JP2005167364A - Communication connection method, server computer, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a communication connection method of a server computer with higher security for various accesses from client computers. <P>SOLUTION: The server computer 1 is provided in advance with a group identification table 120 wherein a name of a group comprising a plurality of users and the number of times of receiving connection request packets secretly assigned to each user belonging to the name of group. A group identifying unit 15 authenticates whether the number of times of received connection requests within a prescribed period from the same client computer 2 exists in the table 120, and acquires the corresponding group name when existing. A resource management unit 16 discriminates whether the server computer can assign resources to the group indicated by the group name and generates the connection request acknowledgement packet as an acknowledgement with respect to any one of the received connection request packets when the resource management unit 16 discriminates the resources to be assignable. A transmitting unit 17 transmits the connection request acknowledgement packets to a network. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to a server computer communication connection method, a server computer, and a program that can securely connect to an access from a client computer.

  In recent years, clients that use the Internet or the like to connect an unspecified number or number of specified client computers to a server computer via a packet switching network and supply data from the server computer in response to a request from the client computer Server systems are widely used.

  Here, a packet refers to a group of data flowing on the network, and roughly divided into a header and a data body. Further, the header includes a start point IP (Internet Protocol) address, an end point IP address, and the like. As an example of a legitimate access request in such a TCP / IP (Transmission Control Protocol / IP) protocol, (1) the client computer sends a connection request packet (SYN (SYNchronize) packet) to the server computer, (2) The server computer sends a connection request confirmation packet (SYN + ACK (ACKnowledgement) packet) to the client computer, and (3) the client computer sends an acknowledgment packet (ACK) packet to the server computer to create a logical communication path ( Connection) is established, and data is sent and received by the higher-level application in the established (Established) state. This access request is called a three-way handshake method.

  By the way, when establishing a connection using the TCP / IP protocol, the server computer needs to secure a certain amount of resources (memory area and disk area) for TCP connection processing in advance. When the connection is discarded, the server computer releases the processing resources. This TCP connection processing resource is allocated without distinguishing the connection requester (pointing to the client computer user or the client computer itself), and if this resource is insufficient, a new connection cannot be established. Situation. Therefore, the following two problems arise. The first is an attack that makes it impossible for a server computer to provide a service by establishing a large number of connections with the server computer and using up resources for connection processing. Will be performed). Second, in the state where many low-priority people (or general people) use the service, people with a high priority cannot use the service.

In order to solve such a problem, a method has been proposed in which phase users are divided into groups in advance, and resources for TCP connection processing are managed based on the priority order in each group (for example, Patent Document 1). reference). This method goes through the following processing.
1) The client computer sends a connection request packet to the server computer,
2) The server computer refers to the user identifier (source address of the connection request packet) of the received connection request packet, identifies the user group to which the connection requester belongs,
3) The communication processing resource set corresponding to the confirmed user identifier is checked, and finally, if the resource is available, a TCP connection processing resource is allocated.

In this way, resources for TCP connection processing are allocated to each user group, so the influence of connection floods by unauthorized clients can be limited to the user group to which the unauthorized client belongs, and server computer service stoppage can be prevented. It was. Also, by forming groups according to priority, TCP connection processing resources can be allocated to users with high priority even in situations where users with low priority are using mass services. did it.
Japanese Patent Laid-Open No. 2003-122502

  In the method described above, a computer address (IP address, MAC address) included in the connection request packet is used as a user identifier, and resources for TCP connection processing are allocated based on the user identifier.

  However, according to this method, when a plurality of users use the same client computer, resource allocation according to the users cannot be performed. Also, if the IP address is dynamically assigned, it will be necessary to re-register each time. The MAC address included in the connection request packet can only be used when the server computer and the client computer are on the same network. There is. Also, since IP addresses and MAC addresses can be forged relatively easily, an unauthorized client or a client with a low priority disguises these computer addresses and connects to the server computer to impersonate other user groups. We could not prevent you from enjoying the service.

