JP4417128B2 - Communications system - Google Patents

Description

  The present invention relates to a communication system for protecting a host from a high-load DoS attack.

There are the following two types of high-load DoS (Denial of Services) attacks that are a security problem in IP networks. (Hereinafter, a high-load DoS attack is simply referred to as a DoS attack.)
The first DoS attack is a network high-load DoS attack shown in problem (1) in FIG. The network high-load type DoS attack is intended to cause a state in which regular communication cannot pass through a communication path by transmitting a large amount of packets to a communication path close to the attack target and saturating the communication path with packets. Moreover, even if regular communication can pass, a situation such as a large delay occurs. The second DoS attack is a host high-load DoS attack shown in problem (2) in FIG. The host high-load DoS attack is intended to cause the host to be unable to process regular communication by causing the host, which is the attack target, to receive a large amount of packets and increasing the processing load. Moreover, even if regular communication can be processed, a situation such as a large delay occurs.
That is, the network high-load type DoS attack is intended to cause a reduction in communication speed performance in the IP network. On the other hand, the host high-load DoS attack causes a decrease in processing performance of the server or the like, and as a result, can be said to be an attack aimed at host system down. FIG. 11 shows a table in which DoS attacks that receive a large amount of packets are classified.
Currently, the following two measures are generally adopted for DoS protection. The first countermeasure is packet filtering by a firewall. This countermeasure is a system in which a firewall is installed at a location where the attack target is connected to an external network, for example, the Internet, and a large amount of received packets are filtered, that is, blocked according to the filtering rules set in the firewall. Filtering rules include rules that block protocol violations, block packets that are sent in large quantities from the same source, and block packets that are not violations but are not protocol-complete. An example of a packet that is not completed in terms of protocol is a Syn Flood attack that transmits only TCP Syn. This measure is effective when a DoS attack pattern can be identified.
The second countermeasure is traffic shaping using a bandwidth control device. This measure is to install a bandwidth control device just before the host that is the target of the attack. It is a measure to shape. Shaping is a method in which a packet transmission time interval is increased to cause a delay, or a part of a packet is discarded and thinned out. This measure is effective when the DoS attack pattern cannot be specified.
Apart from the above two methods, there is a countermeasure using the unauthorized intrusion prevention system in Patent Document 1. The present invention detects a DoS attack against a managed server, and when a packet that is performing a DoS attack can be confirmed by a router that relays the DoS attack packet, by routing the corresponding DoS attack packet, the attack is performed. This is a method for preventing the DoS attack packet from arriving at the target. This measure is effective when the router can identify the DoS attack packet.
JP 2002-111727 A

However, there are the following problems even if the measures according to the above-described conventional technique are used. With the first packet filtering countermeasure by the firewall, it is possible to delete a high-load DoS attack packet that reaches the attack target. However, even though the load on the network opposite to the packet filtering side is reduced, the network on the packet filtering side remains highly loaded. There is a problem that there is so far.
With the countermeasure by the second bandwidth control device, it is possible to reduce the packet of the high load DoS attack that reaches the attack target. However, the shaping includes the packet of the regular user, and the communication performance of the regular user is similarly lowered.
According to the countermeasure by the route change by the router in the third patent document 1, it is possible to reduce or eliminate the packet of the high load type DoS attack reaching the attack target. However, it is difficult to specify a packet of a high-load type DoS attack by a router, and it becomes more difficult to specify, particularly when a source address is fake. Although this measure can prevent a packet of a high-load DoS attack from reaching the server, there is a problem that a high-load DoS attack that presses the bandwidth on the router cannot be avoided.

  The present invention has been made in order to solve the above-described problem, and the purpose of the present invention is to improve the attack target even when the source address of the packet of the DoS attack is falsified without degrading the communication performance of the authorized user. An object of the present invention is to provide a communication system that protects a host from a high-load DoS attack.

In order to solve the above-described problem, the invention described in claim 1 includes a terminal device (client terminals 25, 25a, 25b) that transmits and receives packets, a packet transfer device (router 3) that relays packets, and the packet. In a communication system comprising a content server device (external server 4) connected to a transfer device and storing content, etc., and a network (Internet 20) accommodating the terminal device and the packet transfer device, When the packet is received from the terminal device via the packet transfer device and connected to the packet transfer device, the logical address information set in the source logical address of the received packet is set as the destination logical address. Generate connection destination change instruction packet (BindingUpdate packet) Public server apparatus sets the logical address information of a particular of the content server apparatus to the information element of the connection destination change instruction packet, and transmits the connection destination change instruction packet to the network via the packet forwarding device (home agent 1) And the terminal device further receives the connection destination change instruction packet and communicates with a specific logical address of the content server device described in the packet (DoS attack avoidance) System 10).

