JP2003283554A - Distributed denial of service attack preventing method, gate device, communication device, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To limit the transmission band of offensive traffic for a distributed denial of service (DDoS) attack while securing communication traffic for regular users. <P>SOLUTION: When the suspicious offensive packet of the DDoS attack is detected, a gate device 2001 transmits the suspicious signature and the regular condition of the suspicious offensive packet to upstream communication devices 2002 and 2003. Each of the communication devices 2002 and 2003 cancels the transmission band limitation of the packet identified from the regular condition and a regular signature created based upon the suspicious signature while limiting the transmission band of the packet identified from the suspicious signature. Further, each of the communication devices 2003 and 2003 transmits the suspicious signature and the regular condition to further upstream communication devices to report the suspicious signature and the regular condition to the upper- most stream communication device in the recursive manner and each communication device further limits the band by detecting the offensive packet from the suspicious offensive packets while implementing the band limitation of the suspicious offensive packet. <P>COPYRIGHT: (C)2004,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a distributed denial-of-service attack prevention method and apparatus for protecting a device connected to a network from an attack via the network, and a computer program thereof.

[0002]

2. Description of the Related Art Conventionally, TCP / IP (Transmission con
Network protocols such as trol protocol / internet protocol) are open and designed to be used by mutually trusted groups. For this reason, the computer operating system tries to prevent the use of legitimate users by consuming a large amount of communication traffic (data, etc.) to the attack target server, consuming network transmission bandwidth and server resources. Denial of service attacks (hereinafter referred to as "DoS (Denial of Ser
vice) attack) is not considered.
Although methods of defense against such DoS attacks are increasing, "DDoS (Distributed Denial of Service) attacks" in which DoS attacks are performed simultaneously from multiple locations in cooperation with each other
No effective method has yet been developed to protect against.

As a defense method against this DDoS attack, Ingress Filter proposed by Cisco, Inc.
r (RFC2267) and Center of UUNET
There is a Track. The former is a mechanism for checking the spoofing of the source address, which is often used in DDoS attacks. It is installed in the router which is the boundary where the local area network is connected to the internet, and it transmits from the local area network to the internet. Check the legitimacy of the source address of the packet being sent, and if it does not match the address assigned to the local area network, drop the packet without sending it to the Internet. On the other hand, the latter is a technique in which a diagnostic function is added to an Internet router to trace the source of a DDoS attack.

Further, as a technique for limiting attack traffic at an upstream node closer to the attack source than a node that has detected a DDoS attack, a method for preventing a distributed denial of service attack, which has been filed by the inventors of the present application (special Wish 2001-274
016), paper by AT & T (R. Mahajan, SMBellovin,
S. Floyd, J. Ioannidis, V. Paxson and S. Shenker: “Co
ntrolling high bandwidth aggregates in the network
-extended version ”(2001)), IDIP (Intruder
Detection and Isolation Protocol) (D.Schnackenber
g, K.Djahandari and D.Sterne: “Infrastructure for
intrusion detection and response ”, Proceedings o
f the DARPA Information Survivability Conference a
nd Exposition (DISCEX), South Carolina (2000)). AT &T's paper and IDIP are methods and protocols for transmitting an attack detection event to an upstream node of an attack route and limiting the transmission band at the upstream node. The distributed denial-of-service attack prevention method applied by the inventors of the present application is that a mobile packet filtering program installed in a router creates a copy of its own program and moves the copy to an upstream router, The mobile packet filtering program that has moved to each upstream router is a technique that blocks all traffic sent from the DDoS attacker's host to the attack target server.

[0005]

The above-mentioned Ingres
s Filter (RFC2267) is a technique for prohibiting a DDoS attack by spoofing a source address, and is not a technique used by an attacked side for protection. Further, Center Track is a technique that helps victims of an attack to identify the attacker, but cannot prevent the attack while actually being attacked.

Further, the above-mentioned Ingress Fil
eter (RFC2267) is a correct IP (internet
protocol) Addresses cannot be used for attacks by IP packets. If the router that is the boundary between the attacking local area network and the Internet does not have an Ingress Filter, no attack is possible. There is a problem that it is not useful for defense. In addition, the above-mentioned Center
Track cannot effectively stop the attack without contacting the computer that is the attack source of distributed DoS distributed in multiple locations and the administrator of the network to which the computer is connected. Has the problem that it will take hours or even days to stop the attack.

Further, in the distributed denial-of-service attack prevention method and the AT & T papers filed by the same inventors of the present application, the attack packet can only be attacked with predetermined attributes such as the data field of the IP packet and the destination information of the packet. Since it is specified, there is a problem that the attack attribute requested by the attacked person cannot be reflected. Furthermore, in these distributed denial of service attacks prevention methods, AT & T papers and IDIP,
Do not send the packet identified as the attack packet to the next node, but discard it. Therefore, although it is possible to prevent the primary damage in which the service is stopped due to the down of the target server or the overload of the router device, there is no method to distinguish the packet from the legitimate user from the attack packet, so the There is a possibility that a legitimate packet from a user may be discarded as an attack packet, causing a secondary damage such as a decrease in usability of a legitimate user.

The present invention has been made in consideration of the above circumstances, and an object thereof is to provide a distributed service capable of preventing a DDoS attack at an upstream node while mitigating a damage that deteriorates serviceability to a legitimate user. An object of the present invention is to provide an impossible attack preventing method and apparatus and a program.

[0009]

SUMMARY OF THE INVENTION The present invention has been made to solve the above-mentioned problems, and the invention according to claim 1 provides a network in which a plurality of communication devices are connected in a mesh and a protection. In a network system having a target computer and a LAN, and a gate device interposed between the LAN and the network, does the gate device match communication traffic with a predetermined attack suspect packet detection condition? If it is checked whether or not the matched traffic is detected, a suspect signature for identifying the detected suspect attack packet is generated and transmitted to the upstream communication device, and thereafter, the attack identified by the suspect signature. The communication device performs a process of limiting the transmission band of the suspect packet, and the communication device receives from the downstream gate device or the communication device. It sends the suspect signature to the upstream communication apparatus, a distributed denial of service attack prevention method and performing a process of limiting the transmission band of the suspicious offensive packet identified by the suspect signature.

The invention according to claim 2 is the distributed denial of service attack prevention method according to claim 1, wherein the gate device and the communication device are traffic of an attack suspect packet identified by the suspect signature. By analyzing attack traffic, detecting the attack traffic, identifying the source network of the packet forming the attack traffic, and further limiting the transmission band of the attack packet sent from the source network thereafter. And

A third aspect of the present invention is the distributed denial of service attack prevention method according to the first or second aspect, wherein the gate device is a condition for a communication packet from a terminal device of an authorized user. Is transmitted to the upstream communication device, and a normal signature for identifying a normal packet is generated based on the normal condition and the suspect signature, and thereafter, a normal signature identified by the normal signature is generated. The communication device performs processing for canceling the transmission band limitation of the packet, the communication device transmits the normal condition received from the downstream gate device or the communication device to the upstream communication device, and based on the normal condition and the suspect signature. To generate a regular signature that identifies the regular packet, and then to limit the transmission bandwidth of the regular packet identified by the regular signature. And performing a process of dividing.

