JP2003188893A - Device for detecting illegal access - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an illegal access detecting device in which a communication traffic interruption state in a network caused by an automatic learning function of a switch is recovered in a short period of time. <P>SOLUTION: The illegal access detecting circuit is configured so as to transmit a reset packet for disconnecting a TCP session with respect to illegal access in the network using a network switch provided with an address learning function. The device includes a means for transmitting a re-learning packet after transmitting the reset packet by an address which is different from the one for reset packet transmission. <P>COPYRIGHT: (C)2003,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an unauthorized access detection device, and more particularly, to improvement of processing after an unauthorized access is detected in a network using a network switch.

[0002]

2. Description of the Related Art Conventionally, in transmitting packet data in a network, a signal distributor having a function of transmitting packets to all connected transmission paths called a hub (HUB) has been used.

However, since the hub uses the carrier collision detection method, there is a problem in that the utilization efficiency of the network is poor and the network speed cannot be effectively utilized.

Therefore, in recent years, in most networks, a network switch (hereinafter referred to as a switch) that selects a transmission path for each packet data is used as an element for improving the utilization efficiency of the network.

On the other hand, with the development of the network, a human being called a hacker appears, tries to invade the network of a business office, and misplaces the network or data by the mischief of rewriting the home page (HP). Some even commit crimes such as stealing.

Therefore, in order to detect and deal with such unauthorized access by humans, as shown in FIG. 3, IDS (I
nstruction Detection System) has been introduced. In FIG. 3, switch 1
Is connected between the router 2 and the server 3. IDS4
Is connected to switch 1 and is usually a MAC (MediaAcce
ss Control) The address is stealthed so that it cannot be seen from switch 1. Note that stealth settings do not have an IP address and do not execute the Arp protocol, so no one can see the port.

The switch 1 recognizes the other party by looking at the MAC address and IP address of the packet arriving at each port of the switch. Initially, broadcast to all ports, but for the port that responded, the other party's MAC address and IP address are stored for each port, then the MAC
By discriminating the address and sending the packet only to the port that needs to be transferred, the network band is effectively used without the existence of extra packets in the network.

The IDS 4 includes at least an attack packet detector 41 and a Reset packet transmitter 42. In order to detect an intrusion or attack through the network, the attack packet detection unit 41 monitors packets of traffic flowing through the network, and is it a normal packet or an attack or intrusion based on a database called an attack signature? To judge. If there is an attack or intrusion, the Reset packet sending unit 42 sends a Reset packet to the other party trying to make an attack, and cuts off the network connection.

That is, when the attack packet detector 41 detects an attack signature, the reset packet transmitter 4
2 sends a Reset packet to disconnect the currently established TCP session. Specifically, IDS4 temporarily changes its stealth settings and uses the ones of server 3 and router 2 where both MAC and IP have been attacked, and reset packets for forcing itself to disconnect the TCP session. Is sent. As a result, the packet generated by the attacking person cannot maintain the session and cannot attack.
From the attacker, the target server 3, as if it was Reset
Since it looks as if a packet was generated, the existence of IDS4 cannot be easily known.

[0010]

Although the network-type IDS has the advantage that it is difficult to detect its existence, in order to emphasize the confidentiality when responding to an attack, the IDS of the network is forged to reveal its identity. Since it has a function that it does not exist, in a network using switches as shown in FIG. 3, depending on the characteristics of the switch 1,
The following inconvenience may occur.

IDS 4 is simply a network switch 1
If you just connected to the same MAC (Media Access
A packet with a Control address will come from multiple ports. As a result, if the switch 1 has the function of automatically learning the MAC address, the MAC of the switch 1
The table is overwritten with the latest information.

As a result, even if it is possible to send a Reset packet to the attack source, after that, the main communication traffic is forwarded to a different port due to the automatic learning of the MAC address, which hinders the communication itself. There is. Especially popular recently because it is cheap
In the MAC address auto-learning type switch, there is a situation in which the network itself is shut off because the IDS installation support function is built in.

For example, it is assumed that the router 2 has a MAC address of A and the server 3 has a MAC address of B. The IDS 4 uses a monitor port provided in the switch 1 or a TAP to monitor packets flowing through the network. IDS4 originally has a MAC address of C, but this is not output to the network.

The IDS 4 is reset by the Reset packet sending unit 42.
When sending a set packet, speak the MAC addresses of A and B, and put the packet with the IP address on it. When the switch 1 is connected in the network from the IDS 4 to the router 2 and the server 3 as shown in FIG. 3,
The switch 1 considers that the MAC address that has been connected until now has moved to another switch port by the automatic learning function, and changes the route of traffic including IP.

