Method and device for preventing network attacks

US 20110264908A1
Filed: 04/29/2011
Published: 10/27/2011
Est. Priority Date: 10/31/2008
Status: Active Grant

First Claim

Patent Images

1. A method for preventing network attacks, comprising:

obtaining a data packet, wherein a source address of the data packet is a cryptographically generated address (CGA);

detecting the obtained data packet, and determining whether the data packet comprises a CGA parameter and signature information;

authenticating the CGA parameter if the data packet comprises the CGA parameter and the signature information, and authenticating the signature information according to the successfully-authenticated CGA parameter; and

sending the data packet to a destination address after the signature information is authenticated.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for preventing network attacks is provided, which includes: obtaining a data packet, where a source address of the data packet is a cryptographically generated address (CGA); determining that the obtained data packet includes a CGA parameter and signature information; authenticating the CGA parameter; authenticating the signature information according to the authenticated CGA parameter; and sending the data packet to a destination address when the signature information is authenticated. Accordingly, a device for preventing network attacks is also provided. A CGA parameter used by a data packet is directly used to ensure authenticity of a source address of the data packet, thus preventing network attacks performed by counterfeiting the address. In addition, by authenticating signature information, authenticity of identification of a sender of the data packet and bound address of the sender of the data packet are further ensured. Therefore, illegal data packets are filtered to prevent network attacks on servers, thus improving network security.

Citations

14 Claims

1. A method for preventing network attacks, comprising:
- obtaining a data packet, wherein a source address of the data packet is a cryptographically generated address (CGA);
  
  detecting the obtained data packet, and determining whether the data packet comprises a CGA parameter and signature information;
  
  authenticating the CGA parameter if the data packet comprises the CGA parameter and the signature information, and authenticating the signature information according to the successfully-authenticated CGA parameter; and
  
  sending the data packet to a destination address after the signature information is authenticated.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method according to claim 1, wherein the authenticating the CGA parameter and the authenticating the signature information according to the successfully-authenticated CGA parameter comprise:
    - querying a record table to determine whether the source address of the data packet exists;
      
      authenticating the CGA parameter if the source address does not exist, authenticating the signature information according to the successfully-authenticated CGA parameter, and saving the source address and a corresponding public key in the record table; and
      
      discarding the data packet if the authentication fails; and
      
      authenticating the signature information by using a corresponding public key in the record table if the source address exists, and discarding the data packet if the authentication fails.
  - 3. The method according to claim 1, wherein the CGA parameter comprises a public key, a sub-network prefix, and a collision count, and the authenticating the CGA parameter comprises performing at least one of the set of authentication steps consisting of:
    - performing a hash calculation on the public key in the CGA parameter to obtain a hash value, and comparing the hash value with an interface identifier in the source address, wherein if the hash value is not consistent with the interface identifier, the CGA authentication fails;
      
      checking whether the sub-network prefix in the CGA parameter is a sub-network prefix of the CGA, wherein if the sub-network prefix in the CGA parameter is not a sub-network prefix of the CGA, the CGA authentication fails; and
      
      checking whether the collision count in the CGA parameter is within a preset range, wherein if the collision count in the CGA parameter is not within a preset range, the CGA authentication fails.
  - 4. The method according to claim 1, wherein the CGA parameter comprises the public key, and the authenticating the signature information according to the successfully-authenticated CGA parameter comprises:
    - performing a calculation on the signature information using an encryption algorithm corresponding to the signature information using the public key, and comparing a value obtained through the calculation on the signature information with a value before the signature information calculation, wherein successful authentication of the signature information occurs if the two values are the same.
  - 5. The method according to claim 2, further comprising:
    - returning an error report to a source address that sends the data packet after discarding the data packet.

