JP2014236461A - Interception system, interception server, interception method and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To efficiently intercept an attack.SOLUTION: An interception system, installed at an inflow entrance of a network, includes: an SGW 10 having a mounted interception program to intercept attack communication on the basis of specific trigger information; and an interception server 20 for transmitting only trigger information to intercept the attack communication to an attack target server 200, to the SGW 10 determined to be passing the attack communication by UDP. The SGW 10 to which the trigger information is transmitted executes the interception program to intercept the attack communication to the attack target server 200.

Description

  The present invention relates to a blocking system, a blocking server, a blocking method, and a program, and more particularly to a technique for blocking a DDoS attack.

  Conventionally, several countermeasure methods against a Dos attack or a DDoS attack are known. In the case of a DoS attack, since the attack source is specified, the connection of the server of the attack source is generally rejected. On the other hand, in the case of a DDoS attack, since there are an unspecified number of attack sources, there has been a method of preventing a server from being down by means of efficiently performing a connection refusal at the attack target server (for example, non- Patent Document 1).

Internet <URL: http://www.atmarkit.co.jp/flinux/rensai/iptables207/iptables207a.html>

  However, as in Non-Patent Document 1, if connection refusal is performed on the attack target server, the total number of connections including the correct connection is limited. In other words, there is a problem that even a correctly connected user may not be able to connect.

  In view of the conventional technology described above, an object of the present invention is to provide a blocking system, a blocking server, a blocking method, and a program that can efficiently block an attack.

  In order to achieve the above object, the invention according to the first aspect is a blocking system, which is installed at an inflow port of a network and includes a blocking program for blocking attack communication based on specific trigger information And a blocking server that transmits only trigger information for blocking the attack communication to the attack target server to the SGW determined to communicate the attack communication. Then, the gist is that the SGW to which the trigger information is transmitted blocks the attack communication to the attack target server by executing the blocking program.

  In order to achieve the above object, the invention according to the second aspect is a blocking server that determines a SGW that communicates attack communication by analyzing communication logs collected from a plurality of SGWs. The gist is to include a log analysis unit and a distribution processing unit that transmits only trigger information for blocking attack communication to the attack target server based on the analysis result of the communication log analysis unit.

  The gist of the invention according to the third aspect is that, in the invention according to the second aspect, the communication log analysis unit determines the SGW communicating with the attack communication based on a change in traffic.

  Further, the invention according to a fourth aspect is the invention according to the second or third aspect, wherein the communication log analysis unit defines an SGW that may communicate attack communication as an SGW that communicates attack communication. The gist is to judge.

  Moreover, in order to achieve the said objective, the invention which concerns on a 5th aspect is the interruption | blocking method for interrupting | blocking the attack communication to an attack target server, Comprising: By analyzing the communication log collected from several SGW, A communication log analysis step for determining the SGW that communicates the attack communication, and a delivery that transmits only trigger information for blocking the attack communication to the attack target server based on the analysis result in the communication log analysis step by UDP The gist is that the blocking server executes the processing step.

  In order to achieve the above object, the invention according to the sixth aspect is a program for blocking attack communication to an attack target server, by analyzing communication logs collected from a plurality of SGWs. A communication log analysis step for determining an SGW that is communicating, and a distribution process for transmitting only trigger information for blocking attack communication to an attack target server by UDP based on an analysis result in the communication log analysis step The gist is to cause a computer to execute the steps.

  According to the present invention, it is possible to provide a blocking system, a blocking server, a blocking method, and a program that can efficiently block an attack.

It is a figure for demonstrating the outline | summary of a general interruption | blocking system. It is a figure for demonstrating the outline | summary of the interruption | blocking system in embodiment of this invention. It is a flowchart which shows the operation | movement of the interruption | blocking server and SGW in embodiment of this invention. It is a block diagram of the interruption | blocking server and SGW in embodiment of this invention. It is a figure which shows an example of the scanning pattern of the judgment rule in embodiment of this invention. It is a figure which shows an example of the interruption | blocking process in embodiment of this invention. It is a graph which shows an example of transition of the number of received packets of the interception server in an embodiment of the invention. It is a flowchart which shows operation | movement of the interruption | blocking server during the packet reception shown by FIG.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

