JP2003283571A - Defensive method and apparatus against disability-of- service attack, and computer program therefor - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a defensive method with which defense is made possible by detecting more kinds of attacks and the communication band of a network is prevented from being wasted by traffic caused by the attack. <P>SOLUTION: In order to defense a computer 7000a of a person to be attacked, shields 7001b and 7001c distributed with a variable level number are located. Each of the shields analyzes a packet associated with the computer 7000a of the person to be attacked, narrows down the band of suspicious traffic by an examination and detects the attack. When the attack is detected, each shield transfers the program of a probe toward the upstream of the attack. When the packet of the attack is found out, a probe 7001e discards the packet and transfers the program of the probe toward the further upstream side. <P>COPYRIGHT: (C)2004,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a defense method for protecting an attack aimed at causing a functional failure by sending a large amount of communication packets (communication traffic) to an attacked person in a communication network,
And a communication device and a computer program for realizing the protection method. In particular, Denial of Service (DoS) attacks in communication networks, especially distributed denial of service (DDoS, Distribu).
ted Denial of Service) Technology for defending against attacks.

[0002]

2. Description of the Related Art In recent years, in communication networks (specifically, the Internet), DDoS attacks on well-known websites have often been performed, which has become a serious problem. The DDoS attack is, as the name implies, a distributed DoS attack. The DoS attack is a method of sending a large amount of communication traffic to a computer (such as a web server) connected to the network. Do
There are various types of S attacks, but there are two
There are two types. The first type aims to cause a malfunction by wasting the resources of the attacked computer, and the second type simply wastes the bandwidth of the attacked communication network with a large amount of communication traffic. It aims at that.

As a first conventional technique, it is conceivable to use a firewall device to protect against a DDoS attack. This is based on the assumption that the source address (specifically, IP address) of the communication packet of the malicious attack could be identified by some means, and the corresponding source address of the communication packet arriving from outside the firewall. It is a defense method of discarding those having the above in the firewall device so as not to adversely affect the resources of the computer inside the firewall.

As a second conventional technique, there is also a defense method for which the present inventors have already applied for a patent. this is,
A DDoS is installed on a communication device (specifically, a router or a switch) for transferring a communication packet on the network.
An environment in which a computer program for detecting an attack or a DDoS attack detected can be executed is provided, and a computer of an attacked person is protected from the attack by the following procedure. In the procedure, first, in a communication device (boundary communication device, boundary router) closest to the attacked person's computer, a communication packet passing through the communication device is monitored, and a program module for detecting a DDoS attack is activated. When the DDoS attack is detected, the module that discards the communication packet of the DDoS attack is activated. Then, the module that searches for a higher-level communication device, that is, a communication device closer to the attack source is activated. Next, the search module is transmitted to the searched upper communication device. Then, the higher-level communication device is searched for a higher-level communication device. In this way, the communication devices in the upper order are sequentially searched, and the communication device closest to the attack source is set as the defense position. A module that discards a communication packet of a DDoS attack is transmitted to the communication device at the defined defense position, and the communication device at the defense position activates this module to perform protection.

[0005]

In the first prior art described above, since the attack communication packet reaches the location of the firewall, even if the resources of the protected computer can be protected, the firewall does not There is a problem that the communication traffic due to the attacks in the parts up to this point cannot be reduced, and the communication band required for the protected computer is wasted.

The second conventional technique also has a problem that some types of attacks cannot be detected. Also,
In a situation where it cannot be reliably determined that the traffic is an attack traffic, there is a problem that the usable communication band is narrowed due to the existence of such suspicious traffic.

The present invention has been made in consideration of such circumstances, and an object thereof is to provide a defense method and apparatus capable of detecting and defending more kinds of attacks, and a computer program thereof. To do. Another object of the present invention is not only to protect the resources of the protection target computer but also to provide a protection method in which the communication band of the network is not wasted by attack traffic or traffic suspected of being an attack.

[0008]

In order to solve the above problems, the present invention provides a defense method for protecting a defense target computer connected to a network composed of a plurality of communication devices from a denial of service attack. Then, based on the command information from the border communication device, which is the communication device closest to the protection target computer, the shield communication device connected within a predetermined number of stages from the border communication device, An analysis process for analyzing a communication packet arriving at the shielded communication device is performed, and according to the result of the analysis process, the communication packet has a priority according to the possibility that the communication packet is an attack communication packet for the defense target computer. The communication packet is transferred to the transfer destination according to this priority, and the result of the analysis process If it Shin packet is a communication packet attacks on reliably the protection target computer is found in the subject matter of the defense of the denial of service attack and having a discarding shielding process of the communication packet.

Further, the denial-of-service attack protection method of the present invention allows two or more stages of connection with the shielded communication device at the farthest position from the boundary communication device and dynamically changes the number of stages. It is characterized in that it can be changed to.

Further, in the method of protecting against a denial of service of the present invention, when the communication packet is surely found to be a communication packet of an attack against the defense target computer in the shield process, the shield communication device is more effective. A probe program code transmission process of transmitting a probe program code to an adjacent communication device on the side close to the attack source, and a probe communication device that has received the probe program code executes the probe program code to generate the probe program code. The communication packet arriving at the communication device is analyzed, and as a result, when the communication packet is a communication packet of an attack on the defense target computer, the communication packet is discarded and the adjacent communication device on the side closer to the attack source is detected. In contrast to the probe pro It sends a ram code, when a packet results certain time attack analysis is not detected, characterized by further comprising a probe process to terminate the processing of the probe program code.

Further, in the denial of service attack defense method of the present invention, in the probe process, a communication packet whose destination address is the address of the defense target computer is captured, and a source address of the communication packet is obtained in advance. If the address is the same as the attack source address, it is determined that the communication packet is an attack packet, and in other cases, the communication packet is not an attack packet.

Further, in the denial of service attack protection method of the present invention, in the probe process, a communication packet in which at least one of a destination address and a source address is the address of the protection target computer is captured, and a) When the source address of the communication packet is the same as the previously obtained attack source address, or b)
If the source address of the communication packet is the address of the protection target computer and the destination address of the communication packet is the broadcast address of the attack source address, it is determined that the communication packet is an attack packet. However, when neither of the above a) or b) is applicable, the communication packet is determined not to be an attack packet.

The denial of service attack protection method of the present invention comprises:
It is characterized in that the dynamic inspection process is performed by comparing the value of the parameter at the time of inspection with the log information by using the log information including the value of the parameter obtained in advance at the normal time.

Further, the present invention is a shielded communication device that executes a process of a protection method for protecting a defense target computer from a denial of service attack, which is a communication device closest to the protection target computer. An analysis process for analyzing a communication packet arriving at the shield communication device is performed based on command information from the device, and the communication packet may be an attack communication packet for the defense target computer according to the result of the analysis process. The priority of the communication packet is determined according to the priority, the communication packet is transferred to the transfer destination according to the priority, and the result of the analysis processing ensures that the communication packet is an attack communication against the defense target computer. If the packet is found to be a packet, execute the process to discard the communication packet. And it is characterized in and.

Further, in the shield communication device of the present invention, in the analysis process, the log information including the parameter value obtained in advance at the normal time is used to calculate the parameter value at the time of inspection and the log information. It is characterized in that the processing of the dynamic inspection by comparison is executed.

Further, the present invention is a probe communication device for executing processing of a defense method for protecting a defense target computer from a denial of service attack, wherein a shield communication device detects a communication packet of an attack on the defense target computer. At this time, the probe program code is received from the shield communication device and the communication packet arriving at the probe communication device is analyzed by executing the probe program code. As a result, the communication packet attacks the protection target computer. If the packet is a communication packet, the communication packet is discarded, and the probe program code is transmitted to the adjacent communication device on the side closer to the attack source. Is the probe program It is characterized in performing the process of the probe process to terminate the processing of the code.