A fourth aspect of the present invention is the distributed denial of service attack prevention method according to any one of the first to third aspects, characterized in that it operates on an active network.

According to a fifth aspect of the present invention, a distributed service is impossible in a gate device interposed between a network formed by connecting a plurality of communication devices in a mesh and a defense target computer and a LAN. A packet detection condition storage unit that stores a detection condition of an attack suspect packet of an attack,
A traffic monitoring unit that checks an input communication packet and detects the occurrence of an attack suspicion packet based on the detection condition of the attack suspicion packet stored in the packet detection condition storage unit; and the attack detected by the traffic monitoring unit. Bandwidth control means for limiting the transmission bandwidth of the suspect packet, signature generation means for generating a suspect signature for identifying the attack suspect packet based on the detection condition of the attack suspect packet, and the suspect signature to the upstream communication device. And a signature transmitting unit for transmitting the information by a signature transmitting unit.

According to a sixth aspect of the present invention, in the gate apparatus according to the fifth aspect, the traffic monitoring means analyzes the traffic of the attack suspect packet that is input to detect attack traffic, The bandwidth control means specifies a transmission source network of a packet forming the attack traffic and further limits a transmission bandwidth of an attack packet transmitted from the transmission source network.

The invention according to claim 7 is the gate device according to claim 5 or 6, wherein the packet detection condition storage section is further provided with a communication packet from a terminal device of an authorized user. A normal condition indicating a packet condition is stored, the signature generation unit generates a normal signature that identifies a normal packet based on the suspect signature and the normal condition, and the bandwidth control unit uses the normal signature. The signature transmission means releases the transmission band limitation of the identified regular packet, and transmits the regular condition to the upstream communication device.

According to an eighth aspect of the present invention, in a communication device forming a network in which a computer to be protected and a LAN are connected via a gate device, a signature for receiving a suspicious signature from a downstream gate device or the communication device. A communication device comprising: a reception unit, a band control unit that limits a transmission band of an attack suspect packet identified by the suspect signature, and a signature transmission unit that transmits the suspect signature to an upstream communication device. Is.

The invention according to claim 9 is the communication apparatus according to claim 8, further comprising: traffic monitoring means for analyzing traffic of the inputted attack suspect packet to detect attack traffic, The control means specifies the transmission source network of the packet forming the attack traffic, and further limits the transmission band of the attack packet transmitted from the transmission source network.

The invention described in claim 10 is the communication apparatus according to claim 8 or 9, wherein the signature receiving means receives a normal condition from the downstream gate apparatus or communication apparatus, and The bandwidth control unit generates a regular signature that identifies a regular packet based on the regular condition and the suspect signature, releases the transmission band limitation of the regular packet identified by the regular signature, and the signature transmission unit, And transmitting the legitimate signature to the downstream communication device.

The invention described in claim 11 is a computer executed on a gate device interposed between a network formed by connecting a plurality of communication devices in a mesh and a computer to be protected and a LAN. In the program, a step of checking whether the input communication traffic matches the predetermined detection condition of the attack suspect packet, and when the matched traffic is detected, the detected attack suspect packet is detected. A step of generating a suspect signature for identifying, a step of generating a regular signature for identifying a regular packet based on a predetermined regular condition and the suspect signature, and a transmission band of the attack suspect packet identified by the suspect signature. Limiting step and solving the transmission bandwidth limitation of the legitimate packet identified by the legitimate signature. The step of transmitting the suspect signature and the legitimate condition to an upstream communication device, analyzing the traffic of the attack suspect packet to detect attack traffic, and the source of the packet making up the attack traffic. Identify the network,
A distributed denial-of-service attack prevention program characterized by causing a computer to execute a step of further limiting a transmission band of an attack packet transmitted from the transmission source network.

According to a twelfth aspect of the present invention, there is provided a computer program executed on a communication device constituting a network in which a computer to be protected and a LAN are connected via a gate device, which is a downstream gate device or Receiving a suspicious signature and a legitimate condition from a communication device; limiting a transmission band of an attack suspicious packet identified by the suspicious signature; and identifying a legitimate packet based on the legitimate condition and the suspicious signature. Creating a canonical signature, releasing the transmission band limitation of the canonical packet identified by the created canonical signature, transmitting the alleged signature and the canonical condition to an upstream communication device, and the alleged attack packet Detecting the attack traffic by analyzing the traffic of A distributed denial-of-service attack characterized by causing a computer to execute a step of specifying a transmission source network of a packet constituting attack traffic and further limiting a transmission band of an attack packet transmitted from the transmission source network. It is a prevention program.

According to a thirteenth aspect of the present invention, a computer executed on a gate device interposed between a network formed by connecting a plurality of communication devices in a mesh and a computer to be protected and a LAN. A computer-readable recording medium having a program recorded therein, the step of checking whether or not the input communication traffic matches a predetermined attack suspect packet detection condition, and detecting the matched traffic. Generating a suspect signature identifying the detected attack suspect packet, generating a canonical signature identifying a canonical packet based on a predetermined canonical condition and the suspect signature, and identifying with the suspect signature Limiting the transmission band of the suspected attack packet,
The step of releasing the transmission band limitation of the legitimate packet identified by the legitimate signature, the step of transmitting the suspect signature and the legitimate condition to the upstream communication device, and analyzing the traffic of the attack suspect packet to detect the attack traffic. A distributed type for causing a computer to execute each of the steps of detecting and specifying a transmission source network of a packet forming the attack traffic and further limiting a transmission band of an attack packet transmitted from the transmission source network. A recording medium characterized by recording a denial of service attack prevention program.