(General shut-off system)
FIG. 1 is a diagram for explaining an outline of a general shut-off system. As shown in this figure, a server to be attacked, such as a DoS attack that is a mass connection from an identifiable attack source, and a DDoS attack that is a mass connection from a plurality of client PCs that have been compromised by a malicious program recently. The attack method to 200 is diversified. The client 101 that is the attacking side of the DDoS attack is unintentionally infected with a malicious program, and attacks the server 200 as an attack target according to an instruction from the malicious handler 100. There are various types of infections, such as executing a program prepared by a malicious person, being guided and connected to the server, direct intrusion, and propagation from an infected person. Hereinafter, the trigger of the DDoS attack will be described as a sign of an attack by the malicious handler 100.

  Conventionally, since an attack source can be specified for a DoS attack, it is usual to refuse connection from a specific attack source on the server 200 side. On the other hand, for a DDoS attack, the attack target server 200 may detect a cause of server down such as an increase in the CPU usage rate or an increase in the packet discard rate in the attack target server 200 and reject the connection on the attack target server 200 side. It was customary. Direct load connection to the server 200 is prevented by load balancing by installing a load balancer, installation of a firewall, and installation of a dedicated device, but this is synonymous in terms of preventing at the entrance on the server 200 side. Since a large amount of traffic is concentrated at the entrance on the server 200 side, it is necessary to reject a certain ratio at the entrance on the server 200 side. In such a case, originally necessary user communication is also blocked, and a reduction in service quality is inevitable.

(Blocking system in the present embodiment)
FIG. 2 is a diagram for explaining the outline of the shut-off system in the present embodiment. As shown in this figure, in the blocking system in the present embodiment, the blocking server 20 and the blocking program on the SGW (client) 10 cooperate to block communication to the attack target before entering the network. Select and transmit various communications. In other words, most of the blocking programs and blocking rules are distributed in advance with confirmation of arrival, and a small amount of information such as attack targets is distributed all at once, so that the blocking rules are applied to the entrance of the network in a short time.

  Hereinafter, the configuration of such a shutoff system will be specifically described. In the following description, the blocking server 20 may be simply referred to as “server”, and the SGW 10 may simply be described as “GW”. In some cases, the blocking program and the blocking rule are collectively described as “blocking program”.

  The GW in the present embodiment blocks all connections started from the network side in order to prevent intrusion from the network side (intrusion into the network under SGW and GW in FIG. 2). For this reason, all of the programs that are distributed in advance to the GW and the blocking rules that are distributed in advance start from the GW or operate only by using a predetermined signal as a trigger. For example, even if an unknown TCP syn is transmitted to the GW, the TCP session is not started and discarded without consuming GW resources. When receiving the above-mentioned predetermined signal, the GW executes the connection operation and can continue other operations. The connection destination of the GW after this is a connection destination determined in advance and the operation of the internal program, and is robust because it cannot be specified freely. This initial signal is a UDP trigger, and using this as an opportunity, a connection sequence with httpGET and various delivery confirmations can be started from the GW side. Conventionally, there has been no implementation in which an instruction is included and operated in a UDP trigger used as a trigger for starting a connection sequence from the GW side.

(Operation example, configuration example)
FIG. 3 is a flowchart showing operations of the blocking server 20 and the SGW 10 in the present embodiment. The blocking server 20 and the blocking program on the SGW 10 cooperate to block communication to the attack target before entering the network and selectively transmit necessary communication (S1 to S18 in FIG. 3). In FIG. 3, the dotted line is attached | subjected to the boundary of the step performed by the side of SGW10, and the step performed by the cutoff server 20 side. Of course, the subject of each step can be changed as necessary.