  The invention according to claim 2 is a terminal device (client terminals 25, 25a, 25b) that transmits and receives packets, a packet transfer device (router 3) that relays packets, and the packet transfer device that receives and receives the packet A proxy server device (BindingUpdate agent 2) that relays packets according to a preset logical address of a relay destination, and a content server device (outbound server 4) that is connected to the proxy server device and stores contents and the like In a communication system including the terminal device and a network (Internet 20) accommodating the packet transfer device, the packet device is connected to the packet transfer device and receives the packet from the terminal device via the packet transfer device. The source logic of the received packet A connection change instruction packet (BindingUpdate packet) is generated with the logical address information set in the address as the destination logical address, and the logical address information of the proxy server device is set in the information element of the connection destination change instruction packet And a public server device (home agent 1) that transmits the connection destination change instruction packet to the network via the packet transfer device, and the proxy server device automatically detects when a predetermined state is detected. The connection destination change instruction packet in which logical address information is changed to another logical address information set in advance, the logical address of the terminal device being relayed is detected, and the logical address is set as a destination logical address And the self-logical address after the change to the information element of the connection destination change instruction packet Set scan information, a communication system, characterized by transmitting to the network the connection destination change instruction packet through the packet transfer apparatus (DoS attack avoidance system 10).

  The invention according to claim 3 is the invention according to claim 2, wherein when the proxy server device changes its own logical address information to another logical address information set in advance, the changed self-logic A logical address change notification including address information (routing information change notification) is notified to the packet transfer device and the public server device, and the packet transfer device receives the logical address change notification when receiving the logical address change notification. The route information is changed according to the changed logical address included in the change, the transfer destination of the logical address information of the proxy server before the change is changed to the public server device, and the public server device receives the logical address change notification The logical address of the public server device is changed according to the changed logical address included in the logical address change notification. And updates the association information of the logical address information of the information with the proxy server device.

  The invention according to claim 4 is the proxy server device according to any one of claims 1 to 3, wherein the terminal device receives the connection destination change instruction packet from the network. The destination logical address of the packet being transmitted to is changed to the logical address information included in the information element of the connection destination change instruction packet.

  The invention according to claim 5 is the invention according to any one of claims 1 to 4, wherein the information element of the connection destination change instruction packet is a source logical address.

The invention according to claim 6 is a terminal device that transmits and receives packets, a packet transfer device that relays packets, a content server device that is connected to the packet transfer device and stores contents, and the terminal device. Received when the packet is received from the terminal device via the packet transfer device to a computer that is included in a communication system including a network that accommodates the packet transfer device. Generating a connection destination change instruction packet using the logical address information set in the source logical address of the packet as the destination logical address, and the content server device specific to the information element of the connection destination change instruction packet setting a logical address information of the terminal device varying the destination To receive the instruction packet communicating the logical address of a particular of the content server apparatus according to the packet, and transmitting the connection destination change instruction packet to the network via the packet forwarding device , Is a computer program for executing .

  According to the present invention, the packet transmitted from the terminal device to the content server device is received by the public server device, that is, the home agent, and the IP of the true content server device is compared with the source IP address of the received packet. It is configured to notify the address. For this reason, a packet containing information on the true IP address does not reach the terminal device that is disguised as the source IP address for the purpose of attack, and the terminal device cannot connect to the content server device. Accordingly, there is an effect that only the terminal device intended for the attack is excluded, and only the packet from the regular terminal device not intended for the attack can be accepted.

  According to the present invention, when the proxy server device detects a predetermined state in a state where the proxy server device relays communication between the terminal device and the content server device, the proxy server device The address is changed, and the changed IP address is notified to the terminal device. For this reason, a packet containing information on the true IP address does not reach the terminal device that is disguised as the source IP address for the purpose of attack, and the terminal device cannot connect to the content server. In addition, when the IP address is changed and notified, it is possible to prevent the terminal device from being connected to the content server device by adopting a configuration that does not notify the terminal device performing the attack. . Accordingly, there is an effect that only the terminal device intended for the attack is excluded, and only the packet from the legitimate terminal device not intended for the attack can be accepted.

