JP2017147516A - DDoS AGGRESSION INFORMATION SHARING DEVICE, OPERATION METHOD AND PROGRAM - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a technique for implementing cooperation of sharing of aggression information and dealing with high scalability, when dealing with DDoS aggression by the whole Internet while cooperating.SOLUTION: A DDoS aggression information sharing device provided in a system has a storage unit for storing the cooperation destination information related to a cooperation system capable of dealing with DDoS aggression, a processing unit for determining whether attack communication, flowing to a target address, is flowing in from an upstream network, upon receiving a support request including the target address of the DDoS aggression from other system, and a communication unit for transmitting a support request including the target address of the DDoS aggression to the cooperation system, when a determination is made that the attack communication is flowing in from an upstream network.SELECTED DRAWING: Figure 3

Description

  The present invention relates to a network technology that realizes sharing of DDoS (Distributed Denial of Service attack) attack information and coping countermeasures between a plurality of organizations.

  A mechanism for signaling telemetry information, threat information, and countermeasure requests related to DDoS attacks in real time has been studied in IETF DOTS (DDoS Open Threat Signaling) shown in Non-Patent Document 1. By using this mechanism, for example, a DDoS attack is performed against an organization (ISP: Internet Service Provider, etc.) that manages a network located upstream from an organization that is damaged by a DDoS attack that consumes network bandwidth. By requesting countermeasures against the DDoS attack against the victim organization in the organization that received the request, the DDoS attack can be efficiently dealt with near the attack source (before consuming the victim's network bandwidth). (Non-Patent Document 2).

  On the other hand, in recent years, there have been cases where wide-area networks such as ISPs have been damaged by large-scale DDoS attacks in the hundreds of G classes. In order to efficiently deal with a large-scale DDoS attack, it is desirable to be able to deal with the DDoS attack in an organization (such as ISP) as close as possible to the attack source in cooperation with the entire Internet.

IETF, "DDoS Open Threat Signaling," https://datatracker.ietf.org/doc/charter-ietf-dots/, 2015.6 IETF, "Use cases for DDoS Open Threat Signaling," https://datatracker.ietf.org/doc/draft-ietf-dots-use-cases/, 2015.10 Toyo Technica, "Introduction to Arbor Peakflow SP," http://www.kyoei-ele.com/products/index.php/prod/info/280/file/4.pdf Mizuguchi Takanori et al., “Traffic analysis system SAMURAI and service development,” NTT Technical Journal, 2008.7, http://www.ntt.co.jp/journal/0807/files/jn200807016.pdf

  In the DOTS architecture described above, it is assumed that a countermeasure request is issued from the victim client to the server of the organization that wants to implement the countermeasure in the client-server model. However, in the case of a DDoS attack, there are many attack sources, and there is a possibility that the source is spoofed. For this reason, when application to the entire Internet is assumed, it is difficult to request countermeasures by designating an organization that can efficiently deal with (closest to the attack source) from the victim side. For this reason, it is necessary for the victim side to request countermeasures from all the organizations that own the DOTS system, which raises scalability issues.

  In addition, when cooperating with a plurality of organizations, adjustment of parameters and the like such as how much attack amount each organization should deal with has a scalability problem and cannot be performed efficiently.

  In view of the above-described problems, an object of the present invention is to provide a technique for realizing high scalability for sharing attack information and cooperating in dealing with a DDoS attack in cooperation with the entire Internet.

  In order to solve the above-described problem, an aspect of the present invention is a DDoS attack information sharing device provided in a system, the storage unit storing cooperation destination information regarding a cooperation system capable of dealing with a DDoS attack, and the DDoS attack When a support request including the target address of the target address is received from another system, a processing unit that determines whether the attack communication flowing into the target address flows from the upstream network, and the attack communication flows from the upstream network. And a communication unit that transmits a support request including a target address of the DDoS attack to the cooperation system in the cooperation destination information.

  Another aspect of the present invention is an operation method of a DDoS attack information sharing apparatus, wherein a support request including a target address of a DDoS attack is received from another system, and attack communication flowing into the target address is upstream. Determining whether the attack communication is flowing from the upstream network, and transmitting a support request including the target address of the DDoS attack to the cooperation system in the cooperation destination information. And an operation method including steps.

  According to the present invention, it is possible to realize a high degree of scalability for sharing attack information and cooperating when dealing with a DDoS attack in cooperation with the entire Internet.

FIG. 1 is a block diagram of a network according to an embodiment of the present invention. FIG. 2 shows a block diagram of an AS having a DDoS attack information sharing apparatus according to an embodiment of the present invention. FIG. 3 is a diagram illustrating a configuration of a DDoS attack information sharing apparatus according to an embodiment of the present invention. FIG. 4 is a diagram illustrating an example of the attack information table. FIG. 5 is a diagram illustrating an example of a traffic information table. FIG. 6 is a diagram illustrating an example of the cooperation destination AS information table. FIG. 7 is a diagram illustrating an example of the mitigation device information table. FIG. 8A is a sequence diagram illustrating an operation procedure between DDoS attack information sharing apparatuses according to an embodiment of the present invention. FIG. 8B is a sequence diagram showing an operation procedure between DDoS attack information sharing apparatuses according to an embodiment of the present invention. FIG. 9 is a sequence diagram showing an operation procedure between DDoS attack information sharing apparatuses according to an embodiment of the present invention. FIG. 10 is a sequence diagram showing a cooperation handling procedure using the mitigation device according to the embodiment of the present invention. FIG. 11A is a sequence diagram showing a cooperation handling procedure using the mitigation device according to the embodiment of the present invention. FIG. 11B is a sequence diagram showing a cooperation handling procedure using the mitigation device according to the embodiment of the present invention.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  In the following embodiments, a technique for realizing sharing of DDoS attack information (such as a target IP address) and cooperating countermeasures over the entire Internet with high scalability using a distributed processing architecture is disclosed. Specifically, in an organization that owns and manages the network that constitutes the Internet, that is, an autonomous system (hereinafter referred to as AS: Autonomous System), there are an arbitrary number of ASs that have a DDoS attack information sharing function like a DOTS system. In some cases, the DDoS attack information sharing function of an AS exchanges DDoS attack information and countermeasure requests only with the DDoS attack information sharing function of an AS (s) that are located in a network-like location. Similarly, the AS that has received the DDoS attack information, countermeasure request, etc., communicates with the DDoS attack information sharing function of the AS (s) that is different from the information transmission source AS that exists in a network-like location. In this way, by sequentially propagating the received DDoS attack information and countermeasure requests, information is gradually transmitted toward the AS closer to the attack source.

  By this mechanism, ASs that each AS communicates directly are limited to several neighboring ASes, and by distributed processing, by determining an appropriate information transmission destination (close to the attack source) and transmitting information, When applied to the entire Internet, it is possible to share and deal with DDoS attack information with high scalability.

  Also, parameters such as the attack volume handled by each AS can be adjusted in a distributed manner as needed from neighboring ASes to the AS direction closer to the attack source in the direction of the attack. Coordinated measures (setting of response parameters) can be realized.

  First, a network according to an embodiment of the present invention will be described with reference to FIG. FIG. 1 shows a block diagram of a network according to an embodiment of the present invention. In the present embodiment, some of the plurality of organization networks (AS) constituting the network (Internet) have a system (DDoS attack information sharing apparatus) according to the present invention. As an example, assume that a server in AS1 (ISP network, etc.) is the target (target server) of a DDoS attack from an attacker's terminal in another AS. Explains how to share DDoS attack information and information necessary for parameter adjustment when cooperating, and how to request countermeasures to other ASs for coping and coordinating coping parameters with other ASs To do.

  As shown in FIG. 1, the network 10 has an arbitrary number of ASs (AS1 to AS8, etc.), and the network topology of the network 10 is configured by interconnecting these ASs. These ASs include DDoS mitigation device 50 (hereinafter referred to as “mitigation device 50”) and AS (AS1, AS2, AS3, AS5, AS8) having DDoS attack information sharing device 100, and mitigation device 50 and DDoS attack. It is roughly classified into AS (AS4, AS6, AS7) that does not have the information sharing apparatus 100.