  The present invention has been made in view of the above problems, and provides a server computer communication connection method, a server computer, and a program with higher security against various accesses from a client computer. For the purpose.

  The present invention is a communication connection method of a server computer for connecting to a client computer via a network, wherein the server computer identifies a group of a plurality of users permitted to connect to the server computer. The server computer includes a storage unit that stores the identification information and the unique connection request packet count secretly assigned to the group in association with each other, and the server computer receives the connection request from the client computer received within a predetermined period. Counts the number of packets, authenticates whether or not the number of connection request packets that match the count result is stored in the storage means, and if stored, group identification information corresponding to the number of connection request packets And the resource of the server computer for the group indicated by the acquired group identification information It is determined whether allocation is possible, and when it is determined that allocation is possible, a connection request confirmation packet is generated as a response to at least one of the received plurality of connection request packets, and the generated connection request confirmation The packet was sent to the network.

  The present invention also provides a server computer that performs connection processing with a client computer, group identification information for identifying a group of a plurality of users permitted to connect to the server computer, and the group A storage means for storing in advance a correspondence with the number of unique connection request packets assigned to the secret, a connection request counting means for counting the number of connection request packets received from the client computer within a predetermined period, and the storage Authenticating whether or not the number of connection request packets that match the count result is stored in the means, and if stored, group identification means for acquiring group identification information corresponding to the number of connection request packets, and acquisition Whether the server computer can allocate resources to the group indicated by the group identification information Resource management means for generating a connection request confirmation packet as a response to at least one of the received plurality of connection request packets, and the generated connection request confirmation packet in the network And a transmission means for sending to the mobile phone.

  The present invention also relates group identification information for identifying a group of a plurality of users allowed to connect to the server computer and the number of unique connection request packets secretly assigned to the group. A program executed by a server computer comprising storage means for storing in advance, the first code for counting the number of connection request packets received from the client computer within a predetermined period, and the storage means The second code for authenticating whether or not the number of connection request packets that match the count result is stored, and for acquiring the group identification information corresponding to the number of connection request packets when stored, and the acquired Determine whether the server computer can allocate resources to the group indicated by the group identification information. A third code for generating a connection request confirmation packet as a response to at least one of the received plurality of connection request packets when it is determined to be possible, and a third code for transmitting the generated connection request confirmation packet to the network 4 code, and let the server computer execute.

  According to the present invention, the group authentication is performed for the connection request and the resources of the server computer that can be used in units of groups are allocated, so that it is difficult for an unauthorized connection requester to attack and the right connection requester. Can also prevent denial-of-service attacks due to access concentration (regardless of intentions). Therefore, the security of the server computer can be further improved.

  Embodiments of the present invention will be described below with reference to the drawings.

  FIG. 1 shows a communication system to which the present embodiment is applied. The server computer 1 and the client computer 2 include an open network such as the Internet and various communication networks 3 including a dedicated line connected thereto. Connected with.

  In general, communication between the server computer 1 and the client computer 2 is performed by TCP / IP. TCP / IP is separated into a network access layer, a network layer, a transport layer, and an application layer in order from the lower layer to the upper layer.

  The network access layer is equivalent to the physical layer and data link layer of the OSI (Open Systems Interconnection) reference model, and it sends and receives data using electrical and optical signals and adjusts the flow of information between adjacent nodes It is a processing layer that enables the control necessary for the purpose.

  The network (Internet) layer corresponds to the network layer of the OSI reference model, and is a processing layer that is responsible for data routing between networks and data distribution to computers for communication purposes.

  The transport layer substantially corresponds to the transport layer of the OSI reference model, and is a processing layer that provides a delivery service to a designated application layer port and a data error check function. In the transport layer, two protocols, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol), can be used. As will be described later, TCP provides a connection-type environment and guarantees data reachability. In contrast, UDP provides a connectionless environment and does not guarantee data reachability.

  The application layer corresponds to an OSI reference model application, and is a processing layer that performs communication processing control for the application to perform data transmission / reception and processing specific to the application.

