RussianPatents.com

Method for interaction of terminal client device with server over internet with high level of security from ddos attack and system for realising said method

Russian patent RU 2496136

FIELD: information technology.

SUBSTANCE: the method involves generating a request from a terminal client device to obtain the server IP address, checking the server certificate and the client certificate, generating one or more IP address tables in the form of binary codes, setting up a secure connection, and transmitting the generated table to the terminal client device; the transmission of data packets between the terminal client device and the server is carried out with variation of the server IP address, selected from the IP address table. The system includes a terminal client device, a data server, a domain name server, a secure connection server, two routers and a unit which generates an IP address table in the form of binary codes and varies the IP address from the table assigned to each connection.

EFFECT: high resistance to network attacks by reducing the effect of packets from attack bots on server operation.

14 cl, 7 dwg

 

The invention relates to telecommunications and computer technology and can be used to organize a public computer network that provides communication between a client terminal device and a server (client-server) with increased resistance to network DDoS attacks.

A known method of client-server interaction (V. G. Olifer, N. A. Olifer, Computer Networks: Principles, Technologies and Protocols, 4th edition, 2010), whose implementation is shown in figure 1, uses a terminal device acting as client 1, which is connected to the Internet 5 via router 2. In turn, server 3 is connected to the Internet 5 via router 4. Integral parts of the network for communication between the terminal and the server are also the domain name server (DNS), indicated by block 6, and the secure connection (SSL) server system 7, which performs the functions of authorizing the client terminal and transmitting the key for connecting to the server.

The operation of the known secure client-server system is determined by the following processes. Terminal device 1 sends, via its router 2 and then through the Internet 5, a sequence of IP packets addressed to DNS server 6 that constitute a query for the IP address of server 3. DNS server 6 generates a sequence of IP packets addressed to terminal device 1 that contains the IP address of server 3. This sequence of packets is delivered to terminal 1 via the Internet 5 and the edge router 2, to whose output port terminal device 1 is connected. Terminal device 1, having received the IP address of server 3, sends to that address a sequence of IP packets constituting a request for identification data in the form of a standardized certificate. Server 3 sends device 1 a copy of the certificate containing the signature of the certification authority, so that the certificate can be verified. Terminal device 1, having received the copy of the certificate with the signature of the certification authority, determines the IP address of certification centre server 7 and sends to that address a sequence of packets constituting a request to confirm trust in the certificate received from server 3. Server 7 sends terminal device 1 a sequence of packets confirming trust in the certificate; device 1, after receiving the confirmation from server 7, sends server 3 a sequence of packets requesting a connection. Server 3 sends terminal device 1 a sequence of packets confirming the start of a secure session, containing the electronic signature of server 3. Terminal device 1, using the secret key, encrypts its data and sends it in the form of a sequence of packets to server 3. In turn, server 3 encrypts its data with its secret key before transmitting the sequence of packets to terminal device 1.
This is how the secure exchange of data between terminal device 1 and server 3, connected to the Internet, takes place.

However, the described operation of the client-server system becomes impossible when the number of terminal devices 1 sending sequences of packets to the IP address of server 3 becomes so large that server 3 is unable to establish data-exchange connections with all of them. This phenomenon is called overloading of server 3. To combat server overload, one has to improve the performance of its equipment or arrange for the parallel operation of several sets of equipment with the same IP address. The phenomenon of server overload is used by attackers on the Internet to incapacitate targeted servers. This way of removing a server from the system is called a denial-of-service attack on the server (DoS, Denial of Service). Usually, to increase the flow of requests to the server, not a single terminal but a large number of simultaneously requesting terminals are used. In this case the attack is called a "distributed attack" (DDoS, Distributed Denial of Service). Because the increased flow of requests is created by increasing the number of terminals, which are called "bots" when used for an attack, combating DDoS attacks is a complex and difficult task. Whatever level of performance is achieved, starting from a certain number of bots the flow of requests they create may exceed the permissible level for any server.

Technical solutions for protecting a server from DDoS attacks are known in the prior art.

Thus, US patent application No. 20100031315 "SYSTEMS AND METHODS FOR PROTECTING AGAINST DENIAL OF SERVICE ATTACKS" presents a solution at the application level. According to the description of the invention, the operation of the system includes the following main stages. First, the client terminal device sends a first request to access a server resource. The server creates a proof-of-work request that is passed to the client. The client then processes this request to generate a new URL (the textual address of the request) and sends a second request to the generated URL; the server generates a value from the received response and checks that it exactly matches the proof-of-work request that was issued. Depending on the obtained value and the set thresholds on server load, a priority level is assigned to the client's second request, and the request is processed by the server. Thus, the proposed solution is based on a server-side verification filter that sets the priority of client requests depending on the level of server load at the moment a request is received from a new client terminal device.

US patent application No. 20100235632 "PROTECTING AGAINST DENIAL OF SERVICE ATTACKS USING TRUST, QUALITY OF SERVICE, PERSONALIZATION, AND HIDE PORT MESSAGE" offers the following solution. The client terminal device gains access to the server only after an estimate of the level of trust assigned to the client has been obtained, using an additional set of servers that create and update cryptographically secure tokens. Thus, the essence of the solution proposed in this patent is to place access to the server behind a protective screen that checks the access level of each client by transferring special JavaScript software to the client, which generates a response to the server on which the decision to admit the client to communicate with the server is based. Execution of the loaded JavaScript depends on the client receiving confirmation of its trust level from some external entity described in the patent, which identifies the client and gives it the current key for processing the above-mentioned request from the server to the script.

However, these technical solutions offer protection from DDoS attacks only at the application protocol layer and do not affect the transmission of IP packets.

US patent application 20110283367 "SECURING A COMMUNICATION PROTOCOL AGAINST ATTACKS" proposes separating the data flow between two systems connected via a packet network into two consecutive segments within the TCP protocol and comparing the keys of the current and subsequent segments in order to detect segments from an "other", attacking source. Upon detection of segments that do not belong to the legitimate source, data reception is blocked, preventing the threat of the attack.

The known solutions use additional means to distinguish packets of attacking bots from packets coming from clients at the application level, and do not provide stability of the system against "brute force" (i.e. high-intensity) attacks on the IP address of the server.

The object of the invention is a method and system for interaction between a client terminal device and a data server via the Internet that provides increased resistance to network attacks (DDoS).

The technical result is a significant reduction of the impact on server performance of packets received by the server from attacking bots.

The problem is solved by the fact that in the method of interaction of a client terminal device with a server over the Internet, which includes generating a request from the client terminal device via the Internet to obtain the IP address of the server, checking the server certificate and the client certificate, and establishing a secure connection with subsequent transmission of data packets, according to the invention, before the secure connection is established one or more tables of IP addresses are formed in the form of binary codes by selecting a pseudo-random sequence of IP addresses from the pool of free IP addresses allocated to the server; at least one of the generated tables is transmitted to the client terminal device after the secure connection with the server is established; and the transmission of one or more data packets between the client terminal device and the server is carried out with a change of the server IP address, which is chosen from the table of IP addresses.

For the transmission of data packets between the client terminal device and the server, the server IP address is changed according to the following sequence. First, data transfer from the client to the server is initiated: in the first packet sent by the client, the initial server address is replaced by the first address from the table and the data packet is transferred to the server; on the router at which the packet from the client is received, the destination address is compared with the first address from the table, and if the addresses match, the destination address is replaced by the real address of the server, after which the packet is received and processed by the server. Then the sending of a data packet from the server to the client is initiated, in which the true address of the server is indicated as the sender; when this packet enters the router on the server side, the true address is replaced by the first address of the table, and the packet is subsequently transferred to the router of the client, where the address is replaced by the initial address of the server. When sending the second and subsequent packets from the client to the server, the initial server address is replaced by the second and subsequent addresses obtained from the table, respectively, and the data packet is transmitted to the server in the same way as the first packet. One or more tables of IP addresses are formed at server boot from the pool of addresses. When checking addresses for a match, a time stamp is used. The tables can be generated using a random number generator that randomly selects IP addresses from the range of IP addresses allocated to the server, for example using the function Rand(); the table contains at least two IP addresses. When several tables are formed, the selection of a table is made depending on a corresponding specific parameter, for example a specified amount of time, or the range of client addresses, or another parameter.
To send the table of IP addresses to the client terminal device, a table code may be generated, for example in the form of a set of binary numbers that specify the offset of each IP address from the initial one; the transfer of the generated table from the data server to the client is then implemented by forwarding this code to the authorized client over the secure connection, which enables generation of the table on the client terminal device. The formation of the table may be carried out after a certain period of time or for each session. The change of the data server IP address to an IP address from the table can be done on a time basis, with synchronization of the client terminal device and the data server performed using a unified time server.

The problem is also solved by the fact that the system for communication of a client terminal device with a server over the Internet comprises at least one client terminal device, a data server, a domain name server, a server providing a secure connection, and two routers, where the secure connection server is made with the ability to authenticate the client terminal device and send it the key for connecting to the data server, the client terminal device is configured to connect to the Internet via the first router, and the data server is configured to connect to the Internet via the second router; according to the invention, the system is equipped with a unit that enables the formation of one or more tables of IP addresses in the form of binary codes by selecting a pseudo-random sequence of IP addresses from the pool of free IP addresses allocated to the server, and the change of the IP addresses in the table assigned to each of the connections with an authorized client terminal device.

The unit that provides the ability to change the IP address of the server contains a control unit for the addresses of IP packets, included between the first router and the client terminal device; an address multiplexer block, connected between the second router and the data server and having a separate control input connected to the additional address input of the router; and a unified time server made with the ability to connect to the Internet. The control unit may consist of a terminal network interface unit connected to the external network interface unit through the key-request forming unit and the unit replacing the IP address in IP packets, and a confirmation-receiving unit connected through the unit that sets the sequence of address changes to the unit replacing the IP address in IP packets. The address multiplexer block may include an external network interface connected to the server network interface through the routing block and the address replacement unit; a control network interface coupled to the routing block and the IP address replacement unit through the block storing the sequence of IP addresses and the unit assigning the current address; and a control unit connected with the control network interface and the storage unit of the sequence of IP addresses.

The essence of the invention is that, to protect against DDoS attacks, the server's IP address is selected from the address pool allocated to that server and is changed according to a special schedule: in accordance with one of the pseudo-random sequences assigned to each connection authorized by the client, or assigned for a specified period of time, or a combination of these two methods. The server's IP address changes pseudo-randomly according to an algorithm that allows the whole pool of addresses allocated to the server to be used, while authorized clients receive, in coded form (as keys), the pseudo-random sequence of server IP addresses to use. The IP addresses from these sequences are used for client communication with the server at certain time intervals and/or per session.

The invention is illustrated by drawings, in which figure 1 presents a system that provides one of the standard forms of client-server communication; figure 2, the system that implements the interaction between client and server by the present method; figures 3 and 4, an example implementation of blocks 8 and 9 of the system of figure 2; figure 5, the process of converting addresses on the path from the client 1 to the server 3 and back; figure 6, the interaction algorithm of the system's blocks; figure 7, the operation of the address multiplexer unit when replacing the address of an arriving IP packet with the real server address.

Reference numbers on the drawings: 1, terminal client device (client); 2, router installed on the client side; 3, server (or data server); 4, router installed on the server side; 5, Internet; 6, system of domain name servers (DNS); 7, system of servers providing a secure connection, such as SSL; 8, IP packet address control unit, installed on the client side; 9, address multiplexer unit, installed on the server side; 10, unified time server. The elements of block 8 are: 11, terminal network interface unit; 12, external network interface unit; 13, unit replacing the IP address in IP packets; 14, key request forming unit; 15, unit setting the IP address change sequence; 16, confirmation receiving unit. The elements of block 9 are: 17, external network interface unit; 18, server network interface unit; 19, control network interface unit; 20, IP address sequence storage unit; 21, current address assignment unit; 22, routing unit; 23, IP address changing unit; 24, control unit.

The inventive method can be implemented using the system presented in figure 2, which contains standard blocks: terminal client device 1, routers 2 and 4 installed on the client side and the server side respectively, server 3, Internet 5, domain name server system 6 and secure connection server system 7, as well as new units: the IP packet address control unit 8, the address multiplexer unit 9 and the unified time server 10. Unit 8 is inserted in the connection between the terminal client device 1 and the router 2. Unit 9 is inserted in the connection between the router 4 and the server 3, and its control input is connected to an additional input of the server-side router.

The system is built on the principle of mandatory authorization of the clients' terminal devices and establishment of a secure connection between the terminal client device and the server, which can be implemented by the algorithm given in the description of the similar prior-art system (figure 1). In accordance with this algorithm, clients must register and obtain a digital signature (a centrally issued certificate).

The distinctive feature of the inventive system is the operation of forming a table of IP addresses, which is carried out by block 9 (which may be part of the server 3) by selecting IP addresses belonging to the address pool of server 3. Thus the table of IP addresses is formed from a subset of the IP addresses allocated to the server by the network or the network provider. The server is addressed not by a single IP address but by a set of IP addresses from the table, and the server's IP address changes on a set schedule in accordance with one of the pseudo-random sequences assigned to each authorized client connection, or according to time. The table of IP addresses is formed before the secure connection is established, for example at boot time of the server 3. The table must contain at least two IP addresses; its maximum size is limited by the size of the selected range of available addresses and by the amount of memory allocated for storing the table on the client and on the server. Resistance to attacks is proportional to the length of the table. The table can be formed in two stages: first, a number is assigned to every available free address from the address pool; second, a random number generator (for example, the one present in the standard environment) produces the numbers that select IP addresses from the available pool. The formation of the table can be tied, for example, to parameters such as time (day of the week, time of day, etc.) or to other settings, or a table can be formed for each request or session.

After the table has been formed, a coded key is produced and transferred to the terminal client device. Using this key, the terminal client device generates a table equivalent to the one stored in block 9. Thus, once the terminal client device has received the initial server address and the table key, the client reconstructs the table of server IP addresses. The key may be implemented as a sequence of numbers, each representing the offset of the next IP address from the initial one. The initial address is the IP address under which the server is known to the outside world and which is reported to the DNS server.

During client-server interaction, the terminal client device and the server perform time synchronization. A timestamp is also recorded in each IP packet to account for the time the packet spends crossing the network; the packet is checked against its address and the time of transmission. The sender of the packet, for example the client, takes the address from the table and obtains the time from the unified time server, adding it to the transmitted packet in the form of a timestamp. The recipient, for example the server, compares the time and IP address in the received packet with the time and IP address in the server's address table. If, for the time specified in the received packet, the address in the packet and the address in the table of IP addresses match, the packet is passed for further processing by the server. Each packet can be transmitted with a new IP address.

From the same pool of IP addresses allocated to the server, several different tables of IP addresses can be built in the form of pseudo-random sequences. Different clients can then work with different tables. Tables can also differ for different time intervals (days or hours). The tables are generated on the server, for example at boot, providing double protection: the server first selects one of the tables and then selects an address from the selected table, which gives the system greater stability against DDoS attacks.
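The two-stage table formation, the offset-coded key the client uses to rebuild the table, and the selection among several tables drawn from one pool, worked through in Python as an added example; this is not code from the patent, which gives no implementation. The pool (documentation addresses in 198.51.100.0/28), the integer seed standing in for the weekday/time-of-day/session parameter, and all function names are assumptions.

```python
import ipaddress
import random
from typing import List

# Constructed example pool (assumption): documentation addresses standing in for the
# range of free addresses the provider has allocated to the server.
SERVER_POOL = [str(ip) for ip in ipaddress.ip_network("198.51.100.0/28").hosts()]
# The address published in DNS (the "initial address"); here simply the first pool address.
INITIAL_ADDRESS = SERVER_POOL[0]


def build_address_table(pool: List[str], length: int, seed: int) -> List[str]:
    """Form one table of IP addresses as a pseudo-random sequence over the pool.

    Stage 1: every free address is numbered by its position in `pool`.
    Stage 2: a seeded PRNG draws the numbers that pick addresses, so the table
    does not follow pool order.  At least two entries and at most the pool size
    are allowed; `seed` stands in for the time/session parameter the table may
    depend on.
    """
    if not 2 <= length <= len(pool):
        raise ValueError("table length must be between 2 and the pool size")
    rng = random.Random(seed)
    # sample() draws without replacement, so each pool address appears at most once per table.
    return [pool[i] for i in rng.sample(range(len(pool)), length)]


def build_tables(pool: List[str], count: int, length: int, seed: int) -> List[List[str]]:
    """Several distinct tables from the same pool, for different clients or time intervals."""
    return [build_address_table(pool, length, seed + i) for i in range(count)]


def select_table(tables: List[List[str]], parameter: int) -> List[str]:
    """Double protection: first choose the working table from a parameter (e.g. the
    hour of day); addresses are then taken only from the chosen table."""
    return tables[parameter % len(tables)]


def encode_key(table: List[str], initial: str) -> List[int]:
    """Key sent to the client over the secure connection: the offset of every
    table address from the initial address, as plain integers."""
    base = int(ipaddress.ip_address(initial))
    return [int(ipaddress.ip_address(a)) - base for a in table]


def decode_key(key: List[int], initial: str) -> List[str]:
    """Client side: rebuild the table from the DNS-published initial address and the key."""
    base = int(ipaddress.ip_address(initial))
    return [str(ipaddress.ip_address(base + offset)) for offset in key]


if __name__ == "__main__":
    tables = build_tables(SERVER_POOL, count=2, length=6, seed=20130101)
    server_table = select_table(tables, parameter=14)   # e.g. 14:00 selects table 0
    key = encode_key(server_table, INITIAL_ADDRESS)
    print("server table :", server_table)
    print("key (offsets):", key)
    print("client table :", decode_key(key, INITIAL_ADDRESS))
```

The key carries only offsets, so it is useless without the initial address, and both sides end up with byte-identical tables; `random.Random` is used here only to make the example reproducible, and a deployment would draw the table from a cryptographically strong generator.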

Admitting only authorized (i.e., certificate-holding) clients to the system allows the system to distinguish clients from bots. Accordingly, the behavior of server 3 toward an authenticated user differs from its behavior toward a bot. In known solutions the authorized client connects to a single IP address (the initial server address), which is the only one in the tunnel; in the event of a network attack on this address, packets sent by the client to it cannot be processed, i.e., there is a denial of service. The inventive method significantly increases resistance to DDoS attacks through the introduction of the original operation of forming a table of IP addresses and the use of changing addresses from this table for data packets after the secure connection has been established.

In one embodiment of the system implementing the inventive method, the router 2 may act as the terminal client device, block 8 may be embedded in the router 2 on the client side, and block 9 in the router 4 on the server side. The algorithms of blocks 8 and 9 can be implemented in hardware and/or software.

In a particular embodiment, the internal structure of the IP packet address control unit 8 includes a terminal network interface unit 11 and an external network interface unit 12, a unit 13 replacing the IP address in IP packets, a key request forming unit 16, an address change sequence setting unit 15 and a confirmation receiving unit 14 (figure 3).

Block 9 likewise has an internal structure that includes network interface units: 17, the external network interface; 18, the server network interface; and 19, the control network interface. The IP address replacing unit 23 is connected to the current address assignment unit 21 and the routing unit 22. The IP address sequence storage unit 20, whose output is connected to unit 21, is controlled by commands from the control unit 24 and can have its contents modified from the network via the network interface 19. The control unit 24 communicates with external devices through unit 19 (figure 4).

An important feature of the proposed solution is the use of a protection mechanism at the network layer of the protocol stack, i.e., lower than in known methods. To reduce the load on the server from attacking bots while still receiving all network packets from an authorized client, the server's address is changed according to a schedule (algorithm) known only to the authorized client. During a communication session with the server, the client changes the server's IP address on its side according to this algorithm. Bots have no reliable information about the schedule of server address changes and therefore cannot generate a flow of packets to the server's address, and hence cannot create a large load that disrupts its normal functioning.

The authorized client and the server change the server's IP address consistently and/or synchronously, thereby providing a continuous process of information transfer; only the authorized client knows the schedule of server IP address changes, and to any unauthorized users this schedule is unknown.

In a particular case, the system implementing the claimed method works as follows.

Server 3, using unit 9, generates one or more tables of IP addresses from the pool (range) of free addresses allocated to the server by the provider. A table of IP addresses is formed by constructing a pseudo-random sequence from them, i.e., a sequence in which the addresses in the table do not follow the order of the address pool but are selected from the available pool addresses in a pseudo-random manner. Tables of IP addresses can be generated for use in different periods of time, and/or for different sessions, and/or for different clients. After forming the tables, the server prepares the corresponding keys for sending each table to the client for IP address switching (for example, in the form of a sequence of binary numbers representing address offsets relative to the initial address), for subsequent transfer to authorized clients (and decoding on the client side) via a secure SSL connection.

Client 1 requests the address of server 3 by transmitting a sequence of packets through block 8 and router 2 to the Internet 5 and on to the DNS server 6. Server 6 processes the request using its data on the IP addresses registered under the requested server's name. The address recorded in the standard DNS record by the server's owner is used as the server's IP address. The address returned by DNS is not the address of the real server 3 but belongs to the address multiplexer unit 9. This address is called the initial address of server 3.

After receiving the IP address from DNS, the client generates a request to establish a connection with server 3 at the received initial IP address. This request, as a sequence of IP packets, is transmitted via the network 5 and router 4 to the address multiplexer unit 9. Through the network interface unit 17 the request is passed to the routing unit 22, which forms a response to the client containing the requirement to switch to the enhanced protected SSL protocol and the server's security certificate. This response, as a sequence of packets, goes through unit 17 into the network 5 and on to client 1 via router 2 and the address control unit 8. Client 1, on receiving this response, generates its own security certificate, certified by the secure connection servers 7, and sends an encrypted request to server 3. The encrypted request, under the extended secure protocol, travels via the network 5 and router 4 to block 9 and its routing unit 22. Unit 22 verifies the correctness of the request. If it is incorrect, the request is ignored and the process is terminated.

If the request is correct, unit 22 generates a signal to the control unit 24, which generates a query for unified time stamp data and sends it as a sequence of packets through the network interface 19 to the unified time server 10. The unified time server, after receiving the request for a universal time stamp, returns the current time, which is received as a sequence of packets via router 4 and the network interface 19 inside unit 9 at the control unit 24. In this unit the timing data is used together with the correctness signal from unit 22 to produce a signal to unit 20 that selects the sequence of IP addresses for server 3 and assigns its current address. The sequences of IP addresses of server 3 are stored as address tables in the memory of unit 20. The choice of sequence is determined by the unified time stamp data and by a generated encrypted key computed from the server's certificate. The server responds with the pre-shared key of the table of IP addresses, formed via unit 22 and the network interface 19; the response, under the enhanced secure protocol, is sent to client 1 and its control unit 8 as a sequence of IP packets through the network interface 17, router 4, the network 5, and then router 2 and block 8. Having received the answer from block 9, unit 8 passes a request to the server 10 to retrieve unified time stamp data. After receiving the response from the unified time server 10 through the network interface 12, unit 8 performs the following steps. The response from block 9 and the data from server 10, as sequences of packets, pass through the network interface 12 to the control unit 14, which produces a signal to set the current address for requests to server 3. The signal is sent to unit 13, which stores the table of IP addresses, decoded from the key received from the server, as the sequence of changing addresses.
To select the current IP address of the server, a unified time stamp that identifies the address in this table is used. A timestamp is recorded in each IP packet. On the server side, when an IP packet is received, this timestamp is read and a decision is made as to whether the received packet was current at the time of transmission, i.e., whether the IP address in the received packet matches the IP address from the table specified for that time.

Client 1 sends its next request to server 3 using the initial server address. The request passes through block 8 as a sequence of IP packets, and for each packet unit 14 changes the IP address to another, defined by unit 13 from the table of IP addresses. To exchange information with the server, the client can use individual IP packets or groups of IP packets. In further interaction with the server, for each individual IP packet or group of IP packets, the initiative for moving through the table always belongs to the client: if the client does not send a request, the table is not advanced and no address is selected.

The packets go through the network interface 12 to router 2 and then into the network 5. All addresses in the sequence of IP addresses of server 3 belong to the address space of router 4, and therefore all packets directed to these addresses proceed through router 4 to block 9. On receiving the next packet through the network interface 17, unit 22 passes it to unit 23, which checks that the IP address in the packet matches the current address of the server for the point in time defined by the unified time stamp. If the addresses match, the packet's IP address is changed to the real IP address of server 3 and the packet reaches the input of server 3 through the network interface 18.

Thus, the protocol stack of the server operates normally in accordance with the standard set of protocols. Client 1 also works via the standard protocol stack in the process of exchanging packets. However, all packets transmitted by the terminal device pass through the block that replaces the recipient IP address with one taken from the table of IP addresses and applies the timestamp to the transmitted packet. These packets are relayed through the network in accordance with routing rules and arrive at router 4, which owns all network addresses of the sequence in use; they then enter block 9, which analyzes (compares) the address in the received packet and replaces it with the real server address for those packets that carry the correct address, i.e., the one matching the current address for the given timestamp. These packets form the stream sent to server 3 and processed by its stack using conventional algorithms.
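The per-packet exchange described above (the client-side stamping and address substitution in block 8, the address check and rewrite to the real server address in block 9, and the return path in which the server's true address is hidden again) simulated in Python as an added example; this is not code from the patent. It models the time-driven variant, in which the table entry that is current depends on the unified time stamp. The packet model, the 10-second address slot, the one-slot tolerance for transit delay and clock drift, the four-entry table (assumed already decoded on the client from the key), the initial address and the real server address are all assumptions.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed values (assumptions): a table already decoded on the client from the key,
# the DNS-published initial address, and the server's real address, which only the
# address multiplexer (block 9) knows.
ADDRESS_TABLE = ["198.51.100.2", "198.51.100.9", "198.51.100.5", "198.51.100.14"]
INITIAL_ADDRESS = "198.51.100.1"
REAL_SERVER_ADDRESS = "10.0.0.3"
SLOT_SECONDS = 10        # how long one table entry is the current server address
MAX_SKEW = SLOT_SECONDS  # largest accepted gap between the stamp and unified time on arrival


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    timestamp: int   # unified-time stamp written by the sender
    payload: bytes


def address_for_time(table: List[str], ts: int) -> str:
    """The table entry that is current at unified time `ts`; both sides compute this."""
    return table[(ts // SLOT_SECONDS) % len(table)]


def client_outbound(pkt: Packet, table: List[str], now: int) -> Packet:
    """Block 8, client -> server: stamp the packet and swap the initial address for
    the table address of the current slot.  Packets to other hosts pass unchanged."""
    if pkt.dst != INITIAL_ADDRESS:
        return pkt
    return replace(pkt, dst=address_for_time(table, now), timestamp=now)


def multiplexer_inbound(pkt: Packet, table: List[str], now: int) -> Optional[Packet]:
    """Block 9 (units 20, 21, 23), arriving packet: deliver only if the destination is
    the table address for the packet's own stamp and the stamp is fresh.  Checking
    against the packet's stamp, not the arrival time, keeps a packet sent just before
    a slot boundary valid.  Returns the packet rewritten to the real address, or None."""
    if abs(now - pkt.timestamp) > MAX_SKEW:          # stale or future stamp: drop
        return None
    if pkt.dst != address_for_time(table, pkt.timestamp):
        return None                                  # wrong address for that time: drop
    return replace(pkt, dst=REAL_SERVER_ADDRESS)


def multiplexer_outbound(pkt: Packet, table: List[str], now: int) -> Packet:
    """Block 9, server -> client: the server answers from its true address and the
    server-side router replaces it with the current table address."""
    return replace(pkt, src=address_for_time(table, now), timestamp=now)


def client_inbound(pkt: Packet, table: List[str]) -> Packet:
    """Block 8, return path: restore the initial address so the client's own protocol
    stack sees a single, unchanging server address."""
    if pkt.src in table:
        return replace(pkt, src=INITIAL_ADDRESS)
    return pkt


def run_exchange(now: int) -> dict:
    """One request/reply plus two packets block 9 must refuse; returns what each side saw."""
    client = "203.0.113.7"    # authorized client (constructed address)
    other = "203.0.113.200"   # unauthorized sender knowing only the DNS address (constructed)

    request = client_outbound(Packet(client, INITIAL_ADDRESS, 0, b"GET /"), ADDRESS_TABLE, now)
    delivered = multiplexer_inbound(request, ADDRESS_TABLE, now + 2)      # 2 s in transit
    flood = multiplexer_inbound(Packet(other, INITIAL_ADDRESS, now, b"x"), ADDRESS_TABLE, now)
    replayed = multiplexer_inbound(request, ADDRESS_TABLE, now + 60)      # same bytes, a minute late

    reply = multiplexer_outbound(Packet(REAL_SERVER_ADDRESS, client, 0, b"200 OK"), ADDRESS_TABLE, now + 2)
    seen_by_client = client_inbound(reply, ADDRESS_TABLE)

    return {
        "request_dst_in_network": request.dst,
        "delivered_to": delivered.dst if delivered else None,
        "flood_dropped": flood is None,
        "replay_dropped": replayed is None,
        "reply_src_in_network": reply.src,
        "reply_src_at_client": seen_by_client.src,
    }


if __name__ == "__main__":
    for name, value in run_exchange(now=1_000_000).items():
        print(f"{name:24} {value}")
```

Neither protocol stack is touched: the client always addresses `INITIAL_ADDRESS` and the server always answers from `REAL_SERVER_ADDRESS`; only the two interposed blocks rewrite addresses. The skew window is the tuning point a deployment would set from measured network delay and the accuracy of synchronization with the unified time server.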

Figure 5 illustrates the process of converting addresses on the path from client 1 to server 3 and back. In figure 5, "Series 1" and "Series 2" denote two alternative tables of server IP addresses stored in units 13 and 20 and used depending on the content of the received key, and s(l), s(k) and s(n) denote IP addresses used in the received and transmitted packets. Figure 6 shows the diagram of interaction of the system units. Figure 7 reveals in more detail the functioning of units 20, 21 and 23 when replacing the address of an arriving IP packet with the real server address.

One option for filling the address table is to fill it as a pseudo-random sequence, i.e., so that from previously observed values it is as difficult as possible to predict subsequent address values.

It should be noted that the principle of changing the address in a received packet is already used in Internet routers by the technique called Network Address Translation (NAT). Unlike the proposed method, that replacement is carried out by assigning, for the duration of a session, a correspondence between an external device address and a permanent address from the pool of internal addresses. This mechanism is used to share external network addresses among a large number of devices without the need for a permanent connection through the Internet. All packets arriving at a device must carry the same IP address throughout a session, so this use of NAT does not solve the tasks addressed by the present invention.

The present invention provides for the use of the following techniques: changing server IP addresses according to a special schedule in accordance with one of the pseudo-random sequences assigned to each connection from an authorized (certified) client; converting IP addresses "on the fly" (NAT); and public key encryption (SSL technology). Using these techniques together solves the urgent task of protecting the server from DDoS attacks, thereby increasing the reliability of the server and information security in the network.

1. A method of communication of a terminal client device with a server over the Internet, including forming a request from the terminal client device via the Internet to obtain the IP address of the server, checking the server certificate and the client certificate and establishing a secure connection with subsequent transmission of data packets, wherein before the secure connection is established one or more tables of IP addresses are formed in the form of binary codes by selecting a pseudo-random sequence of IP addresses from the pool of free IP addresses allocated to the server, at least one of the formed tables is transmitted to the terminal client device after the secure connection with the server is established, and the transmission of one or more data packets between the terminal client device and the server is performed with the IP address of the server changing, the address being chosen from the table of IP addresses.

2. The method according to claim 1, characterized in that for the transmission of data packets between the terminal client device and the server the IP address of the server is changed using a sequence in which: data transfer is first initiated from the client to the server, and in the first packet sent by the client the initial server address is replaced by the first address from the table and the data packet is transmitted to the server, where at the router that receives the packet from the client the destination address is compared with the first address from the table and, when the addresses match, the destination address is replaced with the real address of the server, after which the packet is received for processing by the server; then the sending of a data packet from the server to the client is initiated, in which the true address of the server is indicated as the sender, and at the router on the server side the true address is replaced with the first address of the table, after which the packet is transferred to the router of the client, where the address is replaced with the initial address of the server; for sending the second and subsequent packets from the client to the server, the initial server address is replaced with the second and subsequent addresses obtained from the table, respectively, and the data packet is transmitted to the server in the same way as the first packet.

3. The method according to claim 1, characterized in that the formation of one or more tables of IP addresses is carried out at server boot from a pool of addresses.

4. The method according to claim 2, characterized in that a time stamp is used when matching the addresses.

5. The method according to claim 1, characterized in that the table is formed using a random number generator that randomly selects IP addresses from the range of IP addresses allocated to the server, for example using the function Rand(), and the table contains at least two IP addresses.

6. The method according to claim 1, characterized in that several tables are formed and the choice of the working table is made in dependence on a corresponding specific parameter, such as a specified period of time, or the range of addresses of the client, or another parameter.

7. The method according to claim 1, characterized in that for transfer of the table of IP addresses to the terminal client device a table code is formed, for example in the form of a set of binary numbers that specify the offset of each IP address from the initial one, and the transfer of the formed table from the data server to the client is implemented by forwarding the code to the authorized client over a secure connection, providing for the generation of the table on the terminal client device.

8. The method according to claim 1, characterized in that the formation of the table is carried out after a certain period of time.

9. The method according to claim 1, characterized in that the table is generated for each session.

10. The method according to claim 1, characterized in that the change of the IP address of the data server to an IP address from the table is performed by time, with time synchronization of the terminal client device and the data server performed using the unified time server.

11. A system for communication of a terminal client device with a server over the Internet, comprising at least one terminal client device, a data server, a domain name server, a server providing a secure connection, and two routers, the secure connection server being configured to authenticate the terminal client device and send it the key for the connection with the data server, the terminal client device being configured to connect to the Internet via the first router, and the data server being configured to connect to the Internet via the second router, characterized in that it is provided with a unit that forms one or more tables of IP addresses in the form of binary codes by selecting a pseudo-random sequence of IP addresses from the pool of free IP addresses allocated to the server and changes the IP addresses in the table assigned to each connection with an authorized terminal client device.

12. The system according to claim 11, wherein the unit providing the possibility of changing the IP address of the server contains an IP packet address control unit connected between the first router and the terminal client device, an address multiplexer unit connected between the second router and the data server, with its own control input connected to an additional input of that router, and a unified time server configured to connect to the Internet.

13. The system of claim 12, wherein the address control unit includes a terminal network interface unit connected to the external network interface unit through a key request forming unit and a unit replacing the IP address in IP packets, and a confirmation receiving unit connected through an address change sequence setting unit to the unit replacing the IP address in IP packets.

14. The system of claim 12, wherein the address multiplexer unit includes an external network interface connected to the server network interface through a routing unit and an address replacing unit, a control network interface coupled to the routing unit and the IP address replacing unit through an IP address sequence storage unit and a current address assignment unit, and a control unit connected to the control network interface and the IP address sequence storage unit.

 