According to a fourteenth aspect of the present invention, there is provided a computer program executed on a communication device constituting a network in which a computer to be protected and a LAN are connected via a gate device, which is a downstream gate device or Receiving a suspicious signature and a legitimate condition from a communication device; limiting a transmission band of an attack suspicious packet identified by the suspicious signature; and identifying a legitimate packet based on the legitimate condition and the suspicious signature. Generating a canonical signature, releasing the transmission band limitation of the canonical packet identified by the canonical signature, transmitting the alleged signature and the canonical condition to an upstream communication device, and traffic of the alleged attack packet Analyzing and detecting attack traffic; Recording a distributed denial-of-service attack prevention program for causing a computer to execute the steps of: specifying the source network of the packets making up the Hick, and further limiting the transmission band of the attack packet transmitted from the source network. The recording medium is characterized by:

[0023]

BEST MODE FOR CARRYING OUT THE INVENTION An embodiment of the present invention will be described below with reference to the drawings. FIG. 1 is a configuration diagram of a network to which the embodiment is applied. In this figure, 2000 is a server, 2001 is a gate device (gateway) according to an embodiment of the present invention, and 2002-20.
Reference numeral 06 is a communication device (router) according to an embodiment of the present invention, and 2007 to 2010 are terminal devices. DDoS
LA containing the server 2000 of the attack target
N (local area network) is a gate device 20
01 is connected to the external network. Then, the network includes communication devices 2002, 2003, and 2.
It has 004, 2005, and 2006. Terminal devices 2007, 2008 operated by a DDoS attacker,
2009 transmits the attack packet to the attacker's server 2000
Attack packet, the attack packet is
When the congestion occurs in the AN, the resources of the gate device 2001 are consumed, and the terminal 2000 of the regular user irrelevant to the DDoS attacker can access the server 2000.
The phenomenon occurs that you cannot connect to.

The gate device 2001 is previously installed in the server 200.
The attack suspect detection condition and the normal condition set by the user who holds 0 are stored. FIG. 2 shows an example of setting the attack suspicion detection condition, and FIG. 3 shows an example of setting the normal condition. Further, the gate apparatus 2001 stores the server 2000 to be protected and the transmission band limit value preset by the owner of the LAN in which the server 2000 is housed.

The attack suspicion detection condition in FIG. 2 is made up of three sets of records including a detection attribute, a detection threshold, and a detection interval. Numbers are used here for convenience to identify records. The attack suspicion detection condition is used to detect an attack suspicion packet in which the received packet may be an attack packet, and if the traffic matches the condition of any one of the three sets of records,
The communication packet of this traffic is recognized as an attack suspect packet. The detection attribute is 3/4 of the IP packet.
A layer attribute type and a set of those attribute values are designated, but the attribute type "Destination IP Address" of the third layer attribute IP is always designated. In FIG. 2, the detection attribute of the record with number 1 is “Destination
"IP Address" is "192.168.1.1/3"
2 ”(dst = 192.168.1.1 / 32), the“ Protocol ”indicating the protocol type of the upper layer (fourth layer) of IP is“ TCP ”(Protocol = TCP), and the fourth It is specified by a pair of an attribute type of "Destination Port (destination port number)" that indicates which application information the layer protocol is "80" (Port = 80) and those attribute values. The record detection attribute of number 2 is "Destinat
"ion IP Address" is "192.168.1.
2/32 "(dst = 192.168.1.2 / 32) and" Protoc
ol (protocol) "is" UDP (User Datagram protoc
ol) ”(Protocol = UDP). The record detection attribute of number 3 is designated by the attribute type whose "Destination IP Address" is "192.168.1.0/24" and its attribute value. The detection threshold indicates the minimum transmission band for detecting the traffic of the received packet having the detection attribute designated by the same record as the attack suspicious traffic, and the detection interval indicates the minimum continuous time.

The normal condition in FIG. 3 is composed of a plurality of records each consisting of a combination of the third and fourth layer attribute types of the IP packet and their attribute values. Numbers are used here for convenience to identify records. The legitimate condition is a condition that the received packet is a packet from the terminal device of the legitimate user, that is, a legitimate packet, and even if the packet matches the attack suspect detection condition of FIG. If it does, it is determined to be a regular packet. Figure 3
In, the detection attribute of the record with the number 1 is “So
urce IP Address ”is“ 172.16.
10.0 / 24 "is specified (src = 172.16.10.0 / 2
4), the detection attribute of the record of number 2 specifies that the "Type of Service" indicating the quality of service on IP is "01 (hex)" (TOS = 0x
01). This legitimate condition includes, for example, a branch of a company of the server owner, an affiliated company, or the like, of a server 2000 to be protected and a network in which the owner of the LAN accommodating the server 2000 is recognized as an authorized user. Source I
The P address and the like are set.

Further, the gate device 2001 and the communication device 2
002 to 2006 hold the illegal traffic detection condition for analyzing the traffic of the attack suspect packet and detecting the illegal traffic. FIG. 4 shows an example of setting the unauthorized traffic detection condition. Numbers are used here for convenience to identify records. The illegal traffic condition is composed of a plurality of traffic patterns of a known DDoS attack, and when the traffic of the attack suspect packet matches any of the traffic patterns, it is recognized as illegal traffic. The illegal traffic condition with the number 1 in FIG. 4 indicates a traffic pattern that "packets with a transmission band T1 Kbps or more are continuously transmitted for S1 seconds or more". In addition, the illegal traffic condition of number 2 is "transmission band T2 Kbps or more, IC that is the third layer protocol.
A packet of an echo response (Echo Reply) message on MP (Internet Control Message Protocol) is continuously transmitted for S2 seconds or more. " The illegal traffic condition of the number 3 is "fragment packet indicating that the data included in the packet is divided into a plurality of IP packets and is transmitted because the data is too long for the transmission band T3 Kbps or more and is continuously transmitted for S3 seconds or more. Traffic pattern.

Here, the band control model provided in the gate device 2001 and the communication devices 2002 to 2006 will be described. FIG. 5 shows a band control model included in the gate device 2001 and the communication devices 2002 to 2006 in this embodiment. The bandwidth control model is a model for classifying input packets into classes and realizing output bandwidth control of packets according to the classes. The filter 2021 uses the input packet as a regular class 2022 and a suspect class 2
026 and illegal class 2024 are classified into three classes. The classification algorithm of this filter 2021 will be described later. The regular class 2022 is a default class, and packets classified into the regular class 2022 are connected to the regular queue 2023 and output without limiting the transmission band. The packets classified into the suspicion class 2026 are connected to the suspicious queue 2027 generated for each of the protection target server 2000 and the LAN in which the server 2000 is accommodated, and possession of the protection target server 2000 and the LAN in which the server 2000 is accommodated. The output transmission band is limited to the transmission band limit value preset by the user. Server 20
As the transmission band limit value of the suspicious queue of the gate device 2001 accommodating 00, the transmission band limit value preset by the owner of the protected server 2000 and the LAN in which the server 2000 is accommodated is used. In the communication devices 2002 to 2006, the transmission band limit value received from the downstream router is used. The generation of the suspect signature will be described later. The packets classified into the fraud class 2024 are connected to the fraud queue 2025, and are limited to 0 or a transmission band close to 0 regardless of the server owner or the policy of the network.

Subsequently, the gate device 2001 and the communication devices 2002 to 2006 execute the transmission band limitation,
The classification algorithm of the filter 2021 will be described. Gate device 2001 and communication devices 2002-200
6 classifies all the input communication packets by this classification algorithm.