  Communication in a layer higher than the network layer is performed using IP packets. FIG. 2 shows a general IP packet configuration. An IP packet is composed of an IP header portion and a data portion.

  The IP header part includes the version indicating the IP version (IPv4, IPv6, etc.), the header length indicating the header length of the IP header part, the service type for instructing the router about the quality of the communication service, and the total length of the IP packet. Packet length, identifier for restoring the fragment, flag for controlling the fragmentation process, fragment offset for indicating the position of the fragmentation, lifetime indicating the number of routers that can be passed, upper layer Protocol number indicating the protocol (ICMP is 1, TCP is 6, UDP is 17), header checksum to ensure that the data is not damaged, source IP address indicating the source address, destination address Destination IP address, options for use in various optional functions, IP header length is 32 bits Each consisting of information padding to adjust to be the integral multiple.

  The data part includes a TCP, UDP, or ICMP segment.

  FIG. 3 shows the structure of a general TCP segment. The TCP segment is composed of a TCP header and a data portion. The TCP header includes a start port number indicating the source port number, an end port number indicating the destination port number, a sequence number indicating the position of the transmitted data, an acknowledgment number indicating the position of the received data, and a TCP carry Data offset indicating the start position of the data being read, extension reserved bit, control flag indicating the processing method and type of the TCP segment, window size indicating the receivable data length used for flow control, TCP header, data Is composed of a checksum for ensuring that the data is not damaged, an urgent pointer indicating the position of data to be urgently processed, an option used for improving communication performance by TCP, and padding information.

  FIG. 4 shows the structure of a general UDP segment. The UDP segment is composed of a UDP header and a data portion. In the UDP header, the source port number indicating the source port number, the destination port number indicating the destination port number, the packet length indicating the length of this UDP segment, the UDP header, IP address, and protocol number are damaged. It consists of each information of checksum to guarantee that there is no.

  In TCP, generally 1) the client computer sends a connection request packet (SYN (SYNchronize) packet) to the server computer, and 2) the server computer sends a connection request confirmation packet (SYN + ACK (ACKnowledgement) packet) to the client computer. 3) A communication path (connection) is established between logical ports between devices using a three-way handshake method in which the client computer sends an acknowledgment packet (ACK) packet to the server computer. Send and receive data with the host application. Note that logical ports up to 65535 are allowed to be used.

  On the other hand, since UDP and ICMP are connectionless communications, such connection establishment processing is not performed and data is transmitted and received.

Now, in the present embodiment, all connection requesters are divided into a plurality of groups in advance between a certain server computer 1 side and all connection requesters permitted to access the server computer 1. The number of times of transmission of the same connection request packet is determined as at least authentication information in each group although it differs among the groups. It is assumed that the number of outgoing calls used as authentication information is secretly shared between the server computer 1 and each connection requester. This number of outgoing calls can be shared online using a secure channel secured using a cryptographic protocol (such as SSL (Secure Socket Layer) as an existing technology) or offline such as by mail. Or secretly shared with a third party. It should be noted that the connection requester may hold different criteria information depending on a plurality of servers.

  FIG. 5 shows functional blocks of a portion according to the present embodiment of the client computer 2 in the system of FIG.

  The connection request packet generator 21 generates a connection request packet when receiving a connection request instruction to the server computer 1 via a user interface (not shown) from the connection requester. The connection request packet generation unit 21 refers to the connection establishment table 100, acquires the number of connection request packet transmissions necessary for connection with the designated server computer 1, and acquires the generated connection request packet. The number of transmissions is sequentially output to the transmission unit 22. Normally, the access port of the connection request packet to the server computer 1 is No. 80. In this embodiment, No. 80 may be used. Of course, if it is determined in advance that an access port number M different from the number 80 is used, the number M may be used. Further, a plurality of access ports may be accessed in order by a predetermined number.