Further, in the probe communication apparatus of the present invention, in the processing of the probe process, the communication packet whose destination address is the address of the defense target computer is captured, and the source address of the communication packet is obtained in advance. If the address is the same as the attack source address, it is determined that the communication packet is an attack packet, and in other cases, the communication packet is not an attack packet.

Further, the probe communication device of the present invention, in the processing of the probe process, captures a communication packet in which at least one of a destination address and a source address is the address of the defense target computer, and If the source address of the communication packet is the same as the previously obtained attack source address, or b) the source address of the communication packet is the address of the defense target computer and the destination address of the communication packet is If it is a broadcast address of the attack source address, it is determined that the communication packet is an attack packet, and if neither of the above a) or b) is applicable, the communication packet is an attack packet. It is characterized by determining that it is not.

Further, the present invention is a communication device for executing processing of a protection method for protecting a defense target computer from a denial of service attack, and an arrival packet capturing section for capturing a communication packet arriving from the network side, As a result of the processing of the computer program in the active network execution environment unit, the active network execution environment unit that performs the processing of the computer program that acts on the communication packet, and the queues that respectively correspond to a plurality of classes are provided. Depending on the class to be determined, a class-based queue processing unit that performs processing for putting the communication packet in the queue corresponding to the class, and sequentially from each queue provided in the class-based queue processing unit Take out the communication packet and The active network execution environment unit, and a program transfer processing unit that transfers the computer program to be executed by the active network execution environment unit to another communication device. The execution environment unit includes a code storage unit that stores a computer program, and a code execution unit that reads and executes the computer program stored in the code storage unit. The result of this analysis is to determine the class of the communication packet according to the possibility that the communication packet is an attack communication packet, and if the communication packet is definitely an attack communication packet, A shield module that causes a computer to execute the process of discarding the communication packet. And a probe module that analyzes the incoming communication packet and causes the computer to execute a process of discarding the communication packet if the communication packet is a communication packet of an attack on the defense target computer as a result. When an attack communication packet is found as a result of the computer executing the module's processing, it causes the computer to execute the processing of transmitting a copy of its own program code to the adjacent communication device closer to the attack source. As a result of the computer executing the processing of the duplicate transmission module and the probe module, if the attack communication packet is not found continuously for a predetermined time,
At least a self-destructing module that causes a computer to execute a process of eliminating its own program code is stored.

Further, the present invention is a computer program for causing a computer to execute processing of a defense method for protecting a defense target computer connected to a network constituted by a plurality of communication devices from a denial of service attack, Based on the command information from the border communication device, which is the communication device closest to the protection target computer, the shield communication device connected within the predetermined number of stages from the border communication device becomes the shield communication device. Performs analysis processing to analyze incoming communication packets,
According to the result of this analysis processing, the priority of the communication packet is determined according to the possibility that the communication packet is an attack communication packet for the defense target computer, and the communication packet is transferred to the transfer destination according to the priority. In addition to transferring the packet to the computer, the computer causes the computer to execute the process of the shield process of discarding the communication packet when the communication packet is definitely found to be an attack communication packet for the defense target computer as a result of the analysis process. Is.

Further, the present invention is a computer program that causes a computer to execute a process of a defense method for protecting a defense target computer connected to a network composed of a plurality of communication devices from a denial of service attack. The communication packet is analyzed, and as a result, if the communication packet is a communication packet for attacking the defense target computer, the communication packet is discarded and the computer is compared with the adjacent communication device closer to the attack source. The program itself is transmitted, and when the result of the analysis indicates that no attack packet has been detected for a certain period of time, the computer is caused to execute the processing of a probe process that terminates the computer program.

According to the present invention, in the above computer program, in the probe process, a communication packet whose destination address is the address of the defense target computer is captured, and a source address of the communication packet is obtained in advance. If it is the same as the attack source address, it is determined that the communication packet is an attack packet,
In other cases, the communication packet causes the computer to execute processing to determine that the communication packet is not an attack packet.

The present invention, in the above computer program, captures a communication packet in which at least one of a destination address and a source address is an address of the defense target computer in the probing process. If the source address of the communication packet is the same as the previously obtained attack source address,
Or b) When the source address of the communication packet is the address of the defense target computer and the destination address of the communication packet is the broadcast address of the attack source address, the communication packet is an attack packet. If it is determined that the communication packet is not the attack packet, the computer is caused to execute the process of determining that the communication packet is not an attack packet.

[0024]

BEST MODE FOR CARRYING OUT THE INVENTION An embodiment of the present invention will be described below with reference to the drawings. FIG. 1 shows a network configuration premised on the present embodiment. As shown in Figure 1,
The communication network is connected by a plurality of communication devices 7001. The communication device 7001 can be connected to one or more user computers 7000. When exchanging communication data between users' computers 7000,
The communication device 7001 located in each node on the communication network sequentially transfers the packet transmitted by the computer 7000 of the transmission source user so that the packet is delivered to the computer 7000 of the destination user.

Next, the configuration of the communication device will be described.
FIG. 2 is a block diagram showing an internal configuration of the communication device 7001 according to the present embodiment. As shown in FIG. 2, the communication device 7001 is captured by an arrival packet capturing unit 7531 that captures a communication packet that has arrived from another communication device or a computer via a network (communication line), and an arrival packet capturing unit 7521. Transfer processing unit 7521 that performs processing for transferring a communication packet, and a queue (queue) corresponding to a plurality of classes with different priorities
Class-based queue processing unit 7532 for controlling the communication band for each class by using the, and a network for transferring the packet output from the class-based queue processing unit 7532 to another communication device or computer. And a packet sending unit 7533 for sending.

Further, the communication device 7001 includes an active network execution environment 7510 and a program transfer processing unit 7540. The active network execution environment 7510 executes a program code that acts on a packet to be transferred, and has a code storage unit 7512 that stores the program code therein.
And a code execution unit 7511 that executes the program code read from the code storage unit 7512. The program transfer processing unit 7540 receives a program code to be executed in the active network execution environment 7510 from another communication device via the network, or conversely, a program code to be executed on another communication device. It is transmitted to the communication device.

Active network execution environment 7510
The internal code storage unit 7512 can store a DDoS attack protection program for protecting a DDoS attack. This DDoS attack protection program includes a sensor module, a shield module, a probe module, a self-replicating transmission module, and a self-destructing module. The sensor module has a function of detecting whether or not communication traffic of a DDoS attack is occurring by continuously analyzing communication packets that arrive at the communication device. The shield module is based on the analysis result by the sensor module,
The communication packet of the DDoS attack is discarded, or the output class is determined according to the characteristics of the communication packet, and the communication packet is passed to the class-based queue processing unit 7532 so as to enter the queue corresponding to this class. Have a function. When a DDoS attack is detected, the probe module has a function of performing protection processing in a higher-level communication device, that is, in a communication device closer to the attack source. The self-copy transmission module has a function of transferring the DDoS attack program code itself or a part thereof to the upstream communication device via the program transfer processing unit 7540. The self-destruction module is DD
It has a function of ending the execution of the DDoS attack protection program itself or deleting it from the code storage unit of the communication device when the traffic of the oS attack continues for a predetermined time or longer. Note that in a communication device or the like that is directly adjacent to the protected computer, DD
It is possible to always operate at least only the sensor module without self-destructing the oS attack protection program.

Next, a flow of processing when the communication device 7001 transfers a communication packet will be described. The communication packet arriving from the network side is the arrival packet capturing unit 75.
It is captured by 31 and passed to the transfer processing unit 7531. The transfer processing unit 7531 transfers the communication packet as it is to the class-based queue processing unit 7532 according to the destination address of the communication packet or the like, or transfers the communication packet to the active network execution environment 7510.
Pass it to the program running above. This program performs a predetermined process and normally passes the communication packet to the class-based queuing processing unit 7532. However, as described above, when the communication packet is recognized as a DDoS attack communication packet, the communication packet May be discarded as is. The communication packet passed to the class-based queue processing unit 7532 is once put in the queue of the designated class, the communication packet is sequentially taken out from the queue for each class, and passed to the packet sending unit 7533. The packet sending unit 7533 sends the communication packet to a predetermined transfer destination on the network.