  As will be described later, the DDoS attack information sharing apparatus 100 exchanges DDoS attack information and the like between each AS, adjusts parameters for dealing with the DDoS attack based on the exchanged information, Requesting DDoS attacks. Here, each AS holds in advance cooperation destination AS information indicating which AS should communicate with the DDoS attack information sharing apparatus 100 when communication flows in from any adjacent AS direction. Note that it is possible to set a plurality of ASs as linked ASs for any adjacent AS direction. Here, for example, when dealing with an attack addressed to a target server shared by AS1, AS2, and AS3, a parameter for dealing with a DDoS attack is a mitigation device 50 for each traffic addressed to the target in each AS. The amount that indicates whether to reduce the communication addressed to the target in each AS (filtering threshold) or the like. These coping parameters are adjusted by calculating based on information such as the target communication volume flowing through each AS and the capacity of the mitigation device 50 held by each AS. Here, a more detailed description including a flow of information acquisition and a calculation formula when adjusting the communication traffic to be dealt with by taking into the mitigation apparatus 50 will be described in more detail below. Note that each AS has the DDoS attack information sharing apparatus 100 and a method for determining a close AS that is close to the network is arbitrary. For example, it is assumed that an appropriate AS is selected based on the Internet topology. For example, in FIG. 1, when AS1 is attacked from the direction of AS2, if AS2 has DDoS attack information sharing apparatus 100, only AS2 is selected as the cooperation destination AS, and AS2 is DDoS attack information sharing apparatus 100. If AS is not owned, an AS that owns the DDoS attack information sharing device is searched for among ASs adjacent to AS2 and selected as a cooperation destination AS.

  When AS1 is attacked, AS1 communicates directly only with the DDoS attack information sharing device 100 of the partner AS (assumed AS2 and AS5) corresponding to the neighboring AS into which the communication addressed to the target flows. Exchange DDoS attack information and countermeasure requests. Further, the cooperation destination AS (for example, AS2) deals with the communication addressed to the target based on the information received from the DDoS attack information sharing apparatus 100 of AS1. Furthermore, the partner AS is the next AS (the upstream AS that is sending the communication addressed to the target to its own AS and is set as the partner AS. In the case of AS2, AS3, AS5, and AS8. ) To send DDoS attack information and countermeasure requests. By repeating this in the upstream AS direction, DDoS attack information etc. is propagated to the AS near the attack source.

  The mitigation device 50 performs countermeasures for target addressed communication based on the received DDoS attack information and the like. Specific countermeasures for DDoS attacks include, for example, filtering of attack traffic using ACL (Access Control List) by a transfer device such as a router, bandwidth limitation (rate limit, etc.) for target communication of the attack, non-patent Use of the DDoS mitigation device described in Document 3 is assumed. In the operation procedure in the present embodiment, which will be described later, an operation procedure that does not depend on the handling method will be described with reference to FIGS. 8 and 9, and then, cooperation will be dealt with using the mitigation device 50 with reference to FIGS. 10 and 11. A specific operation procedure in this case will be described.

  Next, an AS having the DDoS attack sharing apparatus 100 according to an embodiment of the present invention will be described with reference to FIG. FIG. 2 shows a block diagram of an AS having a DDoS attack information sharing apparatus according to an embodiment of the present invention.

  As shown in FIG. 2, the AS includes a mitigation device 50, a DDoS attack information sharing device 100, a DDoS attack detection device 200, a network control device 300, and a packet transfer device 400.

  The DDoS attack detection device 200 is identified by analyzing flow information (such as IP address, port number, protocol number, TCP flag information and traffic for each flow) periodically collected from a packet transfer device 400 such as a router. Detect DDoS attacks on the destination. The DDoS attack detection apparatus 200 may be realized by, for example, SAMURAI described in Non-Patent Document 4. Further, the DDoS attack detection device 200 has a target IP address, traffic information of the packet transfer device 400, the maximum resource amount of the mitigation device 50, an available resource amount, etc. when a DDoS attack occurs or at an arbitrary timing To the DDoS attack information sharing apparatus 100.

  As described above, the mitigation device 50 is a device specialized in dealing with a DDoS attack, such as the DDoS mitigation device described in Non-Patent Document 3, and includes attack communication and normal communication among communication to a certain destination. Thus, it is possible to take measures such as blocking attack communications only. In the present embodiment, the case where the AS has the mitigation device 50 is described as an example of a means for dealing with the DDoS attack.

  The network control device 300 controls the packet transfer device 400 such as a router. The network control device 300 may be, for example, an SDN (Software-Defined Networking) controller. In addition, the network control device 300 communicates with the DDoS attack information sharing device 100 and transfers packets based on information (target IP address, countermeasure method, countermeasure parameters, etc.) notified from the DDoS attack information sharing device 100. By controlling the device 400, the mitigation device 50 performs control such as bypassing communication addressed to the target and setting filtering for each packet transfer device 400. The case where the mitigation device 50 is used will be described in detail. The network control device 300 uses BGP (Border Gateway Protocol) or OpenFlow or the like, and routing information related to the transfer of the packet addressed to the target held by each packet transfer device 400 Is temporarily rewritten (the transfer destination is changed to the IP address of the mitigation device 50), so that only the packet addressed to the target can be detoured to the mitigation device 50 to be inspected and dealt with.

  The DDoS attack information sharing apparatus 100 communicates with the network control apparatus 300 to notify DDoS attack information including the target IP address, a DDoS attack countermeasure method (for example, countermeasures performed by the mitigation apparatus 50), and the like. Further, the DDoS attack information sharing device 100 communicates with the DDoS attack detection device 200 to acquire the target IP address, traffic information of the packet transfer device 400, the maximum resource amount of the mitigation device 50, the available resource amount, and the like. . In addition, the DDoS attack information sharing apparatus 100 communicates with the DDoS attack information sharing apparatus 100 of the cooperation destination AS, and receives DDoS attack information (target IP address, etc.) and information necessary for coping countermeasures (a countermeasure method, a countermeasure parameter, etc.). Interact. Here, the DDoS attack information is not limited to the target IP address, and may include information such as the traffic addressed to the target, the IP address information of the attack source, etc., depending on the manner of coping with the target. . Since the DDoS attack information exchanged between the DDoS attack information sharing apparatus 100 and the network control apparatus 300 is closed within its own AS, it is possible to use a fine granularity such as how much traffic flows to which router. May be exchanged. On the other hand, regarding DDoS attack information exchanged between the DDoS attack information sharing apparatus 100 and the DDoS attack information sharing apparatus 100 of the cooperation destination AS, it is necessary to disclose the detailed information in the AS to the outside from the viewpoint of privacy and security. Since it is considered unfavorable, information abstracted to some extent, such as the amount of communication flowing through the entire network, may be provided.

  The DDoS attack information sharing apparatus 100 may typically be realized by a server, and is configured by, for example, a drive device, an auxiliary storage device, a memory device, a processor, an interface device, and a communication device that are interconnected via a bus. The Various computer programs including programs for realizing various functions and processing described later in the DDoS attack information sharing apparatus 100 are CD-ROM (Compact Disk-Read Only Memory), DVD (Digital Versatile Disk), recording media such as flash memory. May be provided by. When the recording medium storing the program is set in the drive device, the program is installed from the recording medium to the auxiliary storage device via the drive device. However, it is not always necessary to install the program using a recording medium, and the program may be downloaded from any external device via a network or the like. The auxiliary storage device stores the installed program and also stores necessary files and data. The memory device reads and stores the program and data from the auxiliary storage device when there is an instruction to start the program. The processor executes various functions and processing of the DDoS attack information sharing apparatus 100 as described later according to various data such as a program stored in the memory device and parameters necessary for executing the program. The interface device is used as a communication interface for connecting to a network or an external device. The communication device executes various communication processes for communicating with a network such as the Internet.

  However, the DDoS attack information sharing apparatus 100 is not limited to the hardware configuration described above, and may be realized by any other appropriate hardware configuration. The configuration shown in the present embodiment is an example, and for example, the DDoS attack detection device 200 and the network control device 300 may be incorporated in the DDoS attack information sharing device 100.

  Next, the DDoS attack information sharing apparatus 100 according to an embodiment of the present invention will be described with reference to FIG. FIG. 3 shows a configuration of a DDoS attack information sharing apparatus according to an embodiment of the present invention.