  The connection establishment table 100 stores at least the number of transmissions of connection request packets necessary for the connection requester when connecting to the server computer 1. An example of the connection establishment table 100 is shown in FIG. The connection establishment table 100 in this example corresponds to each server computer 1... 1 and the prescribed number of connection request packets (number of transmissions) for each server computer secretly shared with this connection requester. The list is attached. It is important that the number of times of transmission is managed secretly as described above. Instead of providing the connection establishment table 100, the connection requester inputs information necessary for generating a connection request packet such as the number of outgoing calls stored in the connection establishment table 100 via a user interface (not shown). May be.

  The transmission unit 22 transmits IP packets to the network 3, and sequentially transmits connection request packets sequentially output by the connection request packet generation unit 21 to the network 3.

  The receiving unit 23 receives an IP packet addressed to the own computer 2 from the network 3. The received IP packet is sent to the connection request confirmation packet determination unit 24, and whether or not the IP packet is a connection request confirmation packet responded to any of the connection request packets transmitted from the transmission unit 22. Determine whether. As a result, when it is determined that the packet is a connection request confirmation packet, the client computer 2 performs a process for establishing a connection with the server computer 1.

  FIG. 6 shows functional blocks of a part of the server computer 1 according to the present embodiment.

  The receiving unit 11 receives an IP packet addressed to its own computer 1 from the network 3 and sends it to the table updating unit 12 when this IP packet is a connection request packet.

The table updating unit 12 registers or updates entries in the connection control table 110 during the connection establishment process. An example of the connection control table 110 is shown in FIG. The connection control table 110 transmits the identifier of the connection requester during the connection establishment process (for example, the IP address of the client computer) and the connection requester transmits from the start of the connection establishment process to that point. The number of connection request packets received and the number of entries including the elapsed time since the connection requester started the authentication process are temporarily stored as many as the number of connection establishment processes.

  When an entry indicating the same client computer 2 as the received connection request packet is already registered in the connection control table 110, the table update unit 12 updates the entry by increasing the packet reception count by one. On the other hand, if the connection request packet is not registered in the connection control table 110, an entry is newly added. At this time, information (for example, client name, start point IP address, etc.) that can identify the client computer 2 that transmitted the connection request packet is described, the packet reception count is 1, and the elapsed time is 0.

  The table updating unit 12 is connected to the timer 13 and updates the elapsed time column of each entry in the connection control table 110 at a predetermined time interval (for example, every second) based on the timer-13. That is, the elapsed time column of each entry keeps track of the elapsed time from the reception of the first packet to the present.

  The monitoring unit 14 monitors whether or not a predetermined time has passed in the elapsed time column of each entry temporarily held in the connection control table 110 at predetermined intervals (for example, 1 second). When there is an entry determined to have elapsed, the entry is read and the entry is deleted from the connection control table 110. The monitoring unit 14 transmits the read entry to the group identification unit 15.

  The group identification unit 15 authenticates whether or not the number of received connection request packets included in the transmitted entry is in the group identification table 120 stored in advance, and if there is an appropriate number of times, the group associated with it Is transmitted to the resource management unit 16 together with the entry. The group identification table 120 is, for example, as shown in FIG. 7C. The number of connection request packets uniquely assigned to each group and the identification information of each group (here, the group name may be a group ID, etc.) Is a list in which

  Based on the received group identification information, the resource management unit 16 refers to the resource management table 130 and confirms the status of resources that can be currently allocated to the group. The resource management table 130 is, for example, as shown in FIG. 7 (d). Each group name (information for identifying a group), the number of connections that can be simultaneously connected obtained from resources that can be simultaneously assigned to each group, and each group It is composed of a list that associates the number of connections that are currently connected. If there is a resource that can be allocated as a result of referring to such a resource management table 130, the resource management unit 16 increments the value of the connection number column that is currently connected to the entry of that group in the resource management table 130 by one. . Then, the resource management unit 16 generates a connection request confirmation packet for any one of the plurality of connection request packets from the client computer 2 and outputs the connection request confirmation packet to the transmission unit 17 in order to establish a connection. To do. When a connection in a group is terminated, the resource management unit 16 receives a notification to that effect, and sets the value in the number of connections currently connected to the entry of the group in the resource management table 130 to 1. Decrease. Note that a connection request confirmation packet is generated for which connection request confirmation packet is individually determined in advance between the client apparatus 2 and the server apparatus 1 for the Nth connection request packet. There is also a method in which the server apparatus determines each time, but here, it is uniquely generated for the last connection request packet.