For this reason, the packet sent from the router 2 to the server 3 is transferred to the changed destination, but only the IDS 4 exists there. Switch 1 for NIC (Network Interface Card) with stealth settings
Tries to connect, but does not respond, the network is cut off. Such communication traffic blocking state continues until the MAC information learned by the switch 1 is updated.

The present invention focuses on such a problem, and an object thereof is an unauthorized access detection device capable of recovering a communication traffic interruption state of a network due to an automatic learning function of a switch within a short time. To provide.

[0017]

The invention according to claim 1 that achieves the above object provides a reset packet for disconnecting a TCP session against an unauthorized access in a network using a network switch having an address learning function. The unauthorized access detection device configured to send out is provided with means for sending out the re-learning packet after sending the reset packet to an address different from that at the time of sending out the reset packet.

According to the invention of claim 2, in the unauthorized access detection device according to claim 1, the packet for re-learning is ICMP_Ech.
It is characterized by being an o_Request packet.

With these, the switch automatically learns the re-learning packet, so that the main communication path of the network can be secured, and the communication traffic interruption state of the network due to the automatic learning function of the switch can be recovered within a short time. be able to.

[0020]

BEST MODE FOR CARRYING OUT THE INVENTION Embodiments of the present invention will be described below with reference to the drawings. FIG. 1 is a block diagram showing an example of an embodiment of the present invention, and portions common to FIG. 3 are assigned the same reference numerals. In FIG. 1, a re-learning packet generator 43 is added to the IDS 4. The re-learning packet generator 43 sends the re-learning packet to an address different from that when the reset packet is sent after the reset packet generator 42 sends the reset packet. Examples of such re-learning packets include ICMP (Inter
net Control Message Protocol) _Echo_Request packet is used.

The operation of FIG. 1 will be described. An attacker (not shown) sends packets from the Internet in the order of router 2 → switch 1 → server 3. The IDS 4 fetches the attacker's packet from the monitor port of the switch 1, and the attack packet detector 41 analyzes the content.

When the attack packet detector 41 determines that the packet sent by the attacker is an attack, the reset packet transmitter 4
2 sends out a Reset packet. For the Reset packet, specify the MAC address of the server 3 as the sender and the M of the router 2
Specify the AC address as the destination, change the source IP from which the packet was sent to the destination, and replace the dest address with the source to create it. The switch 1 receives this Reset packet, but since it has the same MAC, it learns to the latest configuration. As a result, the Reset packet is sent to the router 3.

At this point, the route from the server 3 to the router 2 and vice versa are cut off, and both attempt to transmit to the port connected to the IDS 4, but in reality there is only a stealth setting port, so communication is not possible. Be disrupted.

Here, the re-learning packet generating section 43 has an ID
The ICMP_Echo_Request packet using the MAC of S4 is generated and the switch 1 is made to learn again. Switch 1 updates the MAC table because a MAC different from the MAC that has been connected to the same port has arrived, but since there is no same address, when changing the table from the latest information to the latest information held by each port , Transfer information to the port to which the server was connected until now.

As a result, the communication path that has been interrupted is reconnected, and information can pass between the router 2 and the server 3.

According to the present invention, between the IDS 4 and the switch 1, the IDS 4
When a Reset packet is sent from 4, the Mac address of IDS4 is used as the source, the MAC of either router 2 or server 3 is set as the destination, and the IP is either router 2 or server 3 after a certain time from the last packet. It is provided with a function of generating and transmitting a re-learning packet such as an ICMP_Echo_Request packet under a condition.

There are many possible implementation methods, but there is no problem if they can be generated within a few ms after the generation of the Reset packet sequence. For example, if the dedicated hardware 5 as shown in FIG. 2 is used, it is not necessary to set the switch on site.

The dedicated hardware 5 shown in FIG.
Network interface 51 for connecting to
And an ICMP_Echo_Request packet generator 52, and a network interface 53 for connecting to the IDS 4. The ports PT1, PT2, and PT4 of the switch 1 are switch ports, and the port PT3 is a monitor port. Ports PT5 and PT6 of IDS4 are stealth ports.

The present invention can be applied regardless of the settings and types of switches in the existing system. Then, when recovering from the communication interruption, ICMP or UDP (User Data program Proto
col) packets, the existence of these packets does not affect the system since there is no obligation to respond.

By the way, such an IDS is often installed and operated in a general PC or workstation that constructs a network as a software product. However, if the load on the network becomes high, or if the average value is low but the instantaneous load becomes high, so-called packet dropouts may occur and packet inspection may not be possible. In particular, in a system using UNIX (registered trademark), due to the characteristics of UNIX (registered trademark), there is a strong tendency to easily drop packets when capturing data in the promiscuous mode.