  As illustrated in FIG. 3, the DDoS attack information sharing apparatus 100 includes a processing unit 110, a storage unit 120, and a communication unit 130. In addition, the processing unit 110 includes a traffic information / mitigation device information acquisition unit 111, an attack countermeasure setting unit 112, a cooperation destination AS determination unit 113, a support request / response unit 114, a cooperation countermeasure information request / response unit 115, and a cooperation countermeasure unit 116. And a coping end determination unit 117. In addition, the storage unit 120 includes a cooperation destination AS information table 121, an attack information table 122, a traffic information table 123, and a mitigation device information table 124. The communication unit 130 communicates with the DDoS attack information sharing apparatus 100, the DDoS attack detection apparatus 200, and the network control apparatus 300 of another AS. When information is directly acquired or controlled from the packet transfer device 400 or the mitigation device 50, the communication unit 130 also communicates with these devices.

  The traffic information / mitigation device information acquisition unit 111 communicates directly with the packet transfer device 400, the mitigation device 50, or the like existing in the network via the DDoS attack detection device 200, or the target IP address, Information such as the traffic information being processed by the device and the amount of resources available for the mitigation device 50 is periodically acquired and stored in the attack information table 122 and the traffic information table 123.

  The attack information table 122 is for managing the attack currently being handled by each AS, and has a table format as shown in FIG. In the example shown in FIG. 4, the attack information table 122 includes an ID (“attack ID”) for identifying an attack being dealt with in each AS, and an ID of an AS that has suffered damage from the attack (“damaged AS number”). )), The requesting AS's ID (“requesting AS number”), “target IP address”, own AS (AS2) and other AS (AS3, etc.) for the attack It is composed of handling status information and the like. In the attack information table, one line record is prepared for one attack ID, and there are as many information on other ASs as the number of linked ASs. The primary key may be a combination of “attack ID”, “damaged AS number”, “requesting AS number”, and “target IP address”. The response status information includes the AS ID ("AS number") that is being addressed, the countermeasure that is being implemented ("Correction method"), and the traffic that is being handled ("Traffic to be handled" ”), The resource usage rate (“ resource usage rate ”) of the mitigation device 50, and the handling status (“ handling ”,“ cannot handle ”, etc.). In particular, for the handling status information, for example, when the handling method is a rate limit or the like, a threshold value or the like of how much the limit is applied may be registered, and is not limited to the above-described information. In addition, even if an attack is directed to the same target IP address, for example, if it is desired to manage in detail according to the protocol used for the attack, it is assumed that an item such as a protocol will be added to the column. This information is not limited to the illustrated information.

  The traffic information table 123 is for managing the traffic information being processed by the packet transfer device 400 in each AS (mainly another network, an edge router installed at the boundary with the AS, etc.). 5 has a table format as shown in FIG. In the example shown in FIG. 5, the traffic information table 123 is connected to an ID (“packet transfer device ID”) that can uniquely identify the packet transfer device 400 (in the case of an edge router). It consists of information such as ID of adjacent AS (“adjacent AS number”), “destination IP address of packet”, “port number”, “inflow amount” and “outflow amount” of traffic. These pieces of information are periodically collected and updated from the packet transfer apparatus 400 and the like via the DDoS attack detection apparatus 200 and the traffic information / mitigation apparatus information acquisition unit 111. In the traffic information table 123, the primary key may be a composite of “packet transfer device ID”, “adjacent AS number”, “packet destination IP address”, and “port number”.

  As described above, the traffic information table 123 includes information on which port of each packet transfer apparatus 400 is connected to the adjacent AS, and how much communication of the destination IP address in each port number flows in and out. Information. In the illustrated example, for “transfer device 1”, the port connected to AS2 is 1, and the communication addressed to 192.0.2.2 that has flowed in from port 1 (that is, flowed in from AS2) is 2 Gbps, Information that 2 Gbps from port 2 has flowed out to another transfer device 400 in its own AS is managed. In addition, in FIG. 2, the case where the said information is acquired via the DDoS attack detection apparatus 200 is illustrated as an example.

  The attack countermeasure setting unit 112 uses a target IP address, a method used for attack countermeasures (use of the mitigation device 50, use of a rate limit, etc.), and parameters for coping (for example, how much traffic is sent to the mitigation device 50). Information on whether to pull in) is notified to the network control device 300. Here, the method used for attack response and the parameters for response are determined by the linkage response unit 116 and notified to the attack response setting unit 112. As a method used for attack countermeasures, a common method is set in advance between ASs having the DDoS attack information sharing apparatus 100, or an arbitrary method is set in advance by an AS operator who has suffered damage, The coping method may be implemented by notifying other ASs including support requests. On the other hand, the parameters for coping may be the communication amount addressed to the target flowing through the cooperation destination AS, the maximum resource amount of the mitigation device 50, the available resource amount, etc., and calculated by a predetermined calculation formula described later. May be.

  In addition, when the network control device 300 receives information (such as a response status) regarding the countermeasure that is returned when the control of the packet transfer device 400 based on the information is completed, the attack countermeasure setting unit 112 displays the attack information table. The information is stored in 122.

  Based on the traffic information table 123, the cooperation destination AS determination unit 113 determines from which adjacent AS the attack is flowing in, and collates with the cooperation destination AS information table 121 to thereby correspond to the inflow source AS of the attack. Get the destination AS information. For example, the cooperation destination AS information table 121 is for managing the cooperation destination AS information in each AS, and may have the table format shown in FIG. In the embodiment shown in FIG. 6, the cooperation destination AS information table 121 includes an ID (“adjacent AS number”) that can uniquely identify an AS adjacent to an arbitrary AS, and communication addressed to the target flows from the adjacent direction. If it exists, it is composed of “cooperation destination AS information” (AS ID, IP address of the DDoS attack information sharing apparatus 100, etc.) that transmits a countermeasure request or the like. The method of acquiring and setting these information is arbitrary. For example, based on the topology of the Internet, for each neighboring AS of each AS, an AS that has installed the DDoS attack information sharing apparatus 100 in the neighboring AS is selected, and the network It is assumed that the administrator registers in advance. When an attack occurs, the cooperation destination AS determination unit 113 searches, for example, a line in which a value is set for the adjacent AS number in the traffic information table 123, and the destination IP address of the packet matches the target IP address. If the inflow amount is larger than 0, it is determined that the communication addressed to the target is flowing in from the AS direction.

  The support request / response unit 114 notifies the support request / response of each cooperation destination AS acquired by the cooperation destination AS determination unit 113 of a support request for DDoS attack countermeasures. In the support request, the ID that can uniquely identify the first support request source AS (the affected AS), the target IP address, the action method, and the direct support request source AS, if necessary, are unique. IDs that can be identified, parameters used for handling (values of traffic processed by each AS, etc.), and the like. In addition, the support request / response unit 114 on the side receiving the support request refers to the traffic information table 123, and the communication addressed to the target IP address is not directly affected by the support request source AS (this is not necessarily the damage AS It is determined whether it is flowing in the direction that does not match. For example, the determination may be performed by combining the AS cooperation destination AS information table 121 and the traffic information table 123 of the AS that has received the support request. That is, the corresponding adjacent AS number is acquired from the received AS ID of the direct support request source and the AS number of the cooperation destination AS information in the cooperation destination AS information table 121. Next, the traffic information table 123 is searched for a line that matches the acquired adjacent AS number, and further, a line that matches the received target IP address is searched. It is determined that the communication addressed to the address is flowing in the direction of the support request source AS directly from the local AS.

  Further, when it is determined that it is flowing, the support request / response unit 114 notifies the attack countermeasure setting unit 112 of the received information, and controls the packet transfer device 400 and the like via the network control device 300. Apply the requested action. Thereafter, a response for notifying the completion of handling (including the ID of the AS that returns the response, handling status information, etc.) is returned to the requesting support request / response unit 114. That is, the corresponding adjacent AS number is acquired from the received AS ID of the direct support request source and the AS number of the cooperation destination AS information 121. Next, the traffic information table 123 is searched for a line that matches the acquired adjacent AS number, and further, a line that matches the received target IP address is searched. It is determined that the communication addressed to the address is flowing in the direction of the support request source AS directly from the local AS.

