WO2006059572A1 - Communication device and communication method - Google Patents


Info

Publication number
WO2006059572A1
Authority
WO
WIPO (PCT)
Prior art keywords
port
communication
message
communication device
opposite device
Application number
PCT/JP2005/021807
Other languages
French (fr)
Japanese (ja)
Inventor
Naoyuki Mochida
Original Assignee
Matsushita Electric Industrial Co., Ltd.
Application filed by Matsushita Electric Industrial Co., Ltd.
Publication of WO2006059572A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441: Countermeasures against malicious traffic
    • H04L 63/1458: Denial of Service

Definitions

  • The present invention relates to a communication device and a communication method, and in particular to controlling the reception port when a communication device that receives call control messages via a network is subjected to a DoS (Denial of Service) attack.
  • Background art
  • Services that involve real-time data communication, such as Internet telephony and video distribution, generally use call control protocols to exchange call control messages between terminals or between a terminal and a server. These messages control connection and disconnection and negotiate the various parameters used for the voice and video communication. Since such exchanges can occur at any time while the terminal is operating, a port for receiving call control messages must always be kept open.
  • A DoS attack sends a large amount of data, or illegal data, to a terminal or server via a network in order to disable its normal operation. Such attacks are often directed at public servers such as Web servers and DNS (Domain Name System) servers.
  • Terminals such as IP phones, which merely use public servers, also keep a port open for receiving call control messages and may therefore be subject to DoS attacks.
  • If unauthorized access such as a DoS attack is received on the port for call control messages, the load of processing the attack messages increases until other processing cannot be performed, so the service cannot be continued; in the worst case the equipment stops altogether.
  • As a general method for avoiding DoS attacks, there is a method using an IDS (Intrusion Detection System) (Patent Document 1). In this method the IDS monitors for unauthorized access, and when it detects a DoS attack a firewall is configured based on the detection result, for example to close the port under attack.
  • Patent Document 1: Japanese Patent Laid-Open No. 2002-252654
  • Patent Document 2: Japanese Patent Laid-Open No. 2003-99339
  • In the method of detecting unauthorized access with an IDS, it is difficult to decide which accesses are to be regarded as unauthorized. Furthermore, an IDS is generally an expensive device or piece of software, and it is difficult to build one into a low-priced consumer device such as a telephone or a home appliance.
  • The present invention has been made in view of the above points. Its object is to provide a communication device and a communication method that reduce the influence of unauthorized access such as a DoS attack so as to prevent communication failure, and that can continue the original service even while such unauthorized access is being received.
  • The communication device of the present invention opens a first port for receiving messages from an unspecified number of communication partners and a second port, different from the first port, for communication with a specific communication partner. It includes a reception unit that receives messages from the specific communication partner at the second port once that port has been opened, a notification unit that notifies the specific communication partner of the second port by a message, and a filter unit that filters received data addressed to the first port.
  • The communication method of the present invention includes the steps of opening a first port for receiving messages from an unspecified number of communication partners; opening a second port, different from the first port, for communication with a specific communication partner; after the second port is opened, receiving the messages of the specific communication partner at the second port; notifying the specific communication partner of the second port by a message; and filtering received data addressed to the first port.
  • According to the present invention, the influence of unauthorized access such as a DoS attack is reduced so that communication failure is prevented, and the original service can be continued even while such unauthorized access is being received.
  • The reception port for call control messages is dynamically changed, and the original reception port and the new reception port are filtered separately. Therefore, even if unauthorized access such as a DoS attack is directed at the call control reception port that must be kept open to other devices, the service can be continued.
  • FIG. 1 is a block diagram showing a schematic configuration of a network system including a communication device according to Embodiment 1 of the present invention.
  • FIG. 2 is a sequence diagram showing an example of message exchange between the communication device and the opposite device according to Embodiment 1 of the present invention.
  • FIG. 3 is a sequence diagram showing an example of message exchange between a communication device and a counterpart device according to Embodiment 2 of the present invention.
  • FIG. 4 is a block diagram showing a schematic configuration of a network system including a communication apparatus according to Embodiment 3 of the present invention.
  • FIG. 5 is a flowchart showing the operation of the communication apparatus according to Embodiment 3 of the present invention.
  • FIG. 6 is a block diagram showing a schematic configuration of a network system including a communication apparatus according to Embodiment 4 of the present invention.
  • FIG. 7 is a sequence diagram showing an example of message exchange between a communication device and a counterpart device according to Embodiment 5 of the present invention.
  • FIG. 8 is a diagram showing an example of an SDP part of an “INVITE” message transmitted from the communication device according to Embodiment 5 of the present invention.
  • The term "opposite device" refers to a device that communicates via a network with the communication device to which the present invention is applied, irrespective of whether a server or other intermediary mediates the communication. In a broad sense it means any terminal or server that performs communication.
  • The phrase "in communication" means, in a broad sense, the period between the communication device being powered on and powered off during which some kind of signal (for example, various control messages, and various information messages other than control messages, such as audio, video and data) is exchanged between the communication device and the opposite device.
  • FIG. 1 is a block diagram showing a schematic configuration of a network system including a communication apparatus according to Embodiment 1 of the present invention.
  • a communication device 100 is connected to a counter device 130 via a network 120.
  • The communication device 100 and the opposite device 130 may each be any of various terminals, such as PCs (Personal Computers), ordinary telephones, mobile phones and network home appliances, or any of various servers, such as server devices for Internet telephony and server devices for video distribution.
  • The communication device 100 has a function of dynamically changing the reception port for call control messages. It opens a plurality of ports (for convenience only two, 102 and 104, are shown) and includes a receiving unit 106 that receives messages at those ports and a notification unit 108 that notifies the opposite device 130 of a newly opened port by a message.
  • The first port 102 is a port for receiving messages from an unspecified number of terminals or servers.
  • the second port 104 is a port newly established for communication with the opposite device 130 in response to a connection request message from the opposite device 130.
  • a filter unit 110 that filters received data addressed to the first port 102 is provided between the first port 102 and the receiving unit 106.
  • the reception unit 106, the notification unit 108, and the filter unit 110 are provided as functions of the main CPU 112 of the communication device 100, for example.
  • In the following, the case where the communication apparatus 100 is an Internet telephone terminal, that is, an IP telephone, is described as an example.
  • The communication terminal (IP telephone) 100 needs to open a port for receiving call control messages in order to receive incoming calls from other terminals or servers.
  • When SIP (Session Initiation Protocol) is used as the call control protocol, the default port 5060 is generally opened. In FIG. 1 this port is shown as the first port 102.
  • the receiving unit 106 opens the first port 102 at the time of startup or the like.
  • the opposite device 130 transmits a connection request call control message to the first port 102 in order to communicate with the communication device 100.
  • When the communication device 100 receives the call control message at the first port 102, it opens the second port 104.
  • The receiving unit 106 notifies the notification unit 108 of the newly opened second port 104.
  • The notification unit 108 notifies the opposite device 130 of the newly opened second port 104 via the network 120. The content of this notification is described in a call control message and sent.
  • FIG. 2 is a sequence diagram illustrating an example of message exchange between the communication device 100 and the opposite device 130.
  • The communication apparatus 100 opens the first port 102 at the receiving unit 106 at start-up or the like (S1000).
  • Assuming that the opposite device 130 uses SIP as the call control protocol to communicate with the communication device 100, it sends an "INVITE" message to the first port 102 of the communication device 100 as the call control message for the connection request (S1100).
  • The first port 102 may typically be the default port of the protocol in use, but it may be any port agreed upon between the communication device 100 and the opposite device 130 by some means such as a DNS lookup or prior arrangement.
  • When the communication device 100 receives the "INVITE" message from the opposite device 130 at the first port 102, it must return a response message. At this time the communication device 100 newly opens the second port 104 for communication with the opposite device 130 at the receiving unit 106 (S1200) and notifies the notification unit 108 of the opened second port 104. The notification unit 108 then describes the second port 104 in the response message, thereby notifying the opposite device 130 that call control messages will be received at the second port 104 from then on (S1300). In the example of FIG. 2, with SIP as the call control protocol, the communication device 100 uses the "Contact" header of the "200 OK" message to notify the opposite device 130 that the port for receiving subsequent call control messages is "15060".
  • When the opposite device 130 receives the "200 OK" message from the communication device 100, it transmits an ACK message to the second port 104 of the communication device 100 (S1400). This ACK message is received at the second port 104 of the communication device 100.
  • Thereafter, the opposite device 130 transmits call control messages for the communication device 100 to the second port 104 of the communication device 100.
  • In this way, the call control session between the communication device 100 and the opposite device 130 is continued while the reception port is switched from the first port 102 to the second port 104.
  • Meanwhile, the received data addressed to the first port 102 is filtered by the filter unit 110.
  • For example, when a DoS attack message from the DoS attack communication device 140 of a malicious user arrives at the first port 102 (S1500), the message is filtered by the filter unit 110 (S1600).
  • The filtering rule executed by the filter unit 110 is arbitrary. All data may be allowed to pass without restriction, or conversely all data may be discarded, or only a certain amount of data per unit time may be passed. The filtering may also include, for example, a virus check.
  • The filter unit 110 may be configured as dedicated hardware having a filtering function, or may be implemented on a CPU different from the main CPU 112 of the communication device 100. With such a configuration, even if there is unauthorized access to the first port 102, communication with the opposite device 130 is not affected.
  • In this way, while continuing the call control session with the opposite device 130, the receiving port can be changed from an old port that is likely to be accessed illegally (for example, the default port) to a port newly assigned to that connection, so the session with the opposite device 130 can be continued regardless of unauthorized access such as a DoS attack on the old port. In addition, since the old port can be filtered, processing such as discarding can be performed per port even while unauthorized access such as a DoS attack is being received there, which limits the range of influence of the attack.
  • In short, a message such as a call control message for a connection request from the opposite device 130 is accepted at a generally open port such as the default port; a new port is then opened for the opposite device 130, announced to it by a message, and subsequent messages are received on the new port. The port on which messages from the opposite device 130 are received can thus be changed while a connection such as the call control session continues. Therefore, even if unauthorized access such as a DoS attack is received on the old port or on a port of another device, the session with the opposite device 130 can be continued and the attack data can be discarded per port by filtering, which limits the impact of the attack while the service continues.
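The FIG. 2 exchange, as an added illustration that is not part of the patent and not code from Matsushita: an in-memory SIP endpoint that answers an "INVITE" on the first port (5060) with a "200 OK" whose "Contact" header carries the newly opened second port (15060), accepts the ACK only there, and drops everything else that arrives on the first port. It also performs the Embodiment 2 mid-call switch by sending an "INVITE" with a new "Contact" port. The addresses, the Call-ID, the choice of filter rule for the first port (pass only new "INVITE"s, which the text leaves open) and the port numbers after 15060 are assumptions; no sockets are opened.

```python
import re
from dataclasses import dataclass, field

FIRST_PORT = 5060   # first port 102: the default SIP port, open to everyone
PEER = "198.51.100.7"   # opposite device 130 (constructed address)


def parse_sip(raw):
    """Return (start line, lower-cased header dict, body) of one SIP message."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def build_sip(start_line, headers, body=""):
    """Serialise a SIP message; Content-Length is computed from the body."""
    hdrs = "".join(f"{k}: {v}\r\n" for k, v in headers.items())
    return f"{start_line}\r\n{hdrs}Content-Length: {len(body)}\r\n\r\n{body}"


def contact_port(headers):
    """Port the peer must use for later requests, read from the Contact URI."""
    m = re.search(r"sip:(?:[^@>\s;]+@)?[^:;>\s]+:(\d+)", headers.get("contact", ""))
    return int(m.group(1)) if m else FIRST_PORT


@dataclass
class SignalingDevice:
    """Communication device 100: one first port for everyone, one second port per dialog."""
    host: str = "192.0.2.10"                          # constructed address
    next_port: int = 15060                            # second port 104 in the patent's example
    open_ports: set = field(default_factory=lambda: {FIRST_PORT})
    dialog_port: dict = field(default_factory=dict)   # Call-ID -> port assigned to that peer
    dropped: list = field(default_factory=list)       # start lines rejected by the filter

    def _allot_port(self, call_id):
        port, self.next_port = self.next_port, self.next_port + 1
        self.open_ports.add(port)
        self.dialog_port[call_id] = port
        return port

    def receive(self, dst_port, raw):
        """Deliver one message to one port; return (status, reply or None)."""
        if dst_port not in self.open_ports:
            return "closed", None
        start, hdrs, _ = parse_sip(raw)
        call_id = hdrs.get("call-id")
        if start.startswith("INVITE ") and call_id not in self.dialog_port:
            if dst_port != FIRST_PORT:           # new calls only arrive on the first port
                self.dropped.append(start)
                return "dropped", None
            port = self._allot_port(call_id)     # S1200: open the second port
            reply = build_sip("SIP/2.0 200 OK", {   # S1300: announce it in Contact
                "Via": hdrs.get("via", ""), "From": hdrs.get("from", ""),
                "To": hdrs.get("to", ""), "Call-ID": call_id,
                "CSeq": hdrs.get("cseq", ""), "Contact": f"<sip:{self.host}:{port}>"})
            return "replied", reply
        # Filter unit 110: anything else on the first port, and any in-dialog
        # message that did not follow the Contact port, is discarded.
        if dst_port == FIRST_PORT or dst_port != self.dialog_port.get(call_id):
            self.dropped.append(start)
            return "dropped", None
        return "accepted", None

    def switch_port(self, call_id, cseq, peer_uri):
        """Embodiment 2: move a live dialog to a fresh port with an INVITE (S2250-S2300)."""
        self.open_ports.discard(self.dialog_port[call_id])
        port = self._allot_port(call_id)
        return build_sip(f"INVITE sip:{peer_uri} SIP/2.0", {
            "Call-ID": call_id, "CSeq": f"{cseq} INVITE",
            "Contact": f"<sip:{self.host}:{port}>"})


def demo():
    """FIG. 2 exchange plus the Embodiment 2 switch, simulated in memory."""
    dev = SignalingDevice()
    invite = build_sip("INVITE sip:bob@192.0.2.10 SIP/2.0", {
        "Via": f"SIP/2.0/UDP {PEER}:5060", "From": f"<sip:alice@{PEER}>",
        "To": "<sip:bob@192.0.2.10>", "Call-ID": "c1@alice", "CSeq": "1 INVITE"})
    _, ok = dev.receive(FIRST_PORT, invite)                      # S1100 -> S1300
    port = contact_port(parse_sip(ok)[1])                        # peer learns 15060
    ack = build_sip(f"ACK sip:bob@192.0.2.10:{port} SIP/2.0",
                    {"Call-ID": "c1@alice", "CSeq": "1 ACK"})
    ack_status, _ = dev.receive(port, ack)                       # S1400
    flood = build_sip("OPTIONS sip:bob@192.0.2.10 SIP/2.0",
                      {"Call-ID": "junk", "CSeq": "9 OPTIONS"})
    flood_status, _ = dev.receive(FIRST_PORT, flood)             # S1500 -> S1600
    stale_status, _ = dev.receive(FIRST_PORT, ack)               # in-dialog message on old port
    reinvite = dev.switch_port("c1@alice", 2, f"alice@{PEER}")   # S2250 -> S2300
    port2 = contact_port(parse_sip(reinvite)[1])
    bye = build_sip(f"BYE sip:bob@192.0.2.10:{port2} SIP/2.0",
                    {"Call-ID": "c1@alice", "CSeq": "3 BYE"})
    bye_status, _ = dev.receive(port2, bye)
    old_status, _ = dev.receive(port, bye)                        # retired second port
    return {"port": port, "ack": ack_status, "flood": flood_status,
            "stale": stale_status, "port2": port2, "bye": bye_status,
            "old_port": old_status, "dropped": len(dev.dropped)}
```

The "Contact" header is the standard SIP mechanism for telling a peer where in-dialog requests such as ACK and BYE must go, so no protocol extension is needed; the per-dialog port table is what lets the device tell the peer's traffic apart from everything else hitting 5060.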
  • In Embodiment 1 the reception port is changed at the timing when the "INVITE" message from the opposite device 130 is received, but the timing of the change is not limited to this: the receiving port can be changed at any point during communication (in the broad sense). This is described in Embodiment 2.
  • Embodiment 2 is the case where the reception port is changed at an arbitrary point during communication (in the broad sense). Embodiment 1 described changing the reception port before the start of communication in the IP telephone; this embodiment describes changing it after the start of communication, where "after the start of communication" is understood in the broad sense defined above.
  • FIG. 3 is a sequence diagram showing an example of message exchange between the communication device and the counterpart device according to Embodiment 2 of the present invention.
  • the configuration of the system is the same as that of Embodiment 1 shown in FIG.
  • The communication device 100 receives the call control message for the connection request from the opposite device 130 at the first port 102 and starts communication using the first port 102 as it is. At any time during communication, the reception port in use is switched from the first port 102 to the second port 104 while continuing the call control session with the opposite device 130.
  • The communication device 100 opens the first port 102 at the receiving unit 106 at start-up (S2000).
  • The opposite device 130 transmits an "INVITE" message as the connection request call control message to the first port 102 of the communication device 100 (S2050).
  • When the communication device 100 receives the "INVITE" message from the opposite device 130 at the first port 102, it transmits a "200 OK" message as the response to the opposite device 130 (S2100). When the opposite device 130 receives the "200 OK" message, it transmits an ACK message to the first port 102 of the communication device 100 (S2150). When the communication device 100 receives the ACK message at the first port 102, it communicates with the opposite device 130 using the first port 102 as it is; that is, a call between the user of the communication device 100 and the user of the opposite device 130 is started (S2200).
  • At an arbitrary timing after the start of communication, the communication device 100 newly opens the second port 104 for communication with the opposite device 130 (S2250) and notifies the notification unit 108 of the opened second port 104.
  • The notification unit 108 then describes the second port 104 in a message and notifies the opposite device 130 that call control messages will be received at the second port 104 from then on (S2300).
  • Specifically, when SIP is used as the call control protocol, the communication device 100 transmits an "INVITE" message whose "Contact" header carries "15060", the new second port 104, to the opposite device 130.
  • The arbitrary timing after the start of communication may be, for example, the timing of transmission or reception of various messages exchanged between the communication device 100 and the opposite device 130 during the call (for example, a REGISTER, OPTIONS or BYE message), or the timing after a predetermined time has elapsed since the start of communication with the opposite device.
  • When the opposite device 130 receives the "INVITE" message from the communication device 100, it transmits a "200 OK" message as the response to the second port 104 of the communication device 100 (S2350).
  • Upon receiving the "200 OK" message from the opposite device 130, the communication device 100 transmits an ACK message to the opposite device 130 (S2400).
  • Upon receiving the ACK message from the communication device 100, the opposite device 130 thereafter transmits response and request call control messages to the second port 104 of the communication device 100.
  • Meanwhile, the received data addressed to the first port 102 is filtered by the filter unit 110. For example, when a DoS attack message from the DoS attack device 140 of a malicious user arrives at the first port 102 (S2450), the message is filtered by the filter unit 110 (S2500).
  • Here the reception port is switched during communication in the narrow sense, that is, after the IP phone call with the user of the opposite device has started, whereas in Embodiment 1 the receiving port is switched before that call starts.
  • Embodiment 3 is the case where the receiving port is changed upon detecting a DoS (Denial of Service) attack.
  • FIG. 4 is a block diagram showing a schematic configuration of a network system including a communication apparatus according to Embodiment 3 of the present invention.
  • the communication device 200 has the same basic configuration as that of the communication device 100 shown in FIG. 1, and the same components are denoted by the same reference numerals, and the description thereof is omitted.
  • A feature of this embodiment is a detection unit 202 that detects a DoS attack on each port; when the detection unit 202 detects a DoS attack, the reception port used for communication with the opposite device 130 is switched from the first port 102 to the second port 104.
  • the detection unit 202 detects a DoS attack addressed to the first port 102, and notifies the reception unit 106 of the detection result when a DoS attack is detected.
  • the presence / absence of a DoS attack can be determined, for example, based on whether the number of packets received per unit time or the amount of data exceeds a preset threshold value.
  • FIG. 5 is a flowchart showing the operation of the communication apparatus according to Embodiment 3.
  • The communication device 200 is communicating with the opposite device 130 using the first port 102.
  • In step S3000, the receiving unit 106 receives the messages arriving at the first port 102 via the filter unit 110 and the detection unit 202. The messages received at the first port 102 may have been sent by a plurality of communication devices, including the opposite device 130.
  • In step S3100, the detection unit 202 determines whether the received messages include a DoS attack message.
  • The presence or absence of a DoS attack can be determined, for example, by whether the number of packets or the amount of data received per unit time exceeds a preset threshold. If a DoS attack message is judged to be present (S3100: YES), the process proceeds to step S3200. If not (S3100: NO), communication with the opposite device 130 continues using the first port 102 (S3500).
  • In step S3200, the detection unit 202 notifies the receiving unit 106 that a DoS attack message is included in the messages received at the first port 102.
  • In step S3300, in response to the notification from the detection unit 202, the reception port of the communication device 200 used for communication with the opposite device 130 is switched from the first port 102 to the second port 104.
  • For this switch, the reception port change procedure after the start of communication shown in FIG. 3 (S2250 to S2400) can be used.
  • That is, on detecting a DoS attack on the first port 102, the communication device 200 opens a new second port 104 for communication with the opposite device 130 and notifies the notification unit 108 of the opened second port 104. The notification unit 108 then describes the second port 104 in a message and notifies the opposite device 130 that call control messages will be received at the second port 104 from then on. Specifically, when SIP is used as the call control protocol, the communication device 200 transmits an "INVITE" message whose "Contact" header carries "15060", the new second port 104, to the opposite device 130.
  • When the opposite device 130 receives the "INVITE" message from the communication device 200, it transmits a "200 OK" message as the response to the second port 104 of the communication device 200.
  • When the communication device 200 receives the "200 OK" message from the opposite device 130, it transmits an ACK message to the opposite device 130. Upon receiving the ACK message, the opposite device 130 thereafter transmits response and request call control messages to the second port 104 of the communication device 200.
  • In step S3400, communication is performed with the opposite device 130 using the second port 104.
  • Meanwhile, the received data addressed to the first port 102 is filtered by the filter unit 110. The filtering rule executed by the filter unit 110 is arbitrary, but in this case it is particularly effective to discard all data, since the port is known to be under DoS attack.
  • The filter unit 110 may be configured as hardware having a filtering function, or on a CPU different from the main CPU 112a of the communication device 200, which is effective in keeping the main CPU 112a unaffected. With the filter unit 110 the DoS attack data can be filtered, and if the filter unit 110 is separated as hardware, the service originally provided can be continued even while a DoS attack is being received.
  • The above describes the case where the communication device 200 and the opposite device 130 are communicating using the first port 102, but the same applies when they are communicating using the second port 104: just as the second port 104 was opened, a third port is opened and notified to the opposite device 130. That is, a new reception port for communication with the opposite device 130 may be opened, and communication with the opposite device 130 continued using that port.
  • Embodiment 4 is a case where received data addressed to a plurality of ports is filtered.
  • FIG. 6 is a block diagram showing a schematic configuration of a network system including the communication apparatus according to Embodiment 4 of the present invention.
  • the communication device 300 has the same basic configuration as that of the communication device 100 shown in FIG. 1, and the same components are denoted by the same reference numerals and description thereof is omitted.
  • a feature of the present embodiment is that it has a plurality of filter units.
  • That is, it has a first filter unit 302 that filters the received data addressed to the first port 102 and a second filter unit 304 that filters the received data addressed to the second port 104.
  • The first filter unit 302 corresponds to the filter unit 110 of Embodiment 1.
  • The filtering rule executed by the second filter unit 304 is also arbitrary: all data may be allowed to pass without restriction, or only data from the opposite device 130 may be passed. In particular, if only data from the opposite device 130 is allowed to pass, the service can be continued even when a DoS attack is directed at the second port 104.
  • The second filter unit 304 may likewise be configured as hardware having a filtering function or on a CPU different from the main CPU 112b of the communication device 300. With such a configuration, unauthorized access to the second port 104 does not affect communication with the opposite device 130.
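The detection unit of Embodiment 3 and the per-port filter rules of Embodiments 1 and 4, as an added worked example that is not part of the patent and not Matsushita's code. The detector counts packets and bytes in a sliding one-second window against a preset threshold (S3100); the first port carries a rate-limit rule until a flood is detected, then switches to "discard all" while a second port that admits only the opposite device is opened (S3200 to S3400, plus the second-port rule of Embodiment 4). The thresholds, the 50-packets-per-second limit, the addresses and the traffic pattern are constructed assumptions, and the simulation treats the port notification as instantaneous, whereas in practice the peer keeps using the old port for one round trip.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # arrival time in seconds
    src: str         # source address
    dst_port: int
    size: int        # bytes


class RateDetector:
    """Detection unit 202: the port is under DoS when packets or bytes seen in
    the last window exceed a preset threshold (S3100)."""
    def __init__(self, window_s=1.0, max_packets=200, max_bytes=200_000):
        self.window_s, self.max_packets, self.max_bytes = window_s, max_packets, max_bytes
        self.events = deque()          # (ts, size) inside the window
        self.bytes = 0

    def observe(self, ts, size):
        """Record one packet; return True once the threshold is exceeded."""
        self.events.append((ts, size))
        self.bytes += size
        while self.events and self.events[0][0] <= ts - self.window_s:
            self.bytes -= self.events.popleft()[1]
        return len(self.events) > self.max_packets or self.bytes > self.max_bytes


# Filter rules of the kinds the text lists; each takes a Packet, True means pass.
def pass_all(pkt):
    return True


def drop_all(pkt):
    return False


def only_from(peer):
    return lambda pkt: pkt.src == peer


class RateLimit:
    """Pass at most `limit` packets per `window_s` seconds (shared by all senders)."""
    def __init__(self, limit, window_s=1.0):
        self.limit, self.window_s, self.passed = limit, window_s, deque()

    def __call__(self, pkt):
        while self.passed and self.passed[0] <= pkt.ts - self.window_s:
            self.passed.popleft()
        if len(self.passed) >= self.limit:
            return False
        self.passed.append(pkt.ts)
        return True


class FloodGuardedDevice:
    """Communication device 200: rate-limit the first port, and once a flood is
    detected move the peer to a second port that admits only the peer."""
    def __init__(self, peer, first_port=5060, second_port=15060):
        self.peer, self.first_port, self.second_port = peer, first_port, second_port
        self.filters = {first_port: RateLimit(50)}   # second port not open yet
        self.detector = RateDetector()
        self.peer_port = first_port          # port the peer has been told to use
        self.switched_at = None
        self.stats = {"accepted": 0, "dropped": 0, "closed": 0}

    def _switch(self, ts):
        # S3200-S3400: open the second port for the peer only, then discard
        # everything still addressed to the first port (the "discard all" rule).
        self.filters[self.second_port] = only_from(self.peer)
        self.filters[self.first_port] = drop_all
        self.peer_port, self.switched_at = self.second_port, ts

    def receive(self, pkt):
        rule = self.filters.get(pkt.dst_port)
        if rule is None:                      # port not open at all
            self.stats["closed"] += 1
            return False
        if (pkt.dst_port == self.first_port and self.switched_at is None
                and self.detector.observe(pkt.ts, pkt.size)):
            self._switch(pkt.ts)
            rule = self.filters[self.first_port]
        ok = rule(pkt)
        self.stats["accepted" if ok else "dropped"] += 1
        return ok


def simulate(peer="198.51.100.7", attacker="203.0.113.9"):
    """Constructed traffic: the peer sends one 200-byte message every 100 ms;
    the attacker floods the first port with 400 packets between t=1.0 and t=1.4."""
    dev = FloodGuardedDevice(peer)
    arrivals = [(i * 0.1 + 0.0005, peer, 200) for i in range(30)]
    arrivals += [(1.0 + k * 0.001, attacker, 60) for k in range(400)]
    peer_ok = peer_dropped = 0
    for ts, src, size in sorted(arrivals):
        # the peer follows the port it was notified of; the attacker keeps hitting the first
        dst = dev.peer_port if src == peer else dev.first_port
        ok = dev.receive(Packet(ts, src, dst, size))
        if src == peer:
            peer_ok += ok
            peer_dropped += not ok
    return {"switched_at": dev.switched_at, "peer_port": dev.peer_port,
            "peer_ok": peer_ok, "peer_dropped": peer_dropped, **dev.stats}
```

With these numbers the detector trips about 0.19 s into the flood, the peer never loses a message, and everything the attacker sends after the switch is discarded on the first port without reaching the receiving unit; a threshold set too low would instead trip on the peer's own bursts, which is the tuning problem the text raises for IDS-based approaches.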
  • Embodiment 5 relates to a method of avoiding unauthorized access to a port that receives a voice or video signal rather than call control messages. Specifically, unauthorized access is avoided by switching the port of the main signal (the voice signal) of the IP phone.
  • the configuration of the system is the same as that of Embodiment 1 shown in FIG.
  • FIG. 7 is a sequence diagram showing an example of message exchange between the communication device and the counterpart device according to Embodiment 5 of the present invention.
  • The communication device 100 uses the call control protocol to exchange the port used for IP telephone voice communication. That is, the communication device 100 opens the first port 102 for receiving audio data from the opposite device 130 (S4000).
  • The communication device 100 transmits an "INVITE" message to the opposite device 130 as the call control message for the connection request (S4050).
  • Since the port number at which a device receives can be specified in the m line of the Session Description Protocol (SDP) part of the "INVITE" message, the first port 102 is specified there and thereby notified to the opposite device 130.
  • When the opposite device 130 receives the "INVITE" message from the communication device 100, it transmits a "200 OK" message to the first port 102 (S4100). Upon receiving the "200 OK" message from the opposite device 130, the communication device 100 transmits an ACK message to the opposite device 130 (S4150).
  • When the opposite device 130 receives the ACK message from the communication device 100, it transmits voice data to the first port 102 (S4200). When the communication device 100 receives the voice data from the opposite device 130, it transmits voice data to the opposite device 130 (S4250). In this manner a voice data transmission and reception session between the communication device 100 and the opposite device 130 is established, and the call is started.
  • When voice communication is initiated from the opposite device 130 instead, the communication device 100 receives the "INVITE" message and transmits a "200 OK" message to the opposite device 130. In that case the port number at which it receives can be specified in the m line of the SDP part of the "200 OK" message, as in the example above.
  • The communication device 100 newly opens the second port 104 at any time during the call (S4300) and thereafter notifies the opposite device 130, via the notification unit 108, that voice data will be received at the second port 104. Specifically, the communication device 100 specifies the port number at which it receives in the m line of the SDP (Session Description Protocol) part of an "INVITE" message sent during the call; the second port 104 is set there and thereby notified to the opposite device 130.
  • Upon receiving this "INVITE" message from the communication device 100, the opposite device 130 transmits a "200 OK" message to the call control protocol port of the communication device 100 (S4400).
  • When the communication device 100 receives the "200 OK" message from the opposite device 130, it transmits an ACK message to the opposite device 130 (S4450).
  • Upon receiving the ACK message from the communication device 100, the opposite device 130 transmits audio data to the second port 104 of the communication device 100 (S4500). In this way the communication device 100 and the opposite device 130 thereafter use the second port 104 for the transmission and reception of voice data, that is, for the call.
  • the reception data addressed to the first port 102 is filtered by the filter unit 110.
  • a DoS attack for example, illegal voice data
  • the DoS attack is filtered by the filter 110 (S4600).
  • a port for receiving voice data while continuing a voice call or the like in an IP phone at any time during communication with opposing device 130, a port for receiving voice data while continuing a voice call or the like in an IP phone.
  • the reception port is changed at any time during communication.
  • the present invention is not limited to this, as shown in the third embodiment. It is also possible to change the port when a DoS attack is detected.
  • the received data addressed to the second port 104 is filtered. It is also possible to do.
  • the processing of the first to fourth embodiments for the call control message may be performed simultaneously.
  • different port sets (a set of the first port 102 and the second port 104) are used for the voice data and the call control message.
  • the communication device and the communication method according to the present invention reduce the effects of unauthorized access such as DoS attacks to prevent communication failures, and even if these unauthorized accesses are received, It is useful as a communication device and a communication method that can continue this service.
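The m-line notification described in the fragments above (S4300 to S4500), as an added worked example in Python: a device builds an SDP body whose m line carries the port at which it will receive audio, and the peer parses the m line out of the INVITE it receives and switches its send port only if the announced port is usable and differs from the one in use. This is illustrative code written for this page, not the patent's own implementation; the addresses, Call-ID and port numbers are constructed, and the Content-Length check is an addition the page does not describe.

```python
import re
from typing import Optional

# m=<media> <port>[/<count>] <proto> ...  (RFC 4566 media description line)
_M_LINE = re.compile(r"^m=(\w+) (\d+)(?:/\d+)? (\S+)", re.MULTILINE)


def build_sdp(ip: str, audio_port: int) -> str:
    """SDP body announcing `audio_port` as the port at which RTP audio is received."""
    return "\r\n".join([
        "v=0",
        f"o=dev 1 1 IN IP4 {ip}",
        "s=-",
        f"c=IN IP4 {ip}",
        "t=0 0",
        f"m=audio {audio_port} RTP/AVP 0",
        "a=rtpmap:0 PCMU/8000",
        ""])


def media_port(sdp: str, media: str = "audio") -> Optional[int]:
    """Port the peer announced for `media` in its m= line; None if absent or unusable."""
    for m in _M_LINE.finditer(sdp):
        if m.group(1) == media:
            port = int(m.group(2))
            return port if 0 < port < 65536 else None   # port 0 means 'stream rejected'
    return None


def sip_body(raw: str) -> str:
    """Body of a SIP message, sized by Content-Length but never beyond what arrived."""
    head, _, body = raw.partition("\r\n\r\n")
    declared = None
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("content-length", "l") and value.strip().isdigit():
            declared = int(value.strip())
    if declared is None or declared > len(body):
        return ""            # missing or over-stated length: treat as no body
    return body[:declared]


def new_media_port(current: int, raw_sip: str) -> int:
    """Port to send audio to after a mid-call INVITE: switch only if the SDP
    carries a usable port that differs from the one already in use."""
    announced = media_port(sip_body(raw_sip))
    return announced if announced and announced != current else current


def invite_with_sdp(ip: str, audio_port: int) -> str:
    """Constructed INVITE from communication device 100 carrying the new m= port."""
    sdp = build_sdp(ip, audio_port)
    return "\r\n".join([
        "INVITE sip:peer@198.51.100.7 SIP/2.0",
        "Call-ID: c1",
        "CSeq: 2 INVITE",
        "Content-Type: application/sdp",
        f"Content-Length: {len(sdp)}", "", sdp])
```

The peer treats a missing, zero or out-of-range port, or a body shorter than its declared Content-Length, as "keep sending to the current port" rather than as a reason to drop the call, which is the behaviour that keeps the voice stream alive if a malformed message reaches it.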

Abstract

There is provided a communication device capable of reducing the effect of unauthorized access such as a DoS attack and preventing communication trouble, so that a service can continue even when such unauthorized access occurs. In this device, a reception unit (106) opens a first port (102) for receiving messages from many terminals or servers. When a connection request message is received from an opposite device (130), the reception unit (106) opens a second port (104) for communication with the opposite device (130). A notification unit (108) notifies the opposite device (130) of the opened second port (104) by a message. The reception unit (106) receives the next and subsequent messages from the opposite device (130) at the second port (104). A filter unit (110) filters received data addressed to the first port (102).

Description

Specification
Communication device and communication method
Technical Field
[0001] The present invention relates to a communication device and a communication method, and in particular to a communication device and a communication method that control the reception port when a communication device that receives call control messages via a network comes under a DoS (Denial of Service) attack.
Background Art
[0002] In recent years the Internet has become widespread, and services such as Internet telephony and video distribution are coming into wide use. Services that involve real-time data communication generally use a call control protocol to exchange call control messages between terminals, or between a terminal and a server, in order to control connection and disconnection and to negotiate the various parameters used for voice and video communication. Because such exchanges of call control messages can occur at any time while the terminal is operating, a port for receiving call control messages must always be kept open.
[0003] On the other hand, because the Internet is an open network, security problems such as computer viruses and DoS attacks from malicious users are also frequent.
[0004] A DoS attack sends a large amount of data, or illegal data, to a terminal or server via the network so as to disable the normal operation of that terminal or server. It is most often directed at public servers such as Web servers and DNS (Domain Name System) servers.
[0005] In the case of services such as Internet telephony and video distribution, not only so-called public servers but also terminals such as IP phones keep a port open for receiving call control messages, and can therefore be subjected to DoS attacks. If the port for call control messages receives unauthorized access such as a DoS attack, the load of processing the attack messages rises and other processing can no longer be performed, so the service cannot be continued and the device may even stop.
[0006] A common way to avoid DoS attacks is to use an IDS (Intrusion Detection System) (Patent Document 1). In this method the IDS monitors for unauthorized access, and when the IDS detects a DoS attack a firewall is configured on the basis of the detection result and the attacked port is closed, among other measures.
[0007] Another conceivable method is to authenticate every access to the server or terminal. In this method each access is checked for legitimacy when it arrives, and only data that passes authentication is processed.
[0008] Yet another conceivable method is to install a firewall on the server or terminal and close the port when it comes under DoS attack (Patent Document 2).
Patent Document 1: Japanese Patent Laid-Open No. 2002-252654
Patent Document 2: Japanese Patent Laid-Open No. 2003-99339
Disclosure of the Invention
Problems to be Solved by the Invention
[0009] However, the conventional communication devices described above have the problem that once the call control message port comes under DoS attack, services such as Internet telephony and video distribution cannot be continued. The various methods proposed for avoiding DoS attacks, as described above, each have the following problems.
[0010] First, in the method of detecting unauthorized access with an IDS, it is difficult to configure which accesses are to be treated as unauthorized. Moreover, an IDS is generally expensive equipment or software, and it is difficult on cost grounds to install one in low-priced consumer devices such as telephones and home appliances.
[0011] In the method of authenticating accesses, particularly on devices with a low-performance CPU (Central Processing Unit), merely receiving a large number of messages and running the authentication procedure itself raises the processing load, so again the original service cannot be continued.
[0012] In the method of installing a firewall and closing the port when it comes under DoS attack, legitimate call control messages from the opposite terminal or server can no longer be received either. Operations such as placing a call on hold or disconnecting it therefore become impossible, and the original service is severely restricted.
[0013] The present invention was made in view of these points, and its object is to provide a communication device and a communication method that reduce the effect of unauthorized access such as DoS attacks so as to prevent communication failures, and that can continue the original service even when such unauthorized access is received.
Means for Solving the Problem
[0014] The communication device of the present invention adopts a configuration comprising: a reception unit that opens a first port for receiving messages from an unspecified number of communication partners and a second port, different from the first port, for communication with a specific communication partner, and that, after the second port is opened, receives messages from the specific communication partner at the second port; a notification unit that notifies the specific communication partner of the second port by means of a message; and a filter unit that filters received data addressed to the first port.
[0015] The communication method of the present invention comprises: a step of opening a first port for receiving messages from an unspecified number of communication partners; a step of opening a second port, different from the first port, for communication with a specific communication partner and, after the second port is opened, receiving messages from the specific communication partner at the second port; a step of notifying the specific communication partner of the second port by means of a message; and a step of filtering received data addressed to the first port.
Effects of the Invention
[0016] According to the present invention, the effect of unauthorized access such as DoS attacks is reduced so that communication failures are prevented, and the original service can be continued even when such unauthorized access is received.
[0017] That is, according to the present invention, the reception port for call control messages is changed dynamically and filtering is applied to the original reception port or to the new reception port, so that even when the call control message reception port, which must be kept open to other devices, receives unauthorized access such as a DoS attack, the scope of its effect is kept small and the service can continue.
Brief Description of the Drawings
[0018] [Fig. 1] Block diagram showing the schematic configuration of a network system including the communication device according to Embodiment 1 of the present invention
[Fig. 2] Sequence diagram showing an example of the exchange of messages between the communication device and the opposite device according to Embodiment 1 of the present invention
[Fig. 3] Sequence diagram showing an example of the exchange of messages between the communication device and the opposite device according to Embodiment 2 of the present invention
[Fig. 4] Block diagram showing the schematic configuration of a network system including the communication device according to Embodiment 3 of the present invention
[Fig. 5] Flowchart showing the operation of the communication device according to Embodiment 3 of the present invention
[Fig. 6] Block diagram showing the schematic configuration of a network system including the communication device according to Embodiment 4 of the present invention
[Fig. 7] Sequence diagram showing an example of the exchange of messages between the communication device and the opposite device according to Embodiment 5 of the present invention
[Fig. 8] Diagram showing an example of the SDP part of the "INVITE" message transmitted from the communication device according to Embodiment 5 of the present invention
Best Mode for Carrying Out the Invention
[0019] Embodiments of the present invention are described in detail below with reference to the drawings.
[0020] In this specification, "opposite device" broadly means a terminal or server that communicates via a network, as a communication partner, with a communication device to which the present invention is applied, regardless of whether a server or another server mediates the communication.
[0021] In this specification, "in communication" means, in the broad sense, any period between the communication device being powered on and powered off during which some signal (for example, various control messages, or various information messages (voice, video, data) other than control messages) is exchanged between the communication device and the opposite device, and, in the narrow sense, a period during which information (voice, video, data) is being exchanged between the communication device and the opposite device (for example, an IP telephone call or a chat).
[0022] (Embodiment 1)
Fig. 1 is a block diagram showing the schematic configuration of a network system including the communication device according to Embodiment 1 of the present invention.
[0023] In Fig. 1, a communication device 100 is connected to an opposite device 130 via a network 120. The communication device 100 and the opposite device 130 may each be, for example, any of various terminals such as a PC (Personal Computer), an ordinary telephone, a mobile telephone or a networked home appliance, or any of various servers such as an Internet telephony server or a video distribution server.
[0024] The communication device 100 has a function for dynamically changing the port at which call control messages are received, and comprises a plurality of ports (for convenience only two ports 102 and 104 are shown here), a reception unit 106 that opens ports and receives messages, and a notification unit 108 that notifies the opposite device 130 of a newly opened port by means of a message. Here, for example, the first port 102 is a port for receiving messages from an unspecified number of terminals or servers, and the second port 104 is a port newly opened for communication with the opposite device 130 in response to a connection request message from the opposite device 130. A filter unit 110 that filters received data addressed to the first port 102 is provided between the first port 102 and the reception unit 106. The reception unit 106, the notification unit 108 and the filter unit 110 are each provided, for example, as functions of the main CPU 112 of the communication device 100.
[0025] The following description takes as its example the case where the communication device 100 is an Internet telephony terminal, that is, an IP phone.
[0026] The communication terminal (IP phone) 100 must keep a port open for receiving call control messages in order to accept incoming calls from other terminals or servers. When SIP (Session Initiation Protocol) is used, for example, the default port "5060" is generally kept open. In Fig. 1 this port is shown as the first port 102. The reception unit 106 opens the first port 102 at start-up or the like.
[0027] To communicate with the communication device 100, the opposite device 130 sends a connection-request call control message addressed to the first port 102. When the communication device 100 receives the call control message at the first port 102, it opens the second port 104. The reception unit 106 informs the notification unit 108 of the opened second port 104, and the notification unit 108 notifies the opposite device 130 of the newly opened second port 104 via the network 120. The content of this notification from the notification unit 108 to the opposite device 130 is carried in a call control message.
[0028] Fig. 2 is a sequence diagram showing an example of the exchange of messages between the communication device 100 and the opposite device 130.
[0029] The communication device 100 opens the first port 102 at the reception unit 106, at start-up or the like (S1000).
[0030] When SIP is used as the call control protocol for communicating with the communication device 100, the opposite device 130 sends an "INVITE" message, as the connection-request call control message, addressed to the first port 102 of the communication device 100 (S1100). The first port 102 would typically be the default port of the protocol in use, but it may be any port agreed between the communication device 100 and the opposite device 130 by some means, such as a DNS lookup or prior agreement between the two sides.
[0031] When the communication device 100 receives the "INVITE" message from the opposite device 130 at the first port 102, it must return a response message. At this point the communication device 100 opens, at the reception unit 106, a new second port 104 for communication with the opposite device 130 (S1200), and then informs the notification unit 108 of the opened second port 104. The notification unit 108 writes the second port 104 into the response message and thereby notifies the opposite device 130 that call control messages will be received at the second port 104 from now on (S1300). In the example of Fig. 2, with SIP as the call control protocol, the communication device 100 uses the "Contact" header of the "200 OK" message to notify the opposite device 130 that the port at which call control messages will subsequently be received is "15060".
[0032] On receiving the "200 OK" message from the communication device 100, the opposite device 130 sends an ACK message addressed to the second port 104 of the communication device 100 (S1400). This ACK message is received at the second port 104 of the communication device 100.
[0033] By the above procedure, the opposite device 130 now sends call control messages for the communication device 100 to the second port 104 of the communication device 100. The reception port can thus be switched to the second port 104 while the call control session between the communication device 100 and the opposite device 130, begun at the first port 102, is continued.
[0034] After the reception port for the opposite device 130 has been switched to the second port 104, received data addressed to the first port 102 is filtered by the filter unit 110. For example, if a DoS attack message from a malicious user's DoS attack communication device 140 is received addressed to the first port 102 (S1500), this DoS message is filtered by the filter unit 110 (S1600).
[0035] The filtering rule applied by the filter unit 110 is arbitrary. All data may be passed without any particular restriction; conversely, all data may be discarded; or only a fixed amount of data per unit time may be passed.
[0036] If the attack on the communication device 100 is by a computer virus, the filtering by the filter unit 110 is performed, for example, by a virus check.
[0037] As for the configuration of the filter unit 110, besides implementing it on the main CPU 112 as described above, it may be implemented as dedicated hardware with a filtering function, or on a CPU separate from the main CPU 112 of the communication device 100. With such a configuration, unauthorized access to the first port 102 no longer affects communication with the opposite device 130.
[0038] As described above, according to this embodiment the reception port for a newly connected opposite device 130 can be changed from an old port that is easily subjected to unauthorized access (for example, the default port) to a newly assigned port while the call control session is continued, so the session with the opposite device 130 can be continued whether or not the old port is subjected to unauthorized access such as a DoS attack. Furthermore, because filtering can be applied at the old port, even if the old port is subjected to unauthorized access such as a DoS attack, processing such as discarding can be performed per port, and the scope of the attack's effect can be kept small.
[0039] That is, a message such as a connection-request call control message from the opposite device 130 is first accepted at a generally open port such as the default port; a new port is then opened for the opposite device 130, the new port is notified to the opposite device by a message, and subsequent messages are received at the new port. The port at which messages from the opposite device 130 are received can therefore be changed while a connection such as the call control session is continued. Consequently, even if the old port, or a port used for another opposite device, is subjected to unauthorized access such as a DoS attack, the session with the opposite device 130 can be continued, and filtering allows processing such as discarding to be performed per port, so the scope of the attack's effect can be kept small while the service continues.
[0040] In this embodiment the reception port is changed at the moment the "INVITE" message from the opposite device 130 is received, but the timing of the change is not limited to this. The reception port can be changed at any point while in communication (in the broad sense). This is described in Embodiment 2.
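The Fig. 2 exchange (S1000 to S1600) together with the "fixed amount per unit time" filter rule, as an added worked example in Python: the device keeps the default call-control port open to anyone, answers each INVITE with a 200 OK whose Contact header names a freshly opened per-call port, accepts the ACK only on that port, and rate-limits the first port so that a flood there cannot starve messages arriving on the second port. This is illustrative code written for this page, not the patent's own implementation; the host addresses, Call-IDs, the per-call port counter starting at 15060 and the limit of three first-port messages per second are constructed assumptions.

```python
import re
from typing import Optional

FIRST_PORT = 5060                 # first port 102: open to unspecified peers
CRLF = "\r\n"
_CONTACT_PORT = re.compile(r"<sip:[^>]*?:(\d+)[^>]*>")


def parse_sip(raw: str):
    """Split a SIP message into (start line, {lower-case name: value}, body)."""
    head, _, body = raw.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def contact_port(headers: dict) -> Optional[int]:
    """Port the peer must use from now on, taken from the Contact header (S1300)."""
    m = _CONTACT_PORT.search(headers.get("contact", ""))
    return int(m.group(1)) if m else None


class RateFilter:
    """Filter unit 110 with the rule 'pass only a fixed amount per unit time'."""
    def __init__(self, max_per_second: int):
        self.max_per_second = max_per_second
        self.window_start = None
        self.count = 0

    def allow(self, now: float) -> bool:
        if self.window_start is None or now - self.window_start >= 1.0:
            self.window_start, self.count = now, 0
        self.count += 1
        return self.count <= self.max_per_second


class Device:
    """Communication device 100: one second port per call, announced via Contact."""
    def __init__(self, host: str, max_per_second: int = 3):
        self.host = host
        self.open_ports = {FIRST_PORT}    # S1000
        self.next_port = 15060            # assumed first per-call port
        self.peer_port = {}               # Call-ID -> second port for that call
        self.filter = RateFilter(max_per_second)

    def receive(self, port: int, raw: str, now: float = 0.0) -> str:
        """Handle a datagram arriving on `port`; return the reply or a status word."""
        if port not in self.open_ports:
            return "closed"
        if port == FIRST_PORT and not self.filter.allow(now):
            return "filtered"               # S1600: dropped by filter unit 110
        start, hdr, _ = parse_sip(raw)
        call_id = hdr.get("call-id", "")
        method = start.split(" ", 1)[0]
        if method == "INVITE":
            second = self.next_port         # S1200: open a fresh second port
            self.next_port += 1
            self.open_ports.add(second)
            self.peer_port[call_id] = second
            return CRLF.join([              # S1300: announce it in Contact
                "SIP/2.0 200 OK", f"Via: {hdr.get('via', '')}",
                f"From: {hdr.get('from', '')}", f"To: {hdr.get('to', '')};tag=dev1",
                f"Call-ID: {call_id}", f"CSeq: {hdr.get('cseq', '')}",
                f"Contact: <sip:dev@{self.host}:{second}>",
                "Content-Length: 0", "", ""])
        if method == "ACK" and self.peer_port.get(call_id) == port:
            return "accepted"               # S1400: ACK arrived on the second port
        return "unexpected"


def peer_message(method: str, call_id: str, host: str, port: int) -> str:
    """Constructed INVITE/ACK from opposite device 130 at 198.51.100.7."""
    return CRLF.join([
        f"{method} sip:dev@{host}:{port} SIP/2.0",
        f"Via: SIP/2.0/UDP 198.51.100.7:5060;branch=z9hG4bK{call_id}{method}",
        "From: <sip:peer@198.51.100.7>;tag=p1", f"To: <sip:dev@{host}>",
        f"Call-ID: {call_id}", f"CSeq: 1 {method}", "Content-Length: 0", "", ""])


def run_call(dev: Device):
    """Fig. 2 sequence, then a 20-message flood at the first port (S1500)."""
    ok = dev.receive(FIRST_PORT, peer_message("INVITE", "c1", dev.host, FIRST_PORT))
    _, hdr, _ = parse_sip(ok)
    port = contact_port(hdr) or FIRST_PORT   # 15060 after S1300
    ack = dev.receive(port, peer_message("ACK", "c1", dev.host, port))
    flood = [dev.receive(FIRST_PORT, peer_message("INVITE", f"bad{i}", dev.host, FIRST_PORT), now=5.0)
             for i in range(20)]
    still_ok = dev.receive(port, peer_message("ACK", "c1", dev.host, port), now=5.0)
    return port, ack, flood.count("filtered"), still_ok


if __name__ == "__main__":
    print(run_call(Device("192.0.2.10")))
```

The run also makes a limit of the scheme visible: the three flood INVITEs the rate filter lets through each open a second port, so the first-port filter bounds the attacker's rate but not the number of ports a patient attacker can cause the device to open. A practitioner would cap open second ports per source address and tear each one down when its call ends or times out.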
[0041] (実施の形態 2)  [0041] (Embodiment 2)
実施の形態 2は、通信中(広義)の任意の時点において受信ポートを変更する場合 である。なお、実施の形態 1では、 IP電話において、通信開始前のタイミングで受信 ポートを変更する場合の一例をとつて説明したため、本実施の形態では、通信開始 後のタイミングで受信ポートを変更する場合を例にとって説明する。ここで、「通信開 始後」とは、広義の通信中を含む概念である。  The second embodiment is a case where the reception port is changed at an arbitrary time point during communication (broad sense). In the first embodiment, an example of changing the reception port at the timing before the start of communication in the IP telephone has been described as an example. Therefore, in this embodiment, the reception port is changed at the timing after the start of communication. Will be described as an example. Here, “after the start of communication” is a concept including communication in a broad sense.
[0042] 図 3は、本発明の実施の形態 2に係る通信装置と対向装置の間のメッセージのやり とりの一例を示すシーケンス図である。なお、システムの構成は、図 1に示す実施の 形態 1の場合と同様であるため、その説明を省略する。  FIG. 3 is a sequence diagram showing an example of message exchange between the communication device and the counterpart device according to Embodiment 2 of the present invention. The configuration of the system is the same as that of Embodiment 1 shown in FIG.
[0043] 本実施の形態において、通信装置 100は、対向装置 130からの接続要求の呼制 御メッセージを第 1ポート 102で受信して、そのまま第 1ポート 102を用いて通信を開 始する。そして、通信中の任意の時点で、対向装置 130との呼制御セッションを継続 しつつ、使用する受信ポートを第 1ポート 102から第 2ポート 104に切り替える。  In the present embodiment, communication device 100 receives the call control message for the connection request from opposite device 130 at first port 102 and starts communication using first port 102 as it is. At any time during communication, the reception port to be used is switched from the first port 102 to the second port 104 while continuing the call control session with the opposite device 130.
[0044] 通信装置 100は、受信部 106で、起動時などに第 1ポート 102を開設する(2000)  [0044] The communication device 100 opens the first port 102 at the reception unit 106 at the time of start-up (2000)
[0045] 対向装置 130は、接続要求の呼制御メッセージとして「INVITE」メッセージを通信 装置 100の第 1ポート 102宛てに送信する(S2050)。 The opposite device 130 transmits an “INVITE” message as a connection request call control message to the first port 102 of the communication device 100 (S2050).
[0046] 通信装置 100は、第 1ポート 102で対向装置 130からの「INVITE」メッセージを受 信すると、その応答メッセージとして「200 OK」メッセージを対向装置 130に送信す る(S2100)。対向装置 130は、通信装置 100からの「200 OK」メッセージを受信す ると、通信装置 100の第 1ポート 102宛てに ACKメッセージを送信する(S2150)。通 信装置 100は、対向装置 130からの ACKメッセージを第 1ポート 102で受信すると、 そのまま第 1ポート 102を用いて対向装置 130との間で通信、つまり、通信装置 100 のユーザと対向装置 130のユーザとの通話を開始する(S2200)。 The communication device 100 receives the “INVITE” message from the opposite device 130 at the first port 102. If it is received, a “200 OK” message is transmitted as a response message to the opposite device 130 (S2100). When the opposite device 130 receives the “200 OK” message from the communication device 100, the opposite device 130 transmits an ACK message to the first port 102 of the communication device 100 (S2150). When the communication device 100 receives the ACK message from the opposite device 130 at the first port 102, it communicates with the opposite device 130 using the first port 102 as it is, that is, the user of the communication device 100 and the opposite device 130. A call with the user is started (S2200).
[0047] そして、通話開始後の任意のタイミングにおいて、通信装置 100は、対向装置 130 との通信用に新たに第 2ポート 104を開設し (S2250)、その後、開設した第 2ポート 1 04を通知部 108に通知する。そして、通知部 108で、応答メッセージに第 2ポート 10 4を記載して、以降は第 2ポート 104で呼制御メッセージを受信することを対向装置 1 30に通知する(S2300)。図 3に示す例では、呼制御プロトコルとして SIPを用いる場 合、通信装置 100は、「Contact」ヘッダに新しい第 2ポート 104を示す「15060」を 記載した「INVITE」メッセージを対向装置 130に送信する。  [0047] Then, at an arbitrary timing after the start of the call, the communication device 100 newly opens the second port 104 for communication with the opposite device 130 (S2250), and then opens the opened second port 104. Notification unit 108 is notified. Then, the notification unit 108 describes the second port 104 in the response message, and thereafter notifies the opposite device 130 that the second port 104 will receive the call control message (S2300). In the example shown in FIG. 3, when using SIP as the call control protocol, the communication device 100 transmits an “INVITE” message in which “15060” indicating the new second port 104 is described in the “Contact” header to the opposite device 130. To do.
[0048] ここで、上記通信開始後の任意のタイミングは、例えば、対向装置 130のユーザと の通話中に、通信装置 100と対向装置 130との間で行われる各種メッセージの送受 信のタイミングであってもよ!/、し、対向装置との通信開始後の所定の時間経過後のタ イミングであってもよい。ここで、上記各種メッセージとは、例えば、 REGISTERメッセ ージゃ OPTIONSメッセージ、 BYEメッセージなどである。  Here, the arbitrary timing after the start of communication is, for example, the timing of transmission / reception of various messages performed between the communication device 100 and the opposite device 130 during a call with the user of the opposite device 130. It may be! /, And may be the timing after a predetermined time has elapsed after the start of communication with the opposite device. Here, the various messages are, for example, a REGISTER message, an OPTIONS message, a BYE message, and the like.
[0049] 対向装置 130は、通信装置 100からの「INVITE」メッセージを受信すると、その応 答メッセージとして、「200 OK」メッセージを通信装置 100の第 2ポート 104宛てに送 信する(S2350)。  When the opposite device 130 receives the “INVITE” message from the communication device 100, it transmits a “200 OK” message as a response message to the second port 104 of the communication device 100 (S 2350).
[0050] 通信装置 100は、対向装置 130からの「200 OK」メッセージを受信すると、対向装 置 130に ACKメッセージを送信する(S2400)。  [0050] Upon receiving the "200 OK" message from the opposite device 130, the communication device 100 transmits an ACK message to the opposite device 130 (S2400).
[0051] 対向装置 130は、通信装置 100からの ACKメッセージを受信すると、以降は通信 装置 100の第 2ポート 104に対して応答や要求の呼制御メッセージを送信する。 [0051] Upon receiving the ACK message from communication device 100, opposite device 130 transmits a response or request call control message to second port 104 of communication device 100 thereafter.
[0052] 対向装置 130に対する受信ポートを第 2ポート 104に切り替えた後は、第 1ポート 1[0052] After the reception port for the opposite device 130 is switched to the second port 104, the first port 1
02宛ての受信データをフィルタ部 110によってフィルタリングする。例えば、悪意を持 つユーザの DoS攻撃装置 140から DoS攻撃のメッセージを第 1ポート 102宛てに受 けた場合(S2450)、この DoSメッセージをフィルタ 110でフィルタリングする(S2500The received data addressed to 02 is filtered by the filter unit 110. For example, a DoS attack message is received from the malicious user's DoS attack device 140 to the first port 102. If this is the case (S2450), filter this DoS message with filter 110 (S2500
) o ) o
[0053] 以上のように、本実施の形態によれば、対向装置 130と通信中の任意の時点にお V、て、呼制御セッションなどの接続を «続しつつポートを変更することが可能であるた め、通信中に DoS攻撃などの不正アクセスを受けたときなどに、 DoS攻撃などの不 正アクセスを受けて 、るポートから新し 、ポートへ受信ポートを変更することが可能で あり、 DoS攻撃などの不正アクセスの影響を小さくすることができる。  [0053] As described above, according to the present embodiment, it is possible to change the port while continuing the connection of the call control session or the like at any time during communication with the opposite device 130. Therefore, when an unauthorized access such as a DoS attack is received during communication, it is possible to change the receiving port to a new port after receiving an unauthorized access such as a DoS attack. The impact of unauthorized access such as DoS attacks can be reduced.
[0054] また、上記のように、本実施の形態では、通信中(狭義)、つまり、対向装置のユー ザとの IP電話による通話開始後に受信ポートを切り替え、実施の形態 1では、対向装 置のユーザとの IP電話による通話の開始前に受信ポートを切り替えるようにしている [0054] Also, as described above, in this embodiment, the reception port is switched during communication (in a narrow sense), that is, after the IP phone call with the user of the opposite device is started. The receiving port is switched before the IP phone call with the remote user is started.
。従って、広義の通信中、つまり、通信装置の電源がオン状態になって力 オフ状態 になるまでの間において通信装置と対向装置との間で何らかの信号のやりとりがある 期間において、本発明の効果を得ることができる。 . Therefore, during the communication in a broad sense, that is, during a period in which there is some signal exchange between the communication device and the opposite device until the communication device is turned on and turned off. Can be obtained.
[0055] (Embodiment 3)
Embodiment 3 is a case in which the reception port is changed upon detecting a DoS (denial of service) attack.
[0056] FIG. 4 is a block diagram showing a schematic configuration of a network system including a communication device according to Embodiment 3 of the present invention. This communication device 200 has the same basic configuration as the communication device 100 shown in FIG. 1; identical components are given identical reference numerals and their description is omitted.
[0057] A feature of the present invention is that it has a detection unit 202 that detects a DoS attack on each port, and when the detection unit 202 detects a DoS attack, the reception port used for communication with the opposite device 130 is switched from the first port 102 to the second port 104.
[0058] The detection unit 202 detects a DoS attack addressed to the first port 102 and, when a DoS attack is detected, notifies the reception unit 106 of the detection result. Whether a DoS attack is in progress can be determined, for example, by whether the number of packets or the amount of data received per unit time exceeds a preset threshold.
[0059] Next, the operation of the communication device 200 of FIG. 4 will be described with reference to FIG. 5. FIG. 5 is a flowchart showing the operation of the communication device according to Embodiment 3 of the present invention. In FIG. 5, it is assumed that the communication device 100 is communicating with the opposite device 130 using the first port 102.
[0060] First, in step S3000, the reception unit 106 receives, via the filter unit 110 and the detection unit 202, the messages received at the first port 102. At this time, the messages received at the first port 102 are transmitted by a plurality of communication devices including the opposite device 130.
[0061] Then, in step S3100, the detection unit 202 determines whether the received messages include a DoS attack message. As described above, whether a DoS attack is in progress can be determined, for example, by whether the number of packets or the amount of data received per unit time exceeds a preset threshold. If it is determined that there is a DoS attack message (S3100: YES), the process proceeds to step S3200; if it is determined that there is no DoS attack message (S3100: NO), communication with the opposite device 130 continues using the first port 102 (S3500).
[0062] Then, in step S3200, the detection unit 202 notifies the reception unit 106 that the messages received at the first port 102 include a DoS attack message.
[0063] Then, in step S3300, in response to the notification from the detection unit 202, the reception port of the communication device 100 used for communication with the opposite device 130 is switched from the first port 102 to the second port 104. As a specific procedure, for example, the method shown in FIG. 3 (the reception-port change procedure after the start of communication, S2250 to S2400) can be used.
[0064] That is, first, when the communication device 200 detects a DoS attack on the first port 102, it opens a new second port 104 for communication with the opposite device 130 and then notifies the notification unit 108 of the opened second port 104. Next, the notification unit 108 writes the second port 104 into the response message and notifies the opposite device 130 that call control messages will be received at the second port 104 from then on. Specifically, when SIP is used as the call control protocol, the communication device 200 transmits to the opposite device 130 an "INVITE" message whose "Contact" header carries "15060", indicating the new second port 104. When the opposite device 130 receives the "INVITE" message from the communication device 200, it transmits a "200 OK" message as the response, addressed to the second port 104 of the communication device 200. When the communication device 200 receives the "200 OK" message from the opposite device 130, it transmits an ACK message to the opposite device 130. When the opposite device 130 receives the ACK message from the communication device 200, it thereafter transmits response and request call control messages to the second port 104 of the communication device 200.
[0065] Then, in step S3400, the communication device communicates with the opposite device 130 using the second port 104.
[0066] After the reception port for the opposite device 130 has been switched to the second port 104, received data addressed to the first port 102 is filtered by the filter unit 110.
[0067] As described above, the filtering rule executed by the filter unit 110 is arbitrary; in this case, since the port is specifically under a DoS attack, discarding all data is effective.
[0068] In addition, the number of packets subject to filtering may be measured while the filter unit 110 is filtering, and when the number of filtered packets per unit time falls below a predetermined threshold, it may be determined that the DoS attack has ended and filtering may be stopped.
[0069] Also, as in Embodiments 1 and 2, the filter unit 110 may be implemented as hardware with a filtering function or with a CPU other than the main CPU 112a of the communication device 200, which is effective in keeping the DoS attack from affecting the main CPU 112a.
[0070] As described above, according to the present embodiment, a DoS attack can be detected, so at the time the DoS attack is received the reception port for the opposite device 130 can be switched while the call control session is maintained as it is, and the impact of the DoS attack can be reduced.
[0071] In addition, the filter unit 110 can filter the DoS attack data, and in particular, if the filter unit 110 is implemented as separate hardware, the service originally being provided can be continued even under a DoS attack.
[0072] In the present embodiment, the case in which the communication device 200 and the opposite device 130 are communicating using the first port 102 when the DoS attack is detected has been described, but the same applies when they are communicating using the second port 104. For example, a third port may be opened in the same way as the second port 104 was opened, and the opened third port notified to the opposite device 130. That is, a new reception port for communication with the opposite device 130 is opened and that reception port is used to communicate with the opposite device 130.
[0073] In this case, another filter unit that filters the data received at each reception port may also be added.
[0074] (Embodiment 4)
Embodiment 4 is a case in which received data addressed to a plurality of ports is filtered.
[0075] FIG. 6 is a block diagram showing a schematic configuration of a network system including a communication device according to Embodiment 4 of the present invention. This communication device 300 has the same basic configuration as the communication device 100 shown in FIG. 1; identical components are given identical reference numerals and their description is omitted.
[0076] A feature of the present embodiment is that it has a plurality of filter units. Specifically, in FIG. 6, in addition to a first filter unit 302 that filters received data addressed to the first port 102, there is a second filter unit 304 that filters received data addressed to the second port 104. The first filter unit 302 corresponds to the filter unit 110 in Embodiment 1.
[0077] At this time, as with the first filter unit 302, the filtering rule executed by the second filter unit 304 is arbitrary: all data may be passed without any particular restriction, or only data from the opposite device 130 may be passed. In particular, if only data from the opposite device 130 is passed, the service can be continued even when a DoS attack is received at the second port 104.
[0078] Also, as in Embodiment 1, it is effective to implement the second filter unit 304 as hardware with a filtering function or with a CPU other than the main CPU 112b of the communication device 300. With such a configuration, even unauthorized access to the second port 104 can be kept from affecting communication with the opposite device 130.
[0079] As described above, according to the present embodiment, the data received at a newly opened port can be limited to data from the opposite device 130. Therefore, even when unauthorized access such as a DoS attack is received at the new port, processing such as discarding the unauthorized-access data by filtering is possible, and the impact of the unauthorized access can be reduced.
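As an added Python example (not the patent's own implementation) of the detection unit 202 of Embodiment 3 together with the two filter units of Embodiment 4: a packets-per-unit-time threshold flags a DoS attack on the active port, the device switches the peer to the next port, the old port's filter drops everything until the filtered rate falls below the threshold ([0068]), and the new port's filter passes only the opposite device ([0077]). The addresses, the 1-second window, the threshold of 20 and the traffic in simulate() are constructed sample values; the re-INVITE that announces the new port to the peer is left out here.

```python
from collections import deque

PEER_ADDR = "192.0.2.20"        # opposite device 130 (example address)
ATTACKER_ADDR = "198.51.100.7"  # DoS attack device 140 (example address)
WINDOW = 1.0                    # "unit time" in seconds (example value)


class RateCounter:
    """Packets seen in the last WINDOW seconds on one port."""
    def __init__(self):
        self.times = deque()

    def count(self, now):
        while self.times and self.times[0] <= now - WINDOW:
            self.times.popleft()
        return len(self.times)

    def add(self, now):
        self.times.append(now)
        return self.count(now)


class PortFilter:
    """Filter unit for one port; rules from [0067]/[0077]: pass_all, drop_all, peer_only."""
    def __init__(self, rule="pass_all"):
        self.rule = rule
        self.dropped = RateCounter()   # filtered packets, measured per [0068]

    def accept(self, src, now):
        ok = self.rule == "pass_all" or (self.rule == "peer_only" and src == PEER_ADDR)
        if not ok:
            self.dropped.add(now)
        return ok


class Device:
    """Communication device 200/300: detection unit 202 plus one filter per open port."""
    def __init__(self, threshold, first_port=5060, second_port=15060):
        self.threshold = threshold          # packets per window that count as a DoS attack
        self.active_port = first_port
        self.next_port = second_port
        self.filters = {first_port: PortFilter()}
        self.seen = {first_port: RateCounter()}   # detection-unit counters (after the filter)
        self.port_changes = []

    def receive(self, port, src, now):
        """True if the packet reaches the reception unit 106 (S3000)."""
        flt = self.filters.get(port)
        if flt is None or not flt.accept(src, now):
            return False
        # detection unit 202: a DoS attack if packets per unit time exceed the threshold (S3100)
        if self.seen[port].add(now) > self.threshold and port == self.active_port:
            self.switch_port()                                  # S3200 / S3300
        return True

    def switch_port(self):
        """Open the next port for the peer and filter the attacked one ([0064], [0066], [0072])."""
        old, new = self.active_port, self.next_port
        self.filters[old].rule = "drop_all"          # [0067]: discard all data on the attacked port
        self.filters[new] = PortFilter("peer_only")  # [0077]: new port accepts the peer only
        self.seen[new] = RateCounter()
        self.active_port, self.next_port = new, new + 1
        self.port_changes.append((old, new))

    def tick(self, now):
        """Periodic check ([0068]): stop dropping once the filtered rate is below the threshold."""
        for flt in self.filters.values():
            if flt.rule == "drop_all" and flt.dropped.count(now) < self.threshold:
                flt.rule = "pass_all"


def simulate():
    """Constructed traffic: the peer on port 5060, then a flood from the attacker (S2450)."""
    dev = Device(threshold=20)
    delivered = {"peer_old": 0, "attack_old": 0, "peer_new": 0, "attack_new": 0}
    delivered["peer_old"] += int(dev.receive(5060, PEER_ADDR, 0.00))
    for i in range(50):
        delivered["attack_old"] += int(dev.receive(5060, ATTACKER_ADDR, 0.10 + i * 0.001))
    during = dev.filters[5060].rule                  # old port while the flood is on
    delivered["peer_new"] += int(dev.receive(dev.active_port, PEER_ADDR, 0.50))
    delivered["attack_new"] += int(dev.receive(dev.active_port, ATTACKER_ADDR, 0.60))
    dev.tick(0.70)                                   # dropped packets still inside the window
    still = dev.filters[5060].rule
    dev.tick(2.00)                                   # window has emptied: attack judged over
    return dev, delivered, during, still
```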
[0080] (Embodiment 5)
Embodiment 5 relates to a method of avoiding unauthorized access to a port for receiving voice or video signals, rather than a port for receiving call control messages. That is, the present embodiment is a case in which unauthorized access is avoided by switching the port for the main signal (voice signal) of an IP telephone. The system configuration is the same as in Embodiment 1 shown in FIG. 1, so its description is omitted.
[0081] FIG. 7 is a sequence diagram showing an example of message exchange between the communication device and the opposite device according to Embodiment 5 of the present invention.
[0082] The communication device 100 exchanges call control protocol messages and, through them, exchanges the port to be used for IP telephone voice communication. That is, the communication device 100 opens the first port 102 for receiving voice data from the opposite device 130 (S4000).
[0083] When SIP is used as the call control protocol, the communication device 100 transmits an "INVITE" message to the opposite device 130 as the connection request call control message (S4050). Here, as shown in FIG. 8, when SIP is used as the call control protocol, the "INVITE" message transmitted by the communication device 100 can specify the port number at which the device itself will receive in the m line of the SDP (Session Description Protocol) part, so the first port 102 is specified there and notified to the opposite device 130.
[0084] When the opposite device 130 receives the "INVITE" message from the communication device 100, it transmits a "200 OK" message addressed to the first port 102 (S4100). When the communication device 100 receives the "200 OK" message from the opposite device 130, it transmits an ACK message addressed to the opposite device 130 (S4150).
[0085] When the opposite device 130 receives the ACK message from the communication device 100, it transmits voice data addressed to the first port 102 (S4200), and when the communication device 100 receives the voice data from the opposite device 130, it transmits voice data addressed to the opposite device 130 (S4250).
[0086] In this way, a session for transmitting and receiving voice data between the communication device 100 and the opposite device 130 is established, and transmission and reception of voice data (a call) begins.
[0087] When voice communication is initiated from the opposite device 130, the communication device 100 receives the "INVITE" message and transmits a "200 OK" message to the opposite device 130. In this case too, as in the example above, the port number at which the device itself will receive can be specified using the m line of the SDP part of the "200 OK" message.
[0088] At an arbitrary time during the call, the communication device 100 opens a new second port 104 (S4300) and, via the notification unit 108, notifies the opposite device 130 that voice messages will be received at the second port 104 from then on (S4350). Specifically, when SIP is used as the call control protocol, the communication device 100 can specify the port number at which it will receive in the m line of the SDP (Session Description Protocol) part of the "INVITE" message, so the second port 104 is set there and notified to the opposite device 130.
[0089] When the opposite device 130 receives the "INVITE" message from the communication device 100, it transmits a "200 OK" message addressed to the call control protocol port of the communication device 100 (S4400).
[0090] When the communication device 100 receives the "200 OK" message from the opposite device 130, it transmits an ACK message addressed to the opposite device 130 (S4450).
[0091] When the opposite device 130 receives the ACK message from the communication device 100, it transmits voice data to the second port 104 of the communication device 100 (S4500). In this way, the communication device 100 and the opposite device 130 thereafter transmit and receive voice data (the call) using the second port 104.
[0092] After the voice data reception port for the opposite device 130 has been switched to the second port 104, received data addressed to the first port 102 is filtered by the filter unit 110. For example, when a DoS attack (for example, illegitimate voice data) from the DoS attack device 140 of a malicious user is received at the first port 102 (S4550), this DoS attack is filtered by the filter unit 110 (S4600).
[0093] As described above, according to the present embodiment, the port for receiving voice data can be changed at any time during communication with the opposite device 130 while a voice call or the like over the IP telephone is maintained. Therefore, when unauthorized access such as a DoS attack is received during communication, the reception port can be changed from the port receiving the unauthorized access to a new port, and the impact of unauthorized access such as a DoS attack can be reduced.
[0094] In the present embodiment the reception port is changed at an arbitrary time during communication, but this is not a limitation; as shown in Embodiment 3, the port change may also be triggered by detecting a DoS attack.
[0095] Also, in addition to filtering received data addressed to the first port 102 after the port change, the device may be configured to filter received data addressed to the second port 104, as shown in Embodiment 4.
[0096] Further, the processing of Embodiments 1 to 4 for call control messages may be performed at the same time as the processing of Embodiment 5 for voice data. In this case, different port pairs (pairs of a first port 102 and a second port 104) are used for voice data and for call control messages.
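The re-INVITE port switch of [0047] to [0051] and [0064] (new call-control port in the Contact header) and the media-port switch of [0088] to [0091] (new voice port in the SDP m line), run one after the other as [0096] allows, as an added Python simulation that is not part of the patent: both sides' messages are built and parsed, the opposite device moves its traffic only after the ACK, and the device filters the ports it has left. The IP addresses, the Call-ID, the media ports 20000/20002 and the initial signaling port 5060 are constructed example values; 15060 is the second port named on the page.

```python
import re

CRLF = "\r\n"
DEVICE_IP, PEER_IP = "192.0.2.10", "192.0.2.20"   # example addresses


def build_invite(contact_port, media_port):
    """Minimal re-INVITE from device 100: the Contact port is its call-control
    reception port, the SDP m line its voice reception port."""
    sdp = CRLF.join(["v=0", f"c=IN IP4 {DEVICE_IP}",
                     f"m=audio {media_port} RTP/AVP 0"]) + CRLF
    head = CRLF.join([
        f"INVITE sip:peer@{PEER_IP} SIP/2.0",
        "Call-ID: example-call-1",
        f"Contact: <sip:device@{DEVICE_IP}:{contact_port}>",
        "Content-Type: application/sdp",
        f"Content-Length: {len(sdp)}",
    ])
    return head + CRLF + CRLF + sdp


def parse_ports(msg):
    """Return (Contact port, SDP m-line port) announced in a SIP message."""
    head, _, body = msg.partition(CRLF + CRLF)
    contact = re.search(r"^Contact:\s*<sip:[^>]*:(\d+)>", head, re.M)
    media = re.search(r"^m=audio (\d+) ", body, re.M)
    if not contact or not media:
        raise ValueError("re-INVITE must carry a Contact port and an SDP m line")
    return int(contact.group(1)), int(media.group(1))


class OppositeDevice:
    """Device 130: remembers which device-100 ports to send signaling and media to."""
    def __init__(self, signaling_port, media_port):
        self.signaling_port, self.media_port = signaling_port, media_port
        self.offered = None

    def on_invite(self, msg):
        """Answer 200 OK, addressed to the announced call-control port (S2350 / S4400)."""
        self.offered = parse_ports(msg)
        return "SIP/2.0 200 OK" + CRLF + CRLF, self.offered[0]

    def on_ack(self):
        """Only after the ACK are the offered ports used for further traffic (S2400 / S4500)."""
        self.signaling_port, self.media_port = self.offered
        self.offered = None

    def send_signaling(self):
        return ("BYE", self.signaling_port)      # any later call-control message

    def send_media(self):
        return ("RTP", self.media_port)          # voice data


class CommunicationDevice:
    """Device 100: owns the open ports and filters the ones it has moved away from."""
    def __init__(self, signaling_port, media_port):
        self.signaling_port, self.media_port = signaling_port, media_port
        self.filtered = set()

    def receive(self, port):
        """True if a packet to `port` is delivered; filtered ports drop it (S2500 / S4600)."""
        return port not in self.filtered and port in (self.signaling_port, self.media_port)

    def switch_ports(self, peer, new_signaling=None, new_media=None):
        """Open the new port(s) (S2250 / S4300), announce them by re-INVITE
        (S2300 / S4350) and filter the old ones once the peer has ACKed."""
        old_sig, old_media = self.signaling_port, self.media_port
        self.signaling_port = new_signaling or old_sig
        self.media_port = new_media or old_media
        reply, reply_port = peer.on_invite(build_invite(self.signaling_port, self.media_port))
        if not reply.startswith("SIP/2.0 200 OK") or not self.receive(reply_port):
            raise RuntimeError("port switch not acknowledged by the opposite device")
        peer.on_ack()
        for old, new in ((old_sig, self.signaling_port), (old_media, self.media_port)):
            if old != new:
                self.filtered.add(old)


def run_scenario():
    """Embodiment 2 switch of the call-control port, then Embodiment 5 switch of the media port."""
    device = CommunicationDevice(signaling_port=5060, media_port=20000)
    peer = OppositeDevice(signaling_port=5060, media_port=20000)
    device.switch_ports(peer, new_signaling=15060)          # Contact: 15060, as in FIG. 3
    after_signaling = (peer.send_signaling(), peer.send_media())
    device.switch_ports(peer, new_media=20002)              # SDP m line: 20002
    after_media = (peer.send_signaling(), peer.send_media())
    attack_on_old = device.receive(20000)                   # S4550: arrives at a filtered port
    return after_signaling, after_media, attack_on_old, sorted(device.filtered)
```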
[0097] This specification is based on Japanese Patent Application No. 2004-349776 filed on December 2, 2004, the entire contents of which are incorporated herein.
Industrial Applicability
[0098] The communication device and communication method according to the present invention reduce the impact of unauthorized access such as DoS attacks to prevent communication failures, and are useful as a communication device and communication method that can continue the original service even when such unauthorized access is received.

Claims

[1] A communication device comprising:
a first port for receiving messages from an unspecified number of communication partners;
a reception unit that opens a second port different from the first port for communication with a specific communication partner and, after the second port is opened, receives messages from the specific communication partner at the second port;
a notification unit that notifies the specific communication partner of the second port by a message; and
a filter unit that filters received data addressed to the first port.
[2] The communication device according to claim 1, wherein
the reception unit opens the second port when a connection request message from the specific communication partner is received at the first port.
[3] The communication device according to claim 1, wherein
the reception unit opens the second port while communicating with the specific communication partner using the first port.
[4] The communication device according to claim 3, further comprising a detection unit that detects unauthorized access, wherein
the reception unit opens the second port when unauthorized access is detected.
[5] The communication device according to claim 1, further comprising
a second filter unit that filters received data addressed to the second port.
[6] A communication method comprising:
a step of opening a first port for receiving messages from an unspecified number of communication partners;
a step of opening a second port different from the first port for communication with a specific communication partner and, after the second port is opened, receiving messages from the specific communication partner at the second port;
a step of notifying the specific communication partner of the second port by a message; and
a step of filtering received data addressed to the first port.
PCT/JP2005/021807 2004-12-02 2005-11-28 Communication device and communication method WO2006059572A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2004349776 2004-12-02
JP2004-349776 2004-12-02

Publications (1)

Publication Number Publication Date
WO2006059572A1 true WO2006059572A1 (en) 2006-06-08