  FIG. 4 is a configuration diagram of the blocking server 20 and the SGW 10 in the present embodiment. A solid line arrow shown in FIG. 4 indicates a normal processing path, a dotted line arrow indicates a communication log collection path, and a one-dot chain line arrow indicates a blocking process instruction path. As shown in FIG. 4, the SGW 10 includes a signal transmission / reception unit 11, a signal extraction unit 12, a blocking processing unit 13, a blocking rule 14, a signal insertion unit 15, an abnormal fixed phrase 16, and a UDP trigger receiving unit 17. And an attack target list 18 and a random number generator 19. On the other hand, the blocking server 20 includes a DB 21, a distribution destination 22, a distribution processing unit 23, a communication log analysis unit 24, and a DB 25. The communication log analysis unit 24 and the DB 25 may be provided not on the blocking server 20 side but on the SGW 10 side. Here, the blocking rule 14, the attack target list 18, the attack target list 18, the distribution destination 22 and the like are described, but it goes without saying that these are electronic data and stored in a storage unit such as a hard disk. Absent.

  Hereinafter, the configuration of the blocking server 20 and the SGW 10 will be described together with the operation thereof with reference to FIGS. 3 and 4. In the following description, the step of FIG. 3 and the subject of the step may be described in one bracket.

  First, when receiving a UDP trigger, the SGW 10 starts executing a blocking program (blocking rule) arranged in advance (S1 → S2 in FIG. 3, the blocking processing unit 13). If it takes a long time to start the process, wait in the state where it was started in advance. The latest IP address of the attack target is described in the UDP trigger (S18 in FIG. 3, communication log analysis unit 24 → distribution processing unit 23). The UDP trigger packet is repeatedly or divided so that it can be distributed at high speed. In the trigger, a plurality of IP addresses including a domain can be described. The maximum is possible up to the UDP packet length excluding the header, but the server side and the SGW 10 side make the trigger as light as possible and shorten the time required for execution. When a domain is an attack target, notification including the domain is effective because the DNS connection that increases during the attack as a whole network can be blocked and reduced by the SGW 10 before entering the network. Avoid the IP address of the attack target and the domain of the attack target. Of course, prefix notation is allowed as the IP address notation.

  In general, the presence or absence of a UDP response depends on the application implementation. In other words, UDP may not be transmitted on the protocol. In other words, since there is an advantage that a sequence management resource is unnecessary, UDP is adopted. Compared with TCP, UDP can be executed lightly and quickly because it does not require sequence management. When the OSGi function is used, the subsequent sequence is not expected. As a result, a UDP packet with a full transmission bandwidth can be transmitted using all the CPU resources on the server side. Theoretically, when a v6 address to be attacked is notified by a 100-byte trigger packet using a 1 Gbps line, 1.2 billion UDP packets can be transmitted per second. Since the receiving SGW 10 side receives one and does not need a response, a small performance is sufficient. The transmission side does not require time because the transmission contents are the same, but it takes time to selectively read out the transmission destination (SGW 10). For example, if the server side process takes 10 ms, 100 transmission targets are selectively read per second (S17 in FIG. 3). Therefore, as described above, the SGW 10 of the transmission destination is extracted in advance using a dedicated transmission network interface to create a packet, and only the attack target IP address is described in the UDP trigger. Good.

  Here, as described above, since non-delivery is not considered, a device that does not decrease the initial speed for transmission by selecting a transmission destination SGW 10 that has been selected in advance is implemented. If you have a dedicated interface, create a packet.

  For the UDP trigger standby port number used in the SGW 10, old numbers other than well-known ports are randomly used. This is to prevent this function from becoming an attack target. The SGW 10 generates a port number based on the time, the prefix, and the random number (random number generator 19 → signal transmission / reception unit 11). A port number can also be generated on the server side. On the server side, in order to notify triggers to many different port numbers in a short period of time, consideration is given to a light generation logic. The listening port numbers of UDP triggers of different SGWs 10 are not overlapped in the same time zone. The change time is shorter than the time taken for the port scan per SGW 10.

  It is desirable that the IP address and port number of the UDP trigger transmission source also change at random on the server side. This is because the load is distributed to transmit at the fastest speed, and conversely, it does not become a weak point of the network as an attack target. As described above, it is desirable to use up resources such as a network bandwidth and a CPU usage rate when a large number of UDP triggers are transmitted in a short time. For this reason, an interface, a server, and a dedicated device dedicated to UDP trigger transmission are used.

  The program distribution and attack target distribution mechanism in the present embodiment is described using bundle distribution by OSGi, but the present invention is not limited to this. That is, it is possible to divert OSGi as it is in the mounted SGW 10, and it is possible to install the corresponding program from the time of factory shipment and distribute the latest additional data for search by another means such as FTP. .