  As described above, the attack countermeasure setting unit 112 mediates the support request / response unit 114, the cooperation countermeasure unit 116, and the network control device 300. When the countermeasure method uses the mitigation device 50 and the information of the coping parameter “None” is notified, the administrator or the like uses “up to the resource upper limit of the mitigation device 50 when the mitigation device 50 is used in advance” If the process “Yes” is set, the attack countermeasure setting unit 112 may generate a countermeasure parameter. At the timing of the above-described attack response setting process, the attack response setting unit 112 uses the available resource amount of the mitigation device 50 acquired from the mitigation device information table 124 as shown in FIG. A comparison may be made with the acquired total value of the target communication amount, and if the target target communication amount is larger, the setting may be made so as to draw the target communication to the resource upper limit of the mitigation device 50. The mitigation device information table 124 is for managing the mitigation device information held by each AS, and may have a table format as shown in FIG. In the embodiment shown in FIG. 7, the mitigation device information table 124 includes an ID (“mitigation device ID”) that can uniquely identify the mitigation device 50, the “maximum resource amount”, and “currently available resources” of the mitigation device. It consists of information such as “amount” and “resource usage rate”. These pieces of information are periodically collected and updated from the mitigation device 50 and the like via the DDoS attack detection device 200 and the traffic information / mitigation device information acquisition unit 111. Further, the maximum resource amount may be registered by the administrator when the mitigation device 50 is introduced.

  When the response from the arbitrary support request / response unit 114 is received, the attack countermeasure setting unit 112 registers the countermeasure status in the AS in the attack information table 122. If it is determined that it does not flow, a response including the ID of the AS that returns the response and response status information indicating that the response is not possible is returned. Further, when this response is received, the attack countermeasure setting unit 112 registers the received information in the attack information table 122. That is, the attack information table 122 is appropriately updated by the attack countermeasure setting unit 112 and the cooperation countermeasure information request / response unit 115.

  At the timing of the above-described attack countermeasure setting process, the attack countermeasure setting unit 112 determines the available resource amount of the mitigation device 50 acquired from the mitigation device information table 124 and the target communication amount acquired from the traffic information table 123. When the total communication value is compared with the target communication amount, the setting can be made so that the target communication is drawn up to the resource upper limit of the mitigation device 50. Although this implementation method is arbitrary, for example, in the packet transfer apparatus 400, routing information for performing the pull-in to the mitigation apparatus 50, and routing information for not performing the pull-in to the mitigation apparatus 50 (for transferring as it is) Is prepared, and routing information to be referred to at the time of transferring each packet or the like is stochastically switched, so that a method can be envisaged in which the amount of communication is drawn into the mitigation device 50 to cope with it.

  The cooperation handling information request / response unit 115 is information necessary for cooperating and implementing DDoS attack handling for the cooperation handling information request / response unit 115 of each cooperation destination AS acquired by the cooperation destination AS determination unit 113. (For example, the target communication amount flowing in the cooperation destination AS, the maximum resource amount of the mitigation device 50, the available resource amount, etc.) are requested. The request includes an ID that can uniquely identify the first linked countermeasure information request source AS (AS that matches the damage), the target IP address, a countermeasure method, and the like. Based on the notified information and the traffic information table 123, the communication response request / response unit 115 on the receiving side transmits the communication addressed to the target IP address directly from the own AS to the link response information request source AS (this is not necessarily It is determined whether it is flowing in the direction that does not match the damage AS. That is, the corresponding neighboring AS number is acquired from the received AS ID of the direct support request source and the AS number of the cooperation destination AS information. Next, the traffic information table 123 is searched for a line that matches the acquired adjacent AS number, and further, a line that matches the received target IP address is searched. It is determined that the communication addressed to the address is flowing in the direction of the support request source AS directly from the local AS. When it is determined that the information is flowing, the cooperation handling information request / response unit 115 acquires the requested information and sends it to the requesting cooperation handling information request / response unit 115 together with an ID for identifying itself. Send back as a response. In addition, when responses are received from all the cooperation destination ASs that have transmitted the cooperation handling information requests, the cooperation handling information request / response unit 115 notifies the cooperation handling unit 116 described later of the received information. When it is determined that the information does not flow, the cooperation handling information request / response unit 115 returns a response including an AS ID that returns a response and handling status information indicating that handling is not possible. When this response is received, the cooperation handling information request / response unit 115 registers the received information in the attack information table 122.

  The cooperation handling unit 116 obtains the information of the cooperation destination AS acquired through the cooperation handling information request / response unit 115 (the communication amount addressed to the target flowing through the cooperation destination AS, the maximum resource amount of the mitigation device 50, the available resource amount, etc.). Used to calculate and adjust the coping parameters such as the traffic volume handled by each linked AS and the rate limit threshold used by each AS. As an example, a method for adjusting the amount of communication handled by each AS will be described later so that the usage rate of each AS's mitigation device 50 is as uniform as possible when each AS uses the mitigation device 50. However, the parameters for adjusting according to the present invention and the policy (objective function) for adjustment are not limited to the above. Further, it is assumed that the information that needs to be shared with the cooperation-destination AS differs depending on the parameter to be adjusted, and the information shared between each AS also includes the AS ID, the maximum resource amount of the mitigation device 50, The amount of available resources is not limited to the total value of communication to the target flowing from each AS in the direction of the damaged AS.

  When the traffic information / mitigation device information acquisition unit 111 updates the traffic information table 123, the response end determination unit 117 monitors a change in the communication amount addressed to the target IP address of each attack registered in the attack information table 122. For example, if an amount less than the set threshold value continues for a set period, it is determined that the attack has ended, and the downstream AS that has transmitted a support request to itself (the requesting AS ID of the attack information table 122) Response determination request) is transmitted. This request includes its own AS ID and attack information (for example, requesting AS number and target IP address) for ending the countermeasure. Further, when a response termination request is received, the DDoS attack information sharing apparatus 100 of the downstream AS becomes a target by searching the attack information table 122 for a line in which the ID of the request source AS and the target IP address match. Searches the attack line, initializes the description related to the AS that sent the response end request, changes the response status to end, and returns a response to the upstream AS that is the source of the response end request. Further, when this response is received, the countermeasure end determination unit 117 terminates the ongoing countermeasure via the network control device 300 or the like, and deletes the row for the target attack in the attack information table 122.

  When the processing unit 110 receives a support request including the target address of the DDoS attack from another system using each component described above, the processing unit 110 determines whether attack communication flowing into the target address is flowing in from the upstream network. To do. Here, the processing unit 110 may perform countermeasures against the attack communication by adjusting a countermeasure parameter indicating a resource allocated to deal with the attack communication in each mitigation device 50 in the cooperation destination AS.

  As an example, the processing unit 110 compares the amount of available resources held in the mitigation device information 124 with the amount of attack traffic held in the traffic information table 123, and the amount of attack communication traffic is the amount of available resources. If it is larger, countermeasures against the attack communication may be executed by assigning the amount of attack communication corresponding to the available resource amount to the mitigation device 50. As another example, the processing unit 110 may perform countermeasures against attack communication by setting countermeasure parameters so that the usage rate of each mitigation device 50 in the cooperation destination AS is uniform.

  In the above-described embodiment, the DDoS attack is dealt with using the mitigation device 50. However, the present invention is not limited to this. For example, the processing unit 110 filters or band-limits attack communication with the network control device 300. By executing the above, countermeasures against attack communication may be executed.

  Next, with reference to FIG. 8, an operation procedure between the DDoS attack information sharing apparatus 100 according to an embodiment of the present invention will be described. 8A and 8B are sequence diagrams showing an operation procedure between DDoS attack information sharing apparatuses according to an embodiment of the present invention.

  This operation procedure describes the operation procedure when propagating a support request from the AS1 that is suffering from the DDoS attack to the entire Internet via the directly linked AS2 and AS5.