  The transmission unit 17 sends a connection request confirmation packet from the resource management unit 16 to the network 3. The sent connection request confirmation packet is received by the receiving unit 13 of the client computer 2 described above.

  Next, the operation of the client computer 2 according to the present embodiment will be described with reference to FIG. 8, and the operation of the server computer 1 will be described with reference to FIGS.

  When the connection requester instructs the client computer 2 to connect to the server computer 1, first, the connection request packet generation unit 21 of the client computer 2 sets “1” as an initial value in a transmission connection counter (not shown) provided therein. "Is set (step C101). Next, the connection request packet generator 21 generates a connection request packet addressed to the server computer 1 (step C102). The generated connection request packet is output to the network 3 via the transmitter 22 (step C103).

  The connection request packet generation unit 21 refers to the specified connection request packet number of the entry of the server computer 1 registered in the connection establishment table 100, and transmits a specified number of connection request packets compared to the transmitted connection counter. (Step C104).

  If the number of connection request packets transmitted has not yet reached the regulation, the transmitted connection counter is incremented by 1 (step C105), the process returns to step C103, and the same connection request packet is transmitted again.

  On the other hand, when it is confirmed in step C104 that a prescribed number of connection request packets have been transmitted, the server waits for a connection request confirmation packet sent from the server computer 1 (step C106). Then, the client computer 1 determines whether or not a connection request confirmation packet is received from the server computer 1 within a predetermined period (step C107). More specifically, the own IP packet received by the receiving unit 23 is sent to the connection request confirmation packet determination unit 24, and the connection request confirmation packet determination unit 24 determines that the IP packet is a connection request confirmation packet from the server computer 1. Or other IP packets, and this is performed within a predetermined period after at least a prescribed number of connection request packets are transmitted.

  If no connection request confirmation packet is received within a predetermined period, it is determined that the authentication has failed, and the process is terminated.

  On the other hand, when a connection request confirmation packet for at least one of the plurality of connection request packets is received from the server computer 1, a response confirmation packet is transmitted in response thereto (step C108). As a result, a connection is established between the client computer 2 and the server computer 1.

  On the other hand, the server computer 1 is roughly classified into an operation related to reception of a connection request packet and an operation related to transmission of a connection request confirmation packet.

  First, an operation related to reception of a connection request packet will be described with reference to FIG. The server computer 1 receives the connection request packet from the client computer 2 at the reception unit 11 and transmits it to the table update unit 12 (step S101).

  The table updating unit 12 checks whether or not the connection requester entry has been registered in the connection control table 110 (step S102). In this embodiment, an IP address is used to identify each entry in the connection control table 110, but it may be a MAC address or other identifiers.

If it is determined in step S102 that there is no entry in the connection control table 110, a new entry for the client computer 2 is registered (step S103). The new registration entry stores an IP address value, an initial value 1 for the number of connection request packets, and an initial value 0 for elapsed time.

  On the other hand, if it is determined in step S102 that the entry of the client computer 2 already exists in the connection control table 110, the number of connection request packets of the entry including the IP address is increased by "1" and updated (step S104). ).

  Note that the operation is not specified in the flow here, but the elapsed time column of each entry after registration is notified by the timer 13 at predetermined intervals, and is updated by the table updating unit 12 each time. To do.

  Next, the operation related to the transmission of the connection request confirmation packet will be described with reference to FIG.