Next, an outline of a method for protecting the DDoS attack through the entire network by the above-mentioned communication devices operating cooperatively will be described. FIG. 3 is a logical schematic diagram showing a defense mechanism according to the present embodiment. Figure 3
In the above, reference numeral 7000a is the computer of the attacked person. The computer 7001a of the attacked person may be, for example, a server computer of a well-known website.
The defense mechanism works when receiving a DoS attack. Also,
Reference numerals 7001a to 7001e are communication devices (specifically, routers, switches, etc.) configuring a network, and correspond to the communication device 7001 described with reference to FIG.

These communication devices (7001a to 7001)
In e), the communication device 7001a is directly adjacent to the attacked computer 7000a, that is, it serves as a contact point to the network when viewed from the attacked computer 7000a side. Will be referred to as “edge communication device”. Then, this boundary communication device serves as a defense command source, that is, as a center for controlling the entire defense mechanism. In addition, the communication devices 7001b and 701
01c (shield communication device) inspects communication traffic based on a command from the defense command source, and
It acts as a shield by discarding communication packets for S attacks. In addition, the communication device 7001e (probe communication device) plays a role as a probe for protecting the shield further above.

The specific processing contents of each communication device as a defense command source, a shield, and a probe will be described below. One of the processes performed by the defense command source is setting the shield level. Here, the shield level is the number of stages (depth) of the connection of the communication device to the outside of the network as viewed from the defense command source. In the configuration shown in FIG. 3, since the shield level is set to “2”, the communication device 7001b in the first stage and the communication device 7001c in the second stage are viewed from the communication device 7001a that is the defense command source.
Acts as a shield. Although FIG. 3 shows an example in which the shield level is set to “2”, it is also possible to set it to another level, and it is also possible to change the level dynamically. For example, when the degree of attack on the computer 7000a by the attacked person is large, the shield level can be dynamically changed to be high. The defense command source controls all shield modules transferred from the defense command source and operating on other communication devices. Further, the defense command source can stop the operation of the shield module in operation as necessary.

As will be described later, the shield module performs two types of inspections on each communication device (7001b, 7001c), that is, a local static inspection and a local dynamic inspection, so that some kind of attack is effective by the shield module. You can defend yourself. However, among other attacks,
Some can only be detected by analyzing data on the status of the entire network. Therefore, the defense command source performs a global dynamic inspection process.

When the protection according to this embodiment is applied to a network, the defense command source first performs the learning stage processing. In the processing of this learning stage, snapshot data of the arriving packet (communication traffic) is periodically acquired, and statistical processing is performed on this snapshot data to acquire the characteristic data of the network in the normal state. The feature data represents different feature patterns for each network depending on the purpose of use of the protected computer. The characteristic data in this normal state will be referred to as “fingerprint data” for convenience.

When the fingerprint data is obtained in the learning stage, in the next stage, the defense command source can detect the abnormality by using the fingerprint data. Anomalies that can be detected here are, for example, that the distribution of the source addresses stored in the header part of the arriving packet is abnormally random (high randomness), and such anomalies are detected. This implies that an attack is being carried out using a packet in which the source address is spoofed by a randomly selected address. Once an anomaly is detected, the defense commander can issue a new packet filtering rule for all shields.

Next, the shield (communication device 7 in FIG. 3)
The specific processing contents of the roles played by 001b and 7001c) will be described. The shield is designed to act as a "first stage" response to combating DDoS attacks. In each communication device, the shield module monitors the communication packet transferred to the protected computer. this is,
In the mechanism of the active network described later, it becomes possible by calling a specific program code in the active network execution environment with a packet having a specific communication address (IP address) as a trigger. Therefore, control of the shield module extends to all communication packets for the owner of this module.

FIG. 4 is a schematic diagram showing an outline of the processing of classifying communication packets by the shield module.
As shown in the figure, when the communication packet to be processed by the shield module arrives from the network side via the input interface, it is once put in the input queue,
Sequentially passed to the shield module. Further, the class-based queue processing unit 7532 has three queues whose output (send to the network) priority levels are “high”, “medium”, and “low”, respectively. Then, the class-based queue processing unit 7532 stores the communication packet in the queue according to the class determined by the shield module operating on the active network execution environment 7510, and sequentially extracts the communication packet from each queue. Output.

The shield module operating on each communication device has a classifying function for classifying the communication traffic according to the class, and the classifying function is such that the arrived communication packet constitutes flood traffic of the DDoS attack. It is possible to obtain a certain probability. Then, the communication packets belonging to the category most likely to be the DDoS attack, that is, the communication packets of the most suspicious class are designated to enter the lowest priority queue (“low”), and the class-based queue. Processing unit 7
532. Conversely, normal communication packets belonging to the category that are least likely to be a DDoS attack are designated to enter the highest priority queue ("high").
Communication packets of the medium suspiciousness class are designated to enter the "medium" priority queue.

When the shield module processes the output using the class-based queue as described above, the following two effects can be obtained. The first effect is that while the protected computer is being attacked, it makes it difficult for suspicious communication traffic to reach the protected computer, while communication traffic that is likely to be normal reaches the protected computer. It is possible to increase the possibility of doing. That is, it is possible to suppress the band of suspicious communication traffic and secure the band of normal communication traffic. The second effect is that the algorithm for detecting DDoS attacks can be given more flexibility and accuracy.

Compared with the prior art in which whether or not the packet is a DDoS attack communication packet was judged and processed binaryly, the above two effects greatly improve the defense method. Can be said. The reason is that when the communication traffic occupying a wider band than the normal communication traffic is flowing, whether the communication traffic is caused by the DDoS attack, or the normal communication volume happens to peak. This is because it is not a simple matter to determine whether or not it is a problem. Further, even under the condition that the DDoS attack is confirmed, it is difficult to highly reliably distinguish the flood packet due to the DDoS attack from the legitimate communication packet. In other words, to minimize the damage that makes it difficult for even normal communication packets to reach,
It can be said that the detection algorithm is preferably one that calculates the possibility (probability) of an attack communication packet, rather than one that makes a binary judgment as to whether it is true or false. Then, only communication packets that are very likely to be attack communication packets should be discarded.

The classification function in the shield module performs two types of inspection, local static inspection and local dynamic inspection, as described below. The local static test is a test that is performed based on a state, and is a test that is performed on each arriving packet based on many static parameters. Here, the static parameters include a source address and a destination address of a communication packet, parameters on a communication protocol included in a header (specifically, an IP header, etc.), a communication packet length, a destination port number, and an ICMP (Internet). -Control message protocol type.

For example, if the computer to be protected is a website server, the computer to be protected will not send a "ping" request to other computers, so the shield will The type 0 ICMP packet (echo response) directed to the computer and the UDP (User Datagram Protocol) whose source port number is 7 can be discarded as soon as it is detected. Another example of the abnormality that can be detected by the static inspection is a communication packet in which the source address and the destination address are the same. Since such a communication packet is an attack aimed at causing a computer having the address to fall into a loop of transmitting and receiving the communication packet, the shield should discard all such communication packets.

The local dynamic inspection is an inspection performed based on the state, and is an inspection performed using a log file (log information) recorded by the shield. This log file records and holds the values of certain parameters for a predetermined period as data used for detecting an abnormality.