  As shown in the figure, in step S101, the DDoS attack information sharing apparatus 100 of AS1 uses the cooperation destination AS determination unit 113, and based on the traffic information table 123 and the cooperation destination AS information table 121, inflow of communication addressed to the target AS2 and AS5 are acquired as linked AS information corresponding to the neighboring AS. Here, it is assumed that the cooperation destination AS information in each AS is preset. The target IP address is notified from the DDoS attack detection device 200 to the DDoS attack information sharing device 100 when an attack occurs, for example.

  In step S102, the DDoS attack information sharing apparatus 100 of AS1 transmits a support request including the ID of AS1, the target IP address, the countermeasure method, etc. to the acquired DDoS attack information sharing apparatus 100 of AS2 and AS5.

  In step S103, each DDoS attack information sharing apparatus 100 of AS2 and AS5 of the cooperation destination directly communicates with the target IP address from its own AS based on the information notified in the support request and the traffic information table 123. Judgment is made in the direction of the support requester AS (AS1). Specifically, search for a row where the value is set in AS1 as an adjacent AS, and further search for a row where the destination IP address of the packet matches the target IP address, and if the inflow amount is greater than 0 May determine that target-targeted communication is flowing in the AS1 direction.

  When the communication addressed to the target is flowing, in step S104, each DDoS attack information sharing apparatus 100 of AS2 and AS5 has received the support request and the direct support request source AS is not adjacent (that is, intermediate) For example, when the communication addressed to the target is transferred from its own AS to each neighboring AS based on the Internet topology or BGP (Border Gateway Protocol) route information between ASs. It is determined whether there is an adjacent AS that forwards communication to the AS. Thereafter, the DDoS attack information sharing apparatus 100 determines whether or not the communication addressed to the target is flowing in the adjacent AS direction according to the traffic information table 123. If it is flowing, the DDoS attack information sharing apparatus 100 performs an arbitrary countermeasure based on the notified information, and based on the information notified from the support request source AS and the performed countermeasure, the attack ID table 122 stores an attack ID, Register information about the damaged AS number, requesting AS number, target IP address, and own AS. As specific examples of countermeasures to be implemented, it is assumed that target addressed communication is drawn into the mitigation device 50 to handle inspection / attack communication, or the target addressed communication is rate-limited by a transfer device 400 such as a router.

  On the other hand, when the communication addressed to the target does not flow, the DDoS attack information sharing apparatus 100 returns the self-AS ID and status information indicating that the action cannot be taken to the support request source AS (AS1), and the DDoS attack information of AS1. The shared apparatus 100 registers the AS number and status items of information related to other ASs (corresponding to the AS that has transmitted the response) in the attack information table 122.

  In step S105, each of the DDoS attack information sharing apparatuses 100 of AS2 and AS5 transmits the cooperation destination AS ID and countermeasure status information indicating that a countermeasure is being performed to the DDoS attack information sharing apparatus 100 of the support request source AS (AS1). Will be returned.

  In step S <b> 106, the DDoS attack information sharing apparatus 100 of AS <b> 1 registers the AS number and status items of information related to other ASs (corresponding to the AS that sent the response) in the attack information table 122.

  In step S107, each DDoS attack information sharing apparatus 100 of AS2 and AS5 further determines whether or not the communication addressed to the target is flowing from the upstream AS, and if so, refer to the cooperation destination AS information table 121. Acquire linked AS information. In this embodiment, since communication addressed to the target further flows from the upstream side of AS2, the DDoS attack information sharing apparatus 100 of AS2 refers to the cooperation destination AS information table 121, and AS3, AS5, Get AS8. Further, since AS5 does not receive any communication addressed to the target from the upstream side, the DDoS attack information sharing apparatus 100 of AS5 does not perform the subsequent processing.

  In step S108, the DDoS attack information sharing apparatus 100 of AS2 sends the AS1 ID, AS2 ID, target IP address, countermeasure method, etc. to the acquired DDoS attack information sharing apparatus 100 of the cooperation destination AS3, AS5, AS8. Send included assistance request.

  In step S109, each DDoS attack information sharing apparatus 100 of AS3, AS5, and AS8, based on the traffic information table 123, communication addressed to the target IP address flows from its own AS in the direction of the support request source AS (AS2). It is determined whether or not.

  If it is flowing (AS3, AS8), in step S110, the DDoS attack information sharing apparatus 100 performs a countermeasure based on the information notified in the support request, and registers a countermeasure status or the like in the attack information table 122. On the other hand, when it is not flowing (AS5), the DDoS attack information sharing apparatus 100 does not perform the countermeasure.

  In step S111, each DDoS attack information sharing apparatus 100 of AS3, AS5, and AS8 returns a response including the ID of each AS and countermeasure status information to the DDoS attack information sharing apparatus 100 of AS2 that has transmitted the support request. .

  In step S112, the AS2 DDoS attack information sharing apparatus 100 registers the handling status information and the like included in the response in the attack information table 122. That is, in the attack information table 122 of each AS, only the response status of the own AS and the upstream AS is managed for a certain attack, and the response status of the downstream AS is not managed. In this way, the coping status of each AS is not centrally managed, but only communicates directly with neighboring ASes, and manages only status information of neighboring ASs, thereby achieving an effect on scalability.

  In step S113, in each of the ASs that have received the support request, as described above, it is further determined whether the communication addressed to the target is flowing from the upstream AS, and if so, the support request is sent to the upstream cooperation destination AS. Is repeatedly transmitted. As a result, support requests can be sequentially propagated to the AS closest to the attack source in the entire Internet.

  In addition, the process at the time of complete | finishing a countermeasure is implemented in the following procedure, for example. An AS that is currently addressing an attack addressed to a target, and an AS that is further upstream (closer to the attacking source) than itself and that is not performing an attack addressed to that target (determined from the response status information in the attack information table 122) The DDoS attack information sharing apparatus 100 monitors the traffic to the IP address that is the target of each attack registered in the attack information table 122 when acquiring periodic traffic information. When the time below the set threshold continues for a certain period (arbitrary time is preset), it is determined that the attack has ended, and the downstream AS that has transmitted a support request to itself (determined from the attack information table 122) Then, a response end request is transmitted. This request includes its own AS ID and attack information for ending the countermeasure (damaged AS ID, requesting AS ID, target IP address, etc.).

  The DDoS attack information sharing apparatus 100 of the downstream AS that has received the countermeasure end request searches the attack information table 122 for the target attack line, initializes the description regarding the AS that has transmitted the countermeasure end request, and deals with the countermeasure status. To end. Specifically, the DDoS attack information sharing apparatus 100 refers to the received damaged AS number, requesting AS number, and target IP address, searches for a corresponding attack line, and then AS of information on other ASs. Initialize the description whose number matches the AS that sent the response termination request. Thereafter, the DDoS attack information sharing apparatus 100 returns a response to the upstream AS that is the transmission source of the countermeasure end request.

  The DDoS attack information sharing apparatus 100 of the upstream AS that has received the response terminates the ongoing action via the network control apparatus 300 or the like, and deletes the row for the target attack in the attack information table 122.

  In the above procedure, in the DDoS attack information sharing apparatus 100 of the downstream AS that has received the response end request, all the response statuses of information related to other ASs in the attack information table 122 have ended or do not exist, and traffic If the traffic to the target IP address of the attack in the information table 123 falls below the threshold for a certain period during periodic acquisition / update, the DDoS attack information sharing apparatus 100 determines that the attack has ended and A response end request is transmitted to the downstream AS that has transmitted the response request.

  The above process is started from the upstream node that is dealing with the attack closest to the attack source, and is performed as needed in the direction of the downstream node that is suffering the damage. The response to the attack can be terminated in all ASs that have been addressed.

  Next, with reference to FIG. 9, an operation procedure between the DDoS attack information sharing apparatus 100 according to an embodiment of the present invention will be described. FIG. 9 is a sequence diagram showing an operation procedure between DDoS attack information sharing apparatuses according to an embodiment of the present invention.

  In this operation procedure, in addition to sharing information for cooperating between AS1 and the direct cooperation destination AS2 and AS5 to deal with a DDoS attack, an operation procedure for adjusting a countermeasure parameter will be described.

  As shown in the figure, in step S201, the DDoS attack information sharing apparatus 100 of AS1 is based on the traffic information table 123 and the cooperation destination AS information table 121, and the cooperation destination AS information corresponding to the adjacent AS into which the communication addressed to the target flows. To get.