6. A method for preventing network attacks, comprising:
- generating a cryptographically generated address (CGA) parameter and signature information according to a source address and a public key; and
  
  attaching the source address of the data packet, the CGA parameter, and the signature information to the data packet, and sending the data packet, wherein the source address is the CGA generated according to the public key.
- View Dependent Claims (7, 8, 9)
- - 7. The method according to claim 6, wherein the signature information is obtained by encrypting a payload of the data packet using a private key, and the private key corresponds to the public key for generating the CGA.
  - 8. The method according to claim 6, wherein the CGA parameter comprises a correction field, a sub-network prefix, a public key, a collision count, and an extension field.
  - 9. The method according to claim 6, wherein the data packet comprises a basic header, an extension header, and the payload, the basic header comprises a source address and a destination address, and the extension header comprises a CGA parameter and signature information.

10. A device for preventing network attacks, comprising:
- a data packet receiving module, configured to obtain a data packet, wherein a source address of the data packet is a cryptographically generated address (CGA);
  
  a data packet check module, configured to check the received data packet, determine whether the data packet comprises a CGA parameter and signature information, and send a first check result;
  
  a CGA authentication module, configured to authenticate the CGA parameter of the obtained data packet when the first check result indicates that the CGA parameter exists, and send an authentication result of the CGA parameter;
  
  a signature authentication module, configured to authenticate the signature information according to the successfully-authenticated CGA parameter if the authentication result sent by the CGA authentication module indicates that the CGA parameter is authenticated successfully, and send an authentication result of the signature information; and
  
  a main control module, configured to process the data packet sent to a server according to the received first check result, and the authentication result, sent by the CGA authentication module of the CGA parameter, or the authentication result, sent by the signature authentication module, of the signature information, whereinif the authentication on the CGA of the obtained data packet performed by the CGA authentication module succeeds, and the authentication performed by the signature authentication module succeeds, then the main control module sends the data packet to a destination address.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The device according to claim 10, further comprising:
    - a storage module, configured to store a record table, wherein the record table comprises the successfully-authenticated source address of the data packet authenticated by the CGA authentication module, and the public key corresponding to the source address.
  - 12. The device according to claim 11;
    - further comprising;
      
      a record query module, configured to query the record table in the storage module according to the source address of the data packet, and return a second check result to the main control module;
      
      whereinthe main control module is further configured to use a corresponding public key in the record table to authenticate the signature information if the received second check result indicates that the source address of the data packet exists in the record table , and discard the data packet if the authentication fails, andif the received second check result indicates that the source address of the data packet does not exist in the record table, the CGA parameter of the data packet is sent to the CGA authentication module for authentication, the signature information of the data packet is sent to the signature authentication module for authentication, and the successfully-authenticated CGA parameter and signature information are saved in the record table.
  - 13. The device for preventing network attacks according to claim 10, further comprising:
    - a parameter generating module, configured to generate a cryptographically generated address (CGA) parameter and signature information according to a source address and a public key;
      
      a parameter attachment module, configured to attach the source address, the CGA parameter, and the signature information to the data packet, wherein the source address is a CGA generated according to the public key; and
      
      a data packet sending module, configured to send the data packet.
  - 14. The device according to claim 13, wherein the parameter generating module comprises:
    - a CGA parameter generating unit, configured to insert a sub-network prefix of the source address, the public key, and a collision count to a fixed data structure respectively to generate the CGA parameter; and
      
      a signature information generating unit, configured to encrypt a payload of the data packet using a private key to obtain the signature information, wherein the private key corresponds to the public key for generating the CGA.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Chengdu Huawei Symantec Technologies Company Limited (Huawei Investment & Holding Co., Ltd.)
Inventors
Feng, Hongyan, Liu, Lifeng

Granted Patent

US 8,499,146 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/153
CPC Class Codes

H04L 2101/604   Address structures or formats

H04L 2101/659   Internet protocol version 6...

H04L 63/0428   wherein the data content is...

H04L 63/126   the source of the received ...

H04L 63/1441   Countermeasures against mal...

H04L 9/3247   involving digital signatures

H04L 9/40   Network security protocols

Method and device for preventing network attacks

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Method and device for preventing network attacks

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links