Here, a specific example of the dynamic inspection will be described. The first specific example is to inspect the duration of abnormal packets or suspicious packets when they continuously flow in. For example, if suddenly communication packets of the specified maximum size continuously flow from the same source for 5 minutes, the shield increases the suspiciousness of the communication packets from the source address. , Put the communication packet from that source address into the output queue of "low" priority. In the second specific example, the inspection is performed using the ratio of the amount (the number of packets, the amount of data, etc.) between the packet arriving at a specific computer and the packet sent out from that computer. Generally, the ratio between arrival and transmission differs depending on the computer (system, for example, website system), but when viewed from a certain computer, the ratio is almost constant. Therefore, the average ratio between long-term arrival and transmission is calculated in advance during normal times. Then, based on the average ratio, the threshold value of the ratio between arrival and transmission for detecting an abnormality is determined. When the ratio between arrival and transmission exceeds the threshold value during the inspection, it can be considered as an abnormality. In addition, the upper limit and the lower limit are determined in advance and the arrival /
It may be considered as abnormal if the ratio between the transmissions exceeds the upper limit value or falls below the lower limit value.

In the third specific example, the inspection is performed by utilizing the distribution of the source address of the communication packet. If you look at it in a normal situation for a long time,
The distribution of source addresses of communication packets should be almost constant. However, when a DDoS attack is performed, the source address is spoofed using a randomly selected address. Therefore, when the variation degree of the source address is abnormally high, in other words, when the randomness is high, Attacks can be detected. FIGS. 5A and 5B are graphs showing distribution states of source IP addresses. FIG. 5A shows an example of distribution in a normal state, and FIG. 5B shows an example of distribution when a DDoS attack is received. The horizontal axis represents the IP address, and the vertical axis represents the appearance of communication packets. It represents the number of times (or the frequency of appearance). As shown in FIG. 5A, in a normal state, the number of appearances of only communication packets of a specific small number of source addresses is large, and the number of appearances of communication packets of other source addresses is small or zero. , The number of appearances tends to concentrate on a specific address. On the other hand, as shown in FIG. 5B, when a DDoS attack is being performed, the number of appearances is uniformly high for all the source addresses because the address for camouflage is randomly selected. In other words, the distribution of the number of appearances has a large degree of variation in the IP address space.

A method of handling such randomness in digitization will be described. Let k be the number of all existing IP addresses. By measuring the appearance frequency of the i-th (1 ≦ i ≦ k) IP address over a long period of time, the expected number of times e (i) of the i-th appearance during a predetermined period is obtained in advance. Then, at the time of inspection, the i-th I-th
The number of times the P address appears o (i) is obtained. Then, d (i) = ((o (i) -e (i)) ^ 2) / e (i) is calculated for all IP addresses, and d for all i where 1 ≦ i ≦ k is calculated.
Calculate the sum of (i). If this total exceeds a predetermined threshold value, it can be considered as an abnormality.

In addition to the three types of specific examples described above, it is possible to inspect using various parameters such as communication packet length and TTL (Time-To-Live) value, and the randomness of these parameter values is possible. It is possible to inspect whether or not a DDoS attack is being performed by detecting a case where is abnormally high or a case where the degree of constant is abnormally high.

As shown in FIG. 3, by dispersing the shield in a plurality of communication devices, the following two effects can be obtained. The first effect is that the DDoS attack can be easily absorbed, and an abnormal increase in communication traffic can be suppressed. The second effect is that communication traffic can be inspected at different locations.

Next, the probe (communication device 7 in FIG. 3)
Specific processing contents of (role played by 001e) will be described. The defense method according to the present embodiment further uses a probe in addition to the defense using a shield for the purpose of minimizing the damage caused by the DDoS attack. Whereas the shield was designed to act as a "first stage" response, as described above, the probe was designed to perform a traceback and "second stage" response. There is. In other words, in the shield process, when it is found that the communication packet is an attack communication packet for the defense target computer, the shield communication device transmits the probe program code to the adjacent communication device closer to the attack source. The process of transmitting the probe program code is performed.
Further, the probe communication device that has received the probe program code analyzes the communication packet that arrives at the probe communication device by executing the probe program code, and as a result, the communication packet causes an attack communication to the defense target computer. If the packet is a packet, the communication packet is discarded, and the probe program code is transmitted to the adjacent communication device closer to the attack source. The process of the probe process is completed to terminate the processing of the probe program code.

If the defense mechanism of the present embodiment confirms the DDoS attack and decides to completely prevent the flood traffic due to the attack, the probe is sent to the source of the flood traffic. The purpose is the following two. The first purpose is to reserve as much network bandwidth as possible by blocking flood traffic as upstream as possible. The second purpose is
To collect evidence of an attack for legal use. This probe is also implemented as the active code of the active network. That is, the probe module behaves like an agent that moves from communication device to communication device step by step from downstream to upstream. In this embodiment, the following A
The algorithm of the probe module is designed so as to deal with the DDoS attacks of two models, type and type B.

First, the A-type DDoS attack will be described. FIG. 6 is a schematic diagram showing an A-type DDoS attack.
In this type A model, an attack is performed by a master (attacking computer) and a slave (computer) invaded by this master. The master computer uploads the DDoS attack program to the slave computer. The communication between the master and slave is called control traffic. Then, each slave computer sends a huge amount of packets to the attacked computer.
At this time, the source address of the communication packet sent from the slave computer to the attacker's computer is often spoofed for the purpose of preventing the attacker from identifying the attack source.

Next, the B-type DDoS attack will be described. FIG. 7 is a schematic diagram showing a B-type DDoS attack.
For example, D using "Smurf" or "Fraggle"
The DoS attack is included in this type B. The characteristic of the B-type attack is that the communication traffic is amplified using a network in order to increase the damage to the attacked computer. When the master (attacking computer) issues a command to the slave computer, the slave computer causes the ICMP echo request packet or UD
It broadcasts P's port 7 (echo) packet to some networks. At this time, the source address of each echo request packet is spoofed, and the address of the attacked computer is stored as the source address. Therefore, all computers (legitimate user's computer) connected to the network to which the echo request packet is broadcast.
Attempts to send an echo reply packet to the attacked computer. In this way, the flood traffic amplified by the network will be directed to the victim's computer.

Next, the A-type DDoS is probed.
The process of responding to an attack will be described. Generally, it is not possible to distinguish whether the source address of a certain communication packet is spoofed or not spoofed. Therefore, initially, it is assumed that the source addresses of all communication packets are forged.

FIG. 8 is a pseudo program code describing a probe algorithm for dealing with an A-type DDoS attack. Hereinafter, description will be given with reference to FIG. The source address of the attack traffic detected by the shield module is stored in the variable “attSrc”. In this embodiment, each active code executing in the active network execution environment is owned by a particular owner and is authorized to have full control over all communication packets for that owner. It is assumed. Therefore, on each communication device, the probe module can capture and process all packets related to the owner of the probe module.

As shown in FIG. 3, starting from the shielded communication device, the function of the self-replicating transmission module sequentially transfers replicas of the probe module to adjacent communication devices in the direction of the attack source. Will be done.
The code of the probe module shown in FIG. 8 arrives at a new node (communication device) u and is started to be executed.

First, in the first line of the pseudo code shown in FIG. 8, the variable "explored" has the value "false".
(False) "is stored. Next, a loop (do-while) from the second line to the eleventh line of the pseudo code is executed. In the third line of the pseudo code, the function "captu
By the function of "rePacketByDest ()",
A communication packet whose destination address is the address (IP address) of the attacked computer is captured, and the data of the communication packet is stored in a variable (structure) “p”. In the fourth line of the pseudo code, if the source address (p.src) of the communication packet stored in the variable "p" is equal to the value of the variable "attSrc", that is, equal to the source address of the attack traffic. If so, the processing from the fifth line to the ninth line is executed. Otherwise, the function "releasePacket" on the 10th line
The communication packet is released by the function of (p), that is, is sent to the transfer destination communication device. Four
If it is determined that the packet is an attack traffic communication packet in the processing of the line, the communication packet stored in the variable “p” is determined by the function of the function “discard (p)” in line 5 of the pseudo code. Will be discarded. That is, attack traffic is blocked here. Further, in the processing from the 7th line to the 9th line of the pseudo code, a node adjacent to the node u and not the original node that transmitted the probe module to the node u, that is, all upstream Node v (communication device, there may be a plurality) of the probe module itself.