  Upon receiving the UDP trigger (signal transmission / reception unit 11 → UDP trigger reception unit 17), the SGW 10 extracts the attack target address from the UDP trigger packet (signal extraction unit 12 → blocking processing unit 13), and thereafter to that address. Block communication. However, when the correct sequence continues, for example, SYN → SYNACK → ACK, the communication can be permitted (S8 in FIG. 3). Attacks that are not sequence patterns such as html may be blocked without confirming authentication. If a new SYN packet is to be issued, it is reserved. If the UDP trigger indicates that a countermeasure against SYN flood to the attack target is described, only the countermeasure of this example is necessary, and if it is ping, only the countermeasure for ping is sufficient. In FIG. 6C and FIG. 6D, notification is made with id in order to further shorten the instruction content. A short instruction can be written in the UDP trigger.

  The user displays the html file of the connection confirmation as the abnormal fixed sentence 16 by the program on the SGW 10 (S10 in FIG. 3, abnormal fixed sentence 16 → blocking processing unit 13 → signal inserting unit 15 → signal transmitting / receiving unit 11). The html file of the reason of the connection destination may be displayed as the abnormal fixed phrase 16. These fixed phrases can be distributed to the SGW 10 in advance together with the blocking program in the present embodiment. When the user presses the connection confirmation button, the connection is permitted (S11 in FIG. 3), and the original connection destination is connected. In this way, when the user is trying to make a connection intended from the browser instead of a connection by a malicious program, only the necessary user can be permitted. This is possible because the SGW 10 is the inflow of the network. An image of the PIN number may be generated using the random number described above, and the user may input the PIN number. This is to prevent an automatic press from a malicious advanced program.

  Since this embodiment is an extremely short time attack and a short time countermeasure, the connection flowing from the SGW 10 to the network may be delayed using the random number described above. For example, the transmission packet to the attack target is delayed by | 1000 ms−random number | ms. In the entire network, the transmission timing varies depending on random numbers, so that a sufficient effect can be expected. Delaying several hundred ms with respect to the TCP connection is an effective means that can be taken as long as no timeout occurs.

  The UDP trigger can also be used to cancel the emergency system to which the blocking rule is applied in the SGW 10 (S13 in FIG. 3). In this case, since there should be no cancellation leakage, expect a sequence that continues from the SGW 10 to the blocking server 20, and confirm that the cancellation is surely performed. In the present embodiment, both the UDP trigger only and the sequence starting from the UDP trigger can be implemented by the same program on the SGW 10. That is, the minimum program implementation is performed in the SGW 10 with limited resources.

  The SGW 10 also has a security problem, and is not configured to operate upon receiving any signal, but is configured to start communication from the SGW 10 upon receiving a UDP trigger or the like. Conversely, if it is a UDP trigger, it can accept and operate.

  A plurality of blocking rules are held in the GW as pre-distribution rules and can be updated from the server. In the traffic flowing into the network from the GW, which protocol is used to discard which part of the packet is discarded. If an instruction to apply only this blocking rule is given, blocking can be performed regardless of the IP address of the transmission source and the IP address of the transmission destination. When the target IP address is instructed, a packet including the IP address is blocked. One of the pre-distribution rules shown in FIG. 6C, which has an id of xyz, is a rule that blocks TCPSYN. Among several trigger examples held by the server (FIG. 6 (e)), if the first trigger is given, the packet with TCP SYN and destination IP address 222: 222: 222: 222 is blocked. become. When the second update is received, the blocking rule is changed to a rule that blocks packets whose destination IP address is yyy: yyy: yyy: yyy or whose destination IP prefix is yyy: yyy: xxx: xxx / 24. To do. The third fin means an instruction to end the xyz blocking rule. In the example, the target IP address and prefix are different depending on the update, but the present embodiment is not limited to this. For example, with this update, first set a relatively low-accuracy blocking rule to execute the analysis in a short time, and then perform the analysis, and then update the blocking rule to narrow the blocking width with higher accuracy You can also It is a very effective means because it can be assumed that it takes time and is too late to analyze by applying a highly accurate blocking rule from the beginning.

