WO2016055668A1 - Device and method for protection in communication networks - Google Patents
- Publication number: WO2016055668A1 (PCT/ES2014/000167)
- Authority: WO (WIPO, PCT)
- Prior art keywords: fpga, network, microprocessor, data, physical layer
- Legal status: Ceased
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L43/00—Arrangements for monitoring or testing data switching networks
Definitions
- the present invention relates to a device and a method of protection in communication networks, in particular a hardware device and a method specifically designed to provide protection against denial of service (DoS) attacks by flooding of a computer system, capable of encrypting and decrypting the information that flows through it, connected to a telecommunications network, thereby also acting as a method of protection against information theft attacks through illicit access to the telecommunications network used.
- European Patent EP-2 256 298 and US patent application publication US-2003/0065943 A1 refer to a protection system based on a personal computer that rejects received data packets that violate a specific packet rejection policy.
- the device verifies that the length and checksum of each received IP data packet match the information declared in the header of the IP packet itself.
- the weakness of this type of system is that it requires oversized hardware to operate, which is not embedded and is of considerable dimensions.
- the algorithms introduced may not be easily expandable or modifiable.
- a plurality of computers are connected to transmit data through a telecommunications network of the Internet network type, transporting data packets on these communication channels between the computers connected to the ends of these communication channels.
- each computer is associated with an IP address, so that each IP packet transported by the transport network includes a source and a destination address in order to allow it to be addressed correctly.
- the attacked computer denies service to legitimate users, this technique being known as a denial of service attack by service saturation, that is, a Denial of Service Attack (DoS), or a Distributed Denial of Service Attack (DDoS) when the origin is multiple attacking computers.
- DoS Denial Of Service Attack
- DDoS Distributed Denial Of Service Attack
- the high traffic generated by the attacking computers appears to be legitimate traffic at the transport layer, and it is difficult to filter effectively with a firewall without consuming 100% of the firewall's own resources, thus leaving the attacked computer without resources available to serve legitimate users.
- the characteristic of the protective device to encrypt and decrypt the information that flows through it responds to the problem of the existence of intruders or attackers who wish to carry out a Man in the Middle (MIM) attack.
- MIM Man in the Middle
- These attacks are based on being able to read unencrypted communications and obtain sensitive security data, such as passwords, credentials or electronic certificates, of the victim of the attack, who transmits this information over the existing telecommunications network.
- a VPN network is simply a network in which an encryption algorithm is used between two endpoints so that no one else accessing the same network can decrypt the content of a communication.
- the International Patent Publication WO-2013/098424 A1 describes a device and a method of protection against denial of service due to flooding of a computer system connected to a telecommunications network, whose content forms the basis of the present specification.
- the present invention constitutes a clear improvement of the device and method described in the aforementioned document.
- the present invention seeks to solve one or more of the problems set forth above by means of a method and a protective device that protects against denial of service by saturation and is also capable of encrypting and decrypting the communications of a computer system connected to a telecommunications network, thereby avoiding MIM attacks.
- An aspect of the invention is to provide an integrated protective device that identifies or recognizes malicious data packets, associated with attacks of the flood attack type, such that the protective device recognizes and protects computers or computer networks from attacks by denial of service, rejecting or retransmitting Ethernet packets of incoming traffic to the internal network, according to certain standards, all with a hardware configuration specifically designed for it.
- a decision tree is provided herein in which the manner of recognizing malicious data packets and their rejection is defined, whose flow diagram will be explained later in relation to Figure 3C.
- the number of analysis rules implemented in this device can vary and consequently can be increased by modifying the rejection policy in charge of making the decisions to transmit (or not) an Ethernet packet.
- This policy is recorded on the protective device itself, by its introduction using, for example, the USB connection of that device.
- the data packets that circulate in the opposite direction, that is, those that come from the computer, computer network or node to be protected and are directed towards the users connected to them, can be encrypted following the same technique and flow diagram of Figure 3B; depending on the port, application or IP address, the information is encrypted with a specific method and password.
- Still another aspect of the present invention is to provide a protective device that prevents saturation of the bandwidth at the entrance of the attacked system and, in addition, prevents all computer resources of said system from being consumed.
- Still another aspect of the invention is to provide a flood protection device for DoS attacks from an external network.
- the protective device may be connected, on the one hand, to the communications network, such as the Internet, and on the other hand, to the internal network to be protected, consisting of one or more computers that are the object of the attack or of a network node; more than one protective device can even be connected in series in order to increase the protection capabilities.
- the protective devices can be connected in series, being able to implement rules against different denial of service attacks according to the different connected devices, in order to improve security if a device by itself becomes overloaded.
- two or more devices can be connected in series in order to improve security, if the bandwidth were such that it would be more convenient to separate the encryption and decryption stages into two different devices.
- a further aspect of the invention is to provide a protective device comprising a general purpose programmable logic device, a Field Programmable Gate Array (FPGA), composed of logic blocks linked by programmable connections and governed, for example, by a microprocessor.
- FPGA Field Programmable Gate Array
- Another possible aspect of the invention is to be able to provide a protective device comprising at least one FPGA or two connected in series, which may be negatively fed back.
- the negative feedback is that the first FPGA, to which the data packets arrive, is responsible for filtering the data packets that the second FPGA estimates as part of an attack.
- Another additional aspect of the present invention is to be able to supply a device with more than two FPGAs, with different functionalities (encryption, decryption, filtering and detection of DoS attacks) governed by the same microprocessor.
- Said microprocessor is electronically connected in parallel with the FPGAs that comprise the system.
- Still another additional aspect of the invention is to provide a protective device comprising at least one FPGA directly connected by its media access control, MAC, to a microprocessor that in turn is connected to a high speed access memory unit.
- MAC media access control
- These connections between the FPGA MAC and the microprocessor are of the serial-parallel type.
- a further aspect of the invention is to provide a protective device comprising at least one FPGA directly connected by its MAC to two microprocessors, each of which is in turn connected to a high speed access memory unit. These connections between the microprocessors and the memories are in parallel.
- Still another aspect of the invention is to provide a protective device without an assigned or determined IP address, at least not for the external network, which therefore cannot be attacked because it has no visibility on the network itself and is not an addressable device from upstream.
- Figure 1A shows a simplified block diagram of a telecommunications network such as the Internet, connected to a protection device (1) according to the invention and to a computer network;
- Figure 1B shows a simplified block diagram of a telecommunications network such as the Internet, connected to the protection device (1) according to the invention and to the computer network through a firewall (2), illustrating that the protection device is compatible with this configuration;
- Figure 1C shows a simplified block diagram of a telecommunications network such as the Internet, with the protective device (1) of the invention connected within the network to a node on which the connection of critical points of the telecommunications network depends;
- FIG. 2A shows a simplified block diagram of the protection device (1) according to the invention, comprising physical layer connectors of Ethernet interfaces, PHY, (50) and (56), an FPGA (52) with its media access control, MAC, (51) connected to a microprocessor (53), in turn connected to two solid-state fast access memories (54) and (55);
- FIG. 2B shows a simplified block diagram of the protection device (1) according to the invention, comprising physical layer connectors of Ethernet interfaces, PHY, (50) and (56), an FPGA (52) connected to two microprocessors (53) and (62), each in turn connected to two solid-state fast access memories, (54), (55), (63) and (64);
- FIG. 2C shows a simplified block diagram of the protection device (1) according to the invention, comprising physical layer connectors of Ethernet interfaces, PHY, (50) and (56), two FPGAs (52) and (57) in turn connected to two microprocessors (53) and (62) respectively through the media access control, MAC, of each FPGA, (51) and (58) respectively, where each microprocessor is in turn connected to two solid-state fast access memories (54), (55), (63) and (64);
- FIG. 2D shows a simplified block diagram of the protection device (1) according to the invention, comprising physical layer connectors of Ethernet interfaces, PHY, (50) and (56), two FPGAs (52) and (57) with their respective media access controls, MAC, (51) and (58) connected to a microprocessor (53) which in turn is connected to two solid-state fast access memories (54) and (55);
- Figure 3A shows a simplified flow chart representing the decision tree applied by the protection device (1) according to the invention when reading the information packets that arrive upstream through the telecommunications network, in order to filter and/or decrypt the incoming data packets before transmitting them downstream;
- Figure 3B shows a flowchart depicting the decision tree applied by the protection device (1) of the present invention in the encryption or decryption stage mentioned in Figure 3A, and
- Figure 3C shows a flow chart depicting the decision tree that applies the protection device (1) according to the invention, in the filtering stage, against denial of service attacks, mentioned in Figure 3A.
- the protection device (1) proposed by the present invention has been designed so that it is connectable, on the network side, through an Ethernet network line, to a telecommunications network for the transport of IP datagram type data packets and, on the client side, so that it is connectable, also through an Ethernet network line, to a computer, computer system or network, in order to recognize or identify packets received from an attacking sender and to encrypt and decrypt data packets whose destination is a computer connected downstream of the protection device (1).
- the protection device (1) is capable of receiving all the network packets whose recipient is located downstream of the protection device (1); consequently, the protection device (1) is adapted to analyze the Ethernet packets that come from the upstream transmitter and are destined for the system downstream of, or behind, the protection device (1).
- a recipient computer receives a plurality of "malicious" packets, generated from at least the same source computer, connectable to the destination computer via the network connection.
- the protection device (1) is programmed to receive all network packets through an input / output interface (3), process them and analyze them at a low level through a custom programmable hardware system, being able to identify and block those considered attackers, and retransmit those that are not considered as such.
- the traffic of data packets coming from the upstream network passes through the physical layer connectors of the Ethernet interfaces (PHY) (50) connected to the data packet input interface, and then through the media access control (MAC) input (51) implemented in the FPGA, which allows the microprocessor to access the information in the data packets in order to perform filtering at the link layer level, avoiding having to pass to upper layers and thus performing these operations in a smaller number of clock cycles.
- PHY Ethernet interfaces
- MAC media access control
- the Ethernet Type (indicator of the frame encapsulation protocol) is extracted from the Ethernet frame in addition to the IP and TCP headers, corresponding to the network and transport layers, at the physical layer level.
- This information passes from the input FPGA (52) to the microprocessor (53) responsible for governing that FPGA through Direct Memory Access (DMA) (54), (55).
- DMA Direct Memory Access
- the data packets that enter the device sequentially can be read in parallel from a memory (DMA) to facilitate their processing, and thus these operations can be performed in a very small number of clock cycles.
- to determine whether a frame fits the scheme used in DoS attacks, the device must perform an ordered set of mathematical operations, an algorithm, in which the characteristics of each different denial of service attack are checked (see the flowcharts of Figures 3A to 3C).
- the protective device has an SRAM memory directly connected to the microprocessor (53) responsible for governing one or more FPGAs, which serves to save the already filtered IP addresses, and another SRAM memory that acts as temporary memory for the encryption and decryption calculations.
- when a data packet meets the requirements and the number of packets from which an IP address is blocked (filtered) has been exceeded, the device stores that IP together with a time stamp in the SRAM memory. In this way, each time a frame that matches the scheme is reviewed by the software, the software first checks the SRAM memory to see whether that IP is blocked or not and acts accordingly, achieving a higher processing speed.
- the IP address of each data packet is compared with those previously stored in the SRAM memory in very few clock cycles. That is, the information arrives through the Ethernet connection (50) or (56) and is extracted at the link layer level by the microprocessor, which checks the various fields that indicate whether a packet complies with the scheme required to be identified as a possible attack. If the packet is identified as a possible attack, the microprocessor checks whether the address is stored in the SRAM memory responsible for storing IP addresses. If the address is in memory and the blocking of that IP is still active (within the time range given by a time stamp held in a memory cell adjacent to the cell that stores the corresponding IP address), the packet is discarded.
- otherwise, the microprocessor adds that address to the SRAM memory along with the time stamp.
- when a data packet is detected to be part of a denial of service attack, the packet is discarded instantly in the FPGA upon receipt of the instructions from the microprocessor, except for its IP address, TCP header and Ethernet type, which are stored in the SRAM memory for comparison with subsequent packets.
- the software must scan the memory to check whether that IP has already been blocked. In situations where the number of IPs stored in the SRAM is small, this is not a problem. When the number of stored IPs is high, the system may have to traverse the entire memory to find (or fail to find) a specific IP address. To avoid this, since it would penalize system performance, the software divides the memory into blocks of identical size and uses the last octet of the IP address to select the memory block in which that IP must be stored or searched for.
- the IP address memory is specially integrated in the system so that the microprocessor can use the IP address itself as part of the information to be sent via the address bus to the memory unit.
- the microprocessor applies an offset to the memory's base address according to the block in which the IP address must be searched for or saved. Once the base address is obtained, the microprocessor increases the offset, at the physical layer level via the address bus, until the end of the memory is reached, the first empty position is found, or a positive search result is obtained.
- the task of increasing the offset to traverse the different memory positions can be carried out by a separate element, independent of the microprocessor and directly connected between the microprocessor and the SRAM memory, comprising a memory buffer and an electronic counter capable of operating at the physical layer level, thus freeing the microprocessor from this task so that it can focus on other operations.
- if a data packet is not deemed part of a denial of service attack, it is retransmitted in the shortest possible time. That is, once the necessary operations have been carried out on a packet in the microprocessor, the microprocessor indicates to the Scatter-Gather Direct Memory Access (SGDMA) controller
- SGDMA Scatter-Gather Direct Memory Access
- the base address at which the packet to be transmitted downstream is located. Once the SGDMA receives this address, it transforms the information (which at this point is in parallel form) into a serial data stream that can be received by the system's transmission MAC for downstream retransmission.
- the data packets coming from the PHY (50) of the data input interface from downstream are passed to the FPGA module, which in turn sends the data to the microprocessor (53) for encryption if the ports or application require it, before retransmitting the data packet to the PHY interface for upstream data output; if the information is not to be encrypted, the traffic does not pass through the microprocessor, avoiding unwanted delays.
- the number of packets from which an IP address is filtered, as well as the time that IP remains blocked, can be modified at the will of the device's owner by means of a computer program or through two rotary switches present on the PCB.
- An effect of the mode of action of the protection device (1) is to reduce the number of packets that the recipient computer receives, preventing the computer or computer system from being saturated by having to attend to an abnormally large number of packets in a short period of time.
- the service provider or set of service providers are protected against a denial of service attack by flooding by the protection device (1), which helps prevent the computer network that is the victim of the attack from losing connectivity through consumption of the bandwidth available in the protected network itself.
- the protection device (1) collaborates in reducing the load of the computer resources of the system victim of an attack.
- the flood attack can cause the attacked computer to malfunction, but not its disconnection from the transport network.
- the protection device (1) performs a filtering step where a number of IP data packets can be rejected based on a rejection policy executed by the protection device itself (1).
- the rejection policy applied by the protection device (1) is a function of the bandwidth occupied at each moment, the number of packets received per unit of time and the type of firewall (2) connected between the protection device (1) and the computer network.
- the rejection policy applied is variable depending on the above parameters, that is, if the occupancy of the bandwidth is high, the rejection policy determines that the protective device raises the number of similar Ethernet packets rejected.
- An administrator of the protection device (1) can modify the threshold values of occupied bandwidth and of the number of packets received by the protection device (1) above which malicious request packets may be rejected, in order to provide correctly sized network traffic to its infrastructure. For example, the administrator could keep the computer network connected to the external network even if the network's operation is not optimal because it is receiving a number of malicious packets below the defined threshold.
- the flood attack protection procedure described above can also be applied to protect a computer network against distributed denial of service (DDoS) saturation attacks in which the source IP addresses of the malicious packets are not repeated.
- the input / output network interface (3) comprises at least one Ethernet connector for the unprotected external network and another for the internal network to be protected.
- the protection device (1) is powered by a power supply, battery type, rechargeable battery, power source or similar, both through a standard USB connector and through its expansion slot.
- In addition, firmware and general software updates of the protection device (1) are possible via the USB connection.
- An advantage of this is that the administrator of the protection device (1) can update the rules governing the decision to reject (or not) a data packet from a communication network, such as the Internet, in the event that new forms of denial of service attacks appear.
- the algorithm comprises, for this purpose, programmed instructions for executing the steps of the aforementioned process, and the programmed instructions can be recorded on a readable carrier medium within the device.
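As an added illustration (not code from the patent or from the device's firmware), the following C model ties together the link-layer header extraction, the SRAM block table selected by the last octet of the source IP, the time-stamped blocking and the owner-set threshold described in the definitions above. The table sizing, the single scheme checked (a bare TCP SYN), the drop on truncated headers and the frame builder are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BLOCKS          256    /* one block per value of the last IP octet */
#define SLOTS_PER_BLOCK 8      /* entries per block (assumed sizing) */
#define ETHERTYPE_IPV4  0x0800
#define PROTO_TCP       6
#define TCP_FLAG_SYN    0x02
#define TCP_FLAG_ACK    0x10

typedef enum { VERDICT_FORWARD = 0, VERDICT_DROP = 1 } verdict_t;

/* One SRAM entry: the IP, a packet count and, in the adjacent cell, the time
 * stamp until which it is blocked (0 = not blocked). ip == 0 marks an empty slot. */
typedef struct { uint32_t ip, count, blocked_until; } entry_t;
static entry_t  table[BLOCKS][SLOTS_PER_BLOCK];
static uint32_t packet_threshold = 100; /* packets before an IP is filtered */
static uint32_t block_seconds    = 60;  /* seconds an IP stays blocked */

/* The two values the owner may set, by program or by the two rotary switches. */
void filter_configure(uint32_t threshold, uint32_t seconds) { packet_threshold = threshold; block_seconds = seconds; }
void filter_reset(void) { memset(table, 0, sizeof table); }

/* Fields extracted at the link layer: EtherType plus the IP and TCP headers;
 * ok is false when the frame is shorter than the headers it claims to carry. */
typedef struct { bool ok; uint16_t ethertype; uint32_t src_ip; uint8_t protocol, tcp_flags; } frame_info_t;

frame_info_t parse_frame(const uint8_t *f, size_t len) {
    frame_info_t fi = {0};
    if (len < 14) return fi;                                  /* Ethernet header */
    fi.ethertype = (uint16_t)((f[12] << 8) | f[13]);
    if (fi.ethertype != ETHERTYPE_IPV4) { fi.ok = true; return fi; }
    if (len < 14 + 20) return fi;
    size_t ihl = (size_t)(f[14] & 0x0F) * 4;                  /* IPv4 header length */
    if (ihl < 20 || len < 14 + ihl) return fi;
    fi.protocol = f[14 + 9];
    fi.src_ip = ((uint32_t)f[26] << 24) | ((uint32_t)f[27] << 16) | ((uint32_t)f[28] << 8) | f[29];
    if (fi.protocol == PROTO_TCP) {
        if (len < 14 + ihl + 20) return fi;
        fi.tcp_flags = f[14 + ihl + 13];                      /* TCP flags byte */
    }
    fi.ok = true;
    return fi;
}

/* The one attack scheme modelled here: a bare TCP SYN (SYN set, ACK clear). */
static bool matches_scheme(const frame_info_t *fi) {
    return fi->ethertype == ETHERTYPE_IPV4 && fi->protocol == PROTO_TCP &&
           (fi->tcp_flags & (TCP_FLAG_SYN | TCP_FLAG_ACK)) == TCP_FLAG_SYN;
}

/* Walk the block chosen by the last octet until the IP is found, the first
 * empty position is reached (the IP is stored there) or the block ends. */
static entry_t *find_or_insert(uint32_t ip) {
    entry_t *blk = table[ip & 0xFF];
    for (size_t i = 0; i < SLOTS_PER_BLOCK; i++) {
        if (blk[i].ip == ip) return &blk[i];
        if (blk[i].ip == 0) { blk[i].ip = ip; return &blk[i]; }
    }
    return NULL;
}

/* Decide one incoming frame at time `now` (seconds). */
verdict_t filter_frame(const uint8_t *f, size_t len, uint32_t now) {
    frame_info_t fi = parse_frame(f, len);
    if (!fi.ok) return VERDICT_DROP;                   /* headers cannot be validated */
    if (!matches_scheme(&fi)) return VERDICT_FORWARD;  /* not in the scheme: retransmit */
    entry_t *e = find_or_insert(fi.src_ip);
    if (e == NULL) return VERDICT_FORWARD;             /* block full: IP cannot be tracked */
    if (e->blocked_until != 0) {
        if (now < e->blocked_until) return VERDICT_DROP; /* blocking still active */
        e->blocked_until = 0;                          /* expired: count from scratch */
        e->count = 0;
    }
    if (++e->count >= packet_threshold) {
        e->blocked_until = now + block_seconds;        /* time stamp beside the IP */
        return VERDICT_DROP;
    }
    return VERDICT_FORWARD;
}

/* Constructed sample input: a minimal 54-byte Ethernet/IPv4/TCP frame with the
 * given source address and TCP flags (checksums deliberately left zero). */
size_t build_tcp_frame(uint8_t *buf, uint32_t src_ip, uint8_t tcp_flags) {
    memset(buf, 0, 54);
    buf[12] = 0x08; buf[13] = 0x00;                    /* EtherType IPv4 */
    buf[14] = 0x45; buf[17] = 40;                      /* version 4, IHL 5, total length 40 */
    buf[22] = 64;   buf[23] = PROTO_TCP;               /* TTL, protocol */
    buf[26] = (uint8_t)(src_ip >> 24); buf[27] = (uint8_t)(src_ip >> 16);
    buf[28] = (uint8_t)(src_ip >> 8);  buf[29] = (uint8_t)src_ip;
    buf[30] = 10;   buf[33] = 1;                       /* destination 10.0.0.1 */
    buf[46] = 0x50; buf[47] = tcp_flags;               /* TCP data offset 5, flags */
    return 54;
}
```

A full block means an address with that last octet can no longer be tracked, so the block size is the sizing decision a real device would have to make against the number of distinct sources it expects.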
Description
DEVICE AND METHOD OF PROTECTION IN COMMUNICATION NETWORKS
DESCRIPTION
Object of the invention
The present invention relates to a device and a method of protection in communication networks, in particular a hardware device and a method specifically designed to provide protection against denial of service (DoS) attacks by flooding of a computer system, capable of encrypting and decrypting the information that flows through it, connected to a telecommunications network, thereby also acting as a method of protection against information theft attacks through illicit access to the telecommunications network used.
State of the art
The use of security devices that protect computers, computer systems or critical network nodes against attacks that attempt to saturate them by sending them disproportionate quantities of data packets, which the attacked system cannot process because its resources overflow, is a known practice. Compared with software protection means installed on the very computer to be protected, hardware protection devices offer the advantages of rapid evaluation and response, reduced system latency and lower consumption of the resources the protected computer itself needs in order to stop the attack.
European Patent EP-2 256 298 and US patent application publication US-2003/0065943 A1 refer to a protection system based on a personal computer that rejects received data packets that violate a given packet rejection policy. The device checks that the length and checksum of each received IP data packet match the information declared in the header of the IP packet itself. The weakness of this type of system is that it requires oversized hardware to operate, which is not embedded and is of considerable dimensions. The algorithms introduced may not be easily extensible or modifiable.
There are also other patent documents and patent applications, such as US patent application publication US-2005/0144467 A1, which seek to solve the stated problem from the perspective of deploying a firewall that performs packet filtering in software; this falls outside the purpose and content of this patent, both because it has the weaknesses cited above and because the protection relies on algorithms implemented in software.
Defining the problem to be solved in detail: a plurality of computers are connected so as to transmit data through a telecommunications network of the Internet type, carrying data packets over these communication channels between the computers connected at the ends of those channels. Each computer is associated with an IP address, so that every IP packet carried by the transport network includes a source and a destination address in order to allow it to be routed correctly.
Although the nodes of the communications network do not, strictly speaking, have an assigned IP address, attacking them is fairly simple if their geographical location is known, by attacking the IP addresses that depend on the node itself.
For example, in a "SYN flood" attack, whoever wishes to carry out this type of attack against a given computer with a given IP sends a large number of connection establishment request packets (when the TCP protocol is used), with the aim of saturating the computer's ports with a flow of information, causing the computer to become overloaded and therefore unable to continue providing services; this is why it is called a "denial attack", since it makes the computer unable to handle user request packets, causing a service or resource to be inaccessible to legitimate users. The attacked computer therefore denies service to legitimate users, this technique being known as a denial of service attack by service saturation, that is, a Denial of Service Attack (DoS), or a Distributed Denial of Service Attack (DDoS) when the origin is multiple attacking computers.
El elevado tráfico generado por las computadoras atacantes parece tráfico legal en la capa de transporte, siendo complicado filtrarlo de manera efectiva con un cortafuegos (firewall) sin consumir el 100% de los recursos del propio cortafuegos, dejando pues así a la computadora atacada sin recursos disponibles para atender a los usuarios legítimos. The high traffic generated by the attacking computers seems to be legal traffic in the transport layer, being difficult to filter it effectively with a firewall without consuming 100% of the resources of the firewall itself, thus leaving the attacked computer without resources available to serve legitimate users.
Consecuentemente, existe en el estado actual de la técnica una necesidad de reducir la denegación de servicio de una computadora a usuarios legítimos, sin que sea necesaria la utilización de un cortafuegos aguas abajo, cuya efectividad radica en reglas definidas mediante software y en los recursos de hardware disponibles, obligando estas técnicas a incrementar los propios recursos del cortafuegos si se desea lograr una mayor efectividad del sistema. Consequently, there is a need in the current state of the art to reduce the denial of service of a computer to legitimate users, without the need for the use of a downstream firewall, whose effectiveness lies in rules defined by software and in the resources of available hardware, forcing these techniques to increase their own firewall resources if you want to achieve greater system effectiveness.
La característica del dispositivo protector de cifrar y descifrar la información que fluye a través de él, responde a la problemática de la existencia de intrusos o atacantes que desean realizar un ataque de Man in the Middle (MIM) . Estos ataques se basan en el hecho de poder leer las comunicaciones no cifradas, obtener datos sensibles de seguridad, como por ejemplo las contraseñas, credenciales o certificados electrónicos, etc., de la víctima del ataque que transmite esta información por la red de telecomunicaciones existente. La capacidad de crear redes privadas virtuales, VPN, entre ordenadores separados por la red pública de telecomunicaciones permite solucionar parcialmente esta problemática de los ataques de Man in The Middle. The characteristic of the protective device to encrypt and decrypt the information that flows through it, responds to the problem of the existence of intruders or attackers who wish to carry out a Man in the Middle (MIM) attack. These attacks are based on the fact of being able to read the unencrypted communications, obtain sensitive security data, such as passwords, credentials or electronic certificates, etc., of the victim of the attack that transmits this information over the existing telecommunications network . The ability to create virtual private networks, VPNs, between computers separated by the public telecommunications network allows partially solving this problem of Man in The Middle attacks.
Una red VPN es simplemente una red en la que entre punto y punto se utiliza un algoritmo de encriptación para que nadie que acceda a la misma red pueda descifrar el contenido de una comunicación. A VPN network is simply a network in which an encryption algorithm is used between point to point so that no one accessing the same network can decrypt the content of a communication.
El hecho de utilizar un programa de ordenador, software, para cifrar y descifrar las comunicaciones entre dos ordenadores es de sobra conocido, siendo el método de cifrado y la forma de ejecutar el cifrado, las opciones con las que cuenta un usuario y que distinguen un sistema de otro. The fact of using a computer program, software, to encrypt and decrypt communications between two computers is well known, being the encryption method and the way to execute the encryption, the options that a user has and that distinguish a other system.
Uno de los problemas a los que se enfrente un usuario es pensar que se encuentra en una red de comunicación segura sin estarlo, ya sea mediante un spoofing de los certificados SSL o porque su ordenador se encuentre infectado por un virus informático. Dichos virus informáticos pueden alterar los certificados SSL y dar la impresión de estar cifrando la información saliente sin realmente estarlo. One of the problems that a user faces is to think that he or she is in a secure communication network without being one, either through a spoofing of the SSL certificates or because their computer is infected by a computer virus. Such computer viruses can alter SSL certificates and give the impression of being encrypting outgoing information without actually being.
El documento de publicación de Patente Internacional WO-2013/098424 Al describe un dispositivo y un método de protección contra la denegación de servicio Dos por inundación de un sistema de ordenadores conectados a una red de telecomunicaciones cuyo contenido subyace en la base de la presente memoria. La presente invención constituye un claro perfeccionamiento del dispositivo y método descritos en el citado documento anterior. The International Patent Publication Document WO-2013/098424 Al describes a device and a method of protection against denial of service Two due to flooding of a computer system connected to a telecommunications network whose content underlies the basis of the present specification. The present invention constitutes a clear improvement of the device and method described in the aforementioned document.
Summary
The present invention seeks to solve one or more of the drawbacks set out above by means of a method and a protective device against denial of service by saturation that is also capable of encrypting and decrypting the communications of a computer system connected to a telecommunications network, thereby preventing MIM-type attacks.
One aspect of the invention is to provide an integrated protective device that identifies or recognizes malicious data packets associated with flood-type attacks, such that the protective device recognizes and protects computers or computer networks from denial of service attacks by rejecting or retransmitting Ethernet packets of the traffic entering the internal network according to defined rules, all with a hardware configuration specifically designed for this purpose.
Recognizing a denial of service attack is well known, but it is inefficient to carry out in software because of the amount of CPU resources it consumes.
This specification provides a decision tree that defines how malicious data packets are recognized and rejected; its flow diagram will be explained later in relation to Figure 3C. The number of analysis rules implemented in this device can vary and can accordingly be increased by modifying the rejection policy responsible for deciding whether or not to transmit an Ethernet packet. This policy is recorded in the protective device itself, being loaded using, for example, the device's USB connection.
The flow diagram of how the data packets are decrypted will be explained later in relation to Figure 3B. That figure illustrates the data traffic entering the protective device from upstream. The number of decryption methods in this device can be increased by modifying the firmware using the device's USB connection.
As for the data packets travelling in the opposite direction, that is, those coming from the computer, computer network or node to be protected and directed towards the users connected to them, these can be encrypted following the same technique and the flow diagram of Figure 3B; depending on the port, application or IP address, the information is encrypted with a specific method and key.
Yet another aspect of the present invention is to provide a protective device that prevents saturation of the bandwidth at the input of the attacked system and, in addition, prevents all of that system's computing resources from being consumed.
Still another aspect of the invention is to provide a device protecting against flood DoS attacks originating from an external network. The protective device can be connected, on one side, to the communications network, such as the Internet, and on the other side, to the internal network to be protected, made up of one or more computers providing the service under attack or a network node; more than one protective device may even be connected in series in order to increase the protection capabilities.
The protective devices can be connected in series, and different rules against denial of service attacks can be implemented in the different connected devices, in order to improve security should a single device become overloaded.
Likewise, two or more devices can be connected in series to improve security if the bandwidth were such that it is more convenient to separate the encryption and decryption stages into two different devices.
A further aspect of the invention is to provide a protective device comprising a programmable general-purpose logic device composed of logic blocks communicating through programmable connections, an FPGA (Field Programmable Gate Array), governed for example by a microprocessor.
Another possible aspect of the invention is to provide a protective device comprising at least one FPGA, or two connected in series, which may have negative feedback. The negative feedback consists in the first FPGA, which receives the data packets, being responsible for filtering the data packets that the second FPGA judges to be part of an attack.
Another additional aspect of the present invention is to provide a device with more than two FPGAs having different functions (encryption, decryption, filtering and detection of DoS attacks) governed by the same microprocessor. That microprocessor is electronically connected in parallel with the FPGAs that make up the system.
Yet another additional aspect of the invention is to provide a protective device comprising at least one FPGA connected directly, through its media access control (MAC), to a microprocessor that in turn is connected to a high-speed access memory unit. The connections between the FPGA's MAC and the microprocessor are of the serial-parallel type.
A further aspect of the invention is to provide a protective device comprising at least one FPGA connected directly through its MAC to two microprocessors, each of which is in turn connected to a high-speed access memory unit. The connections between the microprocessors and the memories are parallel.
Yet another aspect of the invention is to provide a protective device with no assigned or determined IP address, at least not facing the external network, and which therefore cannot be the target of an attack, since it has no visibility on the network itself because it is not a device addressable from upstream.
Brief description of the figures
A more detailed explanation of the device according to embodiments of the invention is given in the following description based on the attached figures, in which:
Figure 1A shows a simplified block diagram of a telecommunications network such as the Internet, connected to a protection device (1) according to the invention and to a computer network;
Figure 1B shows a simplified block diagram of a telecommunications network such as the Internet, connected to the protection device (1) according to the invention and to the computer network through a firewall (2), illustrating that the protection device is compatible with this configuration;
Figure 1C shows a simplified block diagram of a telecommunications network such as the Internet, with the protective device (1) of the invention connected within the network to a node on which the connection of critical points of the telecommunications network depends;
Figure 2A shows a simplified block diagram of the protection device (1) according to the invention, comprising Ethernet interface physical layer connectors (PHY) (50) and (56), an FPGA (52) with its media access control (MAC) (51) connected to a microprocessor (53), which in turn is connected to two fast-access solid-state memories (54) and (55);
Figure 2B shows a simplified block diagram of the protection device (1) according to the invention, comprising Ethernet interface physical layer connectors (PHY) (50) and (56), an FPGA (52) connected to two microprocessors (53) and (62), each in turn connected to two fast-access solid-state memories (54), (55), (63) and (64);
Figure 2C shows a simplified block diagram of the protection device (1) according to the invention, comprising Ethernet interface physical layer connectors (PHY) (50) and (56), two FPGAs (52) and (57) connected in turn to two microprocessors (53) and (62) respectively, through the MAC media access control of each FPGA, (51) and (58) respectively, with each microprocessor in turn connected to two fast-access solid-state memories (54), (55), (63) and (64);
Figure 2D shows a simplified block diagram of the protection device (1) according to the invention, comprising Ethernet interface physical layer connectors (PHY) (50) and (56), two FPGAs (52) and (57) with their respective MAC media access controls (51) and (58) connected to a microprocessor (53), which in turn is connected to two fast-access solid-state memories (54) and (55);
Figure 3A shows a simplified flow diagram representing the decision tree applied by the protection device (1) according to the invention when reading the information packets arriving through the telecommunications network from upstream, in order to filter and/or decrypt the incoming data packets before transmitting them downstream;
Figure 3B shows a flow diagram representing the decision tree applied by the protection device (1) of the present invention in the decryption stage mentioned in Figure 3A, and
Figure 3C shows a flow diagram representing the decision tree applied by the protection device (1) according to the invention in the filtering stage against denial of service attacks mentioned in Figure 3A.
Description of an embodiment
According to a preferred embodiment, the protection device (1) proposed by the present invention has been designed so that, on the network side, it is connectable through an Ethernet network line to a telecommunications network transporting data packets of the IP datagram type and, on the client side, it is configured so that it is connectable, also through an Ethernet network line, to a computer or to a computer system or network, in order to recognize or identify the packets received from an attacking sender and to encrypt and decrypt data packets whose destination is a computer connected downstream of the protection device (1).
The protection device (1) is therefore able to receive all the network packets whose recipient is located downstream of the protection device (1), and consequently the protection device (1) is adapted to analyze the Ethernet packets coming from the sender upstream and destined for the system downstream of, or behind, the protection device (1).
In a scenario where a flood attack takes place, a destination computer receives a plurality of "malicious" packets generated from at least one source computer, connectable to the destination computer through the network connection. The protection device (1) is programmed to receive all network packets through an input/output interface (3), process them and analyze them at a low level by means of a custom programmable hardware system, being able to identify and block those considered to be attack packets and to retransmit those that are not.
The data packet traffic coming from the upstream network passes through the Ethernet interface physical layer connectors (PHY) (50), connected to the data packet input interface, and then through the media access control (MAC) input (51) implemented in the FPGA, which gives the microprocessor access to the information in the data packets so that filtering can be performed at the link layer level, avoiding the need to pass to higher layers and thus allowing these operations to be performed in a smaller number of clock cycles.
To perform the filtering, the Ethernet Type (indicator of the frame's encapsulated protocol) is extracted from the Ethernet frame, together with the IP and TCP headers corresponding to the network and transport layers, at the physical layer level. This information passes from the input of the FPGA (52) to the microprocessor (53) responsible for governing that FPGA through direct memory access (DMA) (54), (55). In this way, the data packets that enter the device sequentially can be read in parallel from a memory (DMA) to facilitate their processing, and these operations can thus be performed in a very small number of clock cycles. It is the MAC (51) of the FPGA (52) itself that manages the DMA (54) and (55) so that the packets arriving serially are stored, and the microprocessor (53) then accesses that memory in parallel.
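To make the link-layer extraction concrete, here is an added example in C; it is not the patent's firmware, which the specification does not disclose. It parses a constructed Ethernet frame and pulls out the EtherType, the IPv4 header fields and the TCP header fields that the filtering stage consults, checking every declared length against the bytes actually received before using it as an offset. The MAC addresses, the documentation-range IP addresses and the frame contents are constructed sample data.

```c
/* Added example (not the patent's own code): extraction of the fields the
 * filtering stage needs from a raw Ethernet frame: EtherType, IPv4 header,
 * TCP header. All multi-byte fields are big-endian on the wire. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HDR_LEN      14
#define ETHERTYPE_IPV4   0x0800
#define IPPROTO_TCP_NUM  6
#define TCP_FLAG_SYN     0x02
#define TCP_FLAG_ACK     0x10

struct frame_info {
    uint16_t ethertype;
    uint8_t  ip_proto;
    uint32_t src_ip;     /* host byte order */
    uint32_t dst_ip;
    uint16_t src_port;
    uint16_t dst_port;
    uint8_t  tcp_flags;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Returns 0 and fills *out when the frame carries IPv4/TCP with complete
 * headers; returns -1 for anything else (too short, non-IPv4, non-TCP, or
 * declared header/total lengths that do not fit in the bytes received). */
int parse_frame(const uint8_t *buf, size_t len, struct frame_info *out)
{
    if (len < ETH_HDR_LEN) return -1;
    memset(out, 0, sizeof *out);
    out->ethertype = rd16(buf + 12);
    if (out->ethertype != ETHERTYPE_IPV4) return -1;

    const uint8_t *ip = buf + ETH_HDR_LEN;
    size_t ip_avail = len - ETH_HDR_LEN;
    if (ip_avail < 20) return -1;
    if ((ip[0] >> 4) != 4) return -1;                 /* IP version */
    size_t ihl = (size_t)(ip[0] & 0x0F) * 4;         /* header length in bytes */
    if (ihl < 20 || ihl > ip_avail) return -1;
    size_t total_len = rd16(ip + 2);                  /* declared datagram length */
    if (total_len < ihl || total_len > ip_avail) return -1;
    out->ip_proto = ip[9];
    out->src_ip = rd32(ip + 12);
    out->dst_ip = rd32(ip + 16);
    if (out->ip_proto != IPPROTO_TCP_NUM) return -1;

    const uint8_t *tcp = ip + ihl;
    size_t tcp_avail = total_len - ihl;
    if (tcp_avail < 20) return -1;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;        /* TCP data offset in bytes */
    if (doff < 20 || doff > tcp_avail) return -1;
    out->src_port = rd16(tcp);
    out->dst_port = rd16(tcp + 2);
    out->tcp_flags = tcp[13];
    return 0;
}

/* Constructed sample frame: a bare TCP SYN to port 80, no payload.
 * Returns the frame length written, or 0 if the buffer is too small. */
size_t build_sample_syn_frame(uint8_t *buf, size_t cap)
{
    static const uint8_t eth[ETH_HDR_LEN] = {
        0x00,0x11,0x22,0x33,0x44,0x55,   /* dst MAC (constructed) */
        0x66,0x77,0x88,0x99,0xAA,0xBB,   /* src MAC (constructed) */
        0x08,0x00 };                     /* EtherType IPv4 */
    static const uint8_t ip[20] = {
        0x45,0x00, 0x00,0x28,            /* v4, IHL 5, total length 40 */
        0x00,0x01, 0x00,0x00,            /* id, flags/fragment offset */
        0x40,0x06, 0x00,0x00,            /* TTL 64, protocol TCP, checksum (not validated here) */
        203,0,113,7,                     /* src 203.0.113.7 (documentation range) */
        192,0,2,10 };                    /* dst 192.0.2.10 (documentation range) */
    static const uint8_t tcp[20] = {
        0xC0,0x00, 0x00,0x50,            /* src port 49152, dst port 80 */
        0x00,0x00,0x00,0x01,             /* sequence number */
        0x00,0x00,0x00,0x00,             /* acknowledgement number */
        0x50,0x02,                       /* data offset 5, flags = SYN */
        0xFF,0xFF, 0x00,0x00, 0x00,0x00 }; /* window, checksum, urgent pointer */
    if (cap < ETH_HDR_LEN + 40) return 0;
    memcpy(buf, eth, ETH_HDR_LEN);
    memcpy(buf + ETH_HDR_LEN, ip, 20);
    memcpy(buf + ETH_HDR_LEN + 20, tcp, 20);
    return ETH_HDR_LEN + 40;
}

int main(void)
{
    uint8_t buf[64];
    struct frame_info fi;
    size_t n = build_sample_syn_frame(buf, sizeof buf);
    if (parse_frame(buf, n, &fi) == 0)
        printf("IPv4/TCP %u.%u.%u.%u:%u -> port %u flags 0x%02x\n",
               (unsigned)(fi.src_ip >> 24), (unsigned)((fi.src_ip >> 16) & 0xFF),
               (unsigned)((fi.src_ip >> 8) & 0xFF), (unsigned)(fi.src_ip & 0xFF),
               fi.src_port, fi.dst_port, fi.tcp_flags);
    return 0;
}
```

The parser rejects rather than guesses whenever a length field disagrees with the bytes received, which is the same property the prior-art systems in the background section enforce by comparing declared and actual IP lengths; a frame that fails these checks never reaches the rule evaluation.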
Para determinar si una trama encaja con el esquema utilizado en los ataques DoS, el dispositivo debe realizar un conjunto de operaciones matemáticas ordenadas, un algoritmo, en el que se comprueban las características de cada ataque diferente de denegación de servicio (véanse los diagramas de flujo de las Figuras 3A a 3C) . To determine whether a frame fits the scheme used in DoS attacks, the device must perform a set of ordered mathematical operations, an algorithm, in which the characteristics of each different denial of service attack are checked (see flowcharts of Figures 3A to 3C).
Existe un orden de comprobación preestablecido en el firmware, pudiendo este ser alterado por una notificación electrónica proveniente de aguas abajo por el puerto USB, si el servidor, ordenadores o nodos a proteger por el dispositivo protector (1) estima que la defensa ante un tipo específico de ataque es prioritaria. Esta entrada de información con requerimiento extra de filtrado se muestra claramente en la figura 3C There is a pre-established check order in the firmware, which can be altered by an electronic notification coming from downstream through the USB port, if the server, computers or nodes to be protected by the protective device (1) consider that the defense against a type Specific attack is a priority. This information entry with extra filtering requirement is clearly shown in Figure 3C
El dispositivo protector cuenta con una memoria SRAM conectada directamente al microprocesador (53) encargado de gobernar una o varias FPGAS, que sirve para guardar las direcciones IP ya filtradas y otra memoria SRAM que cumple una función de memoria temporal para realizar los cálculos de cifrado y descifrado de la información. Estas dos memorias pueden llegar a fusionarse en una sola memoria siempre y cuando la memoria interna de la FPGA tenga capacidad suficiente para almacenar la información necesaria para cifrar y descifrar la información. The protective device has an SRAM memory directly connected to the microprocessor (53) responsible for governing one or more FPGAS, which serves to save the already filtered IP addresses and another SRAM memory that fulfills a temporary memory function to perform the encryption calculations and decryption of information. These two memories can be merged into a single memory as long as the internal memory of the FPGA has sufficient capacity to store the information necessary to encrypt and decrypt the information.
When a data packet meets the requirements and the number of packets from which an IP address is blocked (filtered) has been exceeded, the device stores that IP together with a time stamp in the SRAM memory. In this way, each time a frame matching the scheme is examined by the software, the software first checks the SRAM memory to determine whether that IP is blocked or not and acts accordingly. This yields a higher processing speed.
The IP address of each data packet is compared with those previously stored in the SRAM memory in very few clock cycles. That is, the information arrives over the Ethernet connection (50) or (56) and is extracted at link-layer level by the microprocessor, which checks the various fields that indicate whether a packet complies with the scheme required for it to be identified as a possible attack. If the packet is identified as a possible attack, the microprocessor checks whether the address is stored in the SRAM memory responsible for holding IP addresses. If the address is in memory and the block on that IP is still active (within the time range described by a time stamp in a memory cell adjacent to the cell holding the corresponding IP address), the packet is discarded. If the IP address is not found in the SRAM memory, and the criterion for a data packet to be deemed part of a denial-of-service attack, from which an IP is blocked, has been exceeded, the microprocessor adds that address to the SRAM memory together with the time stamp.
When a data packet is detected as part of a denial-of-service attack, the packet is instantly discarded in the FPGA upon receiving the instructions from the microprocessor, except for its IP address, TCP and Ethernet type, which are stored in the SRAM memory for comparison with subsequent packets.
Each time the system receives a new IP, the software must scan the memory to check whether that IP has already been blocked. In situations where the number of IPs stored in the SRAM is small, this is not a problem. When the number of stored IPs is high, the system may have to traverse the entire memory to find (or not find) a given IP address. To avoid this, since it would penalise the performance of the system, the software divides the memory into blocks of identical size. The software uses the last component of the IP address as the method for selecting the memory block into which it should go, or in which it should search for that IP. For this reason, the IP-address memory is integrated into the system in such a way that the microprocessor can use the IP address itself as part of the information sent over the address bus to the memory unit. To perform this operation, the microprocessor applies an offset to the base address of the memory according to the block of IPs in which the IP address must be searched for or stored. Once the base address is obtained, the microprocessor increments the offset, at physical-layer level over the address bus, until the end of the memory is reached, the first empty position is reached, or the search returns a positive result. If greater optimisation is required, the task of incrementing the offset to traverse the different memory positions can be carried out by a separate element independent of the microprocessor and connected directly between the microprocessor and the SRAM memory, comprising a memory buffer and an electronic counter capable of operating at physical-layer level, thus freeing the microprocessor from this task so that it can concentrate on other operations.
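The blocked-IP table described above (IP plus time stamp in SRAM, block selected by the last octet, offset scan until a match, the first empty slot or the end of the block), as an added example in C that is not part of the patent. Keeping the per-IP packet counter in the same slot, a block size of 4 entries and the use of 0 as the empty marker are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define NUM_BLOCKS      256  /* one block per value of the last IPv4 octet */
#define SLOTS_PER_BLOCK 4    /* entries per block: assumed size for this example */

typedef struct {
    uint32_t ip;         /* IPv4 in host order; 0 marks an empty slot (assumed) */
    uint32_t count;      /* suspicious frames seen from ip (assumed placement) */
    bool     blocked;    /* true once ip has been filtered */
    uint32_t blocked_at; /* time stamp stored next to the ip, as in the text */
} ip_slot;

typedef struct {
    ip_slot  sram[NUM_BLOCKS * SLOTS_PER_BLOCK]; /* the blocked-IP SRAM */
    uint32_t packet_threshold; /* packets after which an ip is blocked (rotary switch) */
    uint32_t block_seconds;    /* how long a block stays active (rotary switch) */
} ip_filter;

typedef enum { FWD_PACKET = 0, DROP_PACKET = 1, TABLE_FULL = 2 } verdict;

void filter_init(ip_filter *f, uint32_t threshold, uint32_t block_seconds) {
    memset(f, 0, sizeof *f);
    f->packet_threshold = threshold;
    f->block_seconds = block_seconds;
}

/* Base address of the block: the last octet selects the block, so the ip
 * itself forms part of what goes onto the address bus. */
static size_t block_base(uint32_t ip) {
    return (size_t)(ip & 0xFFu) * SLOTS_PER_BLOCK;
}

/* Increment the offset from the base address until a match, the first empty
 * slot, or the end of the block (the three stop conditions in the text).
 * Returns the matching or first empty slot, NULL if the block is full. */
static ip_slot *find_slot(ip_filter *f, uint32_t ip) {
    size_t base = block_base(ip);
    for (size_t off = 0; off < SLOTS_PER_BLOCK; off++) {
        ip_slot *s = &f->sram[base + off];
        if (s->ip == ip || s->ip == 0)
            return s;
    }
    return NULL;
}

/* Called for a frame that already matched one of the DoS schemes (the
 * flowchart checks themselves are outside this example). */
verdict filter_suspicious(ip_filter *f, uint32_t ip, uint32_t now) {
    ip_slot *s = find_slot(f, ip);
    if (s == NULL)
        return TABLE_FULL;        /* block exhausted; policy is left to the caller */
    if (s->ip == 0) {             /* first sighting: occupy the empty slot */
        s->ip = ip;
        s->count = 1;
        return FWD_PACKET;
    }
    if (s->blocked) {
        if (now - s->blocked_at < f->block_seconds)
            return DROP_PACKET;   /* block still active: FPGA discards the frame */
        s->blocked = false;       /* block expired: start counting afresh */
        s->count = 0;
    }
    s->count++;
    if (s->count > f->packet_threshold) {
        s->blocked = true;        /* store the time stamp beside the ip */
        s->blocked_at = now;
        return DROP_PACKET;
    }
    return FWD_PACKET;
}

/* Fast path the text describes: consult the SRAM before any other work. */
bool filter_is_blocked(ip_filter *f, uint32_t ip, uint32_t now) {
    ip_slot *s = find_slot(f, ip);
    return s != NULL && s->ip == ip && s->blocked &&
           now - s->blocked_at < f->block_seconds;
}
```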
If a data packet is not deemed part of a denial-of-service attack, it is retransmitted in the shortest possible time. That is, once the necessary operations have been carried out on a packet in the microprocessor, the microprocessor indicates to the transmit Scatter-Gather Direct Memory Access (SGDMA) the base address at which the packet to be transmitted downstream is located. Once the SGDMA receives that address, it transforms this information (which at this point is already in parallel format) into a serial data stream that the system's transmit MAC can receive for downstream retransmission.
Traffic coming from the protected system downstream and flowing towards the network does not require filtering: the data packets coming from the PHY (50) of the data-input interface from downstream are connected to the FPGA module, which in turn sends the data to the microprocessor (53) for subsequent encryption if the ports or the application require it, before retransmitting the data packet to the upstream data-output PHY interface; in this way, if the information is not to be encrypted, the traffic does not pass through the microprocessor, avoiding unwanted delays.
If the transmission limit that this basic architecture can offer is reached, two independent microprocessors (53) and (62) are implemented instead of one, each governing an FPGA, (52) and (67) respectively, and each in charge of one direction of the data-packet flow for the encryption and decryption of the packets.
The number of packets from which an IP address is filtered, as well as the time that the IP remains blocked, can be modified at the will of the device's owner by means of a computer program or by means of two rotary switches present on the PCB.
One effect of the mode of operation of the protection device (1) is to reduce the number of packets the destination computer receives, preventing the computer or the computer system itself from becoming saturated by having to serve an abnormally high number of packets in a short period of time.
In summary, the service provider or set of service providers are protected against a flooding denial-of-service attack by the protection device (1), which helps prevent the loss of connectivity of the attacked computer network through the consumption of the bandwidth available in the protected network itself. Likewise, the protection device (1) helps reduce the load on the computational resources of the system under attack. In other scenarios, the flooding attack can cause the attacked computer to malfunction, but not its disconnection from the transport network.
Consequently, the protection device (1) carries out a filtering stage in which a number of IP data packets can be rejected according to a rejection policy executed by the protection device (1) itself.
The rejection policy applied by the protection device (1) is a function of the bandwidth occupied at each instant, of the number of packets received per unit of time and of the type of firewall (2) connected between the protection device (1) and the computer network.
The rejection policy applied varies according to the above parameters; that is, if the bandwidth occupancy is high, the rejection policy makes the protective device increase the number of similar Ethernet packets rejected.
An administrator of the protection device (1) can modify the threshold values of occupied bandwidth and of the number of packets received by the protection device (1) above which malicious request packets may be rejected, in order to provide correct network traffic sized to the network's infrastructure. For example, the administrator could keep the computer network connected to the external network even though the network is not operating optimally because it is receiving a number of malicious packets below the defined threshold.
The flooding-attack protection procedure described above can also be applied to protect a computer network against distributed denial-of-service (DDoS) saturation attacks in which the source IP addresses of the malicious packets are not repeated.
The input/output network interface (3) comprises at least one Ethernet connector for the unprotected external network and another for the internal network to be protected. The protection device (1) is powered by an electrical power supply, of battery, rechargeable battery, current source or similar type, both through a standard USB connector and through its expansion slot.
Through one of the USB connections of the protection device (1), the algorithm programmed to make the decisions to reject (or not) a data packet can be modified and debugged, and the H synthesised for the FPGA, stored in the protection device (1), can be reprogrammed.
In addition, the USB connection allows firmware and general software updates of the protection device (1).
One advantage of this is that the administrator of the protection device (1) can update the rules governing the decision to reject (or not) a data packet coming from a communication network, such as the Internet, should new forms of denial-of-service attacks appear.
For this purpose, the algorithm comprises programmed instructions for executing the steps of the aforementioned process; in addition, the programmed instructions can be recorded on a readable carrier medium within the device.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| PCT/ES2014/000167 WO2016055668A1 (en) | 2014-10-10 | 2014-10-10 | Device and method for protection in communication networks |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| WO2016055668A1 true WO2016055668A1 (en) | 2016-04-14 |
Family
ID=55652619
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/ES2014/000167 Ceased WO2016055668A1 (en) | 2014-10-10 | 2014-10-10 | Device and method for protection in communication networks |
Country Status (1)
| Country | Link |
|---|---|
| WO (1) | WO2016055668A1 (en) |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 14903621; Country of ref document: EP; Kind code of ref document: A1 |
| | NENP | Non-entry into the national phase | Ref country code: DE |
| | 122 | Ep: pct application non-entry in european phase | Ref document number: 14903621; Country of ref document: EP; Kind code of ref document: A1 |