In the conditional expression on the 11th line of the pseudo code, if the attack traffic is not found for a predetermined time, the loop from the 2nd line to the 11th line is exited and the self-destruction is performed on the 12th line. Extinguish yourself by the function of the module. That is, when the communication device, which has once started to operate as a probe, is not located at the upstream position of the attack, it ends its role as a probe.

As described above, the purpose of the algorithm shown in FIG. 8 is to find the communication device at the position closest to the attack source and block unnecessary traffic at that position. As a result, it is possible to prevent an attack communication packet from flowing downstream and prevent an unnecessary load from being applied to the communication device on the way. When the probe reaches the communication device closest to the attack source, the probe performs a process of reporting its position information (evidence information such as IP address) to the defense command source.

Next, the B-type DDoS is probed.
The process of responding to an attack will be described. As described above, in the B-type DDoS attack, the communication packet sent from the attack source (slave) to the network used for amplification has a spoofed source address. However, in the header of the communication packet of flood traffic sent from the computer belonging to the network used for amplification to the attacked computer, the legitimate source address of each computer is stored. Initially, the shield stores the address of the computer belonging to the network used for amplification in the variable “attSrc”. Therefore, as long as the algorithm shown in FIG. It can only reach the network used for it, and can't send the probe beyond that, to the communication device closer to the true attacker.
Therefore, a new algorithm will be used as a probe for dealing with the B-type DDoS attack.

FIG. 9 is a pseudo program code describing a probe algorithm for dealing with a B-type DDoS attack. Hereinafter, description will be given with reference to FIG. The characteristic of the pseudo program code shown in FIG. 9 lies in the processing on the third and fourth lines. In the third line of the code, the function "c
capturePacketAssociatedWit
The function "h ()" captures communication packets related to the address of the attacked computer. That is, for example, a communication packet in which either the source address or the destination address is the same as the address of the attacked computer is captured. The conditional expression for the determination by the if statement in the fourth line of the code is not only the case where the source address of the captured communication packet is equal to the variable "attSrc", but the source address is the computer of the attacked person. And the destination address is the variable "attSr
Even in the case of the broadcast address of the address stored in “c”, the value is described as “true”. For example, the attack source IP address stored in the variable “attSrc” is “101.102.10”.
When it is "3.104", "101.102.10"
3.255 "is the broadcast address.
By making the conditional expression of the if statement in the 4th line such that the address of the attacked computer is the source address and the broadcast address of the network used for amplification is the destination address. Communication packets, that is, spoofed communication packets sent from the attack source (slave in FIG. 7) to the network for amplification can be discarded (processing in line 5 of the same code), and The probe module can be sent to the communication device close to (the processing of the sixth line to the ninth line of the same code).

The attacking IP address stored in the variable "attSrc" may be a plurality of addresses. Further, as the probe moves from the communication device to the communication device, the attack source IP address information is also passed.

In order for the above-mentioned defense mechanism to work, it is not always necessary that all the communication devices that make up the network have an active network execution environment. That is, the network does not have to be composed of only active nodes, and active nodes and inactive nodes (nodes of communication devices that do not have an active network execution environment and only transfer communication packets) may be mixed. In this case, the DDoS attack protection program code is transferred between the active nodes and executed only in the active nodes. The inactive node then merely serves to transfer the communication packet.

Next, with reference to FIGS. 10 to 13, an example of an active network implementation method presupposed by this embodiment will be described.

FIG. 10 is a block diagram showing the internal configuration of communication apparatus 7001. As shown in FIG. 10, the communication device 7001 includes communication lines 7024a, 7024b, and 702.
4c and 7024d are connected to the communication device 7001.
Is capable of exchanging packets with other adjacent communication devices via these communication lines.
Further, the communication device 7001 includes the above-mentioned communication lines 7024.
interface unit 7023a corresponding to a to 7024d
To 7023d, a transfer processing unit 7021 for performing a packet transfer process, a transfer destination table 7022 for storing information of a transfer destination at the time of packet transfer, and an active network execution environment for performing a process for an active packet (Active Network Execution Environmen
t) 7010 are provided. The active network execution environment 7010 is internally provided with a code execution unit 70 for executing active code (program).
11 and a code storage unit 7012 for storing the active code. The active code is a code of a computer program that acts on a packet in the active network.

Here, an outline of an operation example of the communication device 7001 will be described with reference to FIG. When a packet arrives from another adjacent communication device via the communication line 7024d, the interface unit 7023d receives the packet and transfers it to the transfer processing unit 7021. Transfer processing unit 7021
Reads the source address and the destination address stored in the header part of the passed packet, and further, using those addresses as a key, the transfer destination stored in the transfer destination table storage unit 7022. Determine what to do with the packet by looking up the table.

There are roughly two ways to deal with packets. There are a case where the active code is applied to the packet and a case where the packet is directly transferred to another communication device. As a result of referring to the transfer destination table, when the active code is to be applied to the packet, the transfer processing unit 7021 passes the packet to the active network execution environment 7010. In the active network execution environment 7010, the code execution unit 7011 receives the packet, reads the active code to be applied to the packet from the code storage unit 7012, and executes it. Note that the code execution unit 7011 may pass the packet, which is the processing target, to the transfer processing unit 7021 again and transfer it to another communication device when necessary as a result of executing the active code. As a result of referring to the transfer destination table, if the packet is to be directly transferred to another transfer device without applying the active code, the transfer processing unit 7021
Is an interface unit (702) corresponding to an appropriate transfer destination.
3a, 7023b, 7023c, etc.), and the interface section of the communication line (7024a, 7024b, 70).
24c) to transfer the packet to another communication device.

Here, the case where the packet arrives from another communication device via the communication line 7024d has been described as an example, but the process when the packet arrives via the other communication line is similar.

Next, the transfer processing unit 7 in the communication device 7001
A specific description will be given of how the 021 determines the action to be taken on the packet (whether to apply the active code or simply transfer it to another communication device).

In the framework on which this embodiment is based, the active network execution environment is activated based on the IP address specified in the packet. Let I be the set of all (global) IP addresses. A packet having a source IP address of s and a destination IP address of d is represented by (s, d). Further, all active codes stored in the active network execution environment of the communication device belong to a particular user, and a set of IP addresses owned by a particular user is represented by O.

In this framework, each active code belonging to the above-mentioned specific user is a packet represented by a set A by the following formula, and a communication device (node) equipped with the active network execution environment. Has permission to access packets received by. That is, A = {(s, d) ε [(O × I) ∪ (I × O)] | s ≠
d}. In other words, the general meaning of this formula is that an active code belonging to a specific user has access right to a packet whose source or destination address is any of all IP addresses owned by the user. Is to have.

When n active codes belonging to the user are stored in a communication device (node), i
The th (1 ≦ i ≦ n) active code is the set C
(I) The active network execution environment is requested in advance to capture and process a packet belonging to (C (i) ⊆A). That is, for the user, the active network execution environment is c (1) ∪c
(2) ∪ ... · ∪c (n) is started by the packet (s, d) which is an element of the union,
Such a packet can be called an "active packet".

FIG. 11 is a schematic diagram showing an example of the transfer destination table stored in the transfer destination table storage unit 7022 shown in FIG. Information necessary for implementing the above framework can be stored in such a transfer destination table.