FIG. 6 shows a classification algorithm in the filter 2021. First, in step S3001,
The filter 2021 determines whether the input packet matches the regular signature. If the packet matches the regular signature, the packet is classified into the regular class 2022 (step S3002). If the packet does not match the legitimate signature, the process advances to step S3003 to determine whether the packet matches the unauthorized signature. If the packet matches the illegal signature, the packet is classified into the illegal class 2024 (step S3004). If the packet does not match the fraudulent signature, the process advances to step S3005 to determine whether the packet is a suspect signature, and if the packet matches the suspect signature, the packet is classified into a suspect class 2026 (step S3006) and does not match the suspect signature. Regular class 20 if the signature does not match
It is classified into 22 (step S3007). Packets classified into each class in this way are output without a transmission band limit if they are regular queues, and output with a transmission band limited according to their transmission band limit values if they are suspicious queues and illegal queues. It Note that the canonical signature,
The generation of suspect signatures and fraudulent signatures will be described later.

Next, a flow chart showing an operation of the gate apparatus 2001 in FIG. 7 when an attack suspect packet is detected, a flow chart showing an operation of the communication apparatuses 2002 and 2003 in receiving a signature, and the gate apparatus 2001 and communication in FIG. A processing procedure of the DDoS attack countermeasure method will be described using a flowchart showing an operation of the devices 2002 to 2006 at the time of detecting unauthorized traffic.

In step S3011 of FIG. 7, the gate apparatus 2001 continuously continues for a longer time than the detection interval specified in accordance with the attack suspicion detection condition (FIG. 2).
If you check the traffic that matches the detection attribute and that uses the transmission band that is greater than the detection threshold, and matches any one of the three records,
This traffic is detected as attack suspect traffic.
Then, in step S3012, the detection attribute of the record of the attack suspected detection condition satisfied by the detected attack suspect traffic is generated as a suspect signature. The suspect signature identifies a communication packet of attack suspect traffic, that is, an attack suspect packet. further,
The normal condition (FIG. 3) is referred to, the suspect signature and the AND condition are taken for every record of the normal condition, and this is generated as a normal signature. The legitimate signature is used to identify a legitimate packet that is a legitimate user's communication packet from the suspect signature. For example, to explain using the setting examples of FIGS. 2 and 3, the suspicious signature of the packet detected under the condition of the record of number 1 in FIG. 2 is {dst = 192.168.1.1 / 32, Protocol = TCP, Port = 80. }, And the canonical signature is {src = 172.16.10.24, dst from Figure 3.
= 192.168.1.1 / 32, Protocol = TCP, Port = 80} and {TOS = 0x
01, dst = 192.168.1.1 / 32, Protocol = TCP, Port = 80}.

Next, in step S3013, the gate apparatus 2001 filters the suspect signature and the canonical signature generated in step S3012.
21 is registered and the suspect queue 2027 for restricting the transmission band to the transmission band limit value preset by the owner of the protection target server 2000 and the LAN in which the server 2000 is housed is generated.
If a suspicion queue for the same defense target has already been generated, a new suspicion queue is not generated. As a result, the band control model shown in FIG. 5 and the filter 2 shown in FIG.
According to the classification algorithm of 021, the transmission band limitation of the attack suspect packet that matches the suspect signature and the transmission band limitation of the regular packet that matches the regular signature are canceled.

Then, the gate apparatus 2001 executes step S3014. That is, the gate device 2001
Transmits the suspect signature, the legitimate condition, and the bandwidth limit value of the attack suspect packet to the upstream communication devices 2002 and 2003. As for the bandwidth limit value of the traffic of the attack suspect packet transmitted here, for example, the transmission bandwidth limit value corresponding to the record of the attack suspect detection condition stored in the gate device 2001 is evenly distributed to all the upstream communication devices. Calculated by the method.

Next, the communication device 200 at the time of receiving the suspect signature, the legitimate condition, and the bandwidth limit value of the attack suspect packet.
2, 2003 will be described. Step S30 of FIG.
At 21, the communication devices 2002 and 2003 receive the suspect signature, the legitimate condition, and the bandwidth limit value of the suspect packet transmitted by the gate device 2001 (step S3014). Then, in step S3022, the communication devices 2002 and 2003 generate a canonical signature based on the received suspect signature and the canonical condition. That is, the regular signature takes the received suspicious signature and AND condition for every record of the received regular condition, and generates this as a regular signature. Next, step S3
Proceeding to 023, the communication devices 2002 and 2003 register the received suspect signature and the calculated regular signature in the filter 2021, and generate the suspect queue 2027 corresponding to the transmission band limit value of the traffic of the suspect signature and the attack suspect packet. As a result, according to the band control model shown in FIG. 5 and the classification algorithm of the filter 2021 shown in FIG. 6, the transmission band limitation of the attack suspect packet matching the suspect signature and the transmission band limitation of the regular packet matching the regular signature are released. Is executed. Then, in step S3024, the communication device 2002 causes the communication device 2004 upstream thereof to communicate with the communication device 2003.
Transmits the transmission band limit value of the attack suspicion packet that is smaller than the received suspect signature, the normal condition, and the received transmission band limit value to the communication devices 2005 and 2006 located upstream thereof. Here, the transmission band limit value of the attack suspect packet is
For example, it is calculated by a method such that the transmission band limit value received by the communication devices 2002 and 2003 is evenly distributed to all upstream communication devices.

Then, the communication devices 2004 to 2006 are
The suspicious signature, the normal condition, and the transmission band limit value of the suspicious attack packet are received from the communication devices 2002 and 2003,
Step S302 in the communication devices 2002 and 2003
1 to S3023 operate in the same manner.

Next, the gate device 2001 and the communication device 2
The operation at the time of detecting unauthorized traffic 002 to 2006 will be described. In step S3031 of FIG. 9, the gate device 2001 and the communication devices 2002 to 2006 are set to the DDoS.
The attacker analyzes the input packet to identify the network sending the packet and detects traffic that matches any pattern of the illegal traffic conditions (FIG. 4). Then, the gate device 2001 and the communication device 2
002 to 2006 specify the source IP address of the packet satisfying the detected illegal traffic condition (FIG. 4) as an illegal address range in step S <b> 3032, which is the illegal address range and matches the suspect signature. The condition is an invalid signature. Then, the gate device 2001 and the communication devices 2002 to 200
6 registers this false signature in the filter 2021 in step S3033. As a result, the transmission band of the attack packet identified by the illegal signature is further limited according to the band control model shown in FIG. 5 and the classification algorithm of the filter 2021 shown in FIG.

By the way, the operation described above is executed on the active network described below.

An active network capable of carrying out an embodiment of the present invention will be described below with reference to the drawings. FIG. 10 shows a network configuration premised on the present embodiment. As shown in FIG. 10, the communication network is connected by a plurality of communication devices 7001.
The communication device 7001 can be connected to one or more user computers 7000. When exchanging communication data between the user computers 7000, the packets transmitted by the transmission source user computer 7000 are sequentially transferred by the communication device 7001 located in each node on the communication network. To the computer 7000 of the destination user.