Hereinafter, a high-load DoS attack avoidance system (hereinafter referred to as a DoS attack avoidance system) according to an embodiment of the present invention will be described with reference to the drawings.
FIG. 1 is a diagram showing a connection configuration between a DoS attack avoidance system 10 and a client terminal 25 that performs a DoS attack according to an embodiment of the present invention.
In the figure, the DoS attack avoidance system 10 and the client terminal 25 are connected to the Internet 20. In the DoS attack avoidance system 10, the router 3 receives a packet from the client terminal 25 via the Internet 20, and forwards the packet based on preset routing information. The external server 4 is a server that stores web page contents and the like. The BindingUpdate agent 2 publishes an IP address on the Internet 20 and relays communication as a proxy server of the server 4 for the outside. In addition, when the BindingUpdate agent 2 detects a predetermined state, the BindingUpdate agent 2 changes its own IP address, and sends the BindingUpdate message including the changed IP address to the source IP address of the packet being connected to the server 4 for the outside Send to. The predetermined state is, for example, a state where a certain time has elapsed or a state where a connection request for the purpose of attack is detected. The home agent 1 publishes an IP address on the Internet 20 and first receives a connection request from a terminal connected to the Internet 20. Then, a connection destination change notification including the IP address of the true binding destination BindingUpdate agent 2 is transmitted to the source IP address of the received packet. With this mechanism, when the client terminal 25 transmits a connection request with a false source IP address, the client terminal 25 cannot receive the true connection destination IP address from the home agent 1 and sends the BindingUpdate agent 2 to the client terminal 25. It is not possible to connect to the server 4 for the outside through the Internet. Also, even if the client terminal 25 connects to the BindingUpdate agent 2 by some means and the server 4 is subjected to a DoS attack, the BindingUpdate agent 2 cannot receive the IP address information to be changed in a predetermined state. It is possible to prevent the server 4 from being connected to the outside server 4. Hereinafter, the connection destination change notification is referred to as a BindingUpdate message and a packet including the BindingUpdate message is referred to as a BindingUpdate packet in accordance with the name of the Mobile IP system.

FIG. 2 is a schematic block diagram showing a network configuration that actually uses the DoS attack avoidance system 10 according to an embodiment of the present invention.
In FIG. 1, a DoS attack avoidance system 10 is installed between an in-company network 40 that is a general company in-house network and an ISP (Internet Service Provider) 21 that provides Internet connection as a service.
In the DoS attack avoidance system 10, the firewall 6 transmits only packets according to a certain rule to the home agent 1, and filters and discards packets that do not meet the conditions. The decoy network 7 including the firewall 6 and the home agent 1 is an area where a DoS attack is first received. Further, when the Binding Update agent 2 changes the IP address, it also has a function of receiving and discarding the packet in which the IP address before the change is set. The router 3 forwards the packet according to the routing information that is preset with the received IP address. As shown in the figure, it may be at a position where the ISP 21 is connected, or may be present inside the ISP 21 when a notification of an IP address change from the BindingUpdate agent 2 can be received. The firewall 5 transmits only packets that satisfy a certain rule among packets received via the router 3 to the corporate network 40. The DMZ (DeMilitized Zone) 30 is an area in which a server that publishes a web page or the like is arranged in a terminal device on the Internet, and is constructed by setting a rule that allows connection from the Internet 20 in the firewall 5. . Therefore, the BindingUpdate agent 2 and the external server 4 also belong to the DMZ 30.
Also, in the figure, an IDS 32 (Intrusion Detection System) installed in a general corporate network has a function of detecting an unauthorized connection among the connections received by the devices in the DMZ 30 and notifying a system administrator or the like. Have. Similarly, the IDS 42 has a function of detecting an unauthorized connection from connections received by the corporate network 40 via the router 41 and notifying a system administrator or the like.
The server 31 is not included in the DoS attack avoidance system 10, but is a server arranged in the DMZ 30, and corresponds to a server that does not need to avoid DoS compared to the external server 4.

FIG. 3 shows necessary means in the home agent 1 and the BindingUpdate agent which are main devices in the DoS attack avoidance system 10.
A PIP (PublicIP) address that is a public IP address is set in the home agent 1, and a MIP (Mobile IP) address that is a mobile IP address in the mobile IP system is set in the BindingUpdate agent 2. Details of PIP and MIP will be described later.
In the home agent 1, the BindingUpdate means 1a receives a connection request from the client terminal 25, and transmits a BindingUpdate packet including the MIP address to the source IP address of the received connection request packet. Also, the client terminal 25 that does not support BindingUpdate is determined from the module downloader ID management table 11. If the client terminal 25 does not support BindingUpdating, a unique BindingUpdate packet is transmitted.
The PIP: MIP map management means 1b updates the PIP address / MIP address mapping table 1c in response to the MIP address change notification from the BindingUpdate agent 2. The mobile IPv6 (IPv6) compatible determination unit 1d determines whether the client terminal 25 is compatible with mobile IPv6. When the mobile IPv6 incompatible client module download instruction means 1e determines that the mobile IPv6 compatible availability determination means 1d does not support, the mobile IPv6 incompatible client module 26 transmits to the client terminal 25 incompatible with Mobile IPv6. . The module downloader ID management unit 1f receives the notification of the downloader ID from the module download instruction unit 1e for the client not supporting mobile IPv6, and updates the module downloader ID management table 11. The module downloader ID management table 11 may be managed by the home agent 1 or the BindingUpdate agent 2 or may be managed by another server.
The mobile IPv6 non-compliant client module 26 includes a BindingUpdate receiving unit 26a and a PIP: MIP proxy unit 26b. Specifically, it is provided to the client terminal 25 that does not support Mobile IPv6 with a download applet or an installation module.
In the BindingUpdate agent 2, the server proxy unit 2a for the outside refers to the connection management table 2b, and relays the IP address in the communication between the server 4 for the outside and the client terminal 25. The external server IP address changing means 2d changes the MIP address when a predetermined state is detected. The BindingUpdate means 2c receives a new MIP address from the server IP address changing means 2d for the outside, and sends a BindingUpdate packet to the connected client terminal 25 with reference to the connection management table 2b. Also, the client terminal 25 that does not support BindingUpdate is determined from the module downloader ID management table 11. If the client terminal 25 does not support BindingUpdating, a unique BindingUpdate packet is transmitted. The changed new MIP notification means 2e receives the new MIP address from the server IP address changing means 2d for the outside and notifies the router 3 and the home agent 1 of the changed MIP address.
The routing table rewriting means 3a of the router 3 receives the MIP change notification from the BindingUpdate agent 2 and updates the routing table related to PIP and MIP.