  In step S202, the DDoS attack information sharing apparatus 100 of AS1 transmits a cooperation countermeasure information request to the cooperation destination AS. The cooperation countermeasure information request includes AS1 ID, target IP address, countermeasure method, and the like. It is assumed that the type of information to be requested is shared in advance between all ASs that have the DDoS attack information sharing apparatus 100, and information to be acquired is described in the request message.

  In step S203, the DDoS attack information sharing apparatus 100 of each AS that has received the cooperation handling information request, based on the traffic information table 123, the communication addressed to the target IP address is directly directed to the support request source AS (AS1) from its own AS. Determine whether it is flowing.

  In step S204, if communication is flowing, the DDoS attack information sharing apparatus 100 of each AS acquires the requested information, and together with the ID of its own AS, the DDoS attack information sharing apparatus 100 of the cooperation countermeasure information request source AS1. Respond to.

  In step S205, the DDoS attack information sharing apparatus 100 of AS1 receives responses from the DDoS attack information sharing apparatus 100 of all the cooperation destination ASs that have transmitted the cooperation countermeasure information requests, and then performs countermeasure parameters (for example, Calculate the attack amount to be processed by each AS. For example, the usage rate of the mitigation device 50 of each AS is made as uniform as possible as the objective function (policy) (that is, the maximum mitigation device among the usage rates of the mitigation device 50 held by each AS. It is conceivable to calculate the amount of communication handled by each AS as a linear programming problem. Information required at this time includes the maximum resource amount of the mitigation device 50 of each AS, the current available resource amount, the target communication amount flowing from each AS in the AS1 direction, and the target communication amount flowing into AS1. .

  In step S206, the DDoS attack information sharing apparatus 100 of AS1 transmits a support request including the ID of AS1, the target IP address, the countermeasure method, the calculated parameters, etc. to the DDoS attack information sharing apparatus 100 of the cooperation destination AS. To do.

  In step S207, the DDoS attack information sharing apparatus 100 of each AS that has received the support request performs countermeasures based on the notified information, and performs attack ID, damage AS number, requesting AS number, target IP address, self-AS Information related to AS (AS number, handling method, handling traffic, resource usage rate, status) is registered in the attack information table 122.

  In step S208, the DDoS attack information sharing device 100 of each AS that has received the support request returns a response including the ID of the self AS and the countermeasure status to the DDoS attack information sharing device 100 of AS1 that is the support request source.

  In step S209, the DDoS attack information sharing apparatus 100 of AS1 registers the handling status information and the like included in the response in the attack information table 122.

  In step S210, the AS2 and AS5 DDoS attack information sharing apparatus 100 that has received the support request further determines whether or not the communication addressed to the target is flowing in from the upstream AS. Referring to, acquire the cooperation destination AS information, and adjust the coping parameters between the cooperation destination AS. Specifically, after adjusting the traffic addressed to the target addressed between AS1, AS2, and AS5 (for example, 10 Gbps for each AS), the target address traffic addressed by AS2 notified from AS1 (10Gbps ) Based on information such as target traffic volume flowing through AS3 and AS8, capacity of mitigation device 50 (usage information is the same as step S205), AS2, AS3 and AS8 deal with 3Gbps, 4Gbps and 3Gbps respectively. In addition, the sharing of the communication amount to be dealt with in the higher direction is implemented. In addition, the AS2 DDoS attack information sharing apparatus 100 can further cope with AS3, AS8, and AS2, AS5, and AS8, which are communication destinations of AS3, AS5, and AS8. Adjust coping parameters between AS8.

  Thereafter, each DDoS attack information sharing device 100 of the AS that has received the support request further determines whether or not the communication addressed to the target is flowing from the upstream AS, and if so, adjusts the parameter with the upstream cooperation destination AS By repeating this, it becomes possible to deal with the entire Internet.

  Next, with reference to FIGS. 10-11, the operation | movement procedure between the DDoS attack information sharing apparatuses 100 by other embodiment of this invention is demonstrated. In the present embodiment, when each AS has the mitigation device 50, two countermeasure logics when cooperating between a plurality of ASs will be described with reference to FIGS. 10 and 11, respectively.

  FIG. 10 is a sequence diagram showing an operation procedure between DDoS attack information sharing apparatuses according to another embodiment of the present invention. In the first countermeasure logic shown in the figure, the support request is transmitted from the AS damaged by the attack to the upstream AS direction in which the communication addressed to the target flows, and the target is occasionally transmitted to the mitigation device 50 from the AS that has received the support request. Take in the addressed communication and take action. In addition, by transmitting attack information and support requests to the upstream ASs of ASs that have received support requests as needed, it is possible to realize cooperative responses throughout the Internet. Thereafter, on the assumption that the downstream AS can distinguish between the inspected packet and the uninspected packet in the upstream AS's mitigation device 50, in each AS, only the unaddressed packet addressed to the target is sent to the mitigation device 50. Pull in and deal with it. By such processing, it becomes possible to deal with the attack preferentially by the AS mitigation device 50 of the AS closest to the attack among the ASs holding the DDoS attack information sharing device 100, and the network bandwidth due to the DDoS attack Consumption can be reduced.

  As a method for making it possible to distinguish between an inspected packet and an uninspected packet, for example, using OpenFlow or the like, in the upstream AS, the destination IP address of the target destination packet that has been inspected by the mitigation device 50 is Damage can be done by rewriting to an arbitrary IP address that is not used normally in the damaged AS, returning to the original IP address after reaching the damaged AS, or using tunneling technology such as GRE (Generic Routing Encapsulation). A method of encapsulating and transferring to an arbitrary router of the AS is conceivable (in either method, when the upstream AS mitigation device 50 has already inspected, the intermediate AS has a packet with a destination IP address different from the target) Thus, double pulling into the mitigation device 50 can be avoided). In this case, between the DDoS attack information sharing apparatus 100 of the damaged AS and the DDoS attack information sharing apparatus 100 of the AS that performs the countermeasure, the IP address information used for rewriting, the IP address of the node that is the start point and end point of the tunnel, For example, it is conceivable to share at the time of a support request in step S307 described later. Hereinafter, an operation procedure when the countermeasure is automatically performed by the mitigation device 50 using the detection of the attack by the DDoS attack detection device 200 as a trigger will be described.

  In step S301, the DDoS attack detection device 200 of the victim AS (AS1) analyzes the traffic information and flow information collected periodically from the transfer device 400 and the like to detect the occurrence of a DDoS attack against a specific destination IP address. Detect and notify the DDoS attack information sharing apparatus 100 of the target IP address and traffic information. As a trigger for starting the operation of the DDoS attack information sharing apparatus 100, as in this embodiment, in addition to automatic start in cooperation with the DDoS attack detection apparatus 200, the administrator / operator of the network etc. It is also envisaged to start with.

  In step S302, the AS1 DDoS attack information sharing apparatus 100 notifies the network control apparatus 300 of the attack countermeasure parameters including the target IP address and the countermeasure method (using the mitigation apparatus 50, etc.).

  In step S <b> 303, the network control device 300 controls the transfer device 400 based on the notified information (for example, rewrites the routing information), so that the communication addressed to the target is drawn into the mitigation device 50 to deal with it.

  In step S304, the network control apparatus 300 notifies the DDoS attack information sharing apparatus 100 of information on the implemented countermeasure (status information indicating that the countermeasure is being performed).

  In step S305, the DDoS attack information sharing apparatus 100 registers attack information and implemented countermeasure information in the attack information table 122 based on the received information. Specifically, the DDoS attack information sharing apparatus 100 registers the attack ID, the damage AS number, the requesting AS number, the target IP address, and information about the self AS in the attack information table 122.

  In step S306, the DDoS attack information sharing apparatus 100 determines from which adjacent AS the attack flows based on the traffic information table 123. Further, the DDoS attack information sharing apparatus 100 refers to the cooperation destination AS information table 121 and acquires the cooperation destination AS corresponding to the attack inflow source AS.

  In step S307, the DDoS attack information sharing apparatus 100 transmits a support request including the ID of AS1, the target IP address, the handling method, and the like to the cooperation destination AS.