As shown in FIG. 11, the transfer destination table is
Each item of type (Type), destination address (Destination), source address (Source), and transfer destination (Send to) is included. The type item represents the type of entry in the table and is "Active".
Alternatively, it takes one of the values "Regular".
The items of the destination address and the source address correspond to the destination IP address and the source IP address of the transfer target packet, respectively. The transfer destination items are
It represents the identification information of the active code to be applied or the IP address of the communication device of the transfer destination for the packet in which the combination of the destination address and the source address is matched.

The entry whose type value is "active" specifies an active code to be applied to the target packet, and the transfer destination item has information for identifying the active code written therein. The entry whose type value is "normal" specifies the address of the communication device of the transfer destination of the target packet, and the IP address of the communication device of the transfer destination is written in the item of the transfer destination. .

In the example of the transfer destination table shown in FIG. 11, in the first entry, the type is "active", the destination address is "1.2.3.4", and the source address is "Any ( Anything)), and the transfer destination is "active code A". This is because when the destination address matches "1.2.3.4", the active network execution environment is activated by the corresponding packet as a trigger and the active code A Is executed. In the second entry, the type is "active" and the destination address is "10.5".
0.0.0 ”and the source address is“ 11.12.
13.14 "and the transfer destination is" active code B ".
Has become. This means that, when both the destination address and the source address match the above values, the active packet execution environment is activated by the corresponding packet and the active code B is executed. In the third entry, the type is “active” and the destination address is “Any”.
(Anything is acceptable) "and the transmission source address is" 157.
2.3.0 ”and the transfer destination is“ active code C ”
Has become. This means that no matter what the destination address is, the source address is "157.2.3.
When it matches “0”, it means that the active network execution environment is activated by the corresponding packet as a trigger and the active code C is executed.

As shown in FIG. 11, in the transfer destination table, the entry whose type is "active" exists above the entry whose type is "normal". Then, the entry whose type is “active” is applied in preference to the entry whose type is “normal”. Also, each entry is applied only to the packet that has arrived at the communication device, and is not applied to the packet that is sent out for transfer.

The configuration of the communication device described above will be summarized.
The interface unit shown in FIG. 10 is provided for each communication line, and performs processing of receiving a packet arriving from the communication line and transmitting the packet to the communication line. Further, the transfer destination table storage unit stores a pattern of a source address and / or a destination address of the packet or both of them, information of a program (active code) corresponding to the pattern or information of a transfer destination address corresponding to the pattern. Stores the registered transfer destination table. Further, the active network execution environment stores the program in advance and executes the program. Further, the transfer processing unit, when the received packet arriving from the communication line is passed from the interface unit, refers to the transfer destination table based on the source address or the destination address of the received packet,
When the information of the transfer destination address corresponding to the pattern of the address of the received packet is registered in the transfer destination table, the transfer destination address is corresponded so that the received packet is sent to the predetermined transfer destination address. When the information of the program corresponding to the address pattern of the received packet is registered in the transfer destination table, the program is started in the active network execution environment section and Pass the received packet.

Next, the model relating to the security of the active code in this embodiment will be described. This security model is to ensure that each active code operates only on packets that are associated with the owner of the active code. For this reason, this security model assumes that a public key infrastructure exists and uses it.

FIG. 12 is a schematic diagram showing the security model and the procedure of processing in the model. Figure 1
2, reference numeral 7051 is a user terminal device of the user A, and 7061 is a certification authority (Certification Authority) device. The function of this certification authority may be provided by a public institution, or ISP (Intern
et Service Provider, Internet connection service provider) or the like. In the example shown in FIG. 12, I of the user terminal device 7051
The P address is “1.2.3.4”. In the following, a procedure of processing for user A to register active code A in communication device 7001 will be described. In the following, the user A may be the developer of the active code A, but this is not inevitable, and the user A obtains the active code A developed by another developer, and the user A obtains it.
It may be registered in 001.

First, as shown in (1), the user terminal device 7051 of the user A generates a key pair, that is, a public key and a secret key, using a well-known technique. Then, as shown in (2), the user terminal device 7051 registers the public key generated above in the certificate authority device 7061. At this time, the certificate authority device 7061 verifies the IP address of the user terminal device 7051. If this verification is correctly performed, the public key itself, information for identifying the user A, and the IP address “1.2.3.4” of the user terminal device 7051.
Is stored in the certificate authority device 7061.

Next, as shown in (3), the user terminal device 7051 performs a process of digitally signing the active code A using the secret key generated above. Then, as shown in (4), the user terminal device 7051 performs a process of registering the active code A signed with the private key in the communication device 7001.

In response to this, the communication device 7001 (5)
As shown in, the electronic certificate of the user A who has registered the active code A is acquired from the certificate authority device 7061.
This electronic certificate includes information for identifying the user A, its IP address "1.2.3.4", and the public key itself registered in (2) above. Then, as shown in (6), the communication device 7001 verifies the electronic signature of the active code A registered in (4) above using the public key of the user A extracted from the above electronic certificate. Then, if this is correctly verified, the communication device 7001 performs a process of introducing the active code A into the active network execution environment. Further, in response to this, necessary entries are added to the transfer destination table.

Note that once the processes (1) and (2) are performed and the public key of the user A is registered in the certification authority device 7061, the user terminal device 7051 sets the private key corresponding to the public key. It is also possible to register any number of active modules in the communication device 7001 by using it.

That is, the communication device 7001 is provided with a registration unit (not shown), and this registration unit receives a program electronically signed by the private key of the user from the terminal device of the user, and the electronic unit of the user. Receive the certificate from the certificate authority device, verify the electronically signed program using the public key of the user included in the received electronic certificate,
If this verification is successful, the address pattern corresponding to the program and the information of the program are registered in the transfer destination table. If this verification fails, the information of the program is stored in the transfer destination table. Registration should not be performed.

In order for the procedure of registering the active code to the communication device described above to function effectively, the following two points are premised. As a first premise, it is known in advance to which communication device (node) the user should register the active code. Alternatively, a directory service is provided for recognizing which communication device (node) should register the active code. As a second premise, the communication device (node) can acquire the public key of the target certificate authority in advance off-line, from another certificate authority, or by some other means.

Next, the control for resolving the contradiction will be described. In a communication device (node), n active codes are registered, and the i-th (1 ≦ i ≦ n)
And the j-th (1 ≦ j ≦ n) active codes are set C (i) (C (i) ⊆A) and set C (j) (C), respectively.
(J) ⊆ A) is defined as a packet, a combination of i and j (where i ≠ j) such that the set (c (i) ∩c (j)) is not an empty set.
May exist. That is, if a packet is i
This is the case where the definition is applied so that it can be applied to both the jth active code and the jth active code.
Such a contradiction will be resolved by either of the following two scenarios.

The first contradiction resolution scenario for packet (s, d) is (sεO (k) ΛdεO (l)) Λ (k ≠ l) ) ∈c (i) ∩c (j). However, O (k) and O (l) are a set of IP addresses owned by users k and l, respectively. That is, regarding a certain packet, both the active code for the source user and the active code for the destination user are registered in the communication device, and this packet (s, d) arrives at such a communication device. This is the case. In such a case, it is considered desirable to preferentially apply the active code of the destination user.

That is, in the pattern registered in the transfer destination table, the first entry in which only the source address is designated and the destination address may be any, and the source entry in which only the destination address is designated The second entry, which is supposed to have any address, is included in the received packet.
If both of the entries are matched, the second entry is prioritized over the first entry and the program corresponding to the pattern of the second entry is activated.

As described above, giving priority to the active code of the destination user over the active code of the user of the transmission source is performed by using the function of the active network.
DoS (Distributed Denial of Servic
e) Especially important when constructing a mechanism to defend against attacks. By doing so, the active code of the destination user, that is, the person who can be the attacked person, is prioritized over the active code that may become the attacker.