  The blocking rule is closely related to a determination rule as to whether or not it is an attack on the server side, which will be described later, and whether or not it can be an attack source. The determination rule makes the destination IP address and port number clear. At that time, if all of the communication histories that have been used as a judgment material are TCPSYN as described above, it is necessary to distribute in advance a blocking rule of STOP (blocking) TCPSYN. If it is a short rule, it is transmitted together with a UDP trigger. On the contrary, if the rule is long, first, all packets to the destination IP address instructed by the UDP trigger are blocked, and then the range to be blocked is relaxed based on the updated blocking rule.

  By using OSGi, the blocking rule on the SGW 10 can be updated without stopping the service. It is generally said that it is difficult to update a program with a dedicated device, and in particular, it is difficult to distribute a large amount. In an environment equipped with OSGi, this is realized without service interruption. In addition, the necessity / necessity of some programs distributed to the SGW 10 and the interrelationships can be surely ensured, including the fact that the blocking rule has been reliably updated by the OSGi sequence. Currentization can be easily realized, such as deleting obsolete rules.

  Execution of the blocking process by the SGW 10 can be realized regardless of activation of a terminal, OS, or application in the home. Since it is realized by GW, there is no need to worry about the application of anti-virus software even for white goods connected to networks that have become popular in recent years.

  Since the blocking process is executed by the SGW 10, a common logic independent of the OS, application, or terminal can be applied. On the other hand, anti-virus software depends on the OS and terminal, and since it is the same as the application to be restricted, the application can be restricted from the anti-virus, and at the same time, the anti-virus software may not function due to restrictions from the suspect application. is there. When the blocking process is executed by the SGW 10, such a problem can be avoided.

  Since the SGW 10 serves as an entrance to the network as seen from the home network and home equipment, the blocking process can be executed at many entrances of the network. The dedicated device is generally complicated, highly functional, and expensive because it corresponds to a wide range, and it is not realistic to arrange it for each client. When the dedicated device is arranged on the network, it is necessary to consider the place to arrange it, but it is difficult to arrange it at an appropriate position on the distributed network. The Internet service provider (ISP) can also prevent it at the entrance of the ISP network independently, but it is different from the idea of preventing it in front of the server group, and whether the target to increase the load is a dedicated device, load balancer, or firewall? It becomes such a difference. Also, it is not efficient to collect the traffic once flowing into the network. This is because normal traffic and illegal traffic are mixed on the network, and the load on the network and the network device is increased. That is, it is efficient to limit at the network inflow source as in this embodiment.

  Since the DDoS attack is an attack from a plurality of clients, it is difficult to distinguish from a normal use when observing a client on the attacking side (such as a PC operated by a malicious handler 100). As in the present embodiment, when collecting and analyzing communication history information of a plurality of clients, it is easy to identify an attack. There are various methods for collecting such communication history information, and there is no particular limitation. For example, the SGW 10 may transmit the communication history information to the blocking server 20 each time communication is performed. Since the SGW 10 has a processing capability at the entrance to the network, only necessary information elements are selected from the communication under the GW and transmitted to the blocking server 20. Further, the SGW 10 may reduce the transmission frequency by aggregating the same continuous data and the like, and reduce the transmission amount for the transmission header. Furthermore, the communication history information may be transmitted to the blocking server 20 at a time when a specific time comes in order to distribute the load on the network and the blocking server 20 side.

  In order to investigate server vulnerabilities and client vulnerabilities as a predictor of DDoS attacks, communications differ only by ID or port number from the malicious handler 100 or from the infected client to the same connection destination. Will occur. Also, the client that is the source of the attack has been guided and connected to the same server in the past. For this reason, by collecting the communication history of a plurality of GWs for a long time, it is possible to find a sign of an attack that cannot be found from a single communication history.

  An example in which an SGW 10 that can be an attack target whose countermeasure speed is important is specified with reference to FIG. As shown to Fig.6 (a), the communication log | history from each SGW10 is rearranged and the difference extraction is performed. In this example, the header and payload of the packet are expanded. Furthermore, rearrangement including communication histories from a plurality of SGWs 10 and differential extraction are performed. The difference extraction may be a difference extraction of past histories for a preset time and the most recent number. In the example of FIG. 6B, the communication history is described in rows for convenience, but the communication history received in this unit time among the communication history developed on the memory is scanned in a sliding window manner. This will be described later with reference to FIG.