FIG. 4 is a diagram illustrating processing of the home agent 1 in the DoS attack avoidance system 10. A feature of the DoS attack avoidance system 10 is that an attack is avoided by applying a method of changing an IP address corresponding to movement of a connection destination used in the mobile IP method. In the figure, a connection destination IP address change process will be described among the features. The connection destination IP address change process is a process for notifying the connection source of the IP address of the connection destination, causing the terminal device to change the connection destination, and preventing unauthorized connection from connecting to the true connection destination. .
In the figure, a decoy network 7 is a network that is a decoy of a true connection destination as the name indicates, and is a network for receiving a connection from the Internet 20 first. Therefore, the IP address set in the home agent 1 is a public IP address, that is, a PIP address. The PIP address corresponds to the home address in the mobile IP system. By associating this PIP address with the URL (Universal Resource Locator) of the outward server 4 in the DNS (Domain Name System), the PIP address becomes an IP address disclosed on the Internet of the external server 4. A true IP address is set in the external server 4 separately from the PIP address. The true IP address corresponds to a mobile IP address that is a care-of address in the mobile IP system, that is, a MIP address. Both the PIP address and the MIP address are global IP addresses that can be connected on the Internet 20.
First, the DoS attacker terminal 25b and the authorized user terminal 25a connected to the Internet 20 connect to the URL of a publicly disclosed website. The true device in which the content exists is the external server 4. As described above, the IP address first associated with the URL by the DNS is the PIP address of the home agent 1. Therefore, the home agent 1 receives connection request packets from the attacker terminal 25b and the authorized user terminal 25a (step S4-1). The home agent 1 that has received the packet generates a packet including a BindingUpdate message defined in the mobile IP system (hereinafter referred to as a BindingUpdate packet), and sets the MIP address, which is the IP address of the server 4 for the outside, as the BindingUpdate packet. To do. Then, the source IP address (source IP address in the figure) of the packet received from the terminal is set as the destination IP address of the BindingUpdate packet and transmitted to the Internet. In the case of a packet received from the regular user terminal 25a, since the source IP address is also an existing IP address, the packet reaches the regular user terminal 25a (step S4-2). On the other hand, if the received packet is a packet intended for an attack from the DoS attacker terminal 25b and the source IP address is forged, the BindingUpdate packet does not reach the DoS attacker 25b. Discarded during transfer. (Step S4-3). As a result, the DoS attacker terminal 25b cannot know the MIP address of the server 4 for the outside, and cannot connect to the server 4 for the outside. On the other hand, the legitimate user terminal 25a receives the BindingUpdate packet and updates the Binding cache that associates the PIP address with the MIP address. Then, the communication packet for the PIP address is changed for the MIP address (step S4-4). By this process, the server 4 for the outside can receive only the connection from the authorized user terminal 25a, and can avoid an attack.
In step S4-3, when a BindingUpdate packet is transmitted to the DoS attack terminal, if it can be determined that the connection is already a DoS attack, the BindingUpdate packet itself may not be transmitted. By doing so, a DoS attack can be avoided more reliably.
Since a BindingUpdate packet can be received only by a device that supports Mobile IP, in the case of a device that does not support it, a notification including information equivalent to a unique BindingUpdate packet is sent, and the original user terminal 25a also has the unique It is necessary to install in advance a module or the like that receives the BindingUpdate packet and switches the connection.

