting their requirements on which messages each node sees, giving the system a high attack detection rate and a low false alarm rate.
4. It establishes a load distribution algorithm for the second-level load balancing module that distributes messages according to the load of the defense detection nodes, giving the nodes good load balancing behaviour.
Description of Drawings
Fig. 1 is the network topology of the invention;
Fig. 2 is the system architecture of the invention;
Fig. 3 is the flow chart of the defense detection node load update processing;
Fig. 4 is the flow chart of the two-level load balancing method;
Fig. 5 is the flow chart of the load distribution method;
Fig. 6 is a schematic of the simulation environment;
Fig. 7 is the system load with two defense detection nodes;
Fig. 8 is the system load with four defense detection nodes.
Detailed Description
The invention is described in further detail below with reference to the drawings and an embodiment.
The distributed SIP DDoS defense system comprises a load balancer (LB) connected to multiple defense detection nodes (Defending and Detecting Node, DDN). The load balancer performs preliminary processing of the network traffic and distributes it to the nodes with the load balancing algorithm; each node processes the SIP messages assigned to it, filters out attack messages, and sends normal messages on to the server.
The system is an intrusion prevention system against SIP DDoS attacks. In this embodiment it runs in front of a SIP server cluster, processes the SIP messages destined for the servers and defends against SIP DDoS attacks so that the SIP servers are shielded from them. As shown in Fig. 1, the load balancer is connected to multiple defense detection nodes; apart from the shared rule base, each node is connected only to the load balancer. The load balancer is an active/standby redundant pair, and the active and standby load balancers share the history tables and the node load table.
The history tables comprise a Call-ID history table and a source IP address pair history table. The Call-ID history table (Table 1) records, for each Call-ID, the number and virtual IP address of the defense detection node its messages were sent to.
Table 1
The source IP address pair history table (Table 2) records, for each source IP address pair, the number and virtual IP address of the defense detection node its messages were sent to.
Table 2
The node load table (Table 3) records each defense detection node's number, virtual IP address, availability and CPU load.
Table 3
The system retains history records only for a limited period (for example 24 hours) so that lookups in the history tables stay efficient.
As shown in Fig. 2, all defense detection nodes have the same structure and connect to the load balancer in the same way. The load balancer distributes SIP messages to the nodes, and the nodes report their load to the load balancer in real time.
The load balancer comprises: a SIP message filter, which passes only SIP messages to the access rate controller and lets all other traffic through; an access rate controller, which measures the SIP request arrival rate and discards SIP messages when it exceeds the rate threshold the defense system can handle; a load balancing algorithm module, which consults the node load table and the history tables to decide where each SIP message goes; a traffic distribution module, which sends each SIP message to the node chosen by the load balancing algorithm module; the history tables; and the node load table. The history tables and the node load table are as described above.
Each defense detection node comprises: a SIP firewall module, which parses each message, matches it against the rule base and decides the next step, dropping attack messages, passing suspicious messages to the detection algorithm module and handing normal messages to the traffic forwarding module; a detection algorithm module, which runs a specific detection algorithm (such as the cumulative sum algorithm or a finite state machine algorithm) over suspicious messages, decides how they are handled, and generates rules for the attacks it finds and adds them to the rule base; a traffic forwarding module, which forwards messages judged normal to the target server; a load update module, which sends the node's load information to the load balancer in real time; and the rule base, which holds the SIP message filtering rules.
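The node pipeline just described, as an added example in Python (not the patent's code, which is an OpenSIPS extension): a rule base of (field, pattern, verdict) entries, a SIP firewall step that applies it, and a detection step that runs a one-sided CUSUM over each source's count of suspicious requests per time window and, on alarm, inserts a drop rule for that source into the rule base so that the firewall step drops its later messages. The rule format, the CUSUM parameters, the choice of CUSUM (one of the two algorithm families the page names), the window handling and the sample traffic are all assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Rule base shared by the nodes: (field, regex, verdict); first match wins.
# "src" matches the transport-layer source IP, "Method" the request method,
# any other field a SIP header. All entries are constructed for this example.
RULE_BASE = [
    ("src", r"^203\.0\.113\.", "attack"),              # constructed: known bad prefix
    ("User-Agent", r"^friendly-scanner", "attack"),    # constructed scanner signature
    ("Method", r"^(INVITE|REGISTER)$", "suspicious"),  # dialog-creating requests get checked
]


def parse_sip(raw):
    """Split a SIP request into (method, headers); header names lower-cased."""
    lines = raw.split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if not line:                       # empty line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers


def firewall_verdict(src, method, headers, rules):
    """SIP firewall module: the first matching rule decides; no match means normal."""
    for field, pattern, verdict in rules:
        if field == "src":
            value = src
        elif field == "Method":
            value = method
        else:
            value = headers.get(field.lower(), "")
        if re.search(pattern, value):
            return verdict
    return "normal"


class CusumDetector:
    """One-sided CUSUM over per-source counts of suspicious requests per window.
    mu = expected count per window, k = slack, h = alarm threshold (assumed values)."""

    def __init__(self, mu=2.0, k=1.0, h=8.0):
        self.mu, self.k, self.h = mu, k, h
        self.score = defaultdict(float)

    def observe(self, src, count):
        self.score[src] = max(0.0, self.score[src] + count - self.mu - self.k)
        return self.score[src] > self.h


class DefenseDetectionNode:
    def __init__(self, rules, detector=None):
        self.rules = list(rules)               # node's copy of the shared rule base
        self.detector = detector or CusumDetector()
        self.window_counts = defaultdict(int)  # suspicious requests per source, this window
        self.forwarded = []                    # stands in for the traffic forwarding module

    def process(self, src, raw):
        """Return 'dropped', 'forwarded' or 'detect' for one message."""
        method, headers = parse_sip(raw)
        verdict = firewall_verdict(src, method, headers, self.rules)
        if verdict == "attack":
            return "dropped"
        if verdict == "suspicious":
            # the detection module counts it; it is still forwarded until an alarm fires
            self.window_counts[src] += 1
            self.forwarded.append((src, method))
            return "detect"
        self.forwarded.append((src, method))
        return "forwarded"

    def end_window(self):
        """Feed this window's counts to CUSUM; add a drop rule for every alarm."""
        blocked = []
        for src, count in self.window_counts.items():
            if self.detector.observe(src, count):
                rule = ("src", "^" + re.escape(src) + "$", "attack")
                if rule not in self.rules:
                    self.rules.insert(0, rule)   # generated rule goes back into the rule base
                blocked.append(src)
        self.window_counts.clear()
        return blocked


# Constructed traffic template: one legitimate caller and one flooding source.
INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\n"
          "Via: SIP/2.0/UDP {ip}:5060;branch=z9hG4bK{n}\r\n"
          "From: <sip:{ip}>;tag=1\r\nTo: <sip:bob@example.com>\r\n"
          "Call-ID: {n}@{ip}\r\nCSeq: 1 INVITE\r\nUser-Agent: softphone\r\n\r\n")


def simulate():
    node = DefenseDetectionNode(RULE_BASE)
    window = [node.process("198.51.100.7", INVITE.format(ip="198.51.100.7", n=i)) for i in range(2)]
    window += [node.process("192.0.2.9", INVITE.format(ip="192.0.2.9", n=i)) for i in range(12)]
    blocked = node.end_window()                       # CUSUM alarms on the 12-per-window source
    after = node.process("192.0.2.9", INVITE.format(ip="192.0.2.9", n=99))
    still_ok = node.process("198.51.100.7", INVITE.format(ip="198.51.100.7", n=99))
    scanner = node.process("198.51.100.8", INVITE.format(ip="198.51.100.8", n=0).replace("softphone", "friendly-scanner"))
    return window, blocked, after, still_ok, scanner
```

The split between the two steps matters for the load balancer design on this page: the firewall match is cheap and stateless, so it can run on any node, while the CUSUM state is per source, which is why the page insists that messages from one source (and one Call-ID) keep landing on the same node.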
The load update module interacts with the load balancer, reporting the node's availability and load in real time, and the load balancer updates the node's availability and load in the load table. As shown in Fig. 3, the load balancer waits for load messages from all defense detection nodes. If no message arrives from a node within the response period, that node's missed-response count is incremented by one; if a node's missed-response count exceeds the missed-response limit, its availability is set to no; if load information arrives from a node marked unavailable, its availability is set to yes, its missed-response count is reset to zero, and its load information in the load table is updated.
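The Fig. 3 update loop as an added example in Python (not the patent's code). The page specifies only the per-node counter, the missed-response limit and the availability flag; the report line format, the limit value, the clearing of the counter on any report and the three-node timeline are assumptions constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class NodeState:
    node_id: int
    vip: str                  # virtual IP the balancer forwards to
    available: bool = True
    cpu_load: float = 0.0     # fraction 0..1
    missed: int = 0           # consecutive response periods without a load report


class NodeLoadTable:
    """The load balancer's view of the defense detection nodes, updated once per response period."""

    def __init__(self, nodes, missed_limit=3):
        self.nodes = {n.node_id: n for n in nodes}
        self.missed_limit = missed_limit   # assumed value; the page gives none

    def end_period(self, reports):
        """reports: {node_id: cpu_load} received during this response period."""
        for node_id, node in self.nodes.items():
            if node_id in reports:
                node.cpu_load = reports[node_id]
                node.missed = 0            # assumption: any report clears the counter
                node.available = True      # a silent node returns on its first report
            else:
                node.missed += 1
                if node.missed > self.missed_limit:
                    node.available = False
        return self.available_nodes()

    def available_nodes(self):
        return sorted(n.node_id for n in self.nodes.values() if n.available)

    def snapshot(self):
        """The {node_id: {"available", "cpu"}} form a dispatcher can consume."""
        return {i: {"available": n.available, "cpu": n.cpu_load} for i, n in self.nodes.items()}


def parse_report(line):
    """Parse one constructed report line such as 'LOAD node=2 cpu=0.35'.
    The wire format is an assumption; the page only says load is reported in real time."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return int(fields["node"]), float(fields["cpu"])


# Constructed timeline: node 2 falls silent for three periods, then reports again.
SAMPLE_PERIODS = [
    ["LOAD node=1 cpu=0.40", "LOAD node=2 cpu=0.42", "LOAD node=3 cpu=0.39"],
    ["LOAD node=1 cpu=0.41", "LOAD node=3 cpu=0.40"],
    ["LOAD node=1 cpu=0.43", "LOAD node=3 cpu=0.41"],
    ["LOAD node=1 cpu=0.45", "LOAD node=3 cpu=0.44"],
    ["LOAD node=1 cpu=0.30", "LOAD node=2 cpu=0.10", "LOAD node=3 cpu=0.31"],
]


def run_timeline(periods=SAMPLE_PERIODS, missed_limit=2):
    """Replay report periods; return the available node ids after each one and the final table."""
    table = NodeLoadTable([NodeState(1, "10.0.0.1"), NodeState(2, "10.0.0.2"),
                           NodeState(3, "10.0.0.3")], missed_limit)
    history = []
    for lines in periods:
        reports = dict(parse_report(line) for line in lines)
        history.append(table.end_period(reports))
    return history, table
```

With a limit of 2 the node is only declared down after the third silent period, so a single lost report does not move traffic; a real deployment also needs a policy for the case where every node is marked unavailable, which the page does not address.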
The load balancer distributes SIP messages to the defense detection nodes with a two-level load distribution method. As shown in Fig. 4, the two-level method consists of a first-level load balancing module and a second-level load balancing module. The first-level module comprises a SIP message parsing module, which parses the SIP message and extracts the Call-ID header field and the source IP address pair; a Call-ID matching module, which looks up the Call-ID history table and sends SIP messages with the same Call-ID to the same node; and a source IP address pair matching module, which looks up the source IP address pair history table and sends SIP messages with the same source IP address pair to the same node. The second-level module comprises a load distribution algorithm module, which consults the node load table and distributes the messages the first-level module could not place using the load distribution method; a node availability query module, which checks the availability of the node a message is about to be sent to; a traffic distribution module, which sends the SIP traffic to the chosen node; and a history update module, which updates the history tables after forwarding.
The load distribution method distributes SIP messages with a Round-Robin algorithm. Before a message is sent to a node, the method checks that node's availability against the load table.
As shown in Fig. 5, the availability check looks up the node's load in the load table. If the load exceeds the second-level forwarding upper limit α2, second-level forwarding to that node stops. If the load exceeds the first-level forwarding upper limit α1, first-level forwarding to that node stops. Whenever forwarding has been stopped, the forwarding recovery lower limit β is computed as in Equation 1, where n is the number of defense detection nodes and cpu_loading_i is the CPU load of node i. If the node's load falls below the recovery lower limit, forwarding to that node resumes. Because α2 is set below α1 (85% and 95% in the experiment below), a loaded node first stops receiving new flows while continuing to receive the dialogs and sources it already handles, and only under heavier load are those diverted as well.
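The two-level dispatch together with the α1/α2/β availability check, as an added example in Python (not the patent's OpenSIPS implementation); it covers the claimed method above as well as the Fig. 4 and Fig. 5 descriptions. Assumptions: the "source IP address pair" is taken to be the packet's (source IP, destination IP); β is computed as the mean CPU load over all nodes because the page does not reproduce Equation 1; history records expire lazily on lookup after a 24 hour TTL; and the node load table is a plain dict that the load report handler keeps current.

```python
import re
from itertools import cycle


def call_id_of(raw):
    """Extract the Call-ID header (long or compact 'i' form) from a SIP message."""
    m = re.search(r"^(?:Call-ID|i)\s*:\s*(\S+)", raw, re.IGNORECASE | re.MULTILINE)
    return m.group(1) if m else None


class TwoLevelBalancer:
    """Level 1: stick to the node that already saw this Call-ID, else the node that saw
    this source address pair. Level 2: round-robin over nodes passing the availability check.
    load_table: {node_id: {"available": bool, "cpu": float}}, updated from load reports.
    alpha1/alpha2 are the first/second-level forwarding upper limits (95%/85% in the experiment)."""

    def __init__(self, load_table, alpha1=0.95, alpha2=0.85,
                 history_ttl=24 * 3600, clock=lambda: 0.0):
        self.load = load_table
        self.alpha = {1: alpha1, 2: alpha2}
        self.ttl = history_ttl
        self.clock = clock
        self.callid_hist = {}    # Call-ID -> (node_id, last_seen)
        self.addr_hist = {}      # (src_ip, dst_ip) -> (node_id, last_seen)
        self.rr = cycle(sorted(load_table))
        self.stopped = set()     # (node_id, level) pairs whose forwarding is paused

    def _beta(self):
        # Recovery lower limit. Equation 1 is not reproduced on the page, so this
        # example assumes the mean CPU load over all n nodes.
        loads = [s["cpu"] for s in self.load.values()]
        return sum(loads) / len(loads)

    def _allowed(self, node_id, level):
        """Availability check with hysteresis: pause above alpha, resume only below beta."""
        state = self.load[node_id]
        if not state["available"]:
            return False
        key = (node_id, level)
        if state["cpu"] > self.alpha[level]:
            self.stopped.add(key)
        elif key in self.stopped and state["cpu"] < self._beta():
            self.stopped.discard(key)
        return key not in self.stopped

    def _lookup(self, hist, key, now):
        entry = hist.get(key)
        if entry is None or now - entry[1] > self.ttl:   # lazy expiry of stale records
            hist.pop(key, None)
            return None
        return entry[0]

    def dispatch(self, raw, src_ip, dst_ip):
        """Return (node_id, level) for one message, or (None, 2) if no node can take it."""
        now = self.clock()
        cid = call_id_of(raw)
        addr = (src_ip, dst_ip)
        # Level 1: Call-ID history first, then the source address pair history.
        for hist, key in ((self.callid_hist, cid), (self.addr_hist, addr)):
            node_id = self._lookup(hist, key, now) if key is not None else None
            if node_id is not None and self._allowed(node_id, 1):
                return self._record(cid, addr, node_id, now), 1
        # Level 2: round-robin over nodes that pass the availability check.
        for _ in range(len(self.load)):
            node_id = next(self.rr)
            if self._allowed(node_id, 2):
                return self._record(cid, addr, node_id, now), 2
        return None, 2

    def _record(self, cid, addr, node_id, now):
        if cid is not None:
            self.callid_hist[cid] = (node_id, now)
        self.addr_hist[addr] = (node_id, now)
        return node_id


def demo():
    """Constructed scenario exercising both levels, the load thresholds and history expiry."""
    load = {1: {"available": True, "cpu": 0.3},
            2: {"available": True, "cpu": 0.3},
            3: {"available": True, "cpu": 0.3}}
    t = [0.0]
    lb = TwoLevelBalancer(load, clock=lambda: t[0])
    msg = lambda cid: f"INVITE sip:bob@example.com SIP/2.0\r\nCall-ID: {cid}\r\n\r\n"
    out = []
    out.append(lb.dispatch(msg("A"), "10.1.1.1", "10.0.0.10"))  # new: round-robin -> node 1
    out.append(lb.dispatch(msg("A"), "10.1.1.1", "10.0.0.10"))  # Call-ID hit -> node 1
    out.append(lb.dispatch(msg("B"), "10.1.1.1", "10.0.0.10"))  # address pair hit -> node 1
    out.append(lb.dispatch(msg("C"), "10.1.1.2", "10.0.0.10"))  # new: round-robin -> node 2
    load[1]["cpu"] = 0.90   # above alpha2: node 1 takes no new flows but keeps its dialogs
    out.append(lb.dispatch(msg("A"), "10.1.1.1", "10.0.0.10"))  # -> node 1 at level 1
    out.append(lb.dispatch(msg("D"), "10.1.1.3", "10.0.0.10"))  # -> node 3 at level 2
    load[1]["cpu"] = 0.97   # above alpha1: even in-dialog messages move off node 1
    out.append(lb.dispatch(msg("A"), "10.1.1.1", "10.0.0.10"))  # -> node 2 at level 2
    load[1]["cpu"] = 0.20   # below beta: node 1 resumes when round-robin reaches it
    out.append(lb.dispatch(msg("E"), "10.1.1.4", "10.0.0.10"))
    out.append(lb.dispatch(msg("F"), "10.1.1.5", "10.0.0.10"))
    t[0] = 25 * 3600        # history expired: Call-ID A no longer sticks to node 2
    out.append(lb.dispatch(msg("A"), "10.1.1.1", "10.0.0.10"))
    return out
```

The point the scenario makes is the one the page argues for: while node 1 sits between α2 and α1 its existing dialogs stay on it, so a stateful detector there keeps seeing the whole transaction, and only when it passes α1 is that session moved, at the cost of the detector on node 2 seeing it from the middle.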
The performance of the two-level load balancing method was evaluated in a simulation. As shown in Fig. 6, the test environment was: one load balancer connected to four defense detection nodes; the load balancer ran the open source SIP server OpenSIPS extended with the two-level load distribution method and distributed SIP messages according to it; the four nodes ran OpenSIPS extended with a rule filtering mechanism to simulate the filtering and detection of SIP messages; and one host ran the SIP traffic generator SIPp to produce SIP messages simulating network traffic under normal conditions and under attack. The experiment recorded in real time the CPU load of the nodes and the number of messages distributed at each level of the two-level method.
SIPp generated 100,000 users to simulate attack-free traffic, each user independently initiating a call in any given second with probability 0.09% to 0.11%; at the same time 1,000 IP addresses were generated to simulate attackers carrying out a DDoS attack. To simplify SIP message processing, only INVITE, 200 OK, ACK and BYE messages were simulated. α1 was set to 95% and α2 to 85%.
Fig. 7 shows the CPU load of a defense system with two defense detection nodes under normal conditions and under attack; the horizontal axis is time and the vertical axis CPU utilisation, the upper plot is the node load under normal conditions and the lower plot the node load under attack. Under normal conditions both nodes stay at about 40% load with little difference between them; under attack both exceed 85%, essentially full load. Fig. 8 shows the same for four nodes, again with the normal case in the upper plot and the attack case in the lower. Under normal conditions all four nodes stay at about 25% load with little difference between them; under attack all four exceed 50%. In both cases the algorithm shows good load balancing behaviour.
The percentage of messages distributed at each level in the simulation is given in Table 4.
Table 4
Most messages are forwarded by the first-level mechanism, which keeps each SIP session on one node and so meets the detection algorithms' requirements. Under an attack of the same intensity the two-node system could no longer keep up and showed a high packet loss rate, while the four-node system still processed every message with lower CPU load per node. When the system cannot meet its defense and detection requirements, nodes can therefore be added to raise its defense and detection capacity.
Besides the SIP DDoS intrusion prevention system, the load balancing method can also be used to distribute SIP traffic across a distributed SIP server cluster.
Claims (10)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201110418430.1A CN103166926B (en) | 2011-12-14 | SIP DDoS attack distributed defense system and load balancing method thereof |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN103166926A (en) | 2013-06-19 |
| CN103166926B (en) | 2016-12-14 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |