
Method and system for anti denial of service and anti traffic analysis capabilities for ip based virtual private networks and data distribution through use of an ip multicast address hopping technique


Abstract

A method and system for Internet Protocol network communications, and uses thereof for protecting Internet sites against denial of service and traffic analysis attacks on insecure public networks such as the Internet, are provided. The method provides for communicating multicast packets between end stations, in a multicast IP network, on a chosen multicast IP address selected from a plurality of multicast IP addresses for multicast communication, using a multicast address hopping technique. The technique selectively varies the chosen multicast IP address within the plurality of multicast IP addresses according to a predetermined scheme known to the end stations but not to unauthorized end stations. The packets are then communicated on the chosen multicast IP address. Indicia normally capable of identifying the source of the packets may be selectively varied to conceal the source of the packets. Further, the packets may be communicated to an end station that has subscribed to a set of multicast IP addresses comprising at least one multicast IP address from the plurality of multicast IP addresses for multicast communication and including the chosen multicast IP address on which the packets are transmitted. The set of multicast IP addresses may also be selectively varied according to a secret predetermined scheme known to the end stations, particularly by randomly adding addresses to and dropping addresses from the set. Multiple sets of communicating groups all utilizing the same address space can coexist, such that their respective traffic is intermingled on the various addresses, making traffic analysis very difficult. In another embodiment, a data coding scheme such as code division multiplexing may be employed on the data fields of the individual multicast packets to allow data for individual destinations to be mixed together in one packet that is multicast to a plurality of receivers. Each receiver then decodes its applicable data by passing the received multicast data field through the appropriate decoding scheme, such as a code division de-multiplexing process. In further aspects of the invention, various uses of the invention for Virtual Private Networks and other secure communication systems are also provided.
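The following Python sketch is an added illustration of the hopping scheme the abstract describes, not code from the patent or from LADR IT Corporation. It simulates a sender that moves between multicast addresses each time slot, an authorized receiver whose joined set always contains the current address plus decoys that are added and dropped every slot, and an outsider listening on one fixed address. The 16-address pool, the HMAC-based selection rule and the decoy count are assumptions; the patent only requires a predetermined scheme shared by the end stations.

```python
import hashlib
import hmac
import ipaddress
import random

# Constructed pool: 16 administratively scoped multicast addresses, 239.0.0.1 .. 239.0.0.16.
BASE = int(ipaddress.IPv4Address("239.0.0.1"))
POOL = [str(ipaddress.IPv4Address(BASE + i)) for i in range(16)]


def chosen_address(secret: bytes, epoch: int, pool=POOL) -> str:
    """Select the multicast address for time slot `epoch` with a keyed PRF (assumed scheme).

    Stations holding `secret` compute the same address; stations without it
    see only an unpredictable sequence over the shared address space.
    """
    digest = hmac.new(secret, epoch.to_bytes(8, "big"), hashlib.sha256).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def subscription_set(secret: bytes, epoch: int, decoys: int, pool=POOL) -> set:
    """Addresses a receiver joins for `epoch`: the chosen one plus `decoys` others.

    Decoys are derived from the same secret, so the joined set changes every
    slot (addresses added and dropped) without revealing which member carries
    the group's traffic. `random` is seeded from an HMAC only to pick decoys
    deterministically; it is not used as a security primitive.
    """
    chosen = chosen_address(secret, epoch, pool)
    seed = hmac.new(secret, b"decoy" + epoch.to_bytes(8, "big"), hashlib.sha256).digest()
    rng = random.Random(seed)
    return {chosen} | set(rng.sample([a for a in pool if a != chosen], decoys))


def run_session(secret: bytes, epochs: int, decoys: int = 3):
    """Hop for `epochs` slots; count packets seen by an authorized receiver and by
    an outsider joined to a single fixed address (POOL[0]).

    Returns (authorized_hits, outsider_hits, distinct_addresses_used).
    """
    outsider_joined = {POOL[0]}
    used, auth_hits, out_hits = set(), 0, 0
    for epoch in range(epochs):
        addr = chosen_address(secret, epoch)  # sender's address for this slot
        used.add(addr)
        if addr in subscription_set(secret, epoch, decoys):
            auth_hits += 1
        if addr in outsider_joined:
            out_hits += 1
    return auth_hits, out_hits, len(used)
```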

Bibliographic data

  • Publication number: AU6195701A
  • Publication date: 2001-12-03
  • Original document format: PDF
  • Applicant/assignee: LADR IT CORPORATION
  • Application number: AU20010061957
  • Inventor: CHARLES BYRON ALEXANDER SHAWCROSS
  • Filing date: 2001-05-22
  • Classification: H04L29/00
  • Country: AU
  • Database entry time: 2022-08-22 00:39:42