FIG. 5 is a diagram illustrating processing of the BindingUpdate agent 2 and the home agent 1 in the DoS attack avoidance system 10. This figure shows the own IP address changing process of the BindingUpdate agent 2, which is another feature of the DoS attack avoidance system 10. The own IP address changing process means that, even if a DoS attacking terminal can connect to the true external server 4, the Binding Update agent 2 changes its IP address in a predetermined state, and the Binding Update packet is This is a process for avoiding a DoS attack by transmitting only to the terminal.
In the figure, the MIP address that is the mobile IP address is not set in the server 4 for the outside, but the MIP address is set in the BindingUpdate agent 2. The BindingUpdate agent 2 has a function as a proxy server of the server 4 for the outside, and when there is a connection to the MIP address, the BindingUpdate agent 2 once relays the connection. In other words, the connection destination IP addresses of the regular user terminal 25a and the DoS attacker terminal 25b are MIP addresses, and the IP address of the external server 4 is not disclosed directly to the Internet 20, but the MIP address is disclosed. Therefore, when the server 4 for the outside does not directly receive a connection from the outside, a private IP address may be set.
As a premise, it is assumed that the authorized user terminal 25 a and the DoS attacker terminal 25 b are already connected to the server 4 for the outside via the BindingUpdate agent 2. That is, it is assumed that the DoS attacker terminal 25b obtains and connects with the MIP address by some means (steps S5-1 and S5-2). Next, the BindingUpdate agent 2 selects one IP address from the preset IP addresses, and changes the MIP address to the selected IP address (step S5-3). The BindingUpdate agent 2 that has changed the MIP address generates a BindingUpdate packet that includes a BindingUpdate message. Then, a BindingUpdate packet including the information of the MIP address is transmitted for all the transmission source IP addresses of the connected communication (step S5-4). A Binding Update packet arrives at the authorized user terminal 25a that does not pretend the source IP address, and the connection can be switched to a new MIP address. On the other hand, the Binding Update packet does not arrive at the DoS attacker terminal 25b that pretends the source IP address, is discarded in the middle, and cannot receive the changed MIP address. If the connection from the DoS attacker terminal 25b can already be determined as an attack when sending the BindingUpdate packet, the BindingUpdate packet may not be sent.
In addition, the BindingUpdate agent 2 notifies the router 3 and the home agent 1 of the routing information change notification whose MIP address has been changed. In accordance with the routing information change notification, the routing table for route control is changed, and the router 3 is set so as to be transferred to the decoy network 7 when the connection to the previous MIP address is received. The home agent 1 receives the routing information change notification and updates the association between the PIP address and the MIP address (step S5-5). The DoS attacker terminal 25b that could not receive the Binding Update packet from the MIP due to the change in the routing table of the router 3 transmits the packet with the previous MIP address. However, since the routing table is changed, the packet is transferred to the decoy network 7 and discarded (step S5-6).
On the other hand, the legitimate user terminal 25a receives the BindingUpdate packet, changes the connection to the new MIP address (step S5-7), and the BindingUpdate agent 2 relays and downloads the web page and the like from the server 4 for the outside. It becomes possible.
Thereby, even when the connection of the DoS attacker terminal 25b is accepted, the IP address can be changed in the middle of the connection, so the DoS attacker can maintain the connection of the other regular user terminal 25a. Only the terminal 25b can be excluded from the connection to the outward server 4.

FIG. 6 shows a connection destination IP address change process when the client terminal 25 is compatible with Mobile IPv6. In the figure, a client terminal 25 is a terminal on the Internet, and has already received the public IP address of the server 4 for the outside, that is, the PIP address by DNS. In addition, since the client terminal 25 is compatible with Mobile IPv6, the client can receive the BindingUpdate packet as a standard, and there is no need to newly install software.
First, the client terminal 25 transmits a packet addressed to the PIP address. At this time, a CIP (Client IP) address is set for the source IP address (Src: in the figure) of the packet, and a PIP address is set for the destination IP address (Dst: in the figure) for transmission. To do. Here, the packet to be transmitted includes TCP Syn transmitted at the beginning of TCP (Transmission Control Protocol) setting (step S6-1). The home agent 1 that has received the packet addressed to the PIP address generates a packet including the BindingUpdate packet (step S6-2). Then, the CIP address is set as the destination IP address of the packet, and the MIP address that is the IP address of the BindingUpdate agent 2 is set as the source IP address. A PIP address is set in the home address option header, and BindingUpdate is set in the mobility header. In IPv6, an IPsec authentication header provided as a standard is set as necessary and transmitted to the Internet. At this time, if the client terminal 25 is deceiving a CIP address for an attack, the packet does not reach the client terminal 25, and the client terminal 25 cannot receive the information on the MIP address (step S6). -3). The client terminal 25 that has received the packet authenticates whether the packet is from the home agent 1 when IPsec is set in the packet. Next, the binding cache that is a table associating the PIP address with the MIP address is updated, and all transmission packets for the PIP address thereafter are converted to the MIP address. Since this conversion process is performed in the software of the protocol stack of Mobile IP, it appears to the upper application of the client terminal 25 that it is communicating with the PIP address (step S6-4). The client terminal 25 sets the MIP address as the destination IP address, sets the CIP as the source IP address, sets the PIP address as the home address, and transmits the packet to the Internet (step S6-5). The BindingUpdate agent 2 that has received the packet starts normal processing as a packet addressed to the MIP address, and relays communication between the server 4 for the outside and the client terminal 25 as a proxy server (step S6-6). When communication from the client terminal 25 to the external server 4 is received, the IP address of the external server 4 is set as the destination IP address, and the MIP address is set as the source IP address. To send to. On the other hand, when a packet from the external server 4 to the client terminal 25 is received, the CIP address is set as the destination IP address, the MIP address is set as the source IP address, the PIP address is set as the home address, and the data is externally set. The data received from the destination server 4 is set and transmitted to the Internet (step S6-7). For example, in the case of a web page, the client terminal 25 displays the content of a predetermined web page in the external server 4 on the screen.
In the figure, the difference between the normal mobile IP system and the DoS attack avoidance system of this embodiment is the following two points. The first point is that the home agent 1 forwards the packet addressed to the public IP address to the MIP address in the mobile IP system, but does not forward it in the DoS attack avoidance system. The second point is that the home agent 1 does not transmit the Binding Update packet to the client terminal 25 in the mobile IP system, but transmits it in the DoS attack avoidance system.
That is, the operation required for the packet on the network and the client terminal 25 remains the function of Mobile IPv6, but the BindingUpdate agent 2 has a function specific to the DoS attack avoidance system.