Next, the configuration of the communication device will be described.
FIG. 11 is a block diagram showing an internal configuration of the communication device 7001. As shown in FIG. 11, the communication device 7001 includes communication lines 7024a, 7024b, 7024c, and 702.
4d is connected so that the communication device 7001 can exchange packets with another communication device adjacent thereto via these communication lines. Further, the communication device 7001 includes the above-mentioned communication lines 7024a to 7024.
interface units 7023a to 7023d corresponding to d
And a transfer processing unit 7 for performing processing for transferring a packet
021, a transfer destination table 7022 that stores transfer destination information when transferring a packet, and an Active Network Execution Environment 7010 for performing processing on an active packet. The active network execution environment 7010 internally has a code execution unit 7011 for executing an active code (program) and a code storage unit 7012 for storing the active code.
It has and. The active code here is
The code of a computer program that acts on packets in an active network.

Here, an outline of an operation example of the communication device 7001 will be described with reference to FIG. When a packet arrives from another adjacent communication device via the communication line 7024d, the interface unit 7023d receives the packet and transfers it to the transfer processing unit 7021. Transfer processing unit 7021
Reads the source address and the destination address stored in the header part of the passed packet, and further, using those addresses as a key, the transfer destination stored in the transfer destination table storage unit 7022. Determine what to do with the packet by looking up the table.

There are roughly two ways to deal with packets. There are a case where the active code is applied to the packet and a case where the packet is directly transferred to another communication device. As a result of referring to the transfer destination table, when the active code is to be applied to the packet, the transfer processing unit 7021 passes the packet to the active network execution environment 7010. In the active network execution environment 7010, the code execution unit 7011 receives the packet, reads the active code to be applied to the packet from the code storage unit 7012, and executes it. Note that the code execution unit 7011 may pass the packet, which is the processing target, to the transfer processing unit 7021 again and transfer it to another communication device when necessary as a result of executing the active code. As a result of referring to the transfer destination table, if the packet is to be directly transferred to another transfer device without applying the active code, the transfer processing unit 7021
Is an interface unit (702) corresponding to an appropriate transfer destination.
3a, 7023b, 7023c, etc.), and the interface section of the communication line (7024a, 7024b, 70).
24c) to transfer the packet to another communication device.

Here, the case where a packet arrives from another communication device via the communication line 7024d has been described as an example, but the process when the packet arrives via another communication line is similar.

Next, the transfer processing unit 7 in the communication device 7001
A specific description will be given of how the 021 determines the action to be taken on the packet (whether to apply the active code or simply transfer it to another communication device).

In the framework on which this embodiment is based, the active network execution environment is activated based on the IP address specified in the packet. Let I be the set of all (global) IP addresses. A packet having a source IP address of s and a destination IP address of d is represented by (s, d). Further, all active codes stored in the active network execution environment of the communication device belong to a particular user, and a set of IP addresses owned by a particular user is represented by O.

In this framework, each active code belonging to the above-mentioned specific user is a packet represented by a set A by the following formula, and a communication device (node) equipped with the active network execution environment. Has permission to access packets received by. That is, A = {(s, d) ε [(O × I) ∪ (I × O)] | s ≠
d}. In other words, the general meaning of this formula is that an active code belonging to a specific user has access right to a packet whose source or destination address is any of all IP addresses owned by the user. Is to have.

When n active codes belonging to the user are stored in a communication device (node), i
The th (1 ≦ i ≦ n) active code is the set C
(I) The active network execution environment is requested in advance to capture and process a packet belonging to (C (i) ⊆A). That is, for the user, the active network execution environment is c (1) ∪c
(2) ∪ ... · ∪c (n) is started by the packet (s, d) which is an element of the union,
Such a packet can be called an "active packet".

FIG. 12 is a schematic diagram showing an example of the transfer destination table stored in the transfer destination table storage unit 7022 shown in FIG. Information necessary for implementing the above framework can be stored in such a transfer destination table.

As shown in FIG. 12, the transfer destination table is
Each item of type (Type), destination address (Destination), source address (Source), and transfer destination (Send to) is included. The type item represents the type of entry in the table and is "Active".
Alternatively, it takes one of the values “Regular”.
The items of the destination address and the source address correspond to the destination IP address and the source IP address of the transfer target packet, respectively. The transfer destination items are
It represents the identification information of the active code to be applied or the IP address of the communication device of the transfer destination for the packet in which the combination of the destination address and the source address is matched.

An entry whose type value is "active" designates an active code to be applied to a target packet, and the transfer destination item has information for identifying the active code written therein. The entry whose type value is "normal" specifies the address of the communication device of the transfer destination of the target packet, and the IP address of the communication device of the transfer destination is written in the item of the transfer destination. .

In the example of the transfer destination table shown in FIG. 12, in the first entry, the type is "active", the destination address is "1.2.3.4", and the source address is "Any ( Anything)), and the transfer destination is "active code A". This is because when the destination address matches "1.2.3.4", the active network execution environment is activated by the corresponding packet as a trigger and the active code A Is executed. In the second entry, the type is "active" and the destination address is "10.5".
0.0.0 ”and the source address is“ 11.12.
13.14 "and the transfer destination is" active code B ".
Has become. This means that, when both the destination address and the source address match the above values, the active packet execution environment is activated by the corresponding packet and the active code B is executed. In the third entry, the type is “active” and the destination address is “Any”.
(Anything is acceptable) "and the transmission source address is" 157.
2.3.0 ”and the transfer destination is“ active code C ”
Has become. This means that no matter what the destination address is, the source address is "157.2.3.
When it matches “0”, it means that the active network execution environment is activated by the corresponding packet as a trigger and the active code C is executed.

As shown in FIG. 12, in the transfer destination table, the entry whose type is "active" exists above the entry whose type is "normal". Then, the entry whose type is “active” is applied in preference to the entry whose type is “normal”. Also, each entry is applied only to the packet that has arrived at the communication device, and is not applied to the packet that is sent out for transfer.

The configuration of the communication device described above will be summarized.
The interface unit shown in FIG. 11 is provided for each communication line, and performs processing of receiving a packet arriving from the communication line and transmitting the packet to the communication line. Further, the transfer destination table storage unit stores a pattern of a source address and / or a destination address of the packet or both of them, information of a program (active code) corresponding to the pattern or information of a transfer destination address corresponding to the pattern. Stores the registered transfer destination table. Further, the active network execution environment stores the program in advance and executes the program. Further, the transfer processing unit, when the received packet arriving from the communication line is passed from the interface unit, refers to the transfer destination table based on the source address or the destination address of the received packet,
When the information of the transfer destination address corresponding to the pattern of the address of the received packet is registered in the transfer destination table, the transfer destination address is corresponded so that the received packet is sent to the predetermined transfer destination address. When the information of the program corresponding to the address pattern of the received packet is registered in the transfer destination table, the program is started in the active network execution environment section and Pass the received packet.