  FIG. 5 shows an example of the scanning pattern of the judgment rule. Here, scanning patterns P1, P2, P3,... Of the short interval execution rule and scanning patterns P1, P2, P3,. The short interval execution rule is a rule when scanning a communication history for a relatively short period, and the long interval execution rule is a rule when scanning a communication history for a relatively long period. Details will be described later with reference to FIG.

  As shown in FIG. 5, when the same destination IP addresses are extracted, those that are the same as the preset number or more (in the figure, 222: 222: 222: 222) are extracted (FIG. 5). P1). Thereby, when the distribution of SGWID (each of three types) and the distribution of transmission destination port numbers (each of three types) match, connections with different transmission destination port numbers are performed for each SGWID. Can be detected. Since the number of receptions per unit time and the scanning time need to be verified individually for each server, details of the rate of matching will not be described, but a rate relative to the number of receptions may be specified. As shown in FIG. 6B, it can be detected that the TCP syn for the address 222: 222: 222: 222 is transmitted by changing only the port number. Further, as shown in FIG. 6D, since the source address is performed with a 111: 111: 111: 000 prefix, it is possible to determine the subsequent address and prefix as a target that can be an attack source. Yes (P3 in FIG. 5). Since the attack content is a general syn attack, the rule id sent in advance is specified as shown in FIG. 6C, and the rest is the target syn as shown in FIG. 6E. It is only necessary to transmit address information indicating whether it is a packet.

  FIG. 7 is a graph showing an example of the transition of the number of received packets of the blocking server 20, and FIG. 8 is a flowchart showing the operation of the blocking server 20 during packet reception shown in FIG. In this embodiment, communication information of a plurality of clients passing through a GW is collected as a communication history for a plurality of GWs, and a difference evaluation for a predetermined time is repeatedly performed (S21 to S24 in FIG. 8). As illustrated in FIG. 7, a plurality of pattern scans are performed on the communication history of the section A based on a plurality of determination rules and determination thresholds held in advance. That is, a plurality of patterns P1, P2, P3,... Shown in FIG. 5 are appropriately combined, and a sign of an attack is determined based on a combination of the execution results.

  In FIG. 6, the communication history is described in rows. However, the communication history developed on the memory is rearranged for each pattern, and the type and amount count, the match with various distribution functions, and the like are investigated. Regarding the coincidence with the distribution function, the ratio is specified and held separately (for example, when the ratio of the maximum away from the average is σ).

  Since a new connection is generated from the SGW 10 during the passage of the scanning time of the section A, the communication history of the section B is scanned. Thereafter, the slide window type is repeated. In the sliding window method, the connection for the next unit time is received while scanning for the unit time, so after executing a plurality of predefined scanning patterns, the next unit time is received. Is to start scanning.

  Separately, the handler operation trace and the client connection trace, which are signs of the above-described attack, are extracted. For example, as a long-term analysis subject to a short-term decision rule in which difference extraction of intervals (several days to several weeks) set in advance in the long-term processing of section C is applied in section A, It is extracted whether there is any change in only the number or only the destination IP address. In addition, long-term changes in traffic trends are also analyzed.

  Scanning for the next unit time (section B) is performed on the new communication history added while scanning for a certain unit time (section A). For this new communication history, it is preferentially determined whether it matches the determination rule determined as the attack source in section A (S22 in FIG. 8). In the example of FIG. 6, it is preferentially determined whether the destination IP address is the same and the SGWID and the port number are different. In this way, the decision on new connection is accelerated.

  Judgment rules and judgment thresholds are stored in advance. Here, an example of the determination rule is shown. For example, when the IP addresses are arranged in the order of high frequency IP addresses, if the destination IP addresses are the same and all the destination port numbers are 80, it may be determined that the scanning is not aimed at the port numbers. it can. On the other hand, as shown in FIG. 6, when regularity is seen in the destination port number with a high-frequency destination IP address, a port using a plurality of SGWs 10 for the destination IP address is used. It can be seen that the number is scanned. In this case, an instruction to perform restriction is issued to the SGW 10 attempting this connection. The instruction content is the transmission destination IP address of the attack target. In this way, rearrangement and difference extraction are performed, regularity such as order and randomness is evaluated, ranking is performed, and it is determined whether or not it is an attack source.