FIG. 7 shows a connection destination IP address change process when the client terminal 25 does not support Mobile IPv6. In the figure, a client terminal 25 is a terminal on the Internet, and has already received the public IP address of the server 4 for the outside, that is, the PIP address by DNS. Further, since the client terminal 25 does not support Mobile IPv6, that is, it is implemented in an IPv4 environment, a unique BindingUpdate reception module and a PIP address / MIP address conversion module are required. As a method for installing the module, in addition to a method using a recording medium such as a CD-ROM, a method for automatically downloading from the home agent 1 using a download applet or the like can be considered.
First, the client terminal 25 transmits a packet addressed to the PIP address. At this time, the CIP address is set as the source IP address of the packet, and the PIP address is set as the destination IP address for transmission. Here, the packet to be transmitted includes TCP Syn transmitted at the beginning of the TCP setting (step S7-1). The home agent 1 that has received the packet addressed to the PIP address generates a unique BindingUpdate packet (step S7-2). A CIP address is set as the destination IP address, and a PIP address is set as the source IP address. When the client terminal 25 authenticates whether the packet is from the home agent 1 when it is compatible with IPsec, an authentication header is also set. Then, the instruction information for changing the binding information of the PIP address of the client terminal 25 to the MIP address is set in the option header or the like, and the packet is transmitted to the Internet. At this time, if the client terminal 25 is deceiving a CIP address for an attack, the packet does not reach the client terminal 25, and the client terminal 25 cannot receive the information on the MIP address (step S7). -3). The client terminal 25 that has received the packet authenticates whether the packet is from the home agent 1 when IPsec is set in the packet. All subsequent packets for the PIP address are converted for the MIP address. During the conversion process, it appears to the upper application of the client terminal 25 that it is communicating with the PIP address (step S7-4). The client terminal 25 sets the MIP address as the destination IP address, sets the CIP as the source IP address, sets the PIP address as the home address, and transmits the packet to the Internet (step S7-5). The Binding Update agent 2 that has received the packet starts normal processing as a packet addressed to the MIP address, and relays between the server 4 and the client terminal 25 as a proxy server (step S7-6). When communication from the client terminal 25 to the external server 4 is received, the IP address of the external server 4 is set as the destination IP address, and the MIP address is set as the source IP address. Send to. On the other hand, when a packet from the external server 4 to the client terminal 25 is received, the CIP address is set as the destination IP address, the MIP address is set as the source IP address, the PIP address is set as the home address, and the data is externally set. The data received from the destination server 4 is set and transmitted to the Internet (step S7-7). For example, in the case of a web page, the client terminal 25 displays the content of a predetermined web page in the external server 4 on the screen.