The second contradiction resolution scenario relates to the case where two or more active codes to be applied to a packet (s, d) are registered by the same user. In such cases, the oldest registered active code is
It may be desirable to have priority applied over others. By doing so, when the user attempts to register a new active code, it is guaranteed that the old active code will be deleted in advance in order for the new active code to become effective.

Next, an example of the implementation of the communication device that functions as a node of the active network as described above will be described. FIG. 13 shows L
A Java (registered trademark) virtual machine (JV) on Linux
It is a schematic diagram at the time of realizing a communication apparatus which processes an active packet using M).

In the example shown in FIG. 13, a dedicated IP stack is constructed as a part of the process. As a result, the transfer destination table as shown in FIG. 11 is realized, and entries can be added to or deleted from the transfer destination table from the execution environment (active network execution environment). Along with this, the kernel (kerne
Since the IP stack in l) is unnecessary, routing in the kernel is deactivated. Then, a copy of the arriving packet is created from the data link portion, and the packet is Java-transmitted through the library libpcap.
(Registered trademark) A virtual machine can be used for supplementation.

The dedicated IP stack constructed as a part of the process creates an active packet, that is, an IP address (destination IP address, source IP address, or a combination thereof) that matches a predetermined definition on the transfer destination table. The packet that it has is passed to the active code that is activated on the execution environment. On the other hand, normal packets other than active packets are transferred to the adjacent communication device or the like by the same method as the IP stack in the kernel. All packets, whether active packets or normal packets, sent from this communication device are sent through the library libnet. By doing so, the source address recorded in the header of each processed packet is sent to the network in the state of the original source address.

In addition, a standard Java (registered trademark) AP
It is possible to implement a security model by using "java.security" which is I (application program interface). This standard API provides most of the functionality needed to build a security model. As the format for the certificate, the “X.509” certificate format can be used, and the IP address of the owner of the active code is the identification name (DN, distin) of the “X.509”.
The security model of the present embodiment can be realized by including it as a part of the guished name).

Needless to say, in the above implementation, a communication system having an active network execution environment is constructed by using a computer system. Then, the series of processes described above, that is, the creation and capture of a copy of the arriving packet, the process of transferring the active packet and the normal packet while referring to the transfer destination table, and the activation of the active code on the active network execution environment And the execution of that process,
The process of each process such as sending the processed packet to the network is stored in a computer readable recording medium in the form of a program, and the above process is performed by the computer reading and executing the program. . Here, the computer-readable recording medium means a magnetic disk, a magneto-optical disk, a CD-RO.
M, DVD-ROM, semiconductor memory, etc. Further, the computer program may be distributed to the computer via a communication line, and the computer that receives the distribution may execute the program.

Although the embodiments of the present invention have been described in detail above with reference to the drawings, the specific configuration is not limited to these embodiments, and the design etc. within the scope not departing from the gist of the present invention are also possible. included. For example, in the above embodiment, the communication address is written as a 4-byte IP address on the assumption that the Internet protocol is used. The present invention can also be applied.

[0096]

As described above, according to the present invention, the shield communication device performs the analysis process for analyzing the incoming communication packet, and the communication packet is transferred to the protection target computer according to the result of the analysis process. The priority of the communication packet is determined according to the possibility that it is an attack communication packet, and the communication packet is transferred to the transfer destination according to the priority. Therefore, in comparison with the case where the conventional technique binaryly determines whether or not the packet is an attack packet and processes, it is possible to minimize the damage that a normal communication packet becomes difficult to reach under an attack. it can. Further, even when it cannot be determined whether the packet is an attack packet, the band occupied by the suspicious communication packet can be gradually narrowed down.

Further, according to the present invention, since the number of stages of connection with the shield communication device farthest from the boundary communication device is allowed to be 2 or more, that is, the number of stages (depth) of the shield communication device. Since it can be set to 2 or more, the load of the defense processing can be dispersed, and since the defense is performed at a position closer to the attack source, the bandwidth of the communication line on the downstream side can be effectively used without wasting it. .

Further, according to the present invention, when an attack is detected, the function of the probe is gradually moved from the shield communication device to the upstream, so that the defense at a place closer to the attack source is possible. Becomes As a result, the bandwidth of the communication line on the downstream side can be effectively used, and the process of collecting evidence information about the attack source can be performed.

According to the present invention, as the processing of the probe, the communication packet whose destination address is the address of the defense target computer is captured, and the transmission source address of the communication packet is the same as the previously obtained attack source address. If it is, the communication packet is determined to be an attack packet, so that the A-type DDoS attack described in the description of the embodiment can be protected.

Further, according to the present invention, as the processing of the probe, the communication packet in which at least one of the destination address and the source address is the address of the defense target computer is captured, and the source address of the communication packet is Since it is determined that this communication packet is an attack packet even when the address of the defense target computer and the destination address of the communication packet are the broadcast addresses of the attack source address,
The type B DDoS attack described in the description of the embodiment can be protected.

Further, according to the present invention, by introducing the dynamic inspection, it becomes possible to detect and defend against an attack which cannot be detected by the conventional technique.

[Brief description of drawings]

FIG. 1 is a network configuration presumed by an embodiment of the present invention.

FIG. 2 is a block diagram showing an internal configuration of a communication device according to the same embodiment.

FIG. 3 is a logical schematic diagram showing a defense mechanism according to the embodiment.

FIG. 4 is a schematic diagram showing an outline of a process of classifying communication packets by the shield module of the embodiment.

FIG. 5 is a graph showing a distribution state of source IP addresses used when the shield module according to the embodiment performs a dynamic inspection, (a) being a normal distribution, and (b) being attacked. An example of the distribution at time is shown.

FIG. 6 is a schematic diagram showing an A-type DDoS attack.

FIG. 7 is a schematic diagram showing a B-type DDoS attack.

FIG. 8 illustrates an A-type DDoS according to an embodiment of the present invention.
This is a pseudo program code that describes a probe algorithm for responding to an attack.

FIG. 9 is a pseudo program code describing a probe algorithm for dealing with a B-type DDoS attack according to the embodiment.

FIG. 10 is a block diagram showing an internal configuration of a communication device according to the same embodiment.

FIG. 11 is a schematic diagram showing an example of a transfer destination table stored in a transfer destination table storage unit according to the same embodiment.

FIG. 12 is a schematic diagram showing a security model according to the same embodiment and a procedure of processing in the model.

FIG. 13 shows the communication device of the same embodiment as J on Linux.
It is a schematic diagram at the time of realizing so that it may process an active packet using an ava (registered trademark) virtual machine (JVM).

[Explanation of symbols]

7000 User's computer 7001 Communication device 7010 Active network execution environment 7011 Code execution unit 7012 Code storage unit 7021 Transfer processing unit 7022 Transfer destination table storage units 7023a, 7023b, ... Interface units 7024a, 7024b ,. Communication line 7051 User terminal device 7061 Certificate authority device 7510 Active network execution environment 7511 Code execution unit 7512 Code storage unit 7521 Transfer processing unit 7531 Arrival packet capturing unit 7532 Class-based queue processing unit 7533 Packet sending unit 7540 Program transfer processing Department

Claims (16)