Next, the model relating to the security of the active code in this embodiment will be described. This security model is to ensure that each active code operates only on packets that are associated with the owner of the active code. For this reason, this security model assumes that a public key infrastructure exists and uses it.

FIG. 13 is a schematic diagram showing the above security model and the procedure of processing in the model. Figure 1
3, reference numeral 7051 is a user terminal device of the user A, and 7061 is a certification authority (Certification Authority) device. The function of this certification authority may be provided by a public institution, or ISP (Intern
et Service Provider, Internet connection service provider) or the like. In the example shown in FIG. 13, I of the user terminal device 7051
The P address is “1.2.3.4”. In the following, a procedure of processing for user A to register active code A in communication device 7001 will be described. In the following, the user A may be the developer of the active code A, but this is not inevitable, and the user A obtains the active code A developed by another developer, and the user A obtains it.
It may be registered in 001.

First, as shown in (1), the user terminal device 7051 of the user A generates a key pair, that is, a public key and a secret key, using a well-known technique. Then, as shown in (2), the user terminal device 7051 registers the public key generated above in the certificate authority device 7061. At this time, the certificate authority device 7061 verifies the IP address of the user terminal device 7051. If this verification is correctly performed, the public key itself, information for identifying the user A, and the IP address “1.2.3.4” of the user terminal device 7051.
Is stored in the certificate authority device 7061.

Next, as shown in (3), the user terminal device 7051 performs a process of digitally signing the active code A using the secret key generated above. Then, as shown in (4), the user terminal device 7051 performs a process of registering the active code A signed with the private key in the communication device 7001.

In response to this, the communication device 7001 (5)
As shown in, the electronic certificate of the user A who has registered the active code A is acquired from the certificate authority device 7061.
This electronic certificate includes information for identifying the user A, its IP address "1.2.3.4", and the public key itself registered in (2) above. Then, as shown in (6), the communication device 7001 verifies the electronic signature of the active code A registered in (4) above using the public key of the user A extracted from the above electronic certificate. Then, if this is correctly verified, the communication device 7001 performs a process of introducing the active code A into the active network execution environment. Further, in response to this, necessary entries are added to the transfer destination table.

Note that once the processes (1) and (2) are performed and the public key of the user A is registered in the certificate authority device 7061, the user terminal device 7051 sets the private key corresponding to the public key. It is also possible to register any number of active modules in the communication device 7001 by using it.

That is, the communication device 7001 is provided with a registration unit (not shown), and this registration unit receives a program electronically signed by the user's terminal device with the private key of the user, and then the electronic device of the user. Receive the certificate from the certificate authority device, verify the electronically signed program using the public key of the user included in the received electronic certificate,
If this verification is successful, the address pattern corresponding to the program and the information of the program are registered in the transfer destination table. If this verification fails, the information of the program is stored in the transfer destination table. Registration should not be performed.

In order for the procedure of registering the active code to the communication device described above to function effectively, the following two points are premised. As a first premise, it is known in advance to which communication device (node) the user should register the active code. Alternatively, a directory service is provided for recognizing which communication device (node) should register the active code. As a second premise, the communication device (node) can acquire the public key of the target certificate authority in advance off-line, from another certificate authority, or by some other means.

Next, the control for resolving the contradiction will be described. In a communication device (node), n active codes are registered, and the i-th (1 ≦ i ≦ n)
And the j-th (1 ≦ j ≦ n) active codes are set C (i) (C (i) ⊆A) and set C (j) (C), respectively.
(J) ⊆ A) is defined as a packet, a combination of i and j (where i ≠ j) such that the set (c (i) ∩c (j)) is not an empty set.
May exist. That is, if a packet is i
This is the case where the definition is applied so that it can be applied to both the jth active code and the jth active code.
Such a contradiction will be resolved by either of the following two scenarios.

The first contradiction resolution scenario is (s, d) because (sεO (k) ΛdεO (l)) Λ (k ≠ l) for packet (s, d). ) ∈ c (i) ∩ c (j). However, O (k) and O (l) are a set of IP addresses owned by users k and l, respectively. That is, regarding a certain packet, both the active code for the source user and the active code for the destination user are registered in the communication device, and this packet (s, d) arrives at such a communication device. This is the case. In such a case, it is considered desirable to preferentially apply the active code of the destination user.

That is, in the pattern registered in the transfer destination table, the first entry in which only the source address is designated and the destination address may be any, and the source entry in which only the destination address is designated The second entry, which is supposed to have any address, is included in the received packet.
If both of the entries are matched, the second entry is prioritized over the first entry and the program corresponding to the pattern of the second entry is activated.

As described above, giving priority to the active code of the destination user over the active code of the user of the transmission source is performed by using the function of the active network.
DoS (Distributed Denial of Servic
e) Especially important when constructing a mechanism to defend against attacks. By doing so, the active code of the destination user, that is, the person who can be the attacked person, is prioritized over the active code that may become the attacker.

The second contradiction resolution scenario relates to the case where two or more active codes to be applied to a packet (s, d) are registered by the same user. In such cases, the oldest registered active code is
It may be desirable to have priority applied over others. By doing so, when the user attempts to register a new active code, it is guaranteed that the old active code will be deleted in advance in order for the new active code to become effective.

Next, an example of the implementation of the communication device functioning as a node of the active network as described above will be described. FIG. 14 shows L
A Java (registered trademark) virtual machine (JV) on Linux
It is a schematic diagram at the time of realizing a communication apparatus which processes an active packet using M).

In the example shown in FIG. 14, a dedicated IP stack is constructed as a part of the process. As a result, the transfer destination table as shown in FIG. 12 is realized, and entries can be added to or deleted from the transfer destination table from the execution environment (active network execution environment). Along with this, the kernel (kerne
Since the IP stack in l) is unnecessary, routing in the kernel is deactivated. Then, a copy of the arriving packet is created from the data link portion, and the packet is Java-transmitted through the library libpcap.
(Registered trademark) A virtual machine can be used for supplementation.

The dedicated IP stack constructed as a part of the process creates an active packet, that is, an IP address (destination IP address, source IP address, or a combination thereof) that matches a predetermined definition on the transfer destination table. The packet that it has is passed to the active code that is activated on the execution environment. On the other hand, normal packets other than active packets are transferred to the adjacent communication device or the like by the same method as the IP stack in the kernel. All packets, whether active packets or normal packets, sent from this communication device are sent through the library libnet. By doing so, the source address recorded in the header of each processed packet is sent to the network in the state of the original source address.

In addition, a standard Java (registered trademark) AP
It is possible to implement a security model by using "java.security" which is I (application program interface). This standard API provides most of the functionality needed to build a security model. As the format for the certificate, the “X.509” certificate format can be used, and the IP address of the owner of the active code is the identification name (DN, distin) of the “X.509”.
The security model of the present embodiment can be realized by including it as a part of the guished name).

