Method, data carrier, computer system and computer programme for the identification and defence of attacks in server of network service providers and operators
Abstract
The invention relates to a method for the identification and defence of attacks on the server systems of network service providers and operators, using an electronic device (4) that can be integrated into a computer network and that comprises a computer programme, and relates to a data carrier which contains a computer programme for carrying out said method. The invention also relates to a computer system which is connected to a network, such as the Internet (6), an intranet or similar, and has one or several computers that are configured as server computers (2) or client computers, and to a computer programme containing computer programme codes for the identification and defence of attacks on server systems. The invention comprises:
- protection against DoS and DDoS attacks (flood attacks),
- link-level security,
- verification of valid IP headers,
- verification of IP packet characteristics,
- TCP/IP fingerprint protection,
- blocking of all UDP network packets,
- exclusion of specific external IP addresses,
- packet-level firewall function,
- protection of accessible services of the target system.
The invention provides the highest possible degree of security and protection against DoS and DDoS attacks.
10 Claims
1. Method for recognizing and refusing attacks on server systems of network providers and operators by means of an electronic device to be implemented in a computer network, this device containing a computer program characterized by the following components and procedure steps:
- defense against DoS and DDoS attacks (flood attacks), whereas each IP SYN (IP connection request) is registered and answered with a SYN ACK to preserve the time restrictions (timeouts) defined in the IP protocol, while the registered SYN packet is checked for validity and for available services in the target system; the connection to the target system is initialized and the received data packet is forwarded to the target system for further processing if the verification was successful and the expected ACK as well as a consecutively following valid data packet has been received from the requesting external system in the meantime, and/or
- link level security, whereas the data packets which have to be checked are received directly from OSI layer 2 (link level), and/or
- examination of valid IP headers, whereas the structure of each IP packet is checked for validity before it is forwarded to the target system and each invalid packet is rejected, and/or
- examination of the IP packet, especially checking the length and the checksum for conformity of the values in the TCP or IP header with the structure of the IP packet, and/or
- TCP/IP fingerprint protection, whereas the answering outgoing data traffic from the secured systems to the requesting external systems is neutralized by using default protocol identifiers, and/or
- blocking of each UDP network packet to avoid attacks on the secured systems via the network protocol UDP (user datagram protocol), by selectively registering and unblocking services required to be reached via UDP, whereas for these UDP ports messages are explicitly admitted and the other UDP ports stay closed, and/or
- length restrictions of ICMP packets (Internet control message protocol), whereas only ICMP messages with a predefined maximal length are identified as valid data and others are rejected, and/or
- exclusion of specific external IP addresses from the communication with the target system, and/or
- packet-level firewall function, whereas incoming and outgoing IP packets are examined by freely definable rules and on the basis of these rules are rejected or forwarded to the target system, and/or
- protection of reachable services of the target system by exclusion of specific services and/or users and/or redirection of service requests to other servers.
Dependent claims: 2, 3, 4, 5, 6, 8.
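The SYN-handling step of claim 1 (the device answers each SYN itself, registers it with a timeout, and initializes the target connection only after the client's ACK and a following valid data packet have arrived) can be modelled as a small state machine. The Python below is an added illustration, not code from the patent; the packet dictionaries, the 30-second default timeout and the action names are constructed assumptions.

```python
import time

class SynProxy:
    """Added example (not the patent's code): answers each SYN itself and opens
    the backend connection only after the client's ACK and a valid data packet."""

    def __init__(self, open_services, timeout=30.0, clock=time.monotonic):
        self.open_services = set(open_services)  # services reachable on the target
        self.timeout = timeout                   # assumed handshake timeout (seconds)
        self.clock = clock                       # injectable for deterministic tests
        self.pending = {}      # flow -> expiry: SYN registered, SYN-ACK sent
        self.acked = set()     # flows whose handshake with the proxy is complete
        self.open = set()      # flows whose target connection has been initialized

    def _expire(self, now):
        # Registered SYNs that never complete the handshake are forgotten, so a
        # flood of half-open requests is absorbed here and never reaches the target.
        for flow in [f for f, exp in self.pending.items() if exp <= now]:
            del self.pending[flow]

    def handle(self, pkt):
        """Return the action for one packet: 'reply' (SYN-ACK to the client),
        'hold' (ACK consumed, target untouched), 'connect' (initialize the target
        connection and forward the first data), 'forward' or 'drop'."""
        now = self.clock()
        self._expire(now)
        flow = (pkt["src"], pkt["sport"], pkt["dport"])
        flags = pkt["flags"]
        if flags == "SYN":
            if pkt["dport"] not in self.open_services:
                return "drop"                     # no such service on the target
            self.pending[flow] = now + self.timeout
            return "reply"                        # SYN-ACK sent on the target's behalf
        if flags == "ACK" and flow in self.pending:
            del self.pending[flow]
            self.acked.add(flow)
            return "hold"
        if flags == "DATA" and pkt.get("payload"):   # a valid data packet carries payload
            if flow in self.open:
                return "forward"
            if flow in self.acked:
                self.acked.discard(flow)
                self.open.add(flow)
                return "connect"                  # only now is the target involved
        return "drop"                             # anything else never reaches the target

    def half_open(self):
        """Registered SYNs still awaiting an ACK: state the proxy, not the target, carries."""
        self._expire(self.clock())
        return len(self.pending)
```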
7. Data carrier containing a computer program for recognizing and refusing attacks on server systems of network service providers and operators for use in an electronic device to be included in a computer network, characterized by the program steps:
- defense against DoS and DDoS attacks (flood attacks), whereas each IP SYN (IP connection request) is registered and answered with a SYN ACK to preserve the time restrictions (timeouts) defined in the IP protocol, while the registered SYN packet is checked for validity and for available services in the target system; the connection to the target system is initialized and the received data packet is forwarded to the target system for further processing if the verification was successful and the expected ACK as well as a consecutively following valid data packet has been received from the requesting external system in the meantime, and/or
- link level security, whereas the data packets which have to be checked are received directly from OSI layer 2 (link level), and/or
- examination of valid IP headers, whereas the structure of each IP packet is checked for validity before it is forwarded to the target system and each invalid packet is rejected, and/or
- examination of the IP packet, especially checking the length and the checksum for conformity of the values in the TCP or IP header with the structure of the IP packet, and/or
- TCP/IP fingerprint protection, whereas the answering outgoing data traffic from the secured systems to the requesting external systems is neutralized by using default protocol identifiers, and/or
- blocking of each UDP network packet to avoid attacks on the secured systems via the network protocol UDP (user datagram protocol), by selectively registering and unblocking services required to be reached via UDP, whereas for these UDP ports messages are explicitly admitted and the other UDP ports stay closed, and/or
- length restrictions of ICMP packets (Internet control message protocol), whereas only ICMP messages with a predefined maximal length are identified as valid data and others are rejected, and/or
- exclusion of specific external IP addresses from the communication with the target system, and/or
- packet-level firewall function, whereas incoming and outgoing IP packets are examined by freely definable rules and on the basis of these rules are rejected or forwarded to the target system, and/or
- protection of reachable services of the target system by exclusion of specific services and/or users and/or redirection of service requests to other servers.
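The packet-inspection components that claims 1 and 7 list (IP header structure, total length and checksum conformity, default-deny UDP with explicitly admitted ports, a maximal ICMP length, and exclusion of specific source addresses) combine into one default-deny filter. The Python below is an added example, not the patent's code; the constructed test packets, the reason strings and the chosen limits are assumptions.

```python
import struct
import ipaddress

UDP, ICMP = 17, 1   # IPv4 protocol numbers

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words; returns 0 for a header whose checksum field is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Constructed test packet (added example): 20-byte header, no options, valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

class PacketFilter:
    """Default-deny filter mirroring the header, UDP, ICMP and source-exclusion components of the claim."""
    def __init__(self, udp_allow_ports, icmp_max_len, excluded_sources):
        self.udp_allow_ports = set(udp_allow_ports)    # UDP ports explicitly admitted
        self.icmp_max_len = icmp_max_len               # predefined maximal ICMP length (assumed value)
        self.excluded = {ipaddress.IPv4Address(a) for a in excluded_sources}

    def check(self, pkt: bytes) -> str:
        """Return 'forward' or 'reject:<reason>' for one raw IPv4 packet."""
        if len(pkt) < 20 or pkt[0] >> 4 != 4:
            return "reject:not-ipv4"
        ihl = (pkt[0] & 0x0F) * 4
        if ihl < 20 or ihl > len(pkt):
            return "reject:bad-ihl"                 # header length inconsistent with the packet
        if struct.unpack("!H", pkt[2:4])[0] != len(pkt):
            return "reject:length-mismatch"         # total length must match what arrived
        if ipv4_checksum(pkt[:ihl]) != 0:
            return "reject:bad-checksum"
        proto, src = pkt[9], ipaddress.IPv4Address(pkt[12:16])
        if src in self.excluded:
            return "reject:excluded-source"
        if proto == UDP:
            if len(pkt) < ihl + 8:
                return "reject:short-udp"
            dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
            return "forward" if dport in self.udp_allow_ports else "reject:udp-closed"
        if proto == ICMP and len(pkt) > self.icmp_max_len:
            return "reject:icmp-too-long"
        return "forward"
```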
9. Computer system connected to a network such as the Internet (6), an intranet or any similar network, containing one or several computers configured as server computer (2) or as client computer, characterized in that a data line to be protected is equipped with an electronic device (4) connected between the network (6) and the server (2) or client computer, this device having a data carrier with a computer program containing the program steps:
- defense against DoS and DDoS attacks (flood attacks), whereas each IP SYN (IP connection request) is registered and answered with a SYN ACK to preserve the time restrictions (timeouts) defined in the IP protocol, while the registered SYN packet is checked for validity and for available services in the target system; the connection to the target system is initialized and the received data packet is forwarded to the target system for further processing if the verification was successful and the expected ACK as well as a consecutively following valid data packet has been received from the requesting external system in the meantime, and/or
- link level security, whereas the data packets which have to be checked are received directly from OSI layer 2 (link level), and/or
- examination of valid IP headers, whereas the structure of each IP packet is checked for validity before it is forwarded to the target system and each invalid packet is rejected, and/or
- examination of the IP packet, especially checking the length and the checksum for conformity of the values in the TCP or IP header with the structure of the IP packet, and/or
- TCP/IP fingerprint protection, whereas the answering outgoing data traffic from the secured systems to the requesting external systems is neutralized by using default protocol identifiers, and/or
- blocking of each UDP network packet to avoid attacks on the secured systems via the network protocol UDP (user datagram protocol), by selectively registering and unblocking services required to be reached via UDP, whereas for these UDP ports messages are explicitly admitted and the other UDP ports stay closed, and/or
- length restrictions of ICMP packets (Internet control message protocol), whereas only ICMP messages with a predefined maximal length are identified as valid data and others are rejected, and/or
- exclusion of specific external IP addresses from the communication with the target system, and/or
- packet-level firewall function, whereas incoming and outgoing IP packets are examined by freely definable rules and on the basis of these rules are rejected or forwarded to the target system, and/or
- protection of reachable services of the target system by exclusion of specific services and/or users and/or redirection of service requests to other servers.
10. Computer programme product containing computer code for recognizing and refusing attacks on server systems of network service providers and operators by means of an electronic device to be included in a computer network, characterized by the program steps:
- defense against DoS and DDoS attacks (flood attacks), whereas each IP SYN (IP connection request) is registered and answered with a SYN ACK to preserve the time restrictions (timeouts) defined in the IP protocol, while the registered SYN packet is checked for validity and for available services in the target system; the connection to the target system is initialized and the received data packet is forwarded to the target system for further processing if the verification was successful and the expected ACK as well as a consecutively following valid data packet has been received from the requesting external system in the meantime, and/or
- link level security, whereas the data packets which have to be checked are received directly from OSI layer 2 (link level), and/or
- examination of valid IP headers, whereas the structure of each IP packet is checked for validity before it is forwarded to the target system and each invalid packet is rejected, and/or
- examination of the IP packet, especially checking the length and the checksum for conformity of the values in the TCP or IP header with the structure of the IP packet, and/or
- TCP/IP fingerprint protection, whereas the answering outgoing data traffic from the secured systems to the requesting external systems is neutralized by using default protocol identifiers, and/or
- blocking of each UDP network packet to avoid attacks on the secured systems via the network protocol UDP (user datagram protocol), by selectively registering and unblocking services required to be reached via UDP, whereas for these UDP ports messages are explicitly admitted and the other UDP ports stay closed, and/or
- length restrictions of ICMP packets (Internet control message protocol), whereas only ICMP messages with a predefined maximal length are identified as valid data and others are rejected, and/or
- exclusion of specific external IP addresses from the communication with the target system, and/or
- packet-level firewall function, whereas incoming and outgoing IP packets are examined by freely definable rules and on the basis of these rules are rejected or forwarded to the target system, and/or
- protection of reachable services of the target system by exclusion of specific services and/or users and/or redirection of service requests to other servers.