  The monitoring unit 14 constantly monitors whether any of the elapsed time columns of each entry in the connection control table 110 has reached a predetermined time limit (step S121). When the monitoring unit 14 detects that there is an entry whose elapsed time has reached the time limit, the monitoring unit 14 reads out the entry and transmits it to the group identification unit 15 (step S122). Further, the monitoring unit 14 deletes the entry from the connection control table 110 (step S123).

  The group identification unit 15 refers to the group identification table 120 and authenticates whether there is a packet that matches the number of connection request packets included in the received entry. If there is a match, the corresponding group name (identification information indicating the group) is acquired (step S124). For example, in FIG. 7C, if the number of connection request packets from the connection requester is 200, it is determined to belong to group 1. In the present embodiment, the number of connection request packets is a constant, but it may be a numerical range (for example, 200 or more and less than 220 or 200 or more). The group identification unit 15 sends the entry and the acquired group name to the resource management unit 16.

  Based on the group name, the resource management unit 16 refers to the resource management table 130 and confirms the availability of resources for connection processing in this group (step S125). This process is performed by referring to this group name entry and confirming the current number of connections and the maximum number of connections. Specifically, it is confirmed that the result of increasing the current number of connections by one does not exceed the maximum number of connections. In this embodiment, the availability of resources is confirmed from the number of connections at the time of reference. However, a field indicating the current resource availability status is added to each entry of the resource management table and updated as needed. You may make it refer to a field.

  As a result of checking the resource availability, if the resource management unit 16 confirms that the resource is not available, the resource management unit 16 rejects the connection request (step S126) and ends the process. On the other hand, as a result of checking the resource availability, if the resource availability exists, the resource usage status is changed by incrementing the current number of connections in the resource management table 130 (step S127).

  The resource manager 16 generates a connection request confirmation packet for the last connection request packet from the client computer 2 (S128), and transmits it to the network 3 via the transmitter 17 (S129). As described above, in this embodiment, the connection request confirmation packet is generated for the last connection request packet, but for which connection request packet the connection request confirmation packet is generated, there are various methods. Can be realized.

According to the present embodiment described above, since the connection processing resource is checked for the identified user group and the connection establishment process is executed, the connection requester having a low priority is Connections cannot be established using resources assigned to a user group with a higher priority than yourself. As a result, it is possible to avoid a connection flood caused by an unauthorized client having a low priority and a threat that the service is occupied by a connection requester having a low priority, and the security of the server computer can be further improved.

  By the way, the number of requests secretly shared between the client computer 2 and the server computer 1 can be combined with other various usage forms and other various information to use an authentication method that is more resistant to attacks. .

Below, each authentication method is illustrated and operation | movement with the client computer 2 and the server computer 1 in that case is demonstrated.
(First example)
In the first example, the access port number for transmitting the connection request packet is not set to 80, which is generally used, and the access port M number different from the 80 is previously secreted between the connection requester and the server computer 1. Authentication is performed using the number of requests secretly shared and the access port number M. This port number may be registered in the connection establishment table 100 and the group identification table 120. However, instead of registering in the connection establishment table 100, the port number is input by a connection requester (such as password input). May be. In the group identification table 120, the secret access port number of each connection requester in the same group may be registered for one entry, or an entry may be provided for each connection requester. Also good. Furthermore, the access numbers of connection requesters belonging to the same group may be made common. Then, an access port number is logged for each entry of the connection request packet in each entry of the connection control table 110, and it is authenticated whether there is a group identification 15 that matches the request count and the access port number. If there is, the group identification information corresponding to it may be acquired.

In addition, the above access port number is not set to one, but a combination of a plurality of access port numbers and a predetermined number of connection request packets is shared secretly, and these are used for authentication. A strong authentication method can be provided. There are other points that need to be improved easily, but they are easy to implement, so the explanation is omitted here. In addition to the access port number, each header request packet data is secretly shared and used. Of course, it can be considered. For example, the values of other fields such as the sequence number, confirmation response number, reserved bit, and window size of the TCP header can be used as secrets. In particular, the sequence number is a value that is determined at random when the sender originally constructs the connection request packet / connection request confirmation packet, and is therefore suitable for storing secret data.