  In step S308, the DDoS attack information sharing apparatus 100 of the cooperation destination AS (AS2, AS5), based on the traffic information table 123, the communication addressed to the target IP address is directed directly from the own AS to the support request source AS (AS1). Determine if it is flowing.

  In step S309, the DDoS attack information sharing device 100 of the cooperation destination AS controls the transfer device 400 and the like via the network control device 300 and the like based on the notified information, and performs the countermeasure by the mitigation device 50, Register in the attack information table 122. (This procedure is the same as steps S302 to S304). At this time, the DDoS attack information sharing device 100 acquires the available resource amount of the mitigation device 50 based on the mitigation device information table 124, and if the target target communication amount is larger, the DDoS attack information sharing device 100 is set to draw up to the resource upper limit. Also good. In step S308, if the communication addressed to the target does not flow in the direction of the support request source AS, the DDoS attack information sharing apparatus 100 returns an AS ID and status information indicating that the response is not possible to the support request source AS.

  In step S <b> 310, the DDoS attack information sharing apparatus 100 of the cooperation destination AS returns a response to the support request (AS ID and status information indicating that the response is in progress).

  In step S <b> 311, the DDoS attack information sharing apparatus 100 of the AS (AS1) that is the support request source registers countermeasure status information and the like in the attack information table 122.

  In step S312, the DDoS attack information sharing apparatus 100 of the cooperation destination AS determines whether or not the communication addressed to the target further flows from the upstream AS based on the traffic information table 123. The cooperation destination AS information is acquired with reference to the table 121.

  In step S313, the DDoS attack information sharing apparatus 100 of the cooperation destination AS transmits the AS1 ID, the ID of the direct support request source AS (AS2), and the target IP to the AS DDoS attack information sharing apparatus 100 acquired in step S312. Send a support request including address, coping method, etc.

  In step S314, the AS DDoS attack information sharing apparatus 100 that has received the support request performs the same processing as in steps S308 to S313.

  Thereafter, in each AS (AS5, AS8) that has received the support request, the countermeasure by the mitigation device 50 is applied at any time, and when the upstream AS is also capable of handling, the support request is repeatedly transmitted to the upstream cooperative AS. Thus, the support request is propagated to the AS closest to the attacking source on the entire Internet, and the countermeasure by the AS mitigation device 50 closest to the attacking source is executed (among the ASs having sufficient resources of the mitigation device 50). Can do.

  11A and 11B are sequence diagrams illustrating an operation procedure between the DDoS attack information sharing device 100 according to another embodiment of the present invention. In the second countermeasure logic shown in the figure, each mitigation device 50 is made as uniform as possible so that the usage rate of each AS device 50 is as uniform as possible so that it becomes impossible to deal with even when a plurality of locations are attacked simultaneously. Take action while adjusting the amount of communication processed in. As in the embodiment of FIG. 10, assuming that the downstream AS can distinguish between the packet that has been inspected by the upstream AS mitigation device 50 and the packet that has not been inspected, For only the packet, the specified communication amount is drawn into the mitigation device 50 to deal with it. Hereinafter, an operation procedure when the countermeasure is automatically performed by the mitigation device 50 using the detection of the attack by the DDoS attack detection device 200 as a trigger will be described.

  In step S401, the DDoS attack detection device 200 of the victim AS (AS1) analyzes the traffic information and flow information periodically collected from the transfer device 400 and the like to detect the occurrence of a DDoS attack against a specific destination IP address. Detect and notify the DDoS attack information sharing apparatus 100 of the target IP address and traffic information.

  In step S402, the DDoS attack information sharing apparatus 100 of AS1 notifies the network control apparatus 300 of the attack countermeasure parameters including the target IP address and the countermeasure method (using the mitigation apparatus 50, etc.).

  In step S <b> 403, the network control device 300 controls the packet transfer device 400 based on the notified information (for example, rewrites the routing information), thereby attracting the communication addressed to the target to the mitigation device 50.

  In step S <b> 404, the network control device 300 notifies the DDoS attack information sharing device 100 of information on the countermeasure that has been taken (status information indicating that the countermeasure is being performed).

  In step S405, the DDoS attack information sharing apparatus 100 registers the attack information and the implemented countermeasure information in the attack information table 122 based on the received information.

  In step S406, the DDoS attack information sharing device determines from which adjacent AS the attack flows based on the traffic information table, refers to the cooperation destination AS information table, and corresponds to the inflow source AS of the attack. Acquire the first AS (here, AS2 and AS5).

  In step S407, the DDoS attack information sharing apparatus 100 transmits a cooperation countermeasure information request including the AS1 ID, target IP address, countermeasure method, and the like to the cooperation destination AS (AS2, AS5).

  In step S408, the DDoS attack information sharing apparatus 100 of the cooperation destination AS (hereinafter referred to as “AS2”) makes the communication addressed to the target IP address based on the traffic information table 123 directly from the own AS. Determine whether it is flowing in the (AS1) direction. Although not described in this procedure, in order to deal with the DDoS attack as quickly as possible, in the same way as in FIG. 10, at this timing, in each cooperation destination AS, the unaddressed target-addressed communication is drawn into the mitigation device 50. Settings may be provisionally applied.

  In step S409, the DDoS attack information sharing apparatus 100 of the cooperation destination AS (AS2) returns a response to the cooperation countermeasure information request to the DDoS attack information sharing apparatus 100 of AS1. The response includes the ID of the cooperation destination AS, the target communication amount flowing in the AS1 direction acquired from the traffic information table 123, the maximum resource amount of the mitigation device 50 acquired from the mitigation device information table 124, and the current available resource amount. May be included. In step S408, if the communication addressed to the target does not flow in the direction of the cooperation handling request source AS (AS1), the DDoS attack information sharing apparatus 100 indicates the status of the cooperation destination AS (AS2) ID and handling impossible to AS1. Will be returned. Further, the DDoS attack information sharing apparatus 100 of AS1 registers the handling status information included in the response in the attack information table 122.

  In step S410, after receiving responses from all cooperation destination ASs (AS2, AS5) that have transmitted the cooperation countermeasure information requests, the DDoS attack information sharing apparatus 100 solves the following optimization problem, thereby solving each AS (AS1 , AS2, AS5) to calculate the traffic addressed to the target. In generalized terms, the optimization problem can be:

AS1、AS2、AS5で調整する場合には、以下の最適化問題を解くことになる。

When adjusting with AS1, AS2, and AS5, the following optimization problem is solved.

ステップＳ４１１において、AS1のDDoS攻撃情報共有装置１００は、AS1のネットワーク制御装置３００に対して、攻撃対処パラメータ（標的のIPアドレス、対処方式、ステップＳ４１０で算出したAS1で対処する通信量）を通知する。

In step S411, the AS1 DDoS attack information sharing apparatus 100 notifies the AS1 network control apparatus 300 of the attack countermeasure parameters (target IP address, countermeasure method, traffic handled by AS1 calculated in step S410). To do.

  In step S412, the AS1 network control device 300 controls the transfer device 400 based on the notified information, thereby implementing the DDoS attack countermeasure. Here, among the uninspected target-addressed packets, the setting for handling the amount of communication calculated in step S410 in the mitigation device 50 is applied. As for the control for drawing in the mitigation device 50 up to the notified communication amount, for example, switching of a routing table to be referred to on a rate basis is assumed.

  In step S <b> 413, the DDoS attack information sharing apparatus 100 of AS <b> 1 receives countermeasure information implemented from the network control apparatus 300, and then registers countermeasure status information and the like in the attack information table 122.

  In step S414, the DDoS attack information sharing apparatus 100 of AS1 transmits a support request to the cooperation destination AS (AS2, AS5). The support request includes the ID of the first requesting source (damage) AS, the target IP address, the handling method, and the target-addressed communication amount handled by the cooperation destination AS calculated in step S410.

  In step S415, the DDoS attack information sharing apparatus 100 of the cooperation destination AS (hereinafter referred to as AS2) performs a countermeasure based on the notified information and registers it in the attack information table 122 (the countermeasure implementation procedure is a step). Same as S411 to S413).

  In step S416, the DDoS attack information sharing apparatus 100 of the cooperation destination AS (AS2) returns a response to the support request to AS1. The response includes the ID of the cooperation destination AS (AS2) and status information indicating that a response is being made.