Needless to say, in the above implementation, a communication system having an active network execution environment is constructed by using a computer system. Then, the series of processes described above, that is, the creation and capture of a copy of the arriving packet, the process of transferring the active packet and the normal packet while referring to the transfer destination table, and the activation of the active code on the active network execution environment And the execution of that process,
The process of each process such as sending the processed packet to the network is stored in a computer readable recording medium in the form of a program, and the above process is performed by the computer reading and executing the program. .

Each of the computer programs described above is recorded on a computer-readable recording medium, and a CPU (central processing unit) mounted on a communication device or the like reads the computer program from this recording medium to prevent attacks. Alternatively, each process for providing a service module or the like is executed. The "computer-readable recording medium" means a magnetic disk, a magneto-optical disk,
A portable medium such as a ROM or a CD-ROM, or a storage device such as a hard disk built in a computer system. Furthermore, "computer-readable recording medium"
Is a volatile memory (RAM) inside a computer system that serves as a server or client when a program is sent via a network such as the Internet or a communication line such as a telephone line, and holds the program for a certain period of time. Those that are present are also included.

The above program may be transmitted from a computer system that stores the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the "transmission medium" for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line.

Further, the program may be a program for realizing a part of the functions described above. Further, it may be a so-called difference file (difference program) that can realize the above-mentioned functions in combination with a program already recorded in the computer system.

Data transmission from the downstream gate communication device to the upstream communication device is not limited to the use of the active network, and any communication protocol can be used.

The gate device and the communication device are not limited to the gateway and the router, but may be a bridge, an Ethernet (registered trademark), an interface conversion device, or the like.
It may be any communication node having an IP address.

The embodiments of the present invention have been described in detail above with reference to the drawings. However, the specific configuration is not limited to these embodiments, and the design etc. within the scope not departing from the gist of the present invention are also possible. included.

[0078]

As described above, each communication device on the network can recursively notify the suspect signature of the attack suspect traffic detected by the attribute designated by the attacker of the DDoS attack. It is possible to limit the transmission band of the attack suspect traffic requested by the attacker in the entire network, and it is possible to improve the network congestion at an early stage. Then, each communication device on the network can further limit only the attack packet by monitoring the attack suspect traffic and identifying the attack packet, so that the packet of the legitimate user is erroneously classified as the attack packet. It is possible to prevent the waste of the transmission band of the network by reducing the possibility of being discarded and discarded, and protecting the attack at the most upstream communication device closest to the attack source, that is, by discarding the communication packet of the DDoS attack. .

Further, each communication device of the network is DDo
By recursively notifying the legitimate signature designated by the attacker of the S attack, each communication device can release the limitation of the transmission band of the communication traffic of the legitimate user designated by the attacker. Therefore, while discarding the communication packet of the DDoS attack, it is possible to reflect the service policy specified by the attacked person and to ensure the communication of the traffic of the legitimate user on the network, which adversely affects the entire network. Can be suppressed.

Further, even in a network which originally does not have an attack protection function, such as the Internet, by applying the present invention, effective protection against an attack becomes possible. When the present invention is used, the administrator of the network to which the attacker is directly connected does not need to take any action, and the defense function is automatically provided by the action of the network side to which the device under attack is connected. Will be activated and you will be able to prevent attacks.

[Brief description of drawings]

FIG. 1 is a configuration diagram of a network to which an embodiment of the present invention can be applied.

FIG. 2 is an example of setting an attack suspect detection condition according to the embodiment.

FIG. 3 is an example of setting a normal condition according to the embodiment.

FIG. 4 is an example of setting an unauthorized traffic detection condition according to the embodiment.

FIG. 5 is a band control model included in the gate device 2001 and the communication devices 2002 to 2006 according to the same embodiment.

FIG. 6 is a classification algorithm in the filter 2021 according to the same embodiment.

FIG. 7 is a flowchart showing an operation of the gate device 2001 according to the same embodiment when an attack suspicion packet is detected.

FIG. 8 shows communication devices 2002 and 20 according to the same embodiment.
It is a flowchart which shows the operation | movement at the time of 03 signature reception.

FIG. 9 is a flowchart showing an operation of the gate apparatus 2001 and communication apparatuses 2002 to 2006 according to the same embodiment when detecting unauthorized traffic.

FIG. 10 is a network configuration premised on an active network capable of executing the embodiment.

FIG. 11 is a block diagram showing an internal configuration of a communication device by an active network capable of executing the embodiment.

FIG. 12 is a schematic diagram showing an example of a transfer destination table stored in a transfer destination table storage unit by an active network capable of executing the embodiment.

FIG. 13 is a schematic diagram showing a security model by an active network capable of executing the embodiment and a procedure of processing in the model.

FIG. 14 is a schematic diagram of a case where a communication device of an active network capable of executing the same embodiment is realized so as to perform active packet processing using a Java (registered trademark) virtual machine (JVM) on Linux.

[Explanation of symbols]

2000 ... server 2001 ... Gate device 2002-2006 ... Communication device 2007-2010 ... Terminal device 2021 ... Filter 2022 ... Regular class 2023 ... Regular queue 2024 ... Illegal class 2025 ... Illegal queue 2026 ... suspect class 2027 ... suspect queue 7000 ... User's computer 7001 ... Communication device 7010 ... Active network execution environment 7011 ... Code execution unit 7012 ... Code storage unit 7021 ... Transfer processing unit 7022 ... Transfer destination table storage unit 7023a, 7023b ... Interface unit 7024a, 7024b ... communication line 7051 ... User terminal device 7061 ... Certificate authority device

Continued front page    (72) Inventor Fuji Hitoshi             2-3-1, Otemachi, Chiyoda-ku, Tokyo             Inside Telegraph and Telephone Corporation F-term (reference) 5K030 GA13 GA15 HA08 HB14 KA06                       KX24 KX30 LC15                 5K033 AA05 AA08 CB06 CB08 DA16                       DB19 DB20 EC03

Claims (14)