  Further, it is not always necessary to use each data of the header of the connection request packet, and some other defined information shared between the server computer 1 and the client computer 2 may be used as a secret. In this case, the data may be described in the data field of the connection request packet (in the SYN packet). Further, this secret information may be changed for each connection request packet, or the same information may be used.

In such a first example, in order to make it appear that an unauthorized user belongs to another user group, not only the number of connection request packets but also the access port number and the header of the connection request packet Therefore, it is more difficult to authenticate illegally and the security of the server computer 1 is further improved.
(Second example)
In the second example, a time interval for transmitting a plurality of connection request packets is secretly determined in advance, and authentication is performed by using the connection request count packet reception time interval together with the number of connection requests. This time interval is registered in the connection establishment table 100 and the group identification table 120, and the connection control table 110 is provided with an additional area for each time a connection request packet is received. The elapsed time from the reception of the packet or the elapsed time from the first connection request packet is added. Then, the group identifying unit 15 may determine whether each of the plurality of additional elapsed times satisfies the time interval. Actually, assuming that there is variation in communication delay, the time interval registered in the group identification table 120 with respect to the transmission time interval may be a moderate amount of time width. is necessary. Note that the time interval may be individual for each connection requester, or may be set commonly for the group, as in the first example.

In this example, in order to perform unauthorized access, it is necessary to estimate not only the number of connection request packets but also the access time interval, so that the security of the server is further improved. (Third example)
In the third example, the type of each of a plurality of connection request packets is specified, and this specification is kept secret, and authentication is performed using the types of connection request packets together with the number of connection request packets.

  In the above embodiment, a TCP SYN packet is assumed as a plurality of transmission packets from the client computer 2 to the server computer 1, but the TCP SYN packet is used to return a connection request confirmation packet. Other connection request packets can use ICMP packets and UDP packets in addition to SYN packets.

  Therefore, in this example, between the client computer 2 and the server computer 1, not only the number of connection request packets to be transmitted but also the packet type is defined for each connection request packet. The specified packet type is registered in the connection establishment table 100 and the group identification table 120, and the entry (UDP / TCP / ICMP) log for each connection request packet received in each entry of the connection control table 110 To take. Then, for example, it is possible to perform stronger authentication by determining whether the numbers for each type match. There are other points that need to be improved easily, but since they can be easily realized, the description is omitted here. As described above, since the connection request confirmation packet generated when the authentication is successful corresponds to the TCP SYN packet, it is necessary to always include one SYN packet. Note that the packet type may be individual for each connection requester or may be commonly set for each group, as in the first and second examples.

  In this example, in order to perform unauthorized access, it is necessary to infer not only the number of connection request packets but also the type of packet, so that the security of the server is further improved.

  The information used for authentication in the present embodiment and the first to third examples described above introduces, for example, a synchronized one-time password technology between the server computer 1 and the client computer 2. In this case, the security of the server computer is further improved.

In addition, this invention is not limited to the said embodiment, In the implementation stage, it can change variously in the range which does not deviate from the summary. Further, the above embodiments include inventions at various stages, and various inventions can be extracted by appropriately combining a plurality of disclosed constituent elements. For example, even if some constituent requirements are deleted from all the constituent requirements shown in the embodiment, the problem described in the column of the problem to be solved by the invention can be solved, and the effect described in the column of the effect of the invention Can be obtained as an invention.