When IDS is introduced into a UNIX (registered trademark) -based machine, there are the following problems. 1) UNIX (registered trademark) is basically a time sharing system, and it is premised that processing is performed in synchronization with the processing clock of the system. 2) UNIX (registered trademark) I / O (input / output) system is S
It enters a single queue called tream, and individual I / O information is extracted from this queue, dispatched, and processed sequentially. 3) All I / O (disk, man-machine,
(Network) is queued together, so this part becomes the bottleneck in processing speed.

Although UNIX (registered trademark) ensures stability by performing synchronous sequential processing, in the case of IDS, flow control cannot be used for the arrival of packets from the network. This is because the MAC address is not output because the stealth setting is used to increase the confidentiality of the IDS, and it is recognized by the network device that it does not exist.

When a packet that exceeds the processing capability of the user arrives due to the inability to perform flow control, the normal processing is informed that the packet cannot be processed and the packet is retransmitted. Become.

In the case of IDS, N is set at the same time as stealth setting.
Since the IC is set to the indiscriminate capture mode, the number of packets is suppressed by filtering with the NIC in normal network equipment, but the processing becomes more strict because all the packets flowing through the network come in.

The packet drop when the IDS is mounted on such a UNIX (registered trademark) machine can be greatly improved by using a NIC having a large hardware buffer.

The conventional NIC has a buffer of about 1 kB inside and transfers packets to the communication buffer of the OS at a transfer rate of about 132 MB / S via the PCI bus. The communication buffer has an upper limit because it allocates the fixed area of the OS,
A lot of CPU if you dynamically change its size or allocate it
Time consuming.

As a countermeasure against this, prepare a buffer sufficiently larger than usual (20 to 4000 times or more) inside the NIC,
Reduce the frequency of interrupts to the OS to keep the communication buffer size to the maximum and reduce the frequency of processing startup.

As a result, the operation of the CPU is directed to the packet analysis process, and even if the stream processing is full, buffering is performed at a place where the software does not know, so that the packet drop can be avoided.

When a packet arrives, an asynchronous interrupt is generated from the NIC, and after the I / O request, the data is transferred from the NIC to the system communication buffer. The pointer of the data in this buffer is queued in the stream along with other I / O requests, dispatched to each process at the stream exit, and sent to the IDS process for analysis.

The processing of this OS is left unchanged, and the buffer size of the NIC is increased. For example, a NIC with a 64KB hardware buffer (FIFO format) is used, and an interrupt is generated when 512 bytes are accumulated. In a normal NIC, the buffer is only about 1KB, so the upper process is busy, and if the time until the actual data is taken in for the I / O request is long, the buffer content will overrun and the packet will be lost.

The longer the time until the data is actually fetched in response to the I / O request, the better.
Should be high speed, but for example SP of Sun Micro system
The upper limit is about 500MHz in the system using the ARC processor, and the IDS system is often not multi-process capable, so increasing the number of CPUs will not improve the analysis capability.

Until the stream enters from the NIC, there are actually interrupt processing, data transfer, and queuing, and dispatch processing also enters at the stream exit. Therefore, when it is difficult to reduce the number of interrupt processes and the actual process after the interrupt, buffering the data by hardware can reduce the chances of packet loss.

Also, the number of asynchronous requests generated each time a packet arrives can be reduced by accumulating data to some extent.

As a concrete additional circuit for realizing these, in addition to NIC (physical, LINK layer), IP from LINK
A FIFO type memory having a function of buffering packets may be mounted.

[0045]

As described above, according to the present invention,
It is possible to realize an unauthorized access detection device capable of recovering the communication traffic blocking state of the network due to the automatic learning function of the switch in a short time.

[Brief description of drawings]

FIG. 1 is a block diagram showing an exemplary embodiment of the present invention.

FIG. 2 is a block diagram showing another embodiment of the present invention.

FIG. 3 is an example of a conventional unauthorized access detection device.

[Explanation of symbols]

1 switch 2 router 3 servers 4 Unauthorized access detection device IDS 41 Attack packet detector 42 Reset packet generator 43 Re-learning packet generator 5 Dedicated hardware

Claims (2)

[Claims] 1. An unauthorized access detection device configured to send a reset packet for disconnecting a TCP session in response to an unauthorized access in a network using a network switch having an address learning function, and then resets after sending the reset packet. An unauthorized access detection device comprising means for transmitting a re-learning packet at an address different from that at the time of packet transmission. 2. The unauthorized access detection device according to claim 1, wherein the re-learning packet is an ICMP_Echo_Request packet.