FIG. 8 shows the own IP address changing process of the BindingUpdate agent 2 when the client terminal 25 is compatible with Mobile IPv6.
In the figure, the client terminal 25 has already acquired the MIP address from the home agent 1 described above. Then, communication is started with the outward server 4 using the BindingUpdate agent 2 as a proxy server (step S8-1). The BindingUpdate agent 2 changes the MIP address (step S8-2). The BindingUpdate agent notifies the home agent 1 of the new MIP address. The notification method may be a method using a BindingUpdate packet or another notification method, for example, the above-described routing information change notification (step S8-3). The home agent 1 that has received the MIP address change notification updates the PIP address / MIP address correspondence table to a new MIP address (step S8-4). Similarly, the BindingUpdate agent 2 notifies the router 3 of the new MIP address. The notification may be a method using a BindingUpdate packet or another notification method, for example, the above-described routing information change notification (step S8-5). The router 3 that has received the MIP address change notification updates the routing table of the old MIP address and the new MIP address (step S8-6). Next, the BiddingUpdate agent 2 generates a BindingUpdate packet to notify the client terminal 25 of the new MIP address. A CIP address is set as the destination of the packet, a MIP address is set as the source IP address, PIP is set as the home address, and BindingUpdate is set as the mobility header. In IPv6, an IPsec authentication header provided as a standard is set as necessary, and the packet is transmitted to the Internet. At this time, if the client terminal 25 is deceiving a CIP address for an attack, the packet does not reach the client terminal 25, and the client terminal 25 cannot receive the new MIP address after the change ( Step S8-7). The client terminal 25 that has received the packet authenticates whether the packet is from the home agent 1 if the packet is set to IPsec. Then, all packets to the PIP address are converted into packets for the MIP address. Since this conversion processing is performed in the software of the protocol stack of Mobile IP, it appears to the upper application of the client terminal 25 that it is communicating with the PIP address (step S8-8). The client terminal 25 sets the MIP address as the destination IP address, sets the CIP as the source IP address, sets the PIP address as the home address, and transmits the packet to the Internet (step S8-9). The Binding Update agent 2 that has received the packet performs normal processing as a packet addressed to the MIP address (step S8-10). Then, the BindingUpdate agent 2 relays the server 4 to the outside as a proxy server and the client terminal 25 (step S8-11). When communication from the client terminal 25 to the external server 4 is received, the IP address of the external server 4 is set as the destination IP address, and the MIP address is set as the source IP address. Send to. On the other hand, when a packet from the external server 4 to the client terminal 25 is received, the CIP address is set as the destination IP address, the MIP address is set as the source IP address, the PIP address is set as the home address, and the data is externally set. The data received from the destination server 4 is set and transmitted to the Internet (step S8-12). For example, in the case of a web page, the client terminal 25 displays the content of a predetermined web page in the external server 4 on the screen.

FIG. 9 shows the own IP address changing process when the client terminal 25 does not support Mobile IPv6.
In the figure, the client terminal 25 has already acquired the MIP address from the home agent 1 described above. Then, communication is started with the outward server 4 using the BindingUpdate agent 2 as a proxy server (step S9-1). The BindingUpdate agent 2 changes the MIP address (step S9-2). The BindingUpdate agent notifies the home agent 1 of the new MIP address. The notification method may be a method using a BindingUpdate packet or another notification method, for example, the above-described routing information change notification (step S9-3). Upon receiving the MIP address change notification, the home agent 1 updates the PIP address / MIP address correspondence table to a new MIP address (step S9-4). Similarly, the BindingUpdate agent 2 notifies the router 3 of the new MIP address. This notification may be a method using a BindingUpdate packet or another notification method, for example, the above-described routing information change notification (step S9-5). The router 3 that has received the MIP address change notification updates the routing table of the old MIP address and the new MIP address (step S9-6). Next, the BiddingUpdate agent 2 generates a unique BindingUpdate packet to notify the client terminal 25 of the new MIP address. A CIP address is set as the destination of the packet, and an MIP address is set as the source IP address. When the client terminal 25 authenticates whether the packet is from the home agent 1 when it is compatible with IPsec, an authentication header is also set. Then, the instruction information for changing the binding information of the PIP address of the client terminal 25 to the MIP address is set in the option header or the like, and the packet is transmitted to the Internet. At this time, if the client terminal 25 is deceiving a CIP address for an attack, the packet does not reach the client terminal 25, and the client terminal 25 cannot receive the new MIP address after the change ( Step S9-7). The client terminal 25 that has received the packet authenticates whether the packet is from the home agent 1 when IPsec is set in the packet. Then, all packets to the PIP address are converted into packets for the MIP address. During the conversion process, it appears that the upper application of the client terminal 25 is communicating with the PIP address (step S9-8). The client terminal 25 sets the MIP address as the destination IP address, sets the CIP as the source IP address, sets the PIP address as the home address, and transmits the packet to the Internet (step S9-9). The BindingUpdate agent 2 that has received the packet performs normal processing as a packet addressed to the MIP address (step S9-10). Then, the BindingUpdate agent 2 relays the server 4 to the outside as a proxy server and the client terminal 25 (Step S9-11). When communication from the client terminal 25 to the external server 4 is received, the IP address of the external server 4 is set as the destination IP address, and the MIP address is set as the source IP address. Send to. On the other hand, when a packet from the external server 4 to the client terminal 25 is received, the CIP address is set as the destination IP address, the MIP address is set as the source IP address, the PIP address is set as the home address, and the data is externally set. The data received from the destination server 4 is set and transmitted to the Internet (step S9-12). For example, in the case of a web page, the client terminal 25 displays the content of a predetermined web page in the external server 4 on the screen.

  In the DoS attack avoidance system of the present invention, separate routers may be provided for the home agent 1 and the binding update agent 2. With such a configuration, it is possible to reduce the load on the router.