The figure which shows the communication system with which this Embodiment is applied. The figure which shows the IP header in an IP packet. The figure which shows a TCP header. The figure which shows a UDP header. The figure which shows the functional block of the part which concerns on this Embodiment among the client computers. The figure which shows the functional block of the part which concerns on this Embodiment among the server computers. The figure which shows an example of the connection establishment table 100 concerning this form, the connection control table 110, the group identification table 120, and the resource management table 130. The flowchart which shows operation | movement of the client computer 2 of this Embodiment. The flowchart which shows the operation | movement which concerns on reception of the connection request packet of the server computer 1 of this Embodiment. The flowchart which shows the operation | movement which concerns on transmission of the connection request confirmation packet of the server computer 1 of this Embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 ... Server computer 2 ... Client computer 3 ... Network 11, 23 ... Reception part 12 ... Table update part 13 ... Timer 14 ... Monitoring part 15 ... Group identification part 16 ... Resource management unit 17, 22 ... Transmission unit 21 ... Connection request packet generation unit 24 ... Connection request confirmation packet determination unit 100 ... Connection establishment table 110 ... Connection control table 120 ..Group identification table 130 ... resource management table

Claims (8)

A server computer communication connection method for connecting to a client computer via a network,
The server computer associates group identification information for identifying a group consisting of a plurality of users permitted to connect to the server computer with the number of unique connection request packets secretly assigned to the group. , Comprising storage means for storing in advance,
Server computer
Count the number of connection request packets received from the client computer within a predetermined period,
Authenticates whether or not the number of connection request packets that match the count result is stored in the storage means,
If stored, obtain the group identification information corresponding to the number of connection request packets,
It is determined whether or not resource allocation of the server computer is possible for the group indicated by the acquired group identification information,
When it is determined that allocation is possible, a connection request confirmation packet is generated as a response to at least one of the received plurality of connection request packets;
A communication connection method, wherein the generated connection request confirmation packet is transmitted to a network. A part of the content of the connection request packet is secret information shared only between each user of the group and a server computer,
The server computer stores the secret information in association with the group identification information in the storage means, and performs authentication based on the secret information when acquiring the group identification information. The communication connection method according to claim 1. The secret information is at least a part of each data in the header part of the connection request packet, or at least a part of specific data defined between the server computer and the group stored in the data part of the connection request packet. The communication connection method according to claim 2, wherein the communication connection method is provided. At least a part of each time interval of the connection request packet is secret information shared only between each user of the group and a server computer,
The server computer stores the secret information in association with the group identification information in the storage means, and performs authentication based on the secret information when acquiring the group identification information. The communication connection method according to claim 1. The type of the connection request packet and the number of connection request packets of each type are secret information shared only between each user of the group and the server computer,
The server computer stores the secret information in association with the group identification information in the storage means, and performs authentication based on the secret information when acquiring the group identification information. The communication connection method according to claim 1. 6. The communication connection method according to claim 1, wherein the server computer changes the secret information in synchronization with the client computer. A server computer that performs connection processing with a client computer,
A storage which stores in advance a correspondence between group identification information for identifying a group of a plurality of users permitted to connect to the server computer and the number of unique connection request packets secretly assigned to the group Means,
A connection request counting means for counting the number of connection request packets received from the client computer within a predetermined period;
Authenticating whether or not the number of connection request packets matching the count result is stored in the storage means, and when stored, group identification means for acquiring group identification information corresponding to the number of connection request packets; ,
It is determined whether or not resource allocation of the server computer is possible for the group indicated by the acquired group identification information, and when it is determined that allocation is possible, at least one of the received plurality of connection request packets is determined. Resource management means for generating a connection request confirmation packet as a response to,
A server computer comprising transmission means for sending the generated connection request confirmation packet to a network. Storage means for previously storing group identification information for identifying a group consisting of a plurality of users permitted to connect to a server computer and the number of unique connection request packets secretly assigned to the group A program executed on a server computer comprising:
A first code for counting the number of connection request packets received from the client computer within a predetermined period;
A second code for causing the storage means to authenticate whether or not the number of connection request packets that match the count result is stored, and to acquire group identification information corresponding to the number of connection request packets if stored When,
It is determined whether or not the resource allocation of the server computer is possible for the group indicated by the acquired group identification information, and when it is determined that the allocation is possible, at least one of the plurality of connection request packets received A third code for generating a connection request confirmation packet as a response to
And a fourth code for sending the generated connection request confirmation packet to the network, and causing the server computer to execute the program.

Images