[Claims] 1. A defense method for protecting a defense target computer connected to a network composed of a plurality of communication devices from a denial of service attack, which is a boundary of communication devices closest to the protection target computer. Based on the command information from the communication device, the shield communication device connected within the range of a predetermined number of stages from the boundary communication device performs an analysis process of analyzing communication packets arriving at the shield communication device. According to the result of the analysis process, the priority of the communication packet is determined according to the possibility that the communication packet is an attack communication packet for the defense target computer, and the communication packet is transferred to the transfer destination according to the priority. As a result of the analysis processing, the communication packet is reliably transmitted to the protection target computer while being transferred. Methods of preventing denial of service attacks, comprising discarding shielding process of the communication packet if it is a communication packet hammer was found. 2. The denial-of-service attack protection method according to claim 1, wherein the number of stages of connection with the shield communication device located farthest from the boundary communication device is 2 or more, and A denial-of-service attack defense method characterized in that the number of stages can be dynamically changed. 3. The denial-of-service attack protection method according to claim 1, wherein in the shield process, it is determined that the communication packet is an attack communication packet for the defense target computer. A shield communication device transmits a probe program code to an adjacent communication device closer to the attack source, and a probe communication device that receives the probe program code executes the probe program code. By analyzing the communication packet arriving at the probe communication device, if the communication packet is a communication packet of an attack on the defense target computer as a result, the communication packet is discarded and the side closer to the attack source For the adjacent communication device, Over Bed program sends a code, and methods of preventing denial of service attacks, wherein if the packet results certain time attack analysis is not detected, further comprising a probe process to terminate the processing of the probe program code. 4. The denial of service attack protection method according to claim 3, wherein in the probing process, a communication packet whose destination address is the address of the defense target computer is captured, and the transmission source of the communication packet is captured. If the address is the same as the previously obtained attack source address, it is determined that the communication packet is an attack packet, and in other cases, the communication packet is not an attack packet. How to defend against denial of service attacks. 5. The denial of service attack protection method according to claim 3, wherein in the probe process, a communication packet in which at least one of a destination address and a source address is an address of the protection target computer is transmitted. A) if the source address of the communication packet is the same as the previously obtained attack source address, or b) if the source address of the communication packet is the address of the defense target computer and When the destination address of the communication packet is the broadcast address of the attack source address, it is determined that the communication packet is an attack packet, and if neither of the above a) or b) is applicable, Denial of service characterized by determining that the communication packet is not an attack packet And methods of preventing attack. 6. The method of protecting against a denial of service attack according to claim 1, wherein in the analysis processing in the shield process, log information including a parameter value obtained in advance in a normal state is used. A method of preventing a denial of service attack, which is characterized by performing a dynamic inspection process by comparing a parameter value at the time of inspection with the log information. 7. A shield communication device for executing processing of a protection method for protecting a defense target computer from a denial of service attack, and a command from a boundary communication device which is a communication device closest to the protection target computer. Based on the information, an analysis process for analyzing the communication packet arriving at the shielded communication device is performed, and according to the result of this analysis process, the communication packet is determined to be a communication packet of an attack on the defense target computer. The priority of the communication packet is determined, the communication packet is transferred to the transfer destination according to the priority, and the result of the analysis processing is that the communication packet is definitely a communication packet of an attack on the defense target computer. If it is found, the process of discarding the communication packet is executed. Shield communication device. 8. The shielded communication device according to claim 7, wherein in the analysis processing, log information including a parameter value obtained in advance in a normal state is used to detect a parameter value at the time of inspection. A shielded communication device, which executes a dynamic inspection process by comparing with the log information. 9. A probe communication device for executing processing of a defense method for protecting a defense target computer from a denial of service attack, wherein when the shield communication device detects a communication packet of an attack on the defense target computer, By receiving the probe program code from the shielded communication device and executing the probe program code, the communication packet that arrives at the probe communication device is analyzed, and as a result, the communication packet is an attack communication packet for the defense target computer. In some cases, the communication packet is discarded, and the probe program code is transmitted to the adjacent communication device on the side closer to the attack source. When the analysis result indicates that no attack packet is detected for a certain period of time, the probe program is used. Code processing Probe communication device and executes the processing of the probe process to terminate. 10. The probe communication device according to claim 9, wherein in the processing of the probe process, a communication packet whose destination address is the address of the defense target computer is captured, and a source address of the communication packet is captured. Is determined to be an attack packet if it is the same as the attack source address obtained in advance, and in other cases it is determined that the communication packet is not an attack packet. Probe communication device. 11. The probe communication device according to claim 9, wherein in the processing of the probe process, a communication packet in which at least one of a destination address and a source address is an address of the defense target computer is captured. A) if the source address of the communication packet is the same as the previously obtained attack source address, or b) if the source address of the communication packet is the address of the defense target computer and the communication When the destination address of the packet is a broadcast address of the attack source address, it is determined that the communication packet is an attack packet, and when the above neither a) nor b) is applicable, the communication is concerned. A probe communication device characterized by determining that the packet is not an attack packet . 12. A communication device for executing processing of a protection method for protecting a protection target computer from a denial of service attack, comprising an arrival packet capturing unit for capturing a communication packet arriving from a network side, and the communication packet A class that is provided as a result of the processing of the computer program in the active network execution environment unit, which includes an active network execution environment unit that processes the computer program that exerts an effect on the active network execution environment, and a queue that corresponds to each of a plurality of classes. In accordance with the above, a class-based queue processing unit that performs processing of putting the communication packet in the queue corresponding to the class, and sequentially extracting communication packets from each queue provided in the class-based queue processing unit Sent to the network side And a program transfer processing unit that transfers the computer program to be executed by the active network execution environment unit to another communication device. A code storage unit that stores a computer program; and a code execution unit that reads and executes the computer program stored in the code storage unit. The code storage unit analyzes incoming communication packets. , The result of this analysis,
While determining the class of the communication packet according to the possibility that the communication packet is an attack communication packet,
If the communication packet is definitely an attack communication packet, a shield module that causes the computer to perform processing to discard the communication packet and an incoming communication packet are analyzed, and as a result, the communication packet is transmitted to the defense target computer. If the packet is an attack communication packet, a probe module that causes the computer to execute a process of discarding the communication packet, and if the computer executes the process of the probe module, and if an attack communication packet is found, its own program A self-replicating transmission module that causes a computer to execute a process of transmitting a copy of the code to an adjacent communication device on the side closer to the attack source, and the computer executes the process of the probe module, and as a result, the communication packet of the attack is predetermined. Watch for hours continuing If no from a communication device and a self-destructing module for executing the processing to extinguish the self program code to the computer is characterized in that it is at least stored. 13. A computer program for causing a computer to execute a process of a defense method for protecting a defense target computer connected to a network composed of a plurality of communication devices from a denial of service attack. Based on the command information from the border communication device, which is the closest communication device, the shield communication device connected within a predetermined number of stages from the border communication device, the communication packet that arrives at the shield communication device. The communication packet is analyzed, and the priority of the communication packet is determined according to the result of this analysis processing depending on the possibility that the communication packet is an attack communication packet for the defense target computer. Accordingly, the communication packet is transferred to the transfer destination, and the result of the analysis process Computer program in the case where that said communication packet is a communication packet attacks on reliably the protection target computer has been found is to execute the process of discarding the shield process the communication packets to the computer. 14. A computer program for causing a computer to execute a process of a defense method for protecting a defense target computer connected to a network constituted by a plurality of communication devices from a denial of service attack, the incoming communication packet being received. If the communication packet is an attack communication packet for the defense target computer as a result of analysis, the communication packet is discarded and the computer program itself is transmitted to the adjacent communication device closer to the attack source. A computer program that causes a computer to execute the process of a probe process that terminates the computer program when an attack packet is not detected for a certain period of time as a result of analysis. 15. The computer program according to claim 14, wherein in the probing process, a communication packet whose destination address is the address of the defense target computer is captured, and a source address of the communication packet is obtained in advance. A computer that causes the computer to execute processing to determine that the communication packet is an attack packet if it is the same as the address of the attack source that has been determined, and otherwise determine that the communication packet is not an attack packet. program. 16. The computer program according to claim 14, wherein in the probing process, a communication packet in which at least one of a destination address and a source address is an address of the defense target computer is captured. ) When the source address of the communication packet is the same as the previously obtained attack source address, or b) the source address of the communication packet is the address of the defense target computer and the destination of the communication packet If the address is the broadcast address of the attack source address, it is determined that the communication packet is an attack packet, and if neither of the above a) or b) is applicable, the communication packet is attacked. Computer to execute the processing to determine that the packet is not Computer program.