  The DoS attack avoidance system described above has a computer system inside. The above-described process of changing the connection destination IP address and the self IP address is stored in a computer-readable recording medium in a program format, and the above process is performed by the computer reading and executing this program. Is called. Here, the computer-readable recording medium means a magnetic disk, a magneto-optical disk, a CD-ROM, a DVD-ROM, a semiconductor memory, or the like. Alternatively, the computer program may be distributed to the computer via a communication line, and the computer that has received the distribution may execute the program.

It is the block diagram (the 1) which showed the structure of the DoS attack avoidance system and its connection apparatus in one Embodiment of this invention. It is the block diagram (the 2) which showed the structure of the DoS attack avoidance system in the same embodiment, and its connection apparatus. It is a block diagram of the DoS attack avoidance system in the same embodiment. It is the figure which showed the connection destination IP address change process of the DoS attack avoidance system in the embodiment. It is the figure which showed the own IP address change process of the DoS attack avoidance system in the embodiment. It is the figure which showed the connection destination IP address change process in the case of the IPv6 corresponding | compatible apparatus in the same embodiment. It is the figure which showed the connection destination IP address change process in the case of the IPv6 incompatible apparatus in the same embodiment. It is the figure which showed the own IP address change process in the case of the IPv6 corresponding apparatus in the embodiment. It is the figure which showed the own IP address change process in the case of the IPv6 incompatible apparatus in the same embodiment. It is the figure which showed the kind of conventional DoS attack. It is the figure which showed the pattern of the conventional DoS attack.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Home agent 2 BindingUpdate agent 3 Router 4 Outbound server 10 DoS attack avoidance system 20 Internet 25 Client terminal

Claims (6)

A terminal device that transmits and receives packets; a packet transfer device that relays packets; a content server device that is connected to the packet transfer device and stores content; a network that houses the terminal device and the packet transfer device; In a communication system comprising
When the packet is received from the terminal device via the packet transfer device and connected to the packet transfer device, the logical address information set in the source logical address of the received packet is the destination logical address. A connection destination change instruction packet is generated, logical address information of the specific content server device is set in an information element of the connection destination change instruction packet, and the connection destination change instruction packet is transmitted to the network via the packet transfer device. includes a public server apparatus transmitting to,
The terminal device further receives the connection destination change instruction packet, and communicates with a specific logical address of the content server device described in the packet . A terminal device that transmits and receives a packet; a packet transfer device that relays a packet; a proxy server device that is connected to the packet transfer device and relays the received packet according to a preset logical address of the relay destination; and the proxy In a communication system comprising a content server device connected to a server device and storing content etc., and a network accommodating the terminal device and the packet transfer device,
When the packet is received from the terminal device via the packet transfer device and connected to the packet transfer device, the logical address information set in the source logical address of the received packet is the destination logical address. A connection destination change instruction packet to be generated, the logical address information of the proxy server device is set in an information element of the connection destination change instruction packet, and the connection destination change instruction packet is transmitted to the network via the packet transfer device. A public server device for transmission,
The proxy server device
When a predetermined state is detected, the local logical address information is changed to another logical address information set in advance, the logical address of the terminal device being relayed is detected, and the logical address is received The connection destination change instruction packet set to the destination logical address is generated, the changed own logical address information is set in the information element of the connection destination change instruction packet, and the connection destination change instruction packet is passed through the packet transfer apparatus. And transmitting to the network. The proxy server device
When changing the own logical address information to another logical address information set in advance, notify the packet transfer device and the public server device of a logical address change notification including the changed own logical address information,
The packet transfer device includes:
When the logical address change notification is received, the routing information is changed according to the changed logical address included in the logical address change notification, and the transfer destination of the logical address information of the proxy server before the change is transferred to the public server device. change,
The public server device
When the logical address change notification is received, the correspondence information between the logical address information of the public server device and the logical address information of the proxy server device is updated according to the logical address after the change included in the logical address change notification. The communication system according to claim 2. The terminal device
When the connection destination change instruction packet is received from the network, the destination logical address of the packet transmitted to the proxy server device is included in the logical address included in the information element of the connection destination change instruction packet The communication system according to claim 1, wherein the communication system is changed to information.   5. The communication system according to claim 1, wherein the information element of the connection destination change instruction packet is a source logical address. A terminal device that transmits and receives packets; a packet transfer device that relays packets; a content server device that is connected to the packet transfer device and stores content; a network that houses the terminal device and the packet transfer device; to be included in the communication system, connected to the packet transfer device computer with a,
When the packet is received from the terminal device via the packet transfer device, a connection destination change instruction packet is generated with the logical address information set in the source logical address of the received packet as the destination logical address And steps to
Setting a logical address information of a particular of the content server apparatus to the information element of the connection destination change instruction packet,
In order for the terminal device to receive the connection destination change instruction packet and communicate with the logical address of the specific content server device described in the packet, the terminal device changes the packet via the packet transfer device. transmitting to said network Te,
A computer program for running .

Images