  In step S417, the DDoS attack information sharing apparatus 100 of AS1 registers countermeasure status information included in the response in the attack information table 122.

  In step S418, the DDoS attack information sharing apparatus 100 of the cooperation destination AS (AS2) that has received the support request, based on the traffic information table 123 (see from AS2), checks whether communication addressed to the target further flows from the upstream AS. If it is determined and inflowing, reference is made to the cooperation destination AS information table 121 to obtain cooperation destination AS information (here, AS3, AS5, and AS8).

  In step S419, the DDoS attack information sharing device 100 of the cooperation destination AS (AS2) sends the AS1 ID, AS2 ID, and the DDoS attack information sharing device 100 held by the upstream cooperation destination AS (AS3, AS5, AS8) Send a linked response information request that includes the target IP address and response method.

In step S420, processing similar to that in steps S408 to S419 (sharing of information necessary for coping parameter adjustment, calculation of parameters in the most downstream AS (AS2), and sharing of parameters to the upstream cooperation AS) is performed on AS2 and its upstream. Will be implemented with AS3, AS5, and AS8, which are partner ASs. The amount of communication processed by AS2 calculated as a result of step S410 is given as an input for the optimization problem, and the amount of communication handled by the mitigation device 50 of AS2, AS3, and AS8 is calculated. Note that AS5 does not communicate with AS2 because no communication flows from AS5 to AS2. (Since it does not meet the condition at the step corresponding to step S408, the process when the following condition is met is not performed)
As a result of parameter adjustment among AS2, AS3, and AS8 in step S421, if the resource usage rate of the AS2 mitigation device 50 is improved compared to the usage rate using the value calculated in step S410, AS2 The DDoS attack information sharing apparatus 100 of the AS1 has an AS2 ID, the maximum resource amount of the mitigation apparatus 50, the current available resource amount, and an untested target flowing from the AS2 to the AS1 direction. Notify the addressed traffic. Here, for example, it may be possible to prevent the parameter adjustment from being performed infinitely by setting and controlling an arbitrary threshold value such as notifying AS1 only when the improvement is 10% or more.

In step S422, when the DDoS attack information sharing apparatus 100 of AS1 receives the change information to be notified when the usage rate is improved, the input value is updated, and the optimization problem is solved again. Recalculate the target traffic to be addressed. Here, the value of the objective function obtained as a result of step S422 is compared with the value of the objective function obtained as a result of step S410 (for example, the value of the maximum resource usage rate of the mitigation device of each AS). However, if it does not improve over the preset threshold value (10%, etc.), it will prevent the parameter adjustment from being performed infinitely by performing control such as not applying to the network or not notifying the linked AS. In step S423, for example, when the usage rate is improved by more than a preset threshold value, the DDoS attack information sharing apparatus 100 executes processing corresponding to steps S411 to S413 of its own AS (AS1). Then, notify the linked AS (AS2, AS5) of the traffic to be handled by each recalculated AS. In other words, the DDoS attack information sharing apparatus 100 notifies the network control apparatus 300 of the target IP address, the countermeasure method, and the newly calculated communication traffic. The network control device 300 performs the DDoS attack countermeasure by controlling the transfer device 400 and, as a result, transmits the countermeasure status information to the DDoS attack information sharing device 100 as a response. The DDoS attack information sharing apparatus 100 registers the countermeasure status in the attack information table 122.

  In step S424, the DDoS attack information sharing apparatus 100 of the cooperation destination AS (AS2, AS5) performs a countermeasure based on the notified information, and registers it in the attack information table 122 (the countermeasure procedure is the same as in steps S410 to S412). .

  In step S425, the DDoS attack information sharing apparatus 100 of the cooperation destination AS (AS2, AS5) returns a response to the support request (the ID of the cooperation destination AS and status information indicating that it is being handled).

  In step S <b> 426, the AS1 DDoS attack information sharing apparatus 100 registers countermeasure status information and the like in the attack information table 122.

  Thereafter, in the cooperation destination AS of AS1 (for example, AS2), when there is a cooperation destination AS in the upstream node, parameter adjustment is performed with the upstream nodes (AS3, AS8). At this time, in order to prevent infinite parameter adjustment, the value of the objective function when calculating the optimization problem (between AS2, AS3, and AS5) with the updated parameter value as input is It is compared with the value of the objective function when the optimization problem is calculated using the previous parameter values as input. If there is no improvement over a preset threshold value, parameter adjustment need not be performed.

  In the embodiment of FIG. 10, in order to reduce the bandwidth consumption due to the DDoS attack, the mitigation device 50 as close as possible to the attack source deals with priority. Since there is no parameter adjustment, control is simple, and in the case of an attack on a small number of locations, the bandwidth consumption of the entire Internet due to the DDoS attack can be minimized. On the other hand, when an attack to a certain target occurs, the attack device 50 can be dealt with as the number of attack points increases, so that the attack can be dealt with by utilizing the resources of the mitigation device 50 that can be used as a whole on the Internet. May occur. For example, in Fig. 1, when an attack from AS8 to AS7 to AS3 occurs, if the resources of the AS3 and AS8 mitigation devices 50 are used up at the time of attack against AS1, the attack may not be handled. There is sex.

  On the other hand, in the embodiment of FIG. 11, the usage rates of the mitigation devices 50 of the respective ASs are leveled as much as possible so as not to be unable to cope even when a plurality of locations are attacked simultaneously. The bandwidth consumption of the entire Internet due to the DDoS attack may increase as compared to FIG. 10, but avoid the situation where only the resources of the AS mitigation device 50 are exhausted first and the attack cannot be dealt with. Can do. Actually, rather than using only one of the logics, it may be used in accordance with the operator's policy, attack pattern, or the like.

  As mentioned above, although the Example of this invention was explained in full detail, this invention is not limited to the specific embodiment mentioned above, In the range of the summary of this invention described in the claim, various deformation | transformation・ Change is possible.

10 network 50 mitigation device 100 DDoS attack information sharing device 110 processing unit 120 storage unit 130 communication unit 200 DDoS attack detection device 300 network control device 400 packet transfer device

Claims (8)

A DDoS attack information sharing device provided in the system,
A storage unit for storing link destination information related to a link system capable of dealing with DDoS attacks;
When receiving a support request including the target address of the DDoS attack from another system, a processing unit that determines whether attack communication flowing into the target address flows from an upstream network,
When it is determined that the attack communication flows from an upstream network, a communication unit that transmits a support request including a target address of the DDoS attack to the cooperation system in the cooperation destination information;
DDoS attack information sharing device.   The DDoS attack information sharing apparatus according to claim 1, wherein the processing unit adjusts a handling parameter indicating a resource allocated to deal with the attack communication in each mitigation apparatus in the cooperation system. The storage unit further stores mitigation device information indicating an available resource amount of each mitigation device in the cooperation system,
The processing unit compares the amount of available resources and the amount of attack communication, and if the amount of attack communication is larger than the amount of available resource, the amount of the attack communication corresponding to the amount of available resource The DDoS attack information sharing device according to claim 2, wherein a communication amount is allocated to the mitigation device. The storage unit further stores mitigation device information indicating an available resource amount of each mitigation device in the cooperation system,
The DDoS attack information sharing apparatus according to claim 2, wherein the processing unit sets the countermeasure parameter so that a usage rate of each mitigation apparatus in the cooperation system is uniform.   The DDoS attack information sharing device according to claim 1, wherein the processing unit causes a network control device to perform filtering or band limitation on the attack communication. The storage unit further stores attack information indicating the target address, information on countermeasures in the own system and information on countermeasures in the cooperation system,
The DDoS attack information sharing apparatus according to any one of claims 1 to 5, wherein the processing unit updates the attack information according to a countermeasure implemented for the attack communication. An operation method of the DDoS attack information sharing device,
Receiving a support request including a target address of a DDoS attack from another system;
Determining whether attack traffic flowing into the target address flows from an upstream network;
When it is determined that the attack communication is flowing from an upstream network, a support request including a target address of the DDoS attack is transmitted to a cooperation system in cooperation destination information;
An operating method.   A program for causing a computer to execute the operation method according to claim 7.

Images