  By collecting connection information from a plurality of SGWs 10 as in the present embodiment, it is possible to capture a change in traffic as a sign of an attack. Connection information is continuously collected from a plurality of SGWs 10 and rearranged according to connection frequency. When grouping is performed with a high connection frequency, the connection tendency of the group does not change at a stretch, and thus a change in the tendency of the group can be regarded as a change in traffic. The same is true in terms of traffic volume. In other words, when grouping with large, medium, and small traffic due to a difference in traffic volume for a certain period of time, the traffic volume of this group does not change as a whole, so it is possible to capture the change in trends in the group as a change in traffic. Is possible.

  It becomes more prominent if it is classified from the viewpoint of preference of connection information. Correlations can be classified by the similarity of connection destinations from the SGW 10. For example, the SGW 10 is classified into a certain level (IP address), a high level SGW 10 connected to a certain domain (IP address), a medium level SGW 10, and a low level SGW 10. In this case, when the SGW 10 that is an attacker matches the frequent SGW group, the SGW 10 belonging to this group is very likely to be an attacker. Therefore, these SGW10 can be narrowed down as SGW10 which implements the countermeasure of this Embodiment preferentially. That is, the blocking server 20 determines the SGW 10 that communicates the attack communication, but the “SGW 10 that communicates the attack communication” here includes “SGW 10 that may communicate the attack communication”. . Since the SGW 10 distributes a necessary and sufficient program according to the contract information, the SGW 10 manages the program (particularly a program distributed by OSGi) in association with the contract information. As a result, it is possible to associate with more detailed areas and contractor information.

  The system targeted by this embodiment accommodates the SGW 10. The SGW 10 is connected to the edge router of the network, and a specific IP prefix is issued. Moreover, in the server which accommodates SGW10, SGW10 is stored in the database which can be conscious of an area based on line | wire information or accommodation information. When the malicious handler 100 is operated based on the IP address (for example, when the IP address is brute force within the range of the IP prefix), the IP prefix issued from the network to the SGW 10 The case where it becomes object is assumed. Therefore, it becomes a judgment index in the case of taking countermeasures as a target of the attack source of the hijacked client.

  As described above, according to the present embodiment, it is possible to instruct a large number of clients in a short period of time to instruct communication to the attack target, in particular, to block the start of communication. Also for the DDoS attack, since the inflow of traffic is prevented at the inflow port of the network, not only the attack target but also the load on the network can be reduced. Further, there is an effect that a necessary connection can be selected and permitted.

  The characteristics of the shutoff system in the present embodiment are summarized as follows. That is, a plurality of GWs are arranged at a plurality of entrances to the network. The GW blocks all connections started from the network side and can operate only with specific UDP packets. For such a GW, a blocking rule is periodically distributed (subscribed) by a connection sequence starting from the GW side using a UDP packet as a trigger. Then, with the detection of the difference between the communication histories of the plurality of GWs on the server side, the blocking rule is applied to the plurality of GWs located at the inflow of the network by a very short instruction including the address included in the UDP trigger. . Since the amount of transmission in a short period is small, the load on the server side can be reduced, and a large amount of instantaneous measures can be applied in a short period. Further, selection and combination of distribution destinations and preparation for packet distribution can be performed, and the operation from the start of distribution can be speeded up. At the time of interruption, the continuation sequence is relieved according to the rule. It is fast enough to determine this before the sequence timeout. A more appropriate blocking rule can be applied to an authenticable sequence by interposing an authentication operation. Furthermore, because the same mechanism as the distribution mechanism is used to instruct the termination of the blocking rule, the termination instruction can be reliably issued and the blocked service can be resumed. In addition, since communication histories of a plurality of GWs are collected, and differences in communication histories to the same destination are extracted and rearranged, it is possible to determine a large number of connections from a plurality of GWs. For example, a plurality of GWs having a communication history that is highly similar to the communication history of the GW that has already become a mass connection source are extracted, and the blocking rule is applied at high speed. As a result, a blocking rule can be applied before joining a large number of connection source GWs to prevent a large amount of traffic from flowing into the network.