[Claims] 1. A network formed by connecting a plurality of communication devices in a mesh, a computer to be protected, and an L.
In a network system having an AN and a gate device interposed between the LAN and the network, the gate device checks whether communication traffic matches a predetermined attack suspect packet detection condition. When a matched traffic is detected, a suspect signature for identifying the detected attack suspect packet is generated and transmitted to the upstream communication device, and thereafter, the transmission band of the attack suspect packet identified by the suspect signature is transmitted. The communication device transmits the suspect signature received from the downstream gate device or the communication device to the upstream communication device and limits the transmission band of the attack suspect packet identified by the suspect signature. Distributed denial of service attack prevention method characterized by performing processing 2. The gate device and the communication device analyze the traffic of an attack suspect packet identified by the suspect signature to detect attack traffic, and specify a transmission source network of a packet forming the attack traffic. 2. The distributed denial of service attack prevention method according to claim 1, further comprising the step of further limiting the transmission band of the attack packet transmitted from the transmission source network. 3. The gate device transmits a predetermined legitimate condition, which is a condition of a communication packet from a terminal device of a legitimate user, to an upstream telecommunication device, and based on the legitimate condition and the suspected signature. To generate a regular signature for identifying a regular packet, and thereafter perform processing to release the transmission band limitation of the regular packet identified by the regular signature, wherein the communication device receives the downstream gate device or the communication device. The normal condition is transmitted to the upstream communication device, and a normal signature for identifying the normal packet is generated based on the normal condition and the suspect signature, and thereafter, the transmission band limitation of the normal packet identified by the normal signature is released. The distributed denial of service attack prevention method according to claim 1 or 2, further comprising: 4. The distributed denial of service attack prevention method according to claim 1, wherein the method operates on an active network. 5. A network formed by connecting a plurality of communication devices in a mesh, a computer to be protected, and an L.
A gate device inserted between the AN and a packet detection condition storage unit that stores a detection condition of an attack suspicion packet of a distributed denial of service attack, and checks a communication packet that is input and stores the packet detection condition storage unit. Traffic monitoring means for detecting the occurrence of an attack suspicious packet based on the detection condition of the attack suspicious packet stored by, a bandwidth control means for limiting the transmission bandwidth of the attack suspicious packet detected by the traffic monitoring means, and the attack A signature generation unit that generates a suspicious signature that identifies the attack suspicious packet based on a detection condition of the suspicious packet; and a signature transmission unit that transmits the suspicious signature to an upstream communication device. Gate device. 6. The traffic monitoring means analyzes the traffic of the input attack suspect packet to detect attack traffic, and the bandwidth control means specifies a transmission source network of a packet forming the attack traffic. The gate apparatus according to claim 5, further limiting a transmission band of an attack packet transmitted from the transmission source network. 7. The packet detection condition storage unit further stores a normal condition indicating a condition that the communication packet is a communication packet from a terminal device of a normal user, and the signature generation means stores the suspected signature and the suspected signature. A regular signature that identifies a regular packet based on a regular condition is generated, the bandwidth control unit releases the transmission bandwidth limitation of the regular packet identified by the regular signature, and the signature transmission unit determines the regular condition. 7. The gate device according to claim 5, wherein the gate device transmits to the upstream communication device. 8. Computer and LA to be protected
In a communication device that constitutes a network in which N is connected via a gate device, a signature receiving unit that receives a suspect signature from a downstream gate device or a communication device, and a transmission band of an attack suspect packet identified by the suspect signature are provided. A communication device comprising: a band control unit for limiting; and a signature transmitting unit for transmitting the suspected signature to an upstream communication device. 9. A traffic monitoring means for analyzing the traffic of the attack suspect packet input to detect the attack traffic, wherein the bandwidth control means specifies a transmission source network of a packet constituting the attack traffic. 9. The communication device according to claim 8, further comprising: limiting a transmission band of an attack packet transmitted from the transmission source network. 10. The signature receiving unit receives a regular condition from the downstream gate device or communication device, and the bandwidth control unit identifies a regular packet based on the regular condition and the suspect signature. 9. The signature transmission unit generates a transmission restriction of a transmission band of a regular packet identified by the regular signature, and the signature transmitting unit transmits the regular condition to the upstream communication device. 9. The communication device according to item 9. 11. A computer program executed on a gate device interposed between a network, which comprises a plurality of communication devices connected in a mesh, and a computer to be protected and a LAN, which is input. A step of checking whether the communication traffic to be detected matches a predetermined attack suspect packet detection condition, and, when the matched traffic is detected, generates a suspect signature that identifies the detected attack suspect packet. Generating a regular signature for identifying a regular packet based on a predetermined regular condition and the suspect signature; limiting a transmission band of an attack suspect packet identified by the suspect signature; Removing the transmission bandwidth limitation of the regular packet identified by the signature, A step of transmitting the signature signature and the legitimate condition to an upstream communication device, a step of analyzing the traffic of the attack suspect packet to detect attack traffic, and a transmission source network of a packet forming the attack traffic is specified. A distributed denial-of-service attack prevention program, which causes a computer to further limit the transmission band of an attack packet transmitted from the transmission source network. 12. Computer and L to be protected
A computer program executed on a communication device forming a network to which an AN is connected via a gate device, the step of receiving a suspect signature and a regular condition from a downstream gate device or a communication device, and the suspect signature. A step of limiting the transmission band of the attack suspect packet identified by 1., creating a regular signature for identifying a regular packet based on the regular condition and the suspect signature, and the regular packet identified by the created regular signature The step of releasing the transmission band limitation of, the step of transmitting the suspect signature and the regular condition to an upstream communication device, the step of analyzing the traffic of the attack suspect packet to detect attack traffic, and the attack traffic Identify the source network of the packets to be composed and Distributed denial of service attack prevention program characterized by executing the steps to further limit the transmission band of the attack packets delivered from the delivery source network, to the computer. 13. A computer-readable computer program in which a computer program executed on a gate device interposed between a network formed by connecting a plurality of communication devices in a mesh and a computer to be protected and a LAN is recorded. A recording medium, the step of checking whether the input communication traffic matches the predetermined attack suspect packet detection condition, and the detected attack suspect when the matched traffic is detected. Generating a suspect signature for identifying a packet; generating a canonical signature for identifying a canonical packet based on a predetermined canonical condition and the suspect signature; transmitting an attack suspect packet identified by the suspect signature Band limiting, and the legitimate pattern identified by the legitimate signature. Releasing the transmission bandwidth limitation of the packet, transmitting the suspect signature and the regular condition to an upstream communication device, analyzing the traffic of the attack suspect packet and detecting attack traffic, and the attack Record a distributed denial-of-service attack prevention program that specifies the source network of the packets that make up the traffic and further limits the transmission bandwidth of the attack packets sent from the source network. A recording medium characterized by: 14. A computer to be protected and L
A computer program executed on a communication device forming a network to which an AN is connected via a gate device, the step of receiving a suspect signature and a regular condition from a downstream gate device or a communication device, and the suspect signature. Limiting the transmission band of the attack suspicious packet identified by 1., generating a regular signature that identifies a regular packet based on the regular condition and the suspicious signature, and transmitting the regular packet transmission band identified by the regular signature. A step of releasing the restriction; a step of transmitting the suspect signature and the legitimate condition to an upstream communication device; a step of analyzing attack traffic by analyzing traffic of the attack suspect packet; and a packet constituting the attack traffic. The source network of the Recording medium and recording the steps to further limit the transmission band of the attack packets sent from network, the distributed denial of service attack prevention program for executing each processing in the computer.