  As described above, the blocking system according to the present embodiment is installed at the entrance of a network (for example, the boundary between a network in a home or office and a wide area network) and performs attack communication based on specific trigger information. Trigger information for blocking attack communication to the attack target server 200 for the SGW 10 (for example, home gateway) on which the blocking program for blocking is installed and the SGW 10 that is determined to be communicating with the attack communication And a shut-off server 20 that transmits only by UDP. Then, the SGW 10 to which the trigger information is transmitted executes the blocking program, thereby blocking attack communication to the attack target server 200. As a result, since the amount of information is small and UDP is used, it is possible to efficiently issue a block instruction to a large number of SGWs 10 in a short time when an attack is detected, and it is possible to shorten the response time. Further, the attack can be blocked by the SGW 10 that is the gateway that flows into the network from the attack side, and the influence on the normal communication can be minimized in the network and the attack target server 200.

  In addition, the blocking server 20 in the present embodiment analyzes the communication logs collected from the plurality of SGWs 10, thereby determining the SGW that communicates the attack communication, and the communication log analysis unit 24. Based on the analysis result, a distribution processing unit 23 that transmits only trigger information for blocking attack communication to the attack target server 200 by UDP is provided. Specifically, the communication log analysis unit 24 determines the SGW 10 that communicates the attack communication based on the change in traffic. Further, the communication log analysis unit 24 determines that the SGW 10 that is likely to communicate attack communication as the SGW 10 that communicates attack communication. As a result, it is possible to efficiently and accurately determine whether the SGW 10 is communicating attack communication.

  The present invention can be realized not only as a shutoff system or a shutoff server 20, but also as a shutoff method using a characteristic processing unit included in such a shutoff system or shutoff server 20 as a step. It can also be realized as a program for causing a computer to execute steps. Needless to say, such a program can be distributed via a recording medium such as a CD-ROM or a transmission medium such as the Internet.

10 ... SGW
DESCRIPTION OF SYMBOLS 11 ... Signal transmission / reception part 12 ... Signal extraction part 13 ... Blocking process part 14 ... Blocking rule 15 ... Signal insertion part 16 ... Abnormal fixed phrase 17 ... UDP trigger receiving part 18 ... Attack target list 19 ... Random number generation part 20 ... Blocking server 21 ... DB
22 ... Distribution destination 23 ... Distribution processing unit 24 ... Communication log analysis unit 25 ... DB

Claims (6)

An SGW that is installed at the inflow of the network and is equipped with a blocking program for blocking attack communication based on specific trigger information;
A blocking server that transmits only trigger information for blocking attack communication to the attack target server to the SGW that is determined to communicate attack communication;
The blocking system characterized in that the SGW that has received the trigger information blocks the attack communication to the attack target server by executing the blocking program. Analyzing a communication log collected from a plurality of SGWs to determine an SGW communicating with the attack communication;
A blocking server, comprising: a distribution processing unit that transmits only trigger information for blocking attack communication to an attack target server based on an analysis result of the communication log analysis unit by UDP.   The blocking server according to claim 2, wherein the communication log analysis unit determines an SGW that communicates attack communication based on a change in traffic.   The blocking server according to claim 2, wherein the communication log analysis unit determines an SGW that may communicate attack communication as an SGW that communicates attack communication. A blocking method for blocking attack communication to an attack target server,
A communication log analysis step of determining an SGW communicating with attack communication by analyzing communication logs collected from a plurality of SGWs;
A blocking method, wherein the blocking server executes, based on the analysis result in the communication log analyzing step, a distribution processing step of transmitting only trigger information for blocking attack communication to the attack target server by UDP. A program for blocking attack communication to the attack target server,
A communication log analysis step of determining an SGW communicating with attack communication by analyzing communication logs collected from a plurality of SGWs;
A program for causing a computer to execute a distribution processing step of transmitting only trigger information for blocking attack communication to an attack target server by UDP based on an analysis result in the communication log analysis step.

Images