CN1910878A - Repeater, repeating method, repeating program, and network attack defending system - Google Patents


Info

Publication number
CN1910878A
Authority
CN
China
Prior art keywords
signature
relay
aforementioned
adjacent
attack
Prior art date
Legal status
Pending
Application number
CN 200580003125
Other languages
Chinese (zh)
Inventor
濑林克启
仓上弘
副岛裕司
陈逸华
冨士仁
Current Assignee
Nippon Telegraph and Telephone Corp
Original Assignee
Nippon Telegraph and Telephone Corp

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

On receiving a signature from an adjacent relay, a relay (10) judges whether the number of packets per unit time that satisfy the condition of the received signature exceeds a predetermined threshold. If it does, the relay (10) further judges whether the number of consecutive unit times in which the threshold has been exceeded exceeds a predetermined value. Only if it does, the relay (10) transmits the signature received from the adjacent relay to its adjacent relays other than the one that sent the signature.

Description

Relay, relay method, relay program, and network attack defending system
Technical field
The present invention relates to a relay that receives, from an adjacent relay, a signature used to control the passage of packets and transmits the received signature to other adjacent relays, and to a corresponding relay method, relay program, and network attack defending system.
Background art
Network attack defending systems are known in which a plurality of relays, placed on the network to which the computer to be defended is connected, protect that computer against DoS (Denial of Service) or DDoS (Distributed Denial of Service) attacks. For example, in the network attack defending systems disclosed in Patent Document 1 (Japanese Laid-Open Patent Publication No. 2003-283554) and Patent Document 2 (Japanese Laid-Open Patent Publication No. 2003-283572), a relay checks whether the traffic passing through it matches predetermined detection conditions for suspected attack packets. When matching traffic is detected, the relay generates a signature that expresses a transmission bandwidth limit value for the detected suspected attack packets, transmits the signature to its adjacent relays (the relays with which it has an adjacency relationship), and thereafter limits the transmission bandwidth of the suspected attack packets identified by the signature.
A relay that receives the signature (an adjacent relay) in turn restricts the transmission bandwidth of the packets passing through it to the limit value expressed by the signature, and further transmits the signature to its upstream adjacent relays. That is, every relay that receives the signature re-transmits it, so that all relays on the network handle packets according to the same signature and the transmission bandwidth of the packets passing through each relay is restricted to the limit value expressed by the signature. Here, "upstream" and "downstream" adjacent relays are defined relative to the direction from which the suspected attack packets flow in.
After a certain time has elapsed, the relay that detected the attack receives from each adjacent relay the average input bandwidth of the suspected attack packets, calculates a transmission bandwidth limit adjustment value from the ratio of the average input bandwidths among the adjacent relays, and transmits the calculated adjustment value to the adjacent relays. A relay that receives the adjustment value adjusts its transmission bandwidth limit according to it and further transmits the adjustment value to its upstream adjacent relays. That is, every relay that receives the adjustment value re-transmits it, so that all relays on the network receive the same adjustment value and adjust their transmission bandwidth limits accordingly.
Patent Document 1: Japanese Laid-Open Patent Publication No. 2003-283554
Patent Document 2: Japanese Laid-Open Patent Publication No. 2003-283572
However, in the prior art described above, when a given relay on the network detects a suspected attack, the signature is transmitted to all relays that make up the network attack defending system. The signature therefore reaches even relays that are not on the communication path of the suspected attack packets, and the processing load imposed on every relay each time a suspected attack is detected increases as a result.
Summary of the invention
The present invention was made to solve the above problem of the prior art, and its object is to provide a relay, a relay method, a relay program, and a network attack defending system that reduce the processing load on each relay on the network while still performing the processing related to packet restriction efficiently.
To solve the above problem and attain the object, the invention according to claim 1 is a relay that receives from an adjacent relay a signature used to control the passage of packets and transmits the received signature to other adjacent relays, characterized in that the relay judges, on the basis of the signature received from the adjacent relay, whether that signature should be transmitted to the other adjacent relays, and transmits the signature received from the adjacent relay to the other adjacent relays only when it judges that the signature should be transmitted.
The invention according to claim 2 is characterized by having: an attack presence determination unit that monitors packets satisfying the condition of the signature received from the adjacent relay and judges whether those packets constitute an attack; and a signature transmission unit that, when the attack presence determination unit judges that there is an attack, transmits the signature received from the adjacent relay to the other adjacent relays.
The invention according to claim 3 is characterized in that, in the above invention, the attack presence determination unit has a packet count determination unit that judges whether the number of packets per unit time satisfying the condition of the signature received from the adjacent relay has exceeded a prescribed threshold, and the signature transmission unit transmits the signature received from the adjacent relay to the other adjacent relays when the packet count determination unit judges that the number of packets per unit time has exceeded the prescribed threshold.
The invention according to claim 4 is characterized in that, in the above invention, the attack presence determination unit further has a consecutive excess count determination unit that, when the packet count determination unit judges that the number of packets per unit time has exceeded the prescribed threshold, judges whether the number of consecutive times the threshold has been exceeded has itself exceeded a prescribed value, and the signature transmission unit transmits the signature received from the adjacent relay to the other adjacent relays when the consecutive excess count determination unit judges that the prescribed value has been exceeded.
The invention according to claim 5 is characterized in that, in the above invention, the signature transmission unit transmits the signature to all adjacent relays other than the adjacent relay that sent the signature.
The invention according to claim 6 is characterized in that, in the above invention, the relay has: a signature storage unit that stores the received signatures; a signature registration determination unit that judges whether the signature received from the adjacent relay is already registered in the signature storage unit; and a signature communication unit that, when the signature registration determination unit judges that the signature is not yet registered, registers the signature received from the adjacent relay in the signature storage unit and transmits it to the other adjacent relays.
The invention according to claim 7 is characterized in that, in the above invention, the signature storage unit stores each signature in association with generation identification information that uniquely identifies the generation of that signature; the signature registration determination unit judges whether the generation identification information of the signature received from the adjacent relay is registered in the signature storage unit; and the signature communication unit, when the signature registration determination unit judges that the generation identification information is not yet registered in the signature storage unit, registers the signature and generation identification information received from the adjacent relay in the signature storage unit and transmits the signature together with its generation identification information to the other adjacent relays.
The invention according to claim 8 is characterized in that, in the above invention, the relay has a signature generation unit that generates a signature upon detection of suspected attack packets and generates the generation identification information of that signature, and the signature generation unit transmits the signature and the generation identification information to the adjacent relays and registers in the signature storage unit, in association with one another, relay destination information designating those adjacent relays as relay destinations, the generation identification information, and the signature.
The invention according to claim 9 is characterized in that, in the above invention, the signature communication unit, when the signature registration determination unit judges that the generation identification information is not yet registered in the signature storage unit, transmits the signature and generation identification information received from the adjacent relay to the other adjacent relays, and registers in the signature storage unit, in association with one another, relay source information designating the adjacent relay that was the immediate relay source of the signature, relay destination information designating the adjacent relays that are the immediate relay destinations of the signature, the generation identification information, and the signature; the signature registration determination unit, when the generation identification information of the signature received from the adjacent relay is already registered in the signature storage unit, further judges whether the relay source information registered in association with that generation identification information is identical to the relay source information of the received signature; and the signature communication unit, when the signature registration determination unit judges that the generation identification information is already registered in the signature storage unit and the relay source information is identical, overwrites the registered entry in the signature storage unit with the signature received from the adjacent relay and transmits that signature to the other adjacent relays indicated by the relay destination information registered in the signature storage unit.
The invention according to claim 10 is characterized in that, in the above invention, the signature communication unit, when the signature registration determination unit judges that the relay source information is not identical, returns a registered notice indicating that the signature is already registered to the adjacent relay that is the relay source of the signature, and, when it receives such a registered notice from another adjacent relay, deletes the relay destination information corresponding to that adjacent relay from the relay destination information stored in the signature storage unit.
The invention according to claim 11 is a network attack defending system comprising a plurality of relays that each receive from an adjacent relay a signature used to control the passage of packets and transmit the received signature to other adjacent relays, characterized in that each relay has: an attack presence determination unit that monitors packets satisfying the condition of the signature received from the adjacent relay and judges whether those packets constitute an attack; and a signature transmission unit that, when the attack presence determination unit judges that there is an attack, transmits the signature received from the adjacent relay to the other adjacent relays.
The invention according to claim 12 is a network attack defending system comprising a plurality of relays that each receive from an adjacent relay a signature used to control the passage of packets, register the received signature in a signature storage unit to control the passage of packets, and transmit the signature to other adjacent relays, characterized in that each relay has: a signature registration determination unit that judges whether the signature received from the adjacent relay is already registered in the signature storage unit; and a signature communication unit that, when the signature registration determination unit judges that the signature is not yet registered, registers the signature received from the adjacent relay in the signature storage unit and transmits it to the other adjacent relays.
The invention according to claim 13 is a relay method in a relay that receives from an adjacent relay a signature used to control the passage of packets and transmits the received signature to other adjacent relays, characterized by comprising: an attack presence determination step of monitoring packets satisfying the condition of the signature received from the adjacent relay and judging whether those packets constitute an attack; and a signature transmission step of transmitting the signature received from the adjacent relay to the other adjacent relays when the attack presence determination step judges that there is an attack.
The invention according to claim 14 is characterized in that, in the above invention, the attack presence determination step includes a packet count determination step of judging whether the number of packets per unit time satisfying the condition of the signature received from the adjacent relay has exceeded a prescribed threshold, and the signature transmission step transmits the signature received from the adjacent relay to the other adjacent relays when the packet count determination step judges that the number of packets per unit time has exceeded the prescribed threshold.
The invention according to claim 15 is characterized in that, in the above invention, the attack presence determination step further includes a consecutive excess count determination step of judging, when the packet count determination step judges that the number of packets per unit time has exceeded the prescribed threshold, whether the number of consecutive times the threshold has been exceeded has itself exceeded a prescribed value, and the signature transmission step transmits the signature received from the adjacent relay to the other adjacent relays when the consecutive excess count determination step judges that the prescribed value has been exceeded.
The invention according to claim 16 is characterized in that, in the above invention, the signature transmission step transmits the signature to all adjacent relays other than the adjacent relay that sent the signature.
The invention according to claim 17 is a relay method of receiving from an adjacent relay a signature used to control the passage of packets, registering the received signature in a signature storage unit to control the passage of packets, and transmitting the signature to other adjacent relays, characterized by comprising: a signature registration determination step of judging whether the signature received from the adjacent relay is already registered in the signature storage unit; and a signature communication step of registering the signature received from the adjacent relay in the signature storage unit and transmitting it to the other adjacent relays when the signature registration determination step judges that the signature is not yet registered.
The invention according to claim 18 is characterized in that, in the above invention, the signature storage unit stores each signature in association with generation identification information that uniquely identifies the generation of that signature; the signature registration determination step judges whether the generation identification information of the signature received from the adjacent relay is registered in the signature storage unit; and the signature communication step, when the signature registration determination step judges that the generation identification information is not yet registered in the signature storage unit, registers the signature and generation identification information received from the adjacent relay in the signature storage unit and transmits the signature together with its generation identification information to the other adjacent relays.
The invention according to claim 19 is characterized in that, in the above invention, the method comprises a signature generation step of generating a signature upon detection of suspected attack packets and generating the generation identification information of that signature, and the signature generation step transmits the signature and the generation identification information to the adjacent relays and registers in the signature storage unit, in association with one another, relay destination information designating those adjacent relays as relay destinations, the generation identification information, and the signature.
The invention according to claim 20 is a relay program executed by a computer serving as a relay that receives from an adjacent relay a signature used to control the passage of packets and transmits the received signature to other adjacent relays, characterized by causing the computer to execute: an attack presence determination process of monitoring packets satisfying the condition of the signature received from the adjacent relay and judging whether those packets constitute an attack; and a signature transmission process of transmitting the signature received from the adjacent relay to the other adjacent relays when the attack presence determination process judges that there is an attack.
The invention according to claim 21 is characterized in that, in the above invention, the attack presence determination process causes the computer to execute a packet count determination process of judging whether the number of packets per unit time satisfying the condition of the signature received from the adjacent relay has exceeded a prescribed threshold, and the signature transmission process transmits the signature received from the adjacent relay to the other adjacent relays when the packet count determination process judges that the number of packets per unit time has exceeded the prescribed threshold.
The invention according to claim 22 is characterized in that, in the above invention, the attack presence determination process further causes the computer to execute a consecutive excess count determination process of judging, when the packet count determination process judges that the number of packets per unit time has exceeded the prescribed threshold, whether the number of consecutive times the threshold has been exceeded has itself exceeded a prescribed value, and the signature transmission process transmits the signature received from the adjacent relay to the other adjacent relays when the consecutive excess count determination process judges that the prescribed value has been exceeded.
The invention according to claim 23 is characterized in that, in the above invention, the signature transmission process transmits the signature to all adjacent relays other than the adjacent relay that sent the signature.
The invention according to claim 24 is a relay program executed by a computer serving as a relay that receives from an adjacent relay a signature used to control the passage of packets, registers the received signature in a signature storage unit to control the passage of packets, and transmits the signature to other adjacent relays, characterized by causing the computer to execute: a signature registration determination process of judging whether the signature received from the adjacent relay is already registered in the signature storage unit; and a signature communication process of registering the signature received from the adjacent relay in the signature storage unit and transmitting it to the other adjacent relays when the signature registration determination process judges that the signature is not yet registered.
The invention according to claim 25 is characterized in that, in the above invention, the signature storage unit stores each signature in association with generation identification information that uniquely identifies the generation of that signature; the signature registration determination process judges whether the generation identification information of the signature received from the adjacent relay is registered in the signature storage unit; and the signature communication process, when the signature registration determination process judges that the generation identification information is not yet registered in the signature storage unit, registers the signature and generation identification information received from the adjacent relay in the signature storage unit and transmits the signature together with its generation identification information to the other adjacent relays.
The invention according to claim 26 is characterized in that, in the above invention, the program causes the computer to execute a signature generation process of generating a signature upon detection of suspected attack packets and generating the generation identification information of that signature, and the signature generation process transmits the signature and the generation identification information to the adjacent relays and registers in the signature storage unit, in association with one another, relay destination information designating those adjacent relays as relay destinations, the generation identification information, and the signature.
According to the invention of claim 1, the relay judges on the basis of the signature received from an adjacent relay whether that signature should be transmitted to the other adjacent relays, and transmits it only when it judges that it should. The signature is therefore neither re-transmitted unconditionally by every relay nor delivered to every relay on the network, so the processing load of each relay on the network is reduced and the processing related to packet restriction can be performed efficiently.
According to the inventions of claims 2, 11, 13 and 20, packets satisfying the condition of the signature received from an adjacent relay are monitored to judge whether there is an attack, and the signature is transmitted to the adjacent relays only when an attack is judged to be present. The suspicion signature is thus not transmitted to every relay on the network, the processing load of each relay is reduced, and the processing related to packet restriction can be performed efficiently.
According to the inventions of claims 3, 14 and 21, an attack is judged to be present when the number of packets per unit time satisfying the condition of the signature received from the adjacent relay exceeds a prescribed threshold, so the presence or absence of an attack can be judged objectively and reliably.
According to the inventions of claims 4, 15 and 22, an attack is not judged to be present immediately when the number of packets per unit time satisfying the condition of the signature exceeds the prescribed threshold, but only when the number of consecutive times the threshold has been exceeded itself exceeds a prescribed value, so a single short burst of matching traffic does not trigger transmission and the presence or absence of an attack can be judged more reliably.
According to the inventions of claims 5, 16 and 23, the signature is transmitted to all adjacent relays except the one that sent it, so the signature is not returned to a relay that has already carried out the processing related to packet restriction; the processing load of each relay on the network is reduced and the processing related to packet restriction can be performed efficiently.
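The forwarding discipline of claims 2 to 5 is easiest to see in a small simulation. The following is an added example written for this page, not code from the patent or from Nippon Telegraph and Telephone Corp: each relay counts packets that satisfy the received signature per discrete "unit time" slot, keeps a run length of consecutive slots above the packet threshold, and only when that run exceeds the consecutive-excess value does it hand the signature to its neighbours other than the sender. The packet representation (a dict of header fields), the slot model, the thresholds, the topology, and the choice that a quiet slot resets the run are all assumptions made for the demonstration.

```python
# Added example (not the patent's own code): attack-presence check and
# conditional signature forwarding per claims 2 to 5. Packet fields, the
# discrete unit-time slots, thresholds and topology are assumptions.
from collections import defaultdict


class Relay:
    def __init__(self, name, pkt_threshold=100, consec_threshold=3):
        self.name = name
        self.neighbours = {}                      # name -> Relay (adjacency)
        self.pkt_threshold = pkt_threshold        # packets per unit time (claim 3)
        self.consec_threshold = consec_threshold  # consecutive excesses (claim 4)
        self.pending = {}      # sig key -> [signature, sender, consecutive excesses]
        self.counts = defaultdict(int)            # sig key -> matches in current slot
        self.clock = 0                            # unit-time slots elapsed
        self.forwarded = []                       # (slot, neighbour) transmissions

    def link(self, other):
        self.neighbours[other.name] = other
        other.neighbours[self.name] = self

    @staticmethod
    def key(signature):
        return tuple(sorted(signature.items()))

    def on_signature(self, signature, sender):
        # Receiving a signature does NOT forward it (that is the prior-art flood);
        # it only starts the attack-presence check on matching traffic.
        self.pending.setdefault(self.key(signature), [signature, sender, 0])

    def on_packet(self, pkt):
        # Count packets that satisfy the condition of each monitored signature.
        for k, (sig, _, _) in self.pending.items():
            if all(pkt.get(f) == v for f, v in sig.items()):
                self.counts[k] += 1

    def end_of_unit_time(self):
        # Claim 3: was this slot's count above the threshold?
        # Claim 4: has that now happened more than consec_threshold slots in a row?
        # Assumption: a slot at or below the threshold resets the run to zero.
        self.clock += 1
        for k in list(self.pending):
            sig, sender, consec = self.pending[k]
            consec = consec + 1 if self.counts[k] > self.pkt_threshold else 0
            self.counts[k] = 0
            if consec > self.consec_threshold:
                self.forward(sig, sender)
                del self.pending[k]   # judged as an attack; stop monitoring
            else:
                self.pending[k][2] = consec

    def forward(self, signature, sender):
        # Claim 5: every adjacent relay except the one that sent the signature.
        for name, nb in self.neighbours.items():
            if name != sender:
                self.forwarded.append((self.clock, name))
                nb.on_signature(signature, self.name)


def simulate(slots=10):
    # Constructed topology: A-B, B-C, B-D, C-E. Suspected attack traffic flows
    # E -> C -> B -> A; D is off the attack path. A has already detected the
    # attack and handed the signature to its neighbour B.
    a, b, c, d, e = (Relay(n) for n in "ABCDE")
    a.link(b); b.link(c); b.link(d); c.link(e)
    sig = {"dst": "10.0.0.5", "proto": "udp", "dport": 53}
    attack = {"src": "198.51.100.7", "dst": "10.0.0.5", "proto": "udp", "dport": 53}
    benign = {"src": "203.0.113.9", "dst": "10.0.0.5", "proto": "tcp", "dport": 25}
    b.on_signature(sig, "A")
    for _ in range(slots):
        for r in (b, c, e):          # on-path relays see 150 matching packets per slot
            for _ in range(150):
                r.on_packet(attack)
        for r in (b, c, d, e):       # every relay also sees some non-matching traffic
            for _ in range(20):
                r.on_packet(benign)
        for r in (b, c, d, e):
            r.end_of_unit_time()
    return {r.name: r.forwarded for r in (a, b, c, d, e)}


if __name__ == "__main__":
    for name, sent in simulate().items():
        print(name, sent)
```

With these parameters B forwards to C and D at the end of slot 4 (four consecutive excess slots), C forwards to E at the end of slot 8, and D, which receives the signature but never sees matching traffic, forwards nothing; the signature is never sent back toward A. In the prior-art scheme every relay, D included, would have re-transmitted the signature on receipt.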
According to the inventions of claims 6, 12, 17 and 24, the relay judges whether a signature received from an adjacent relay is already registered, and only a signature that is not yet registered is registered in the signature storage unit (signature list) and transmitted to the adjacent relays. Duplicate registration and duplicate transmission of a signature are thereby avoided, and packet control based on signatures can be carried out effectively.
According to the inventions of claims 7, 18 and 25, each signature is managed in association with generation identification information that uniquely identifies its generation (composed of an identifier that uniquely identifies the relay that is the generation source and an identifier that uniquely identifies each of the plurality of suspicion signatures generated at that relay), so whether a signature is registered can be judged from the generation identification information alone, without referring to the content of the signature. Moreover, when the signature content is identical but the generation identification information (generation source) differs, the signature is judged to be not yet registered, is registered in the signature list, and is transmitted to the adjacent relays. Differences in the capabilities of the relays that act as generation sources (for example, differences in attack detection or in the algorithms used to release defences) are thus respected, and packet control can be carried out safely.
According to the inventions of claims 8, 19 and 26, when suspected attack packets are detected, a signature and its generation identification information are generated and transmitted to the adjacent relays, and relay destination information designating those adjacent relays is registered in the signature list in association with the generation identification information and the signature. Generation identification information can thus be reliably attached to a signature, and when the signature must be resent because of a transmission error, a content update, or the like, the signature carrying the same generation identification information can be reliably resent to the same relay destinations by referring to the relay destination information, generation identification information, and signature registered in the signature list.
According to the invention of claim 9, when the generation identification information of a signature received from an adjacent relay is not yet registered in the signature list, the signature and its generation identification information are transmitted to the other adjacent relays, and relay source information designating the adjacent relay that was the immediate relay source, relay destination information designating the adjacent relays that are the immediate relay destinations, the generation identification information, and the signature are registered in the signature list in association with one another. When the generation identification information is already registered, the relay further judges whether the relay source information is identical; if it is, the registered signature is overwritten and the signature is transmitted to the other adjacent relays indicated by the relay destination information registered in the signature list. Thus, when a signature is resent because of a transmission error, a content update, or the like, the resent signature does not accumulate as a duplicate entry and can be reliably resent to the relay destinations. When the relay source information differs, on the other hand, the reception is judged not to be a resend of the signature, so duplicate registration and duplicate transmission of the signature are reliably avoided.
And, invention according to claim 10, registered in signature list and under the trunk source information situation inequality at the generation identifying information of the signature that is received from the adjacency relay, this registered registered notice of signing of expression be returned to as the trunk source of signing in abutting connection with relay.Then, receiving in abutting connection with relay under the situation of this registered notice from other, relay purposes in the being stored in signature list ground information deletion with this in abutting connection with the corresponding relay purposes of relay information.Therefore, be necessary to resend under the situation of signature because of sending mistake or content update etc., the relay purposes ground that signature is not sent to from signature list to be deleted, even when resending signature, that also can avoid reliably signing repeats registration or repeats transmission.
Description of drawings
Fig. 1 is a system configuration diagram showing the structure of the network attack defense system of Embodiment 1.
Fig. 2 is a block diagram showing the structure of the relay of Embodiment 1.
Fig. 3 is a diagram showing an example of the information stored in the attack suspicion detection condition table.
Fig. 4 is a diagram showing an example of the information stored in the illegal traffic detection condition table.
Fig. 5 is a diagram showing an example of the information stored in the legitimate condition table.
Fig. 6 is a flowchart of the processing procedure when an attack suspicion packet is detected.
Fig. 7 is a flowchart of the processing procedure when a signature is received.
Fig. 8 is a flowchart of the processing procedure when an illegal packet is detected.
Fig. 9 is a flowchart of the processing procedure for packet control.
Fig. 10 is a system configuration diagram showing the structure of the network attack defense system of Embodiment 2.
Fig. 11 is a block diagram showing the structure of the relay of Embodiment 2.
Fig. 12 is a diagram showing an example of the information stored in the attack suspicion detection condition table.
Fig. 13 is a diagram showing an example of the information stored in the illegal traffic detection condition table.
Fig. 14 is a diagram showing an example of the information stored in the legitimate condition table.
Fig. 15 is a diagram showing an example of the information stored in the signature list.
Fig. 16 is a diagram showing an example of the identification information attached to a signature.
Fig. 17 is a flowchart of the processing procedure when an attack suspicion packet is detected.
Fig. 18 is a flowchart of the processing procedure when a signature is received.
Fig. 19 is a flowchart of the processing procedure when an illegal packet is detected.
Fig. 20 is a flowchart of the processing procedure for packet control.
Fig. 21 is a block diagram showing the structure of the relay of Embodiment 3.
Fig. 22 is a flowchart of the processing procedure when an attack suspicion packet is detected.
Fig. 23 is a flowchart of the processing procedure when a signature is received.
Fig. 24 is a diagram for explaining a network attack defense system of the prior art.
Fig. 25 is a diagram for explaining a network attack defense system of the prior art.
Symbol description
10: relay; 11: network interface; 12: packet acquisition unit; 13: attack detection unit; 14: signature communication unit (signature sending unit); 15a, 215b: packet number judging unit; 15b, 215c: consecutive excess count judging unit; 16: filter unit; 20: server; 30: communication terminal; 100, 100a: network attack defense system; 110: relay; 111: network interface; 112: packet acquisition unit; 113: attack detection unit; 114: signature communication unit; 115, 215a: identification information judging unit; 116: filter unit; 120: server; 130: communication terminal.
Embodiment
Embodiments of the relay, relay method, relay program and network attack defense system of the present invention are described in detail below with reference to the accompanying drawings. Embodiment 1 describes the case in which the sending of a signature is restricted using a prescribed threshold; Embodiment 2 describes the case in which the sending of a signature is restricted using the generation identification information of the signature; and Embodiment 3 describes the case in which the packet restriction processes of Embodiment 1 and Embodiment 2 are combined.
Before each embodiment is explained, an outline of the relay scheme of the present invention is given. The relay scheme of the present invention has the following principal feature: a signature received from an adjacent relay is not sent on to the other relays as it is; instead, the relay judges whether the received signature should be sent on, and sends it to the other adjacent relays only when it judges that it should be.
For example, the received signature is sent to the other relays only when the number of packets per unit time has exceeded a prescribed threshold, or only when the number of consecutive times the prescribed threshold has been exceeded has exceeded a prescribed value. Alternatively, generation identification information that uniquely identifies the generation of a signature is managed in association with each signature, and the received signature is sent to the other relays only when this generation identification information satisfies a prescribed condition.
In this way, a signature is neither sent repeatedly nor sent by every relay to every relay on the network, so the processing load on each relay in the network is reduced and the processing relating to packet restriction is carried out efficiently.
Embodiment 1
Embodiment 1 describes the case in which the sending of a signature is restricted using a prescribed threshold. In the following, the main terms used in Embodiment 1, the outline and features of the network attack defense system, the structure of the relay and its processing, and the effects of Embodiment 1 are described in turn, and various modifications of Embodiment 1 are described last.
[Explanation of terms]
First, the main terms used in Embodiment 1 are explained. A "suspicion signature" as used in Embodiment 1 is a signature for restricting packets suspected of being an attack (attack suspicion packets); specifically, it is made up of attributes that characterize the attack suspicion packets whose passage is to be restricted (for example, destination IP address, protocol, destination port number and the like) and a restriction content (for example, restriction information such as the bandwidth to which the inflow of the particular packets is limited).
A "legitimate signature" as used in Embodiment 1 is a signature for permitting the passage of legitimate packets, that is, packets matching the suspicion signature that are not regarded as an attack (legitimate packets such as the communication packets of legitimate users); specifically, it is made up of attributes that characterize the legitimate packets whose passage is permitted (for example, source IP address, type of service, destination IP address, protocol, destination port number and the like).
A "false signature" as used in Embodiment 1 is a signature for restricting the illegal packets (packets satisfying an illegal traffic condition) contained in illegal traffic; specifically, it is made up of the source IP address of the illegal packets and the like.
[summary of system and feature]
Next, the outline and features of the network attack defense system of Embodiment 1 are explained using Fig. 1. Fig. 1 is a system configuration diagram showing the structure of the network attack defense system of Embodiment 1.
As shown in the figure, the network attack defense system 100 is made up of a plurality of relays 10 on a network. Connected to the network are a server 20, a computer that is the target of DoS attacks and DDoS attacks, and communication terminals 30, computers capable of carrying out such DoS attacks and DDoS attacks. In the following, when the individual relays 10 shown are distinguished they are referred to as relay 10-1 to relay 10-7; when the individual servers 20 are distinguished, as server 20-1 or server 20-2; and when the individual communication terminals 30 are distinguished, as communication terminal 30-1 to communication terminal 30-5.
In the network attack defense system 100, when a relay 10 detects that at least one of the communication terminals 30 on the network is carrying out a DoS attack or DDoS attack on a server 20, it generates signatures for controlling the passage of packets (a suspicion signature and a false signature) and also generates a legitimate signature for permitting the passage of packets. The relay 10 then registers the signatures it has generated (suspicion signature, false signature and legitimate signature) in its signature list.
The relay 10 also sends the generated suspicion signature (together with the legitimate condition used to generate the legitimate signature) to the adjacent relays. Conversely, when the relay 10 receives a suspicion signature and the like from an adjacent relay, it generates a legitimate signature from the legitimate condition, registers the received suspicion signature and the generated legitimate signature in its signature list, and then sends the signature and the like received from the adjacent relay on to the other adjacent relays. To give an example of adjacent relays: in Fig. 1, the adjacent relays of relay 10-3 are relay 10-1, relay 10-2, relay 10-4 and relay 10-7, while relay 10-3 has no adjacency with relay 10-5 or relay 10-6. This adjacency does not necessarily mean physical adjacency.
The relay 10 controls the passage of packets according to the signatures registered in the signature list as described above. That is, packets matching the false signature or the suspicion signature are passed with a restricted bandwidth or are discarded, while packets matching the legitimate signature, and packets matching no signature at all, are passed without bandwidth restriction.
The relay 10 is a device that relays packets so as to defend against attack packets; it may function, for example, as a router or as a bridge. The relay 10 may also be connected to a management network used to manage the relays 10 and the like, and signatures may be sent and received over the management network.
Thus the relay 10 not only generates signatures for controlling the passage of packets and controls packets itself, but also sends the generated signatures to the adjacent relays. When the relay 10 receives a signature from an adjacent relay, it controls packets according to that signature and also sends the signature on to the other adjacent relays. The relay 10 of Embodiment 1 has its main feature in the process of sending a signature received from an adjacent relay on to the other adjacent relays: the relay 10 monitors the packets that satisfy the condition of the signature received from the adjacent relay to judge whether there is an attack, and sends the signature to the adjacent relays only when it judges that there is an attack.
This principal feature is briefly explained using Fig. 1. As shown in Fig. 1, suppose that communication terminal 30-4 and communication terminal 30-5 carry out a DoS attack on server 20-1. When relay 10-1 detects the suspected attack, it generates a suspicion signature for restricting the attack suspicion packets, processes packets according to the generated suspicion signature, and sends the suspicion signature (and the legitimate condition) to relay 10-3, which is its adjacent relay (see (1) and (2) in Fig. 1).
Relay 10-3 receives the suspicion signature sent from relay 10-1, processes packets according to the received suspicion signature, and judges whether the number of packets per unit time that satisfy the condition of the received suspicion signature has exceeded a prescribed threshold (see (3) in Fig. 1). In other words, it judges whether the attack corresponding to the suspicion signature is passing through relay 10-3, and thus whether there is an attack.
When this judgment finds that the number of packets per unit time satisfying the condition of the suspicion signature has exceeded the prescribed threshold, relay 10-3 sends the suspicion signature received from relay 10-1 to its adjacent relays (see (4) in Fig. 1). The adjacent relays to which relay 10-3 sends the suspicion signature are the adjacent relays other than the one (relay 10-1) that sent the suspicion signature to relay 10-3 itself, namely relay 10-2, relay 10-4 and relay 10-7. In the example shown in Fig. 1, since communication terminal 30-4 and communication terminal 30-5 are attacking server 20-1, relay 10-3 judges that there is an attack.
Relay 10-4 and relay 10-2 receive the suspicion signature sent from relay 10-3, process packets according to the received suspicion signature, and, as above, judge whether the attack corresponding to the suspicion signature is passing through each of them (see (5) and (6) in Fig. 1). In the example of Fig. 1, because it is communication terminal 30-4 and communication terminal 30-5 that are attacking server 20-1, relay 10-2 and relay 10-4 do not find that the number of packets per unit time satisfying the condition of the received suspicion signature has exceeded the prescribed threshold (that is, they judge that there is no attack), and as a result they do not send the suspicion signature to their adjacent relays.
Relay 10-7, like relay 10-4 and relay 10-2 above, receives the suspicion signature sent from relay 10-3, processes packets according to the received suspicion signature, and judges whether the attack corresponding to the suspicion signature is passing through it; however, since it has no adjacent relay other than the one that sent it the suspicion signature, it does not send the suspicion signature to any adjacent relay (see (7) in Fig. 1).
As described above, in the network attack defense system 100, relay 10-1, relay 10-3 and relay 10-7 among the plurality of relays 10 relay the packets sent from communication terminal 30-4 and communication terminal 30-5 while restricting them according to the suspicion signature. In other words, the suspicion signature is not sent to relay 10-5 and relay 10-6 among the relays 10 of the network attack defense system 100 (the suspicion signature is not sent to all of the relays 10). The processing load imposed on each relay 10 when a suspected attack is detected and so on can therefore be reduced.
The signature sent by the relay 10 is not limited to the suspicion signature alone; the relay 10 may send other signatures, or may send both the suspicion signature and other signatures.
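The Fig. 1 walkthrough above, replayed as a small model of the Embodiment 1 forwarding rule (packet count per unit time over a threshold, for more than a prescribed number of consecutive unit times, before a received signature is passed on to the other adjacent relays). This is an added example, not code from the patent; the adjacencies of relays 10-5 and 10-6, the thresholds, the server address and the traffic are all assumptions.

```python
"""Constructed model of the Embodiment 1 forwarding rule: a relay forwards a
suspicion signature received from an adjacent relay to its other adjacent relays
only after the count of matching packets per unit time has exceeded the threshold
(judging unit 15a) for more than a prescribed number of consecutive unit times (15b).
Topology details, thresholds and traffic are assumptions, not values from the patent."""
import ipaddress

# Suspicion signature of Fig. 3 record 1 (the one value the text gives).
SUSPICION = {"dst": "192.168.1.1/32", "Protocol": "TCP", "Port": 80}


def satisfies(attrs, cond):
    """Every attribute of cond holds for attrs; src/dst are compared as CIDR prefixes."""
    return all(k in attrs and (ipaddress.ip_address(attrs[k]) in ipaddress.ip_network(cond[k])
                              if k in ("src", "dst") else attrs[k] == cond[k]) for k in cond)


class Relay:
    def __init__(self, name, threshold, max_consecutive):
        self.name = name
        self.threshold = threshold              # packets per unit time (judging unit 15a)
        self.max_consecutive = max_consecutive  # allowed consecutive excesses (judging unit 15b)
        self.neighbors = set()                  # adjacent relays (not necessarily physical)
        self.signature_list = []                # signature list 16a
        self.intervals = []                     # observed traffic: one packet list per unit time
        self.forward_log = []                   # (signature, names of relays it was sent to)

    def attack_present(self, signature):
        """15a/15b: threshold exceeded in more than max_consecutive consecutive unit times?"""
        consecutive = 0
        for packets in self.intervals:
            count = sum(satisfies(p, signature) for p in packets)
            consecutive = consecutive + 1 if count > self.threshold else 0
            if consecutive > self.max_consecutive:
                return True
        return False

    def receive_signature(self, signature, sender):
        """Signature communication unit 14 on receipt of a signature from an adjacent relay."""
        if signature in self.signature_list:    # already registered: no second forwarding
            return []
        self.signature_list.append(signature)   # packets are filtered by it from now on
        if not self.attack_present(signature):  # no attack passing through here: keep it local
            return []
        targets = sorted(self.neighbors - {sender}, key=lambda r: r.name)  # all but the sender
        self.forward_log.append((signature, [t.name for t in targets]))
        for target in targets:
            target.receive_signature(signature, self)
        return targets

    def originate_signature(self, signature):
        """The relay that detected the attack sends its own signature to every adjacent relay."""
        self.signature_list.append(signature)
        for target in sorted(self.neighbors, key=lambda r: r.name):
            target.receive_signature(signature, self)


def build_network():
    """Adjacency of Fig. 1 as far as the text states it (10-3 adjoins 10-1, 10-2, 10-4, 10-7);
    10-5 and 10-6 are assumed to hang off 10-2 and 10-4."""
    relays = {n: Relay(n, threshold=50, max_consecutive=2)
              for n in ("10-1", "10-2", "10-3", "10-4", "10-5", "10-6", "10-7")}
    for a, b in (("10-1", "10-3"), ("10-3", "10-2"), ("10-3", "10-4"),
                 ("10-3", "10-7"), ("10-2", "10-5"), ("10-4", "10-6")):
        relays[a].neighbors.add(relays[b])
        relays[b].neighbors.add(relays[a])
    return relays


def make_packets(n, src):
    """n constructed TCP/80 packets from src toward server 20-1 (assumed to be 192.168.1.1)."""
    return [{"src": src, "dst": "192.168.1.1", "Protocol": "TCP", "Port": 80}] * n


def simulate():
    """Replay the Fig. 1 walkthrough; returns the relays with their signature lists filled in."""
    relays = build_network()
    flood = make_packets(120, "10.0.4.4") + make_packets(120, "10.0.5.5")  # terminals 30-4, 30-5
    for name in ("10-7", "10-3", "10-1"):   # assumed attack path 30-4/30-5 -> 10-7 -> 10-3 -> 10-1
        relays[name].intervals = [flood] * 5
    relays["10-2"].intervals = [make_packets(10, "172.16.10.7")] * 5   # legitimate users, under threshold
    relays["10-4"].intervals = [make_packets(90, "10.0.9.9"), [], [], [], []]  # one burst, not consecutive
    relays["10-1"].originate_signature(SUSPICION)   # step (2) of Fig. 1
    return relays


if __name__ == "__main__":
    for name, relay in sorted(simulate().items()):
        print(name, "registered" if relay.signature_list else "never received", relay.forward_log)
```

Relay 10-4 shows why the consecutive-excess check matters: a single burst over the threshold is not enough to propagate the signature further.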
[structure of relay]
Below, use Fig. 2 that the structure of relay shown in Figure 1 10 is described.Fig. 2 is the block diagram that the structure of relay 10 is shown.As shown in the drawing, this relay 10 constitutes to have: network interface portion 11; Packet obtaining section 12; Attack detecting portion 13 (and the suspicion of attack testing conditions table 13a, illegal traffic carrying capacity testing conditions table 13b and lawful condition table 13c); Signature Department of Communication Force 14; Data packet number detection unit 15a; Surpass number of times detection unit 15b continuously; And filter house 16 (and signature list 16a).
And, CPU), memory, hard disk etc. relay 10 has CPU, and (Central Processing Unit:, packet obtaining section 12, attack detecting portion 13, signature Department of Communication Force 14, data packet number detection unit 15a, to surpass number of times detection unit 15b and filter house 16 continuously can be the program module of being handled by CPU.And this program module can be handled by a CPU, also can be by a plurality of CPU dispersion treatment.And, the general purpose O S of Linux etc. has been installed in relay 10, can make the function of the packet filtering performance filter house 16 that is provided in the general purpose O S.
In addition, signature Department of Communication Force 14 is corresponding with interior " the signature transmitting element " put down in writing of Patent right requirement scope, data packet number detection unit 15a is same corresponding with " attack has or not identifying unit " and " data packet number identifying unit ", and it is corresponding with " attack has or not identifying unit " and " surpassing number of times continuously judges " equally to surpass number of times detection unit 15b continuously.
In Fig. 2, network interface portion 11 be with communication equipment that network is connected between the unit of transceive data bag, local area network (LAN)) or WAN (Wide Area Network: the formations such as network Connection Card that are connected such as network wide area network) specifically, by being used for (Local Area Network: with LAN.In addition, although not shown in Fig. 2, constitute relay 10 yet can have keyboard, mouse, microphone etc. receive the various information of output such as the input unit of various information and indication input and monitor (or display, touch panel) and loud speaker from network manager output unit.
Packet obtaining section 12 is to obtain the packet that received by network interface portion 11, and the statistical information of the statistical correlation of obtained packet is offered the handling part of attack detecting portion 13 and data packet number detection unit 15a.
Attack detecting portion 13 carries out attack detecting and attacks the handling part of analyzing according to the statistical information that is provided by packet obtaining section 12, as shown in Figure 2, be connected respectively with the suspicion of attack testing conditions table 13a, illegal traffic carrying capacity testing conditions table 13b and lawful condition table 13c.Here, to being stored in after the information of respectively showing in 13a~13c done to specify, the contents processing of attacking test section 13 is described.
Fig. 3 illustrates the information that is stored in the attack suspicion testing conditions table 13a, in more detail, for the attack suspicion packet with the possibility that receives packet attack packet being detected the figure of an example of using " attacking the suspicion testing conditions ".As shown in the drawing, attack suspicion testing conditions is made of many groups (the being 3 groups here) record that comprises the combination that detects attribute, detection threshold and assay intervals, attack at traffic carrying capacity and this under situation of term harmonization of each intrarecord any record of suspicion testing conditions, it is attack suspicion packet that the communication data packet of this traffic carrying capacity is identified as.In addition, for convenience's sake, use numbering to come designated recorder.
In " the detection attribute " of the suspicion of attack testing conditions, for example, specified the attribute of the IP head that is comprised in the IP packet, and the TCP head that is comprised in the payload portion of IP packet or the attribute of UDP head.Specifically, in Fig. 3, numbering 1 record detect attribute use " Destination IP Address (IP address, destination) " be " 192.168.1.1/32 " (dst=192.168.1.1/32), " Protocol (agreement) " of upper strata (TCP or the UDP) protocol class of expression IP be " TCP " (Protocol=TCP) and the upper-layer protocol of expression IP be that " Destination Port (the destination port numbering) " of the information of which application is that the group of " 80 " property value (Port=80) is specified.
And, numbering 2 record detect attribute use " Destination IP Address (IP address, destination) " be " 192.168.1.2/32 " (dst=192.168.1.2/32) and " Protocol (agreement) " be that the group of " UDP (User Datagram Protocol: User Datagram Protoco (UDP)) " property value (Protocol=UDP) is specified.Equally, numbering 3 record detects attribute to use " Destination IP Address (IP address, destination) " is that the attribute of " 192.168.1.0/24 " is specified.
" detection threshold " of attack suspicion testing conditions specified and is used for attacking " assay intervals " of suspicion testing conditions and specifying minimum continuous time equally having traffic carrying capacity by the reception packet of the specified detection attribute of identical recordings as the minimum transmission band that the suspicion of attack traffic carrying capacity detects.In addition, although it is not shown in Fig. 3, yet in detecting attribute, can specify " value of DestinationIP Address (IP address, destination) is set at unconditionally (any) and represents that " Protocol (agreement) " of the upper-layer protocol classification of IP is " ICMP (Internet Control MessageProtocol: the group of " property value internet control message protocol).
Fig. 4 illustrates the information that is stored in the illegal traffic carrying capacity testing conditions table 13b, in more detail, detects the figure of an example of " illegal traffic conditions " that illegal traffic carrying capacity uses for the traffic carrying capacity according to the suspicion of attack packet.As shown in the drawing, illegal traffic conditions is made of a plurality of traffic pattern of known ddos attack, and under the traffic carrying capacity of the suspicion of the attack packet situation consistent with any traffic pattern, being identified as is illegal traffic carrying capacity.In addition, for convenience's sake, use numbering to come designated recorder (pattern).
Specifically, the illegal traffic conditions of numbering 1 is represented the traffic pattern of " transmission band is sent the second more than or equal to S1 continuously more than or equal to T1Kbps, packet ".And numbering 2 illegal traffic conditions is represented the traffic pattern of " transmission band more than or equal to T2Kbps, ICMP (InternetControl Message Protocol: the packet that (EchoReply) message is replied in the response internet control message protocol) has been sent the second more than or equal to S2 continuously ".And numbering 3 illegal traffic conditions is represented the traffic pattern of " transmission band is divided into the segment data packet that a plurality of IP packets send to the data that comprised in the packet more than or equal to T3Kbps, expression because data are long and has been sent the second more than or equal to S3 continuously ".
Fig. 5 illustrates the information that is stored in the lawful condition table 13c, in more detail, and the figure of an example of " lawful condition " of the packet that expression is sent from the communication terminal 30 that is utilized by legal user.As shown in the drawing, lawful condition is made of a plurality of records of the group that comprises attribute in the IP packet and these property values.In addition, for convenience's sake, use numbering to come designated recorder (pattern).
Specifically, " Source IP Address (the transmission source IP address) " that numbering 1 record detects the attribute assigned ip be " 172.16.10.0/24 " (src=172.16.10.0/24), the record of numbering 2 detects attribute, and to specify " the Type of Service (COS) " of the service quality on the expression IP be " (16 system) 01 " (TOS=0 * 01).In this lawful condition, be set with the transmission source IP address of the branch company, affiliated company etc. of the possessory company of server for example, the server 20 of defence object etc., and be set with the transmission source IP address etc. that the owner by the LAN that contains server 20 is identified as the network that is validated user.
Get back to the explanation of Fig. 2, attack detecting portion 13 is detecting under the situation of attack according to the statistical information that is provided by packet obtaining section 12, generates the suspicion signature of the communication data packet (attacking the suspicion packet) that is used to limit attack suspicion traffic carrying capacity.Specifically, attack detecting portion 13 is according to attack suspicion testing conditions shown in Figure 3, check continuously than according to the longer time of specified time of assay intervals, use more than or equal to according to the specified transmission band of detection threshold, with the consistent traffic carrying capacity of detection attribute, under the situation consistent with each intrarecord any record, this traffic carrying capacity detected be attack suspicion traffic carrying capacity, and the record that generates the attack suspicion testing conditions that the attack suspicion traffic carrying capacity that detected this moment satisfies detects attribute and signs as suspicion.
And attack detecting portion 13 is detecting under the situation of attack, generates legitimate signature with the suspicion signature.Specifically, with reference to lawful condition shown in Figure 5, at the each side of all records of lawful condition, get with the suspicion signature " with " (AND) condition, and it is generated as legitimate signature.This legitimate signature is in order to permit the signature that uses as the legal data packet of the communication data packet of validated user in the suspicion signature, for example use the example of Fig. 3 and Fig. 5 to describe, suspicion signature according to the packet that record condition detected of the numbering among Fig. 31 is [dst=192.168.1.1/32, Protocol=TCP, Port=80], in Fig. 5, legitimate signature is [src=172.16.10.24, dst=192.168.1.1/32, Protocol=TCP, Port=80] and [TOS=0 * 01, dst=192.168.1.1/32, Protocol=TCP, Port=80].
Then, attack detecting portion 13 generates the false signature that is used to limit illegal traffic carrying capacity under the situation that detects the traffic carrying capacity consistent with the arbitrary patterns of illegal traffic conditions shown in Figure 4.Specifically, the transmission source IP address of the packet that satisfies the illegal traffic conditions detected is appointed as the illegal address scope, and to generate be that this illegal address scope and the condition consistent with the suspicion signature are as false signature.
Above-mentioned suspicion signature, legitimate signature and the false signature that is generated by attack detecting portion 13 is registered in the signature list 16a.In addition, as the signature (suspicion signature, legitimate signature and false signature) that is registered in the signature list 16a, except the signature that is generated by this attack detecting portion 13, also has the signature that is received from the adjacency relay by signature Department of Communication Force 14 described later.
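The three signature generation steps of attack detection unit 13 (suspicion signature from table 13a, legitimate signature as the AND of each table 13c record with the suspicion signature, false signature from a table 13b pattern plus the illegal address range), worked through on constructed traffic statistics. This is an added example, not code from the patent: the table attributes follow Figs. 3 to 5 where the text gives them, while the detection thresholds and intervals, the T/S values of Fig. 4, the attribute names used for the ICMP and fragment patterns and the flow statistics are assumptions.

```python
"""Constructed model of the signature generation of attack detection unit 13.
Table contents follow Figs. 3 to 5 where the text gives them; the detection
thresholds/intervals (Fig. 3), the T/S values (Fig. 4) and the flow statistics
are assumptions. Traffic is modelled as flows with a per-second Kbps series,
standing in for the statistics supplied by packet acquisition unit 12."""
import ipaddress

SUSPICION_CONDITIONS = [   # table 13a (Fig. 3): attribute, detection threshold (Kbps), detection interval (s)
    {"no": 1, "attr": {"dst": "192.168.1.1/32", "Protocol": "TCP", "Port": 80}, "kbps": 500, "interval": 3},
    {"no": 2, "attr": {"dst": "192.168.1.2/32", "Protocol": "UDP"}, "kbps": 500, "interval": 3},
    {"no": 3, "attr": {"dst": "192.168.1.0/24"}, "kbps": 2000, "interval": 5},
]
ILLEGAL_CONDITIONS = [     # table 13b (Fig. 4): known DDoS traffic patterns; T1..S3 are assumed values
    {"no": 1, "attr": {}, "t_kbps": 800, "s_sec": 4},
    {"no": 2, "attr": {"Protocol": "ICMP", "Type": "EchoReply"}, "t_kbps": 300, "s_sec": 4},
    {"no": 3, "attr": {"Fragment": True}, "t_kbps": 300, "s_sec": 4},
]
LEGITIMATE_CONDITIONS = [{"src": "172.16.10.0/24"}, {"TOS": 0x01}]   # table 13c (Fig. 5)


def satisfies(attrs, cond):
    """Every attribute of cond holds for attrs; src/dst are compared as CIDR prefixes."""
    return all(k in attrs and (ipaddress.ip_address(attrs[k]) in ipaddress.ip_network(cond[k])
                              if k in ("src", "dst") else attrs[k] == cond[k]) for k in cond)


def sustained(series, min_kbps, min_seconds):
    """Bandwidth stays at or above min_kbps for more than min_seconds consecutive seconds."""
    run = 0
    for kbps in series:
        run = run + 1 if kbps >= min_kbps else 0
        if run > min_seconds:
            return True
    return False


def aggregate(flows, cond):
    """Per-second bandwidth of all flows whose attributes satisfy cond."""
    length = max((len(f["kbps"]) for f in flows), default=0)
    return [sum(f["kbps"][i] for f in flows if satisfies(f["attrs"], cond) and i < len(f["kbps"]))
            for i in range(length)]


def detect_suspicion(flows):
    """Suspicion signatures: the detection attribute of every satisfied 13a record."""
    return [dict(c["attr"]) for c in SUSPICION_CONDITIONS
            if sustained(aggregate(flows, c["attr"]), c["kbps"], c["interval"])]


def legitimate_signatures(suspicion):
    """AND of each 13c record with the suspicion signature. A record that contradicts the
    suspicion signature is dropped; overlapping prefixes are not intersected here."""
    out = []
    for rec in LEGITIMATE_CONDITIONS:
        if any(k in suspicion and suspicion[k] != v for k, v in rec.items()):
            continue
        out.append({**rec, **suspicion})
    return out


def false_signatures(flows, suspicion):
    """Source address (as the illegal address range) of each flow inside the suspicion
    traffic that matches a 13b pattern, ANDed with the suspicion signature."""
    out = []
    for flow in flows:
        attrs = flow["attrs"]
        if "src" not in attrs or not satisfies(attrs, suspicion):
            continue
        for illegal in ILLEGAL_CONDITIONS:
            if satisfies(attrs, illegal["attr"]) and sustained(flow["kbps"], illegal["t_kbps"], illegal["s_sec"]):
                sig = {"src": attrs["src"] + "/32", **suspicion}
                if sig not in out:
                    out.append(sig)
                break
    return out


def sample_flows():
    """Constructed statistics: two attacking terminals, one legitimate user, unrelated UDP traffic."""
    return [
        {"attrs": {"src": "10.0.4.4", "dst": "192.168.1.1", "Protocol": "TCP", "Port": 80}, "kbps": [900] * 6},
        {"attrs": {"src": "10.0.5.5", "dst": "192.168.1.1", "Protocol": "TCP", "Port": 80},
         "kbps": [600, 600, 0, 600, 600, 600]},
        {"attrs": {"src": "172.16.10.7", "dst": "192.168.1.1", "Protocol": "TCP", "Port": 80}, "kbps": [40] * 6},
        {"attrs": {"src": "10.0.6.6", "dst": "192.168.1.2", "Protocol": "UDP"}, "kbps": [100] * 6},
    ]


if __name__ == "__main__":
    flows = sample_flows()
    for sus in detect_suspicion(flows):
        print("suspicion ", sus)
        print("legitimate", legitimate_signatures(sus))
        print("false     ", false_signatures(flows, sus))
```

Only the first attacker's source trips a table 13b pattern and earns a false signature; the second attacker is still throttled by the suspicion signature, and the legitimate user's traffic is released by the first legitimate signature.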
In Fig. 2, the signature communication unit 14 is the processing unit that sends the signatures generated by the attack detection unit 13 to adjacent relays, receives signatures sent from adjacent relays, and forwards a signature received from an adjacent relay to the other adjacent relays. Whether a signature received from an adjacent relay is forwarded to other adjacent relays is decided by the determination results of the packet count determination unit 15a and the consecutive-exceed count determination unit 15b described below.
The packet count determination unit 15a is the processing unit that determines whether the number of packets per unit time satisfying the condition of a signature received by the signature communication unit 14 has exceeded a prescribed threshold. Specifically, based on the statistical information provided by the packet acquisition unit 12, it obtains, for each unit time, the packets that satisfy the signature condition and determines whether their number has exceeded the prescribed threshold.
The consecutive-exceed count determination unit 15b is the processing unit that, when the packet count determination unit 15a has determined that the prescribed threshold was exceeded, determines whether the number of consecutive unit times in which the prescribed threshold was exceeded has itself exceeded a set value. When the number of consecutive exceedances has exceeded the set value, the consecutive-exceed count determination unit 15b instructs the signature communication unit 14 to forward the signature received from the adjacent relay to the other adjacent relays. On receiving this instruction, the signature communication unit 14 selects the adjacent relays other than the one that sent the signature to it, and sends the signature to the selected adjacent relays.
In Fig. 2, the filter unit 16 is the processing unit that receives the packets received by the network interface unit 11 and controls, according to the signature list 16a, whether each packet passes (is output from the network interface unit 11). Specifically, for each input packet it determines which of the false signatures, legitimate signatures and suspicion signatures registered in the signature list 16a the packet corresponds to (or whether it corresponds to none), and controls the passage of the packet according to the corresponding signature.
In more detail, the filter unit 16 puts packets corresponding to a false signature into an illegal queue for handling illegal packets, packets corresponding to a suspicion signature into a suspicion queue for suspected users, and packets corresponding to a legitimate signature or to no signature at all into a legal queue for legitimate users. The filter unit 16 then outputs packets in the legal queue from the network interface unit 11 without limiting the transmission band, while packets in the suspicion queue and the illegal queue are output under the transmission band limit value expressed by the respective signature (the signature selected as satisfying the condition).
In addition, when the detection attributes and the like of a signature registered in the signature list 16a satisfy a prescribed release criterion, the filter unit 16 releases the signature that satisfied the prescribed release criterion and stops controlling packet passage according to the released signature.
[Processing upon detection of an attack-suspicion packet]
Next, with reference to Fig. 6, the operation of the relay 10 when an attack-suspicion packet is detected is described. Fig. 6 is a flowchart of the processing procedure upon detection of an attack-suspicion packet.
As shown in the figure, when the attack detection unit 13 of the relay 10 detects attack-suspicion traffic according to the attack suspicion detection condition table 13a shown in Fig. 3 (step S1), it generates a suspicion signature and a legitimate signature (step S2).
The attack detection unit 13 then registers the generated suspicion signature and legitimate signature in the signature list 16a of the filter unit 16 (step S3). The signature communication unit 14 then sends the signature and related data generated by the attack detection unit 13 (in this embodiment 1, the suspicion signature and the legitimate condition) to the adjacent relays (step S4).
[Processing upon reception of a signature]
Next, with reference to Fig. 7, the operation of the relay 10 when a signature is received is described. Fig. 7 is a flowchart of the processing procedure upon reception of a signature.
As shown in the figure, when the signature communication unit 14 of the relay 10 receives a signature and related data sent from an adjacent relay (in this embodiment 1, the suspicion signature and the legitimate condition) (step S11), the attack detection unit 13 generates a legitimate signature from the legitimate condition received by the signature communication unit 14 (step S12).
The attack detection unit 13 then registers the suspicion signature received from the adjacent relay and the legitimate signature generated above in the signature list 16a of the filter unit 16 (step S13). Afterwards, the packet count determination unit 15a, based on the statistical information provided by the packet acquisition unit 12, obtains for each unit time the packets satisfying the condition of the suspicion signature registered in the signature list 16a, and determines whether their number has exceeded the prescribed threshold (step S14).
If the prescribed threshold has been exceeded (step S14: yes), the consecutive-exceed count determination unit 15b determines whether the number of consecutive unit times in which the prescribed threshold was exceeded has exceeded the set value (step S15). If the number of consecutive exceedances has exceeded the set value (step S15: yes), the signature communication unit 14 sends the received suspicion signature and legitimate condition to the adjacent relays (step S16). That is, it selects the adjacent relays other than the one that sent the signature to it, and sends the signature to the selected adjacent relays.
If the packet count has not exceeded the prescribed threshold in step S14 (step S14: no), or if the number of consecutive exceedances has not exceeded the set value in step S15 (step S15: no), the processing that forwards the signature received from the adjacent relay to the other adjacent relays (the processing of step S16) is not carried out.
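The forwarding decision of steps S14 to S16 (the determination units 15a and 15b of Fig. 2), as an added Python illustration; this is not the patent's own program. The class and attribute names, the thresholds and the per-unit-time packet counts are constructed: the counts stand in for the statistical information the packet acquisition unit 12 would provide, and forwarding a given signature once rather than again at every later unit time is an assumption of this example that the description leaves open.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class ReceivedSignature:
    """A suspicion signature received from an adjacent relay (steps S11/S13)."""
    condition: dict            # matching condition of the signature
    sender: str                # adjacent relay it was received from
    consecutive_over: int = 0  # consecutive unit times over the packet threshold
    forwarded: bool = False    # example assumption: forward once, not at every later unit time


class ForwardingRelay:
    """Decides, per unit time, whether a received signature is forwarded (steps S14-S16)."""

    def __init__(self, neighbors: List[str], packet_threshold: int, consecutive_threshold: int):
        self.neighbors = list(neighbors)                    # adjacent relays
        self.packet_threshold = packet_threshold            # prescribed threshold of unit 15a
        self.consecutive_threshold = consecutive_threshold  # set value of unit 15b
        self.signatures: Dict[str, ReceivedSignature] = {}

    def on_signature(self, sig_id: str, condition: dict, sender: str) -> None:
        """Register a signature received from the adjacent relay `sender`."""
        self.signatures[sig_id] = ReceivedSignature(condition, sender)

    def on_unit_time(self, sig_id: str, matching_packets: int) -> List[str]:
        """`matching_packets` is the number of packets in this unit time that satisfied the
        signature condition. Returns the adjacent relays the signature is forwarded to,
        or [] when it is not forwarded."""
        sig = self.signatures[sig_id]
        if matching_packets <= self.packet_threshold:       # S14: no
            sig.consecutive_over = 0                        # the run of exceedances is broken
            return []
        sig.consecutive_over += 1                           # S14: yes
        if sig.consecutive_over <= self.consecutive_threshold or sig.forwarded:   # S15: no
            return []
        sig.forwarded = True                                # S15: yes
        return [n for n in self.neighbors if n != sig.sender]   # S16: all but the sender


if __name__ == "__main__":
    relay = ForwardingRelay(["B", "C", "D"], packet_threshold=100, consecutive_threshold=3)
    relay.on_signature("sig-1", {"dst": "192.168.1.1/32"}, sender="B")
    for count in (150, 200, 50, 150, 150, 150, 150):
        print(count, relay.on_unit_time("sig-1", count))
```

A single unit time below the threshold resets the run, so three exceedances must arrive back to back before the fourth triggers forwarding; setting `consecutive_threshold` to 0 gives the immediate variant mentioned under the other embodiments.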
[Processing upon detection of an illegal packet]
Next, with reference to Fig. 8, the operation of the relay 10 when an illegal packet is detected is described. Fig. 8 is a flowchart of the processing procedure upon detection of an illegal packet.
As shown in the figure, when the attack detection unit 13 of the relay 10 detects illegal traffic according to the illegal traffic condition detection table 13b shown in Fig. 4 and the like (step S21), it generates a false signature (step S22). The attack detection unit 13 then registers the generated false signature in the signature list 16a of the filter unit 16 (step S23).
[Processing during packet control]
Next, with reference to Fig. 9, the operation of the relay 10 when controlling packets is described. Fig. 9 is a flowchart of the processing procedure during packet control.
As shown in the figure, when a packet is input from the network interface unit 11, the filter unit 16 determines whether it matches a false signature registered in the signature list 16a (step S31). If it matches a false signature (step S31: yes), the filter unit 16 puts the packet into the illegal queue for handling illegal packets (step S32).
Conversely, if it does not match a false signature (step S31: no), the filter unit 16 determines whether the input packet matches a legitimate signature registered in the signature list 16a (step S33). If it matches a legitimate signature (step S33: yes), the filter unit 16 puts the packet into the legal queue for legitimate users (step S34).
If it does not match a legitimate signature either (step S33: no), the filter unit 16 determines whether the input packet matches a suspicion signature registered in the signature list 16a (step S35). If it matches a suspicion signature (step S35: yes), the filter unit 16 puts the packet into the suspicion queue for suspected users (step S36). Conversely, if it does not match a suspicion signature (step S35: no), the filter unit 16 puts the packet into the legal queue (step S37).
The filter unit 16 then outputs the packets of each queue: packets in the legal queue are output from the network interface unit 11 without limiting the transmission band, while packets in the suspicion queue and the illegal queue are output under the transmission band limit value expressed by the respective signature. A plurality of false signatures, legitimate signatures and suspicion signatures may each be registered in the signature list 16a. When the detection attributes and the like of a registered signature satisfy the prescribed criterion, the filter unit 16 releases the signature that satisfied the prescribed criterion and stops controlling packet passage according to the released signature.
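Signature generation as described for the attack detection unit 13 (the AND of each Fig. 5 record with the suspicion signature, and the false signature narrowed to an illegal source range) together with the queue selection of steps S31 to S37, as an added Python illustration; this is not the patent's own program. The suspicion signature and the two legitimate conditions are those of the Fig. 3 and Fig. 5 example quoted earlier, while the `Signature` class, the attribute names, the illegal source range 203.0.113.0/24 and the band limit values are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Signature kinds (names constructed for this example)
FALSE, LEGITIMATE, SUSPICION = "false", "legitimate", "suspicion"


@dataclass
class Signature:
    kind: str                                # FALSE, LEGITIMATE or SUSPICION
    cond: Dict[str, object]                  # attribute -> required value; addresses as CIDR
    band_limit_kbps: Optional[int] = None    # transmission band limit value (restricting kinds)


def _in_prefix(addr: Optional[str], prefix: str) -> bool:
    """Address attributes are compared as CIDR prefixes (a bare address means /32)."""
    if addr is None:
        return False
    return ipaddress.ip_address(addr) in ipaddress.ip_network(prefix, strict=False)


def matches(cond: Dict[str, object], packet: Dict[str, object]) -> bool:
    """A packet satisfies a condition when every attribute the condition names agrees."""
    for key, want in cond.items():
        if key in ("src", "dst"):
            if not _in_prefix(packet.get(key), want):
                return False
        elif packet.get(key) != want:
            return False
    return True


def legitimate_signatures(suspicion: Dict[str, object],
                          lawful_conditions: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """AND each record of the legitimate-condition table with the suspicion signature."""
    return [{**suspicion, **record} for record in lawful_conditions]


def false_signature(suspicion: Dict[str, object], illegal_src_range: str) -> Dict[str, object]:
    """Narrow the suspicion signature to the detected illegal source address range."""
    return {**suspicion, "src": illegal_src_range}


def classify(packet: Dict[str, object], signature_list: List[Signature]) -> Tuple[str, Optional[int]]:
    """Steps S31-S37: a false-signature match wins over a legitimate match, which wins over a
    suspicion match; anything else is legal traffic. Returns (queue, band limit in kbps),
    the limit being None for the unrestricted legal queue."""
    for kind, queue in ((FALSE, "illegal"), (LEGITIMATE, "legal"), (SUSPICION, "suspicion")):
        for sig in signature_list:
            if sig.kind == kind and matches(sig.cond, packet):
                return queue, (None if queue == "legal" else sig.band_limit_kbps)
    return "legal", None


def build_example_list() -> List[Signature]:
    """Constructed signature list: the Fig. 3 record 1 suspicion signature, the Fig. 5
    legitimate conditions, and an illegal source range chosen for this example."""
    suspicion = {"dst": "192.168.1.1/32", "protocol": "TCP", "port": 80}
    lawful = [{"src": "172.16.10.24"}, {"tos": 0x01}]
    sigs = [Signature(FALSE, false_signature(suspicion, "203.0.113.0/24"), band_limit_kbps=64)]
    sigs += [Signature(LEGITIMATE, c) for c in legitimate_signatures(suspicion, lawful)]
    sigs.append(Signature(SUSPICION, suspicion, band_limit_kbps=512))
    return sigs


if __name__ == "__main__":
    sigs = build_example_list()
    for pkt in ({"src": "172.16.10.24", "dst": "192.168.1.1", "protocol": "TCP", "port": 80, "tos": 0},
                {"src": "198.51.100.7", "dst": "192.168.1.1", "protocol": "TCP", "port": 80, "tos": 0},
                {"src": "203.0.113.9", "dst": "192.168.1.1", "protocol": "TCP", "port": 80, "tos": 1}):
        print(pkt["src"], "->", classify(pkt, sigs))
```

The third sample packet satisfies a legitimate signature (TOS=0x01) but comes from the illegal source range, and the S31-first ordering sends it to the illegal queue; a legitimate signature only rescues traffic that no false signature covers.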
[Effects of embodiment 1]
As described above, according to embodiment 1, the packets satisfying the condition of a signature received from an adjacent relay are monitored to determine whether an attack is present, and the signature is forwarded to other adjacent relays only when an attack is determined. This avoids sending a suspicion signature to every relay 10 on the network, reduces the processing load of each relay 10 on the network, and allows the processing related to packet restriction to be carried out efficiently.
Further, according to embodiment 1, an attack is determined when the number of packets per unit time satisfying the condition of the signature received from the adjacent relay has exceeded the prescribed threshold, so the presence or absence of an attack can be judged objectively and reliably. In more detail, an attack is not determined immediately when the packet count per unit time satisfying the signature condition exceeds the prescribed threshold; it is determined only when the number of consecutive exceedances of the prescribed threshold exceeds the set value, so the presence or absence of an attack can be judged still more reliably.
Further, according to embodiment 1, since the signature is forwarded to the adjacent relays other than the one that sent it, the signature is not sent back to a relay 10 that is already performing the processing related to packet restriction; this reduces the processing load of each relay 10 on the network and allows the processing related to packet restriction to be carried out efficiently.
[Other embodiments]
Embodiment 1 of the present invention has been described above, but the present invention can also be implemented in various forms other than embodiment 1.
For example, in embodiment 1 an attack was determined when the packet count per unit time satisfying the signature condition exceeded the prescribed threshold and the number of consecutive exceedances of the prescribed threshold exceeded the set value; however, the invention is not limited to this, and an attack may be determined immediately when the packet count per unit time exceeds the prescribed threshold. That is, the attack determination method described in embodiment 1 is only an example; the invention is not limited to it and applies equally when other attack determination methods are adopted.
Further, each component of each illustrated device (for example, the relay 10 of Fig. 1) is a functional concept and need not be physically configured as shown. That is, the concrete form of distribution and integration of the relay 10 is not limited to the illustration; all or part of the relay 10 may be distributed or integrated functionally or physically in arbitrary units according to the various loads, usage conditions and the like. All or any part of the processing functions performed by the relay 10 may be realized by a CPU and a program analyzed and executed by that CPU, or as hardware using wired logic.
Further, of the processing described in embodiment 1, all or part of the processing described as automatic may be performed manually, and all or part of the processing described as manual may be performed automatically by known methods. In addition, the processing procedures, control procedures, concrete names and information including various data and parameters shown in the description and drawings (for example, the contents of the attack suspicion detection condition table, the illegal traffic detection condition table and the legitimate condition table) may be changed arbitrarily unless otherwise specified.
In embodiment 1, each device realizing the present invention (for example, the relay 10) was described from the functional aspect, but each function of each device may also be realized by executing a program on a personal computer, a workstation or the like. That is, the various processing procedures described in embodiment 1 can be realized by executing a program prepared in advance on a computer. These programs may be distributed over a network such as the Internet, or recorded on a computer-readable recording medium such as a hard disk, a floppy disk (FD), a CD-ROM, an MO or a DVD and read out and executed by a computer from the recording medium. For example, a CD-ROM storing the relay program shown in embodiment 1 may be distributed, and each computer reads and executes the program stored on that CD-ROM.
Embodiment 2
Embodiment 2 describes the case in which signature transmission processing is limited by using the generation identifying information of a signature. Below, the main terms used in embodiment 2, the problems of the prior art, the outline and features of the network attack defending system, the configuration and processing of the relay, and the effects of embodiment 2 are described in order, and finally various modifications of embodiment 2 are described.
[Explanation of terms]
First, the main terms used in embodiment 2 are explained. A "suspicion signature" in embodiment 2 is a signature for restricting packets suspected of being an attack (attack-suspicion packets); specifically, it is made up of attributes expressing the features of the attack-suspicion packets whose passage is restricted (for example, destination IP address, protocol, destination port number and the like) and restriction contents (for example, restriction information used to limit the band when the particular packets flow in).
A "legitimate signature" in embodiment 2 is a signature for permitting the passage of those packets corresponding to the suspicion signature that are not regarded as an attack (legal packets, i.e. the packets of legitimate users' communications); specifically, it is made up of attributes expressing the features of the legal packets whose passage is permitted (for example, source IP address, class of service (COS), destination IP address, protocol, destination port number and the like).
A "false signature" in embodiment 2 is a signature for restricting the illegal packets contained in illegal traffic (packets satisfying the illegal traffic condition); specifically, it is made up of the source IP address of the illegal packets and the like.
"Identifying information" in embodiment 2 (corresponding to the "generation identifying information" in the claims) is information that uniquely identifies the generation of a signature; specifically, it is made up of an identifier uniquely identifying the relay that generated the signature (for example, an identifier made up of an engine type, an engine ID and a node ID) and an identifier uniquely identifying each of the plural suspicion signatures generated by that relay (for example, a generation number assigned sequentially).
A "downstream node" in embodiment 2 (corresponding to the "relay source information" in the claims) is information that, in a relay which receives a signature from an adjacent relay and forwards it to other adjacent relays, designates the adjacent relay that was the immediate relay source of the signature (that is, which relay the signature was received from); specifically, it is made up of the address of that adjacent relay.
An "upstream node" in embodiment 2 (corresponding to the "relay destination information" in the claims) is information that, in a relay which receives a signature from an adjacent relay and forwards it to other adjacent relays, designates the adjacent relays that are the immediate relay destinations of the signature (that is, which relays the signature was sent to); specifically, it is made up of the addresses of those adjacent relays. A signature always has exactly one relay source (downstream node), whereas it may have a plurality of relay destinations (upstream nodes).
[Problems of the prior art]
In the prior art, because a signature is sent to adjacent relays, some relay may, depending on the adjacency relations of the relays in the network attack defending system, receive the same signature from different adjacent relays. In such a relay, processing based on the duplicated signature is carried out, so the problem arises that the processing related to packet restriction based on signatures cannot be carried out effectively. This problem is explained concretely below using Fig. 24 and Fig. 25, which illustrate a prior-art network attack defending system.
As shown in Fig. 24, when the relay 109-1 detects that two communication terminals 130 are carrying out a DDoS attack on the server 120 on the network (see (1) in the figure), it sends a signature to the relay 109-2 and the relay 109-3, which are its adjacent relays (see (2) in the figure). The relay 109-2, having received the signature from its adjacent relay 109-1, processes packets according to the received signature and sends the signature to its adjacent relay 109-3. Likewise, the relay 109-3, having received the signature from its adjacent relay 109-1, processes packets according to the received signature and sends the signature to its adjacent relay 109-2 (see (3) in the figure). In the example of Fig. 24, a relay 109 that receives a signature from an adjacent relay does not send the signature back to the adjacent relay that sent it.
When signatures are sent in this way, in the example of Fig. 24 the relay 109-3 receives the same signature from both of its adjacent relays 109-1 and 109-2. Likewise, the relay 109-2 also receives the same signature from both of its adjacent relays 109-1 and 109-3. As a result, the relays 109-2 and 109-3 perform packet control processing based on the duplicated signature, and the processing related to packet restriction based on signatures cannot be carried out effectively.
Further, as shown in Fig. 25, when the relay 109-1 detects that two communication terminals 130 are carrying out a DDoS attack on the server 120 on the network (see (1) in the figure), it sends a signature to the relays 109-2 and 109-3, which are its adjacent relays (see (2) in the figure). The relays 109-2 and 109-3, having received the signature from their adjacent relay 109-1, each process packets according to the received signature and send the signature to the relay 109-4, which is adjacent to each of them (see (3) in the figure).
When signatures are sent in this way, in the example of Fig. 25 the relay 109-4 receives the same signature from both of its adjacent relays 109-2 and 109-3. As a result, in the relays 109-2 and 109-3, packet control processing based on the duplicated signature is performed, and the processing related to packet restriction based on signatures cannot be carried out effectively.
Embodiment 2 is made to solve the above problem of the prior art, and its purpose is to provide a relay, relay method, relay program and network attack defending system that avoid the duplicate registration or duplicate transmission of signatures and can effectively carry out packet control based on signatures.
[Outline and features of the system]
The outline and features of the network attack defending system of embodiment 2 are described below using Fig. 10. Fig. 10 is a system configuration diagram showing the configuration of the network attack defending system of embodiment 2.
As shown in the figure, this network attack defending system 100a has a plurality of relays 110 on the network. Connected to this network are servers 120, computers that become the target of DoS attacks and DDoS attacks, and communication terminals 130, computers capable of carrying out such DoS attacks and DDoS attacks. Below, when the individual relays 110 are distinguished they are denoted relay 110-1 to relay 110-7, the individual servers 120 are denoted server 120-1 or server 120-2, and the individual communication terminals 130 are denoted communication terminal 130-1 to communication terminal 130-5.
First, the basic functions of the relay 110 are described. When the relay 110 detects that at least one of the communication terminals 130 is carrying out a DoS attack or a DDoS attack on a server 120 on the network, it generates signatures for controlling the passage of packets (a suspicion signature and a false signature) and generates a legitimate signature for permitting the passage of packets. The relay 110 then registers the signatures it generated (the suspicion signature, the false signature and the legitimate signature) in its signature list.
The relay 110 also sends the generated suspicion signature (together with the legitimate condition used to generate the legitimate signature) to its adjacent relays. The relay 110 does so not only immediately after generating the suspicion signature: when the suspicion signature has to be resent because of a transmission error, a content update or the like, it again sends the suspicion signature and related data to its adjacent relays.
On the other hand, when the relay 110 receives a suspicion signature and related data from an adjacent relay, it in principle generates a legitimate signature from the legitimate condition, registers the received suspicion signature and the generated legitimate signature in its signature list, and then sends the received suspicion signature and legitimate condition to its other adjacent relays. As for adjacent relays, in Fig. 10 for example the adjacent relays of the relay 110-3 are the relays 110-1, 110-2, 110-4 and 110-7, and the relay 110-3 has no adjacency relation with the relays 110-5 and 110-6. This adjacency relation does not mean physical adjacency.
Thus, in the network attack defending system 100a of Fig. 10, each relay 110 that receives a signature repeats the signature transmission, so that all relays 110 on the network register the same suspicion signature and legitimate signature in their signature lists. Each relay 110 then controls the passage of packets according to the signatures registered in its signature list. That is, packets corresponding to a false signature or a suspicion signature are passed with a limited transmission band or discarded, while packets corresponding to a legitimate signature or to no signature are permitted to pass without limiting the transmission band.
In addition to the basic functions described above, the relay 110 of embodiment 2 has the following principal feature: it determines whether a signature received from an adjacent relay is already registered in its signature list, and only if it is not yet registered does it register the signature in the signature list and send it to its adjacent relays. Duplicate registration and duplicate transmission of a signature received from an adjacent relay are thereby avoided, and packet control based on signatures can be carried out effectively.
The functions the relay 110 has in order to realize this principal feature are as follows. The relay 110 that detects the suspected attack generates a suspicion signature for restricting the attack-suspicion packets and identifying information that uniquely identifies the generation of the suspicion signature. It registers the suspicion signature and the identifying information together in its signature list, and sends the generated suspicion signature (and legitimate condition) and identifying information to its adjacent relays. Following this relaying of the suspicion signature and identifying information, it registers in the signature list, together with the suspicion signature and identifying information, the upstream nodes designating the adjacent relays that were the relay destinations. Then, when the suspicion signature has to be resent, it refers to this signature list and resends the signature carrying the same identifying information to the same adjacent relays as relay destinations.
On the other hand, the relay 110 that receives a suspicion signature and identifying information determines whether the identifying information of the received suspicion signature is already registered in its own signature list; if it is not yet registered, it registers the received suspicion signature and identifying information in the signature list and sends the suspicion signature and identifying information to its adjacent relays. Following this relaying of the suspicion signature and identifying information, it registers in the signature list, together with the suspicion signature and identifying information, the downstream node designating the adjacent relay that was the relay source and the upstream nodes designating the adjacent relays that were the relay destinations.
Conversely, if the identifying information of the received suspicion signature is already registered in the signature list, the relay 110 that receives the suspicion signature and related data further determines whether the downstream node registered with that identifying information is the same as the downstream node of the signature just received. If the downstream nodes are the same, it determines that this is a resend of the signature, overwrites the registration in the signature list with the received suspicion signature, and resends the signature to the other adjacent relays indicated by the upstream nodes registered in the signature list.
If, on the other hand, the downstream nodes in the above determination are not the same, the relay 110 that receives the suspicion signature and related data determines that this is not a resend of the signature; it neither registers (or overwrite-registers) the received suspicion signature in the signature list nor sends (or resends) it to other adjacent relays, but returns a registered notice, indicating that the signature is already registered, to the adjacent relay that is the downstream node of the received signature. The relay 110 that receives this registered notice from the adjacent relay then deletes the information (address) corresponding to that adjacent relay from the upstream nodes stored in its signature list.
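The identifying-information logic described above (registration with downstream and upstream nodes, resend on a matching downstream node, registered notice on a mismatch and deletion from the upstream nodes), as an added Python simulation; this is not the patent's own program. The relay names follow Fig. 10, but the adjacency table, the `GenerationId` fields, the FIFO message delivery and the sample signatures are constructed for this example, and the adjacency is chosen to reproduce the message flow of the concrete walkthrough that follows rather than the full topology of Fig. 10.

```python
from collections import deque
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class GenerationId:
    """Identifying information: generating relay (engine type, engine ID, node ID) + serial no."""
    engine_type: str
    engine_id: int
    node_id: str
    generation_no: int


@dataclass
class Entry:                                         # one row of a relay's signature list
    signature: dict
    downstream: Optional[str]                        # relay source; None if generated here
    upstream: Set[str] = field(default_factory=set)  # relay destinations


class Relay:
    def __init__(self, name: str, neighbors: List[str], network: "Network") -> None:
        self.name, self.neighbors, self.network = name, set(neighbors), network
        self.table: Dict[GenerationId, Entry] = {}
        self.generation_no = 0
        self.notices_sent = 0

    def detect(self, signature: dict) -> GenerationId:
        """Detecting relay: identify the generation, register every adjacent relay as an
        upstream node and send the signature to them."""
        self.generation_no += 1
        ident = GenerationId("relay", 1, self.name, self.generation_no)
        self.table[ident] = Entry(signature, None, set(self.neighbors))
        self.resend(ident, signature)
        return ident

    def resend(self, ident: GenerationId, signature: dict) -> None:
        """(Over)write the registration and send only to the registered upstream nodes."""
        entry = self.table[ident]
        entry.signature = signature
        for n in sorted(entry.upstream):
            self.network.send(self.name, n, ident, signature)

    def receive(self, sender: str, ident: GenerationId, signature: dict) -> None:
        entry = self.table.get(ident)
        if entry is None:
            # Not yet registered: register, then forward to every adjacent relay but the sender.
            targets = self.neighbors - {sender}
            self.table[ident] = Entry(signature, sender, set(targets))
            for n in sorted(targets):
                self.network.send(self.name, n, ident, signature)
        elif entry.downstream == sender:
            # Same downstream node: a resend. Overwrite and pass it on to the upstream nodes.
            self.resend(ident, signature)
        else:
            # Different downstream node: a duplicate. Do not register or forward; the
            # registered notice makes the sender drop this relay from its upstream nodes.
            self.notices_sent += 1
            self.network.notify(self.name, sender, ident)

    def on_registered_notice(self, sender: str, ident: GenerationId) -> None:
        self.table[ident].upstream.discard(sender)


class Network:
    """FIFO message delivery between relays (constructed for this example)."""
    def __init__(self, adjacency: Dict[str, List[str]]) -> None:
        self.queue: deque = deque()
        self.relays = {name: Relay(name, nbrs, self) for name, nbrs in adjacency.items()}

    def send(self, src, dst, ident, signature):
        self.queue.append(("signature", src, dst, ident, signature))

    def notify(self, src, dst, ident):
        self.queue.append(("notice", src, dst, ident, None))

    def run(self) -> Tuple[int, int]:
        """Deliver everything queued; returns (signature deliveries, notice deliveries)."""
        sigs = notices = 0
        while self.queue:
            kind, src, dst, ident, signature = self.queue.popleft()
            if kind == "signature":
                self.relays[dst].receive(src, ident, signature)
                sigs += 1
            else:
                self.relays[dst].on_registered_notice(src, ident)
                notices += 1
        return sigs, notices


# Constructed adjacency reproducing the message flow of the Fig. 10 walkthrough.
ADJACENCY = {"110-1": ["110-2", "110-3"], "110-2": ["110-1", "110-4"],
             "110-3": ["110-1", "110-4", "110-7"], "110-4": ["110-2", "110-3", "110-5", "110-6"],
             "110-5": ["110-4"], "110-6": ["110-4"], "110-7": ["110-3"]}


def walkthrough():
    """Relay 110-1 detects and everyone relays once; then 110-1 resends an updated signature."""
    net = Network(ADJACENCY)
    sig = {"dst": "192.168.1.1/32", "protocol": "TCP", "port": 80}
    ident = net.relays["110-1"].detect(sig)
    first = net.run()                                 # (8 signature deliveries, 2 notices)
    net.relays["110-1"].resend(ident, {**sig, "limit_kbps": 256})
    second = net.run()                                # (6, 0): no duplicates on the resend
    return net, ident, first, second
```

In the first round the relay 110-4, having registered the signature from 110-2, receives it again from 110-3 and replies with a registered notice, and 110-3 does the same for the copy 110-4 forwarded to it; after the two notices the upstream nodes of 110-3 are {110-7} and those of 110-4 are {110-5, 110-6}. The resend therefore reaches each of the other six relays exactly once, which is the point of keeping the upstream nodes per identifying information.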
A concrete example realizing the above principal feature is described below using Fig. 10. As shown in the figure, suppose for example that the communication terminals 130-4 and 130-5 carry out a DoS attack on the server 120-1 and the relay 110-1 detects the suspected attack. The relay 110-1 generates a suspicion signature for restricting the attack-suspicion packets and identifying information, registers the suspicion signature and identifying information together in its signature list, and sends the generated suspicion signature (and legitimate condition) and identifying information to its adjacent relays 110-2 and 110-3. Following this relaying of the suspicion signature and identifying information, it registers the addresses of the relays 110-2 and 110-3 in its signature list as upstream nodes (see (1) and (2) of Fig. 10).
On the other hand, when the relays 110-2 and 110-3 receive the suspicion signature and identifying information from the relay 110-1, they determine whether the identifying information of the received suspicion signature is already registered in their own signature lists; here the identifying information is not yet registered, so they register the received suspicion signature and identifying information in their signature lists and send the suspicion signature and identifying information to their adjacent relays. That is, the relay 110-2 sends the suspicion signature and identifying information to the relay 110-4, and the relay 110-3 sends them to the relays 110-4 and 110-7 (see (3) and (4) in the figure).
Following this relaying of the suspicion signature and identifying information, the relays 110-2 and 110-3 register the downstream node and upstream node information in their signature lists. That is, the relay 110-2 registers the address of the relay 110-1 as downstream node and the address of the relay 110-4 as upstream node, and the relay 110-3 registers the address of the relay 110-1 as downstream node and the addresses of the relays 110-4 and 110-7 as upstream nodes.
Next, when the relay 110-7 receives the suspicion signature and identifying information from the relay 110-3, the identifying information of the received suspicion signature is not yet registered in its own signature list, so, like the relays 110-2 and 110-3 above, it registers the received suspicion signature and identifying information in its signature list; however, since it has no other adjacent relay, it does not send the suspicion signature and identifying information to any adjacent relay. Accordingly, the relay 110-7 registers no upstream node, but registers the address of the relay 110-3 in its signature list as downstream node (see (5) in the figure).
On the other hand, when the relay 110-4 receives the suspicion signature and identifying information from the relay 110-2, for example earlier than from the relay 110-3, the identifying information of the received suspicion signature is not yet registered in its own signature list, so, like the relays 110-2 and 110-3 above, it registers the received suspicion signature and identifying information in its signature list and sends the suspicion signature and identifying information to its adjacent relays 110-3, 110-5 and 110-6. The relay 110-4 then registers the address of the relay 110-2 in its signature list as downstream node and the addresses of the relays 110-3, 110-5 and 110-6 as upstream nodes (see (6) and (7) in the figure).
Then, relay 110-5 and relay 110-6 are when receiving suspicion signature and identifying information from relay 110-4, because the identifying information of the suspicion that is received signature is also unregistered in the signature list of oneself, thereby it is the same with above-mentioned relay 110-7, the suspicion signature and the identifying information that are received are registered in the signature list, yet because, thereby can not send to this suspicion signature and identifying information in abutting connection with relay not in abutting connection with relay.Then, although relay 110-5 and relay 110-6 do not register upstream node, yet the address of relay 110-4 is registered in (with reference to (8) of this figure) in the signature list as downstream node.
Further, when relay 110-4 in the above example, after receiving the suspicion signature and identifying information from relay 110-2, also receives the same suspicion signature and identifying information from relay 110-3, the identifying information of the received suspicion signature is already registered in its own signature list, and the downstream node registered for that identifying information (relay 110-2) differs from the downstream node of the presently received signature (relay 110-3). Relay 110-4 therefore neither registers (or overwrites) the received suspicion signature in its signature list nor sends (or resends) it to other adjacent relays, but returns a registered notification, indicating that this signature is already registered, to relay 110-3, the downstream node of the received signature. Relay 110-3, on receiving this registered notification from relay 110-4, deletes the address of relay 110-4 from the upstream nodes stored for this signature in its signature list.
Likewise, when relay 110-3 in the above example also receives the same suspicion signature and identifying information from relay 110-4, the identifying information of the received suspicion signature is already registered in its own signature list, and the downstream node registered for that identifying information (relay 110-1) differs from the downstream node of the presently received signature (relay 110-4). Relay 110-3 therefore neither registers (or overwrites) the received suspicion signature in its signature list nor sends (or resends) it to other adjacent relays, but returns a registered notification, indicating that this signature is already registered, to relay 110-4, the downstream node of the received signature. Relay 110-4, on receiving this registered notification from relay 110-3, deletes the address of relay 110-3 from the upstream nodes stored for this signature in its signature list (the addresses of relays 110-3, 110-5 and 110-6).
When relay 110-4 in the above example, after receiving the suspicion signature and identifying information from relay 110-2, again receives a suspicion signature composed of the same identifying information from relay 110-2, the identifying information of the received suspicion signature is already registered in its own signature list, and the downstream node registered for that identifying information (relay 110-2) is identical to the downstream node of the presently received signature (relay 110-2). Relay 110-4 therefore judges that this is a resend of the signature, overwrites the received suspicion signature into its signature list, and resends the suspicion signature to relays 110-5 and 110-6, indicated by the upstream nodes (the addresses of relays 110-5 and 110-6) registered in its signature list.
As described above, in the network attack defending system shown in Figure 10, each relay judges whether a signature received from an adjacent relay is already registered in its signature list, and registers the signature in its signature list and sends it to adjacent relays only when it is not yet registered. In the above example this avoids duplicate registration and duplicate sending of the signature at relays 110-4 and 110-3, so that signature-based packet control can be performed efficiently.
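The relaying and duplicate suppression described above, as an added example in Python that is not part of the patent: the adjacency of the Figure 10 network is reconstructed from the relaying order the text describes, messages are delivered in FIFO order so that relay 110-4 receives the signature from 110-2 before 110-3, and the suspicion signature and its identifying information are constructed values.

```python
from collections import deque
from dataclasses import dataclass, field

# Adjacency of the Figure 10 network, reconstructed from the relaying order the text
# describes (the figure itself is not reproduced on the page).
ADJACENCY = {
    "110-1": ["110-2", "110-3"],
    "110-2": ["110-1", "110-4"],
    "110-3": ["110-1", "110-4", "110-7"],
    "110-4": ["110-2", "110-3", "110-5", "110-6"],
    "110-5": ["110-4"],
    "110-6": ["110-4"],
    "110-7": ["110-3"],
}

@dataclass
class Entry:
    """One row of a relay's signature list: the signature plus its downstream and upstream nodes."""
    signature: dict
    downstream: str                               # adjacent relay it came from; None at the source
    upstream: list = field(default_factory=list)  # adjacent relays it was relayed to

class Relay:
    def __init__(self, name, network):
        self.name = name
        self.net = network
        self.table = {}  # identifying information -> Entry

    def neighbours(self):
        return ADJACENCY[self.name]

    def generate(self, sig_id, signature):
        """Attack detected locally: register the signature and send it to every adjacent relay."""
        self.table[sig_id] = Entry(signature, None, list(self.neighbours()))
        for n in self.neighbours():
            self.net.send(self.name, n, ("SIG", sig_id, signature))

    def resend(self, sig_id):
        """Resend an own signature to the upstream nodes still registered for it."""
        entry = self.table[sig_id]
        for n in entry.upstream:
            self.net.send(self.name, n, ("SIG", sig_id, entry.signature))

    def on_signature(self, sender, sig_id, signature):
        entry = self.table.get(sig_id)
        if entry is None:
            # Not yet registered: register with the sender as downstream node and relay to
            # the remaining adjacent relays, which become the upstream nodes.
            others = [n for n in self.neighbours() if n != sender]
            self.table[sig_id] = Entry(signature, sender, others)
            for n in others:
                self.net.send(self.name, n, ("SIG", sig_id, signature))
            return "registered"
        if entry.downstream == sender:
            # Same downstream node: a resend. Overwrite and relay to the upstream nodes.
            entry.signature = signature
            for n in entry.upstream:
                self.net.send(self.name, n, ("SIG", sig_id, signature))
            return "resent"
        # Registered via a different downstream node: neither register nor relay, only notify.
        self.net.send(self.name, sender, ("REGISTERED", sig_id))
        return "notified"

    def on_registered(self, sender, sig_id):
        """Registered notification: drop the sender from the upstream nodes of that signature."""
        entry = self.table.get(sig_id)
        if entry is not None and sender in entry.upstream:
            entry.upstream.remove(sender)

class Network:
    """FIFO message delivery, so relay 110-4 hears from 110-2 before 110-3, as in the text."""
    def __init__(self):
        self.relays = {n: Relay(n, self) for n in ADJACENCY}
        self.queue = deque()

    def send(self, src, dst, msg):
        self.queue.append((src, dst, msg))

    def run(self):
        """Deliver until the network is quiet; return (src, dst, outcome) for every delivery."""
        results = []
        while self.queue:
            src, dst, msg = self.queue.popleft()
            if msg[0] == "SIG":
                results.append((src, dst, self.relays[dst].on_signature(src, msg[1], msg[2])))
            else:
                self.relays[dst].on_registered(src, msg[1])
                results.append((src, dst, "notice"))
        return results

def figure10_example():
    """Relay 110-1 detects the attack, floods the signature, then resends it once."""
    net = Network()
    sig_id = ("110-1", 1)  # constructed identifying information: (source relay, generation number)
    net.relays["110-1"].generate(sig_id, {"dst": "192.168.1.1/32", "Protocol": "TCP", "Port": 80})
    first_round = net.run()
    net.relays["110-1"].resend(sig_id)
    second_round = net.run()
    return net, first_round, second_round
```

After the first round, 110-4 holds only 110-5 and 110-6 as upstream nodes and 110-3 holds only 110-7, so the resend reaches every relay exactly once.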
In addition, relay 110 is a device that relays packets for the purpose of defending against attack packets; it may function as a router, for example, or as a bridge. Relay 110 may be connected to a management network used for managing relay 110 and the like, and signatures may be transmitted and received over the management network. The signatures sent by relay 110 are not limited to suspicion signatures; relay 110 may send other signatures, and may send both suspicion signatures and other signatures.
[Structure of the relay]
Next, the structure of relay 110 shown in Figure 10 is described using Figure 11. Figure 11 is a block diagram showing the structure of relay 110. As shown in the figure, relay 110 comprises: a network interface unit 111; a packet acquisition unit 112; an attack detection unit 113 (with an attack suspicion detection condition table 113a, an illegal traffic detection condition table 113b and a lawful condition table 113c); a signature communication unit 114; an identifying information determination unit 115; and a filter unit 116 (with a signature list 116a).
Relay 110 has a CPU (Central Processing Unit), memory, a hard disk and so on, and the packet acquisition unit 112, attack detection unit 113, signature communication unit 114, identifying information determination unit 115 and filter unit 116 may be program modules processed by the CPU. These program modules may be processed by a single CPU or distributed over a plurality of CPUs. A general-purpose OS such as Linux is installed on relay 110, and the packet filtering provided in the general-purpose OS may perform the function of the filter unit 116.
The attack detection unit 113 corresponds to the "signature generation unit" recited in the claims, the signature communication unit 114 likewise corresponds to the "signature communication unit", the identifying information determination unit 115 to the "signature registration determination unit", and the signature list 116a to the "signature storage unit".
In Figure 11, the network interface unit 111 is a unit that transmits and receives packets to and from communication equipment connected to the network; specifically, it is constituted by a network connection card or the like for connecting to a network such as a LAN (Local Area Network) or WAN (Wide Area Network). Although not shown in Figure 11, relay 110 may also have input devices such as a keyboard, mouse and microphone for receiving input of various information and instructions from the network administrator, and output devices such as a monitor (or display, touch panel) and loudspeaker for outputting various information.
The packet acquisition unit 112 is a processing unit that acquires the packets received by the network interface unit 111 and provides statistical information on the acquired packets to the attack detection unit 113 and the packet number determination unit 115a.
The attack detection unit 113 is a processing unit that performs attack detection and attack analysis on the basis of the statistical information provided by the packet acquisition unit 112 and, as shown in Figure 11, is connected to the attack suspicion detection condition table 113a, the illegal traffic detection condition table 113b and the lawful condition table 113c. The information stored in each of the tables 113a to 113c is described in detail first, and the processing of the attack detection unit 113 afterwards.
Figure 12 shows the information stored in the attack suspicion detection condition table 113a; more specifically, it shows an example of the "attack suspicion detection conditions" used to detect attack suspicion packets, that is, received packets that may be attack packets. As shown in the figure, the attack suspicion detection conditions consist of a plurality of records (three here), each combining a detection attribute, a detection threshold and a detection interval; when traffic matches the conditions of any one record, the packets of that traffic are identified as attack suspicion packets. For convenience, the records are designated by number.
The "detection attribute" of an attack suspicion detection condition specifies, for example, attributes of the IP header contained in an IP packet and attributes of the TCP or UDP header contained in the payload of the IP packet. Specifically, in Figure 12 the detection attribute of record 1 is specified by the combination of attribute values "Destination IP Address" equal to "192.168.1.1/32" (dst=192.168.1.1/32), "Protocol", indicating the upper-layer protocol (TCP or UDP) of IP, equal to "TCP" (Protocol=TCP), and "Destination Port", indicating which application the upper-layer protocol of IP carries, equal to "80" (Port=80).
The detection attribute of record 2 is specified by the combination of "Destination IP Address" equal to "192.168.1.2/32" (dst=192.168.1.2/32) and "Protocol" equal to "UDP (User Datagram Protocol)" (Protocol=UDP). Likewise, the detection attribute of record 3 is specified by the attribute "Destination IP Address" equal to "192.168.1.0/24".
The "detection threshold" of an attack suspicion detection condition specifies the minimum transmission band at which traffic of received packets having the detection attribute specified by the same record is detected as attack suspicion traffic, and the "detection interval" likewise specifies the minimum continuous duration. Although not shown in Figure 12, a detection attribute may also specify the combination of "Destination IP Address" set to unconditional (any) and "Protocol", indicating the upper-layer protocol of IP, equal to "ICMP (Internet Control Message Protocol)".
Figure 13 shows the information stored in the illegal traffic detection condition table 113b; more specifically, it shows an example of the "illegal traffic conditions" used to detect illegal traffic from the traffic of attack suspicion packets. As shown in the figure, the illegal traffic conditions consist of a plurality of traffic patterns of known DDoS attacks; when the traffic of attack suspicion packets matches any one pattern, it is identified as illegal traffic. For convenience, the records (patterns) are designated by number.
Specifically, illegal traffic condition 1 represents the traffic pattern "packets with a transmission band of T1 Kbps or more have been sent continuously for S1 seconds or more". Illegal traffic condition 2 represents the traffic pattern "packets of ICMP (Internet Control Message Protocol) Echo Reply messages with a transmission band of T2 Kbps or more have been sent continuously for S2 seconds or more". Illegal traffic condition 3 represents the traffic pattern "fragment packets, that is, packets indicating that the data contained in a packet was divided into a plurality of IP packets because the data was too long, with a transmission band of T3 Kbps or more have been sent continuously for S3 seconds or more".
Figure 14 shows the information stored in the lawful condition table 113c; more specifically, it shows an example of the "lawful conditions" representing packets sent from communication terminals 130 used by legitimate users. As shown in the figure, the lawful conditions consist of a plurality of records, each combining an attribute of an IP packet with its value. For convenience, the records (patterns) are designated by number.
Specifically, record 1 specifies the IP "Source IP Address" equal to "172.16.10.0/24" (src=172.16.10.0/24), and record 2 specifies the "Type of Service", representing the quality of service on IP, equal to "01 (hexadecimal)" (TOS=0x01). These lawful conditions are set with, for example, the source IP addresses of branch offices or affiliated companies of the company owning the server 120 to be defended, and the source IP addresses of networks whose users the owner of the LAN containing server 120 identifies as legitimate.
Returning to the description of Figure 11, when the attack detection unit 113 detects an attack from the statistical information provided by the packet acquisition unit 112, it generates a suspicion signature for restricting the packets (attack suspicion packets) of the attack suspicion traffic. Specifically, in accordance with the attack suspicion detection conditions shown in Figure 12, the attack detection unit 113 checks for traffic matching a detection attribute that continues, for longer than the time specified by the detection interval, at a transmission band at or above that specified by the detection threshold; when traffic matches any one record, it detects that traffic as attack suspicion traffic and generates, as the suspicion signature, the detection attribute of the record of the attack suspicion detection conditions satisfied by the detected traffic.
When it detects an attack, the attack detection unit 113 also generates legitimate signatures together with the suspicion signature. Specifically, referring to the lawful conditions shown in Figure 14, it takes the AND of the suspicion signature with each record of the lawful conditions and generates each result as a legitimate signature. A legitimate signature is a signature used to permit, within the suspicion signature, the legitimate packets that are the packets of legitimate users. For example, using Figures 12 and 14, the suspicion signature for packets detected by the condition of record 1 of Figure 12 is [dst=192.168.1.1/32, Protocol=TCP, Port=80], and the legitimate signatures obtained with Figure 14 are [src=172.16.10.24, dst=192.168.1.1/32, Protocol=TCP, Port=80] and [TOS=0x01, dst=192.168.1.1/32, Protocol=TCP, Port=80].
When the attack detection unit 113 detects traffic matching any pattern of the illegal traffic conditions shown in Figure 13, it generates a false signature for restricting the illegal traffic. Specifically, it designates the source IP addresses of the packets satisfying the detected illegal traffic condition as the illegal address range, and generates as the false signature the condition that matches both this illegal address range and the suspicion signature.
The suspicion signature, legitimate signatures and false signature generated by the attack detection unit 113 are registered in the signature list 116a (see Figure 15). The attack detection unit 113 also generates identifying information for uniquely identifying the generation of each signature and registers it in the signature list 116a together with the signature.
Here, the identifying information given to a signature is described with reference to Figure 16. Figure 16 shows an example of the identifying information given to a signature. As shown in the figure, the attack detection unit 113 generates identifying information composed of an identifier for uniquely identifying the relay 110 that is the generation source of the signature (for example, an identifier composed of engine type, engine ID and node ID) and an identifier for uniquely identifying each of the plurality of suspicion signatures generated by that relay (for example, a generation number assigned sequentially).
In Figure 11, the signature communication unit 114 is a processing unit that sends the signatures etc. generated by the attack detection unit 113 to the adjacent relays, receives the signatures sent from adjacent relays, registers a signature received from an adjacent relay in the signature list 116a, and then sends the signature received from the adjacent relay on to the other adjacent relays.
Specifically, when the attack detection unit 113 registers a signature and identifying information in the signature list 116a, the signature communication unit 114 sends the registered signature etc. together with the identifying information to the adjacent relays. Following this relaying of the signature and identifying information, the signature communication unit 114 registers in the signature list 116a, in association with the signature and identifying information, upstream nodes designating the adjacent relays that were the relay destinations (see Figure 15). When it is necessary to resend the suspicion signature etc., the signature communication unit 114 refers to the signature list 116a and resends the signature given the same identifying information to the same adjacent relays as relay destinations.
The signature communication unit 114 also performs the processing of registering a signature received from an adjacent relay in the signature list 116a and sending it to the other adjacent relays; this processing is performed according to the determination result of the identifying information determination unit 115 described below.
When the signature communication unit 114 receives a signature from an adjacent relay, the identifying information determination unit 115 judges whether the identifying information of the received signature is registered in the signature list 116a. When the identifying information determination unit 115 judges that it is not yet registered, the signature communication unit 114 registers the received signature and identifying information in the signature list 116a and sends the signature and identifying information to the adjacent relays. The signature communication unit 114 then registers in the signature list 116a, in association with the signature and identifying information, a downstream node designating the adjacent relay that was the relay source and upstream nodes designating the adjacent relays that were the relay destinations (see Figure 15).
Conversely, when the identifying information of the received signature is already registered in the signature list 116a, the identifying information determination unit 115 further judges whether the downstream node registered for that identifying information is identical to the downstream node of the presently received signature. When the identifying information determination unit 115 judges that the downstream nodes are identical, the signature communication unit 114 judges that this is a resend of the signature, overwrites the received signature into the signature list 116a, and resends the signature to the other adjacent relays indicated by the upstream nodes registered in the signature list 116a.
When, in the above judgment, the identifying information determination unit 115 judges that the downstream nodes differ, the signature communication unit 114 judges that this is not a resend of the signature: it neither registers (or overwrites) the received suspicion signature in the signature list 116a nor sends (or resends) it to the other adjacent relays, but returns a registered notification, indicating that this signature is already registered, to the adjacent relay that is the downstream node of the received signature. On the other hand, when the signature communication unit 114 receives such a registered notification from an adjacent relay, it deletes the information (address) corresponding to that adjacent relay from the upstream nodes stored in the signature list 116a.
In Figure 11, the filter unit 116 is a processing unit that receives the packets received by the network interface unit 111 and controls the passage of packets (their output from the network interface unit 111) according to the signature list 116a. Specifically, for each input packet it determines which, if any, of the "false signature", "legitimate signature" and "suspicion signature" registered in the signature list 116a the packet corresponds to, and then controls the passage of the packet according to the corresponding signature.
More specifically, the filter unit 116 inputs packets corresponding to a false signature into an illegal queue for handling illegal packets, packets corresponding to a suspicion signature into a suspicion queue for suspected users, and packets corresponding to a legitimate signature or to no signature at all into a legal queue for legitimate users. The filter unit 116 then outputs packets in the legal queue from the network interface unit 111 without limiting the transmission band, whereas packets in the suspicion queue and the illegal queue are output with the transmission band limited according to the transmission band limit value indicated by each signature (the signature selected as satisfying the condition).
Further, when a detection attribute etc. of a signature registered in the signature list 116a satisfies a prescribed release criterion, the filter unit 116 releases the signature that satisfied the prescribed release criterion and stops controlling the passage of packets according to the released signature.
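The signature generation of the attack detection unit 113 and the queue classification of the filter unit 116 described above, as an added example in Python that is not part of the patent: the Figure 12 detection attributes and Figure 14 lawful conditions are taken as given on the page, while the detection thresholds, detection intervals, illegal address range and sample packets are constructed values.

```python
import ipaddress

# Figure 12 detection attributes as given on the page. The detection thresholds and
# intervals are constructed placeholders, since the page gives no numeric values.
SUSPICION_CONDITIONS = [
    {"no": 1, "attrs": {"dst": "192.168.1.1/32", "Protocol": "TCP", "Port": 80},
     "threshold_kbps": 1000, "interval_s": 3},
    {"no": 2, "attrs": {"dst": "192.168.1.2/32", "Protocol": "UDP"},
     "threshold_kbps": 500, "interval_s": 3},
    {"no": 3, "attrs": {"dst": "192.168.1.0/24"},
     "threshold_kbps": 5000, "interval_s": 5},
]

# Figure 14 lawful conditions as given on the page.
LAWFUL_CONDITIONS = [{"src": "172.16.10.0/24"}, {"TOS": 0x01}]


def _in_range(addr, ranges):
    """Address attribute: one network string, or a list of networks (the illegal address range)."""
    if isinstance(ranges, str):
        ranges = [ranges]
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(r) for r in ranges)


def matches(attrs, packet):
    """True when every attribute of a signature or detection condition holds for the packet."""
    for key, value in attrs.items():
        if key in ("src", "dst"):
            if not _in_range(packet[key], value):
                return False
        elif packet.get(key) != value:
            return False
    return True


def detect_suspicion(samples_kbps, cond):
    """samples_kbps: per-second transmission band of traffic whose packets match cond['attrs'].
    Returns the suspicion signature (the record's detection attribute) once the band has stayed
    at or above the detection threshold for at least the detection interval, else None."""
    run = 0
    for kbps in samples_kbps:
        run = run + 1 if kbps >= cond["threshold_kbps"] else 0
        if run >= cond["interval_s"]:
            return dict(cond["attrs"])
    return None


def legitimate_signatures(suspicion, lawful=LAWFUL_CONDITIONS):
    """AND of the suspicion signature with each lawful-condition record."""
    return [{**record, **suspicion} for record in lawful]


def false_signature(suspicion, illegal_sources):
    """Suspicion signature narrowed to the illegal address range (sources of the illegal traffic)."""
    return {**suspicion, "src": list(illegal_sources)}


def classify(packet, table):
    """Filter unit 116: false signature -> illegal queue; legitimate signature or no signature ->
    legal queue; suspicion signature -> suspicion queue. Legitimate signatures are checked before
    the suspicion signature because each is the AND of the suspicion signature with a lawful condition."""
    if any(matches(s, packet) for s in table["false"]):
        return "illegal"
    if any(matches(s, packet) for s in table["legitimate"]):
        return "legal"
    if any(matches(s, packet) for s in table["suspicion"]):
        return "suspicion"
    return "legal"


def example():
    """Constructed scenario: record 1 traffic at 1200/1500/1100 Kbps for three seconds, and a
    constructed illegal address range 10.0.0.0/24 (placeholder, not from the page)."""
    suspicion = detect_suspicion([1200, 1500, 1100], SUSPICION_CONDITIONS[0])
    table = {"suspicion": [suspicion],
             "legitimate": legitimate_signatures(suspicion),
             "false": [false_signature(suspicion, ["10.0.0.0/24"])]}
    packets = {  # constructed sample packets
        "attacker": {"src": "10.0.0.5", "dst": "192.168.1.1", "Protocol": "TCP", "Port": 80, "TOS": 0},
        "branch_office": {"src": "172.16.10.7", "dst": "192.168.1.1", "Protocol": "TCP", "Port": 80, "TOS": 0},
        "tos_marked": {"src": "203.0.113.9", "dst": "192.168.1.1", "Protocol": "TCP", "Port": 80, "TOS": 0x01},
        "unknown_web": {"src": "203.0.113.9", "dst": "192.168.1.1", "Protocol": "TCP", "Port": 80, "TOS": 0},
        "unrelated": {"src": "203.0.113.9", "dst": "192.168.2.1", "Protocol": "UDP", "Port": 53, "TOS": 0},
    }
    return suspicion, table, {name: classify(p, table) for name, p in packets.items()}
```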
[Processing on detection of attack suspicion packets]
Next, the operation of relay 110 on detection of attack suspicion packets is described with reference to Figure 17. Figure 17 is a flowchart showing the processing procedure on detection of attack suspicion packets.
As shown in the figure, when the attack detection unit 113 of relay 110 detects attack suspicion traffic according to the attack suspicion detection condition table 113a shown in Figure 12 (step S101), it generates a suspicion signature and legitimate signatures (step S102).
The attack detection unit 113 then generates identifying information for uniquely identifying the generation of each signature (step S103) and registers the suspicion signature and legitimate signatures in the signature list 116a of the filter unit 116 together with this identifying information (step S104). The signature communication unit 114 then sends the signatures etc. generated by the attack detection unit 113 (in the present embodiment 2, the suspicion signature and lawful condition) to the adjacent relays together with the identifying information (step S105).
Following the relaying of the signature etc. in the above step S104, the signature communication unit 114 registers in the signature list 116a upstream nodes designating the adjacent relays that were the relay destinations. When it is necessary to resend the suspicion signature etc., the signature communication unit 114 refers to the signature list 116a and resends the signature given the same identifying information to the same adjacent relays as relay destinations.
[Processing on receipt of a signature]
Next, the operation of relay 110 on receipt of a signature is described with reference to Figure 18. Figure 18 is a flowchart showing the processing procedure on receipt of a signature.
As shown in the figure, when the signature communication unit 114 of relay 110 receives a signature etc. sent from an adjacent relay (in the present embodiment 2, a suspicion signature and lawful condition) (step S111), the identifying information determination unit 115 judges whether the identifying information of the received signature is registered in the signature list 116a of the filter unit 116 (step S112) and, when the identifying information is registered in the signature list 116a (Yes at step S112), judges whether the downstream node registered for that identifying information is identical to the downstream node of the presently received signature (step S113).
When the identifying information determination unit 115 judges that the identifying information is registered in the signature list 116a but the downstream nodes differ (Yes at step S112 and No at step S113), the signature communication unit 114 neither registers (or overwrites) the received suspicion signature in the signature list 116a nor sends (or resends) it to the other adjacent relays, but returns a registered notification, indicating that this signature is already registered, to the adjacent relay that is the downstream node of the received signature (step S118). The relay 110 that receives this registered notification from the adjacent relay deletes the information (address) corresponding to that adjacent relay from the upstream nodes stored in its signature list 116a.
Conversely, when the identifying information determination unit 115 judges that the identifying information of the received signature is not yet registered in the signature list 116a (No at step S112), the signature communication unit 114 registers the received signature and identifying information in the signature list 116a of the filter unit 116 (step S114), the attack detection unit 113 generates legitimate signatures from the lawful condition received by the signature communication unit 114 (step S115), and the legitimate signatures are registered in the signature list 116a (step S116).
The signature communication unit 114 then sends the suspicion signature and identifying information registered in the signature list 116a (and the lawful condition used in generating the legitimate signatures) to the adjacent relays (step S117). Following the relaying of the signature etc. in step S117, the signature communication unit 114 registers in the signature list 116a, in association with the signature and identifying information, a downstream node designating the adjacent relay that was the relay source and upstream nodes designating the adjacent relays that were the relay destinations.
When, in the judgment of the above step S113, the identifying information determination unit 115 judges that the identifying information of the received signature is registered in the signature list 116a and the downstream node registered for that identifying information is identical to the downstream node of the presently received signature (Yes at step S113), the signature communication unit 114 judges that this is a resend of the signature and overwrites the received signature into the signature list 116a (step S119), and the attack detection unit 113 regenerates the legitimate signatures from the lawful condition received by the signature communication unit 114 (step S120) and overwrites them into the signature list 116a (step S121). The signature communication unit 114 then resends the suspicion signature and identifying information (and the lawful condition used in generating the legitimate signatures) to the other adjacent relays indicated by the upstream nodes registered in the signature list 116a (step S122).
In the above, the case was described in which, when a signature is judged to be a resend (the identifying information of the received signature is registered in the signature list 116a and the downstream node registered for it is identical to the downstream node of the presently received signature), the suspicion signature is overwritten and the legitimate signatures are regenerated and overwritten (steps S119 to S121). The present invention is not necessarily limited to this, however: these steps (S119 to S121) may be omitted so that only the resending of the suspicion signature, identifying information and lawful condition (step S122) is performed.
[Processing when an illegal packet is detected]
Next, the processing performed when the relay device 110 detects an illegal packet is described with reference to Figure 19. Figure 19 is a flowchart of the processing procedure when an illegal packet is detected.
As shown in the figure, when the attack detection unit 117 of the relay device 110 detects illegal traffic according to the illegal traffic conditions shown in Figure 13 (step S131), it generates an illegal signature (step S132). The attack detection unit 117 then registers the generated illegal signature in the signature table 116a of the filter unit 116 (step S133).
[Processing during packet control]
Next, the packet control processing of the relay device 110 is described with reference to Figure 20. Figure 20 is a flowchart of the processing procedure during packet control.
As shown in the figure, when a packet is input from the network interface unit 111 (Yes in step S141), the filter unit 116 determines whether the packet matches an illegal signature registered in the signature table 116a (step S142). If it matches an illegal signature (Yes in step S142), the filter unit 116 places the packet in the illegal queue used for handling illegal packets (step S143).
Otherwise (No in step S142), the filter unit 116 determines whether the input packet matches a legitimate signature registered in the signature table 116a (step S144). If it matches a legitimate signature (Yes in step S144), the filter unit 116 places the packet in the legitimate queue used for legitimate users (step S145).
If the packet matches no legitimate signature either (No in step S144), the filter unit 116 determines whether the input packet matches a suspect signature registered in the signature table 116a (step S146). If it matches a suspect signature (Yes in step S146), the filter unit 116 places the packet in the suspect queue used for suspect users (step S147). If it matches no suspect signature (No in step S146), the filter unit 116 places the packet in the legitimate queue (step S148).
The filter unit 116 then outputs the packets in each queue from the network interface unit 111: packets in the legitimate queue are output without any bandwidth limit, while packets in the suspect queue and the illegal queue are output under the bandwidth limit value indicated by the respective signature. A plurality of illegal signatures, legitimate signatures and suspect signatures may each be registered in the signature table 116a. When the detection attributes or the like of a registered signature satisfy a predetermined criterion, the filter unit 116 removes the signature that satisfies the criterion and stops controlling packet passage according to the removed signature.
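The queue assignment of Figure 20 and the per-queue bandwidth control described above, written out as an added illustrative example in Python; this is not code from the patent. The packet fields, the equality-match form of a signature condition, the token-bucket form of the bandwidth limit, the illegal signature's limit value of 0, and the addresses in the sample packets are assumptions made for the example.

```python
"""Queue assignment and bandwidth control of the filter unit (Figure 20, steps
S141 to S148). Added example; not the patent's own code. Packet fields, the
equality-match form of a signature condition, the token-bucket limiter and the
sample addresses are assumptions made for this illustration."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

ILLEGAL, LEGITIMATE, SUSPECT = "illegal", "legitimate", "suspect"
CHECK_ORDER = (ILLEGAL, LEGITIMATE, SUSPECT)   # order of steps S142, S144, S146


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    length: int   # bytes


@dataclass
class Signature:
    kind: str                        # ILLEGAL, LEGITIMATE or SUSPECT
    match: dict                      # packet attribute -> required value (assumed condition form)
    limit_bps: Optional[int] = None  # bandwidth limit value; unused for LEGITIMATE (no limit)

    def matches(self, pkt: Packet) -> bool:
        return all(getattr(pkt, attr) == value for attr, value in self.match.items())


class TokenBucket:
    """Bandwidth limiter for the suspect and illegal queues. Capacity is one
    second of the signature's limit value, in bits (an assumption)."""

    def __init__(self, rate_bps: int):
        self.rate_bps, self.tokens, self.last = rate_bps, float(rate_bps), 0.0

    def allow(self, nbytes: int, now: float) -> bool:
        self.tokens = min(self.rate_bps, self.tokens + (now - self.last) * self.rate_bps)
        self.last = now
        if self.tokens >= nbytes * 8:
            self.tokens -= nbytes * 8
            return True
        return False


class FilterUnit:
    """Signature table (116a) plus the queue assignment and output rules."""

    def __init__(self):
        self.table: list = []     # any number of signatures of each kind may be registered
        self.limiters: dict = {}  # id(signature) -> TokenBucket for suspect/illegal signatures

    def register(self, sig: Signature) -> None:
        if sig.kind != LEGITIMATE and sig.limit_bps is None:
            raise ValueError("suspect and illegal signatures must carry a bandwidth limit value")
        self.table.append(sig)
        if sig.kind != LEGITIMATE:
            self.limiters[id(sig)] = TokenBucket(sig.limit_bps)

    def remove(self, sig: Signature) -> None:
        """Removing a signature (e.g. once its detection attributes meet the
        release criterion) also ends the band limiting applied under it."""
        self.table.remove(sig)
        self.limiters.pop(id(sig), None)

    def classify(self, pkt: Packet):
        """Return (queue, matching signature). Illegal is checked before
        legitimate and legitimate before suspect, so a legitimate user's traffic
        inside a suspect range still reaches the legitimate queue (S144/S145)."""
        for kind in CHECK_ORDER:
            for sig in self.table:
                if sig.kind == kind and sig.matches(pkt):
                    return kind, sig
        return LEGITIMATE, None   # S148: no signature matches

    def output(self, pkt: Packet, now: float) -> bool:
        """True if the packet leaves the network interface, False if the band
        limit of its suspect or illegal signature holds it back."""
        queue, sig = self.classify(pkt)
        if queue == LEGITIMATE:
            return True           # legitimate queue: no band limit
        return self.limiters[id(sig)].allow(pkt.length, now)


def demo() -> list:
    """Constructed signatures and packets; the addresses are documentation ranges."""
    fu = FilterUnit()
    fu.register(Signature(SUSPECT, {"dst": "192.0.2.10", "proto": "udp"}, limit_bps=8000))
    fu.register(Signature(LEGITIMATE, {"dst": "192.0.2.10", "proto": "udp", "src": "198.51.100.7"}))
    fu.register(Signature(ILLEGAL, {"src": "203.0.113.66"}, limit_bps=0))  # limit 0: never forwarded
    packets = [Packet("198.51.100.7", "192.0.2.10", "udp", 53, 600),    # legitimate user in the suspect range
               Packet("203.0.113.9", "192.0.2.10", "udp", 53, 600),     # suspect
               Packet("203.0.113.9", "192.0.2.10", "udp", 53, 600),     # suspect, second in the same second
               Packet("203.0.113.66", "192.0.2.10", "udp", 53, 600),    # illegal
               Packet("198.51.100.8", "192.0.2.20", "tcp", 443, 1200)]  # matches nothing
    return [(fu.classify(p)[0], fu.output(p, 0.0)) for p in packets]


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the two points the flowchart encodes: a packet inside the suspect range but matching a legitimate signature is forwarded without limit, while the second suspect packet in the same second is held back by the suspect signature's bandwidth limit value.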
[Effects of Embodiment 2]
As described above, according to Embodiment 2, whether a signature received from an adjacent relay device is already registered is determined, and only an unregistered signature is registered in the signature table 116a and transmitted to the adjacent relay devices. Repeated registration and repeated transmission of signatures are thereby avoided, and signature-based packet control can be performed efficiently.
Further, according to Embodiment 2, identification information that uniquely identifies the generation of a signature is managed in association with each signature, so whether a signature is already registered can be determined from the identification information alone, without referring to the particular content of the signature. Moreover, when the signature content is identical but the identification information (the generation source) differs, the signature is treated as not yet registered, registered in the signature table 116a, and transmitted to the adjacent relay devices. Differences in the capabilities of the relay devices that are the generation sources (for example, differences in attack detection or defense release algorithms) are thus respected, and packet control can be performed securely.
Further, according to Embodiment 2, when an attack-suspect packet is detected, a suspect signature and identification information are generated and transmitted to the adjacent relay devices, and the upstream node specifying the adjacent relay devices that are the relay destinations is registered in the signature table 116a in association with the identification information and the suspect signature, so identification information can be reliably attached to a signature. When a signature must be resent because of a transmission error, a content update or the like, referring to the upstream node, identification information and signature registered in the signature table 116a allows the signature bearing the same identification information to be reliably resent to the same relay destinations.
Further, according to Embodiment 2, when the identification information of a signature received from an adjacent relay device is not yet registered in the signature table 116a, the signature and identification information are transmitted to the other adjacent relay devices, and the downstream node specifying the adjacent relay device that was the relay source immediately before the signature, the upstream node specifying the adjacent relay devices that are the relay destinations immediately after it, the identification information and the signature are registered in association in the signature table 116a (see Figure 15). When the identification information of the signature received from the adjacent relay device is already registered in the signature table 116a, it is further determined whether the downstream node is identical; if it is, the registration of the signature is overwritten in the signature table 116a and the signature is transmitted to the other adjacent relay devices indicated by the upstream node registered there, so that when a signature is resent because of a transmission error, a content update or the like, the resent signature is not merely held at this relay device but is reliably forwarded to the relay destinations. If the downstream node is not identical, the signature is determined not to be a resend, and as a result repeated registration and repeated transmission of signatures are reliably avoided.
Further, according to Embodiment 2, when the identification information of a signature received from an adjacent relay device is already registered in the signature table 116a but the downstream node is not identical, a registered notice indicating that the signature is already registered is returned to the adjacent relay device that is the downstream node of the signature. A relay device that receives such a registered notice from another adjacent relay device deletes the information (address) corresponding to that adjacent relay device from the upstream node stored in the signature table 116a. Consequently, when a signature must be resent because of a transmission error, a content update or the like, it is not transmitted to a relay destination that has been deleted from the signature table 116a, and repeated registration and repeated transmission of the signature are reliably avoided even on resending.
[Other embodiments]
Embodiment 2 of the present invention has been described above, but the present invention may also be implemented in various forms other than Embodiment 2.
For example, Embodiment 2 describes determining repeated registration from the generation identification information that uniquely identifies the generation of a signature. The invention is not limited to this: the capabilities of the individual relay devices that are the generation sources may be disregarded and repeated registration determined from whether the signature content is identical. Alternatively, repeated registration may be determined from whether the signature content is identical and whether the capabilities of the generation source are identical, taking the capabilities of each generating relay device into account.
Each relay device 110 may also, before transmitting the received suspect signature and identification information to the adjacent relay devices, determine whether the number of packets per unit time satisfying the condition of the suspect signature has exceeded a predetermined threshold, and transmit the received suspect signature to the adjacent relay devices only when the threshold is determined to have been exceeded (that is, only when an attack is determined to be present). For example, in the example shown in Figure 10, relay device 110-4 is not under attack from communication terminals 130-1 to 130-3, so even if it receives a suspect signature and identification information from relay device 110-2 or relay device 110-3 it does not determine that the threshold has been exceeded, and does not transmit the suspect signature to its adjacent relay devices 110-5 and 110-6.
The constituent elements of each device illustrated in Embodiment 2 (for example, the relay device 110 illustrated in Figure 10) are functional and conceptual, and need not be physically configured as illustrated. That is, the specific form in which the relay device 110 is distributed or integrated is not limited to the illustration; all or part of the relay device 110 may be distributed or integrated functionally or physically in arbitrary units according to various loads, usage conditions and the like. Each processing function performed by the relay device 110 may, in whole or in part, be realized by a CPU and a program analyzed and executed by that CPU, or realized as hardware using wired logic.
Of the processing described in Embodiment 2, all or part of the processing described as automatic may be performed manually, and all or part of the processing described as manual may be performed automatically by known methods. The processing procedures, control procedures, specific names, and information including various data and parameters shown in the description and drawings (for example, the contents of the attack-suspect detection condition table, the illegal traffic detection condition table and the legitimate condition table) may be changed arbitrarily unless otherwise specified.
Embodiment 2 describes each device of the present invention (for example, the relay device 110) in terms of its functions, but each function of each device may also be realized by executing a program on a personal computer, a workstation or the like. That is, the various processing procedures described in Embodiment 2 can be realized by executing a prepared program on a computer. Such a program may be distributed over a network such as the Internet, or recorded on a computer-readable recording medium such as a hard disk, floppy disk (FD), CD-ROM, MO or DVD and executed by being read from the medium by a computer. For example, a CD-ROM storing the relay program shown in Embodiment 2 may be distributed, and each computer reads and executes the program stored on that CD-ROM.
Embodiment 3
Embodiment 3 describes the case in which the packet restriction processing of Embodiment 1 and that of Embodiment 2 are combined. Figure 21 is a block diagram of the structure of the relay device 210 of Embodiment 3. In the following, mainly the differences between the relay devices 10 and 110 of Embodiments 1 and 2 and the relay device 210 of Embodiment 3 are described, and the description of common points is omitted.
[Outline and features of the system]
As shown in Figure 21, the relay device 210 has, as processing units that perform the packet restriction processing, an identification information determination unit 215a (corresponding to the identification information determination unit 115 of the relay device 110 of Embodiment 2), a packet count determination unit 215b (corresponding to the packet count determination unit 15a of the relay device 10 of Embodiment 1), and a consecutive excess count determination unit 215c (likewise corresponding to the consecutive excess count determination unit 15b of the relay device 10).
That is, the relay device 210 uses the identification information that uniquely identifies the generation of a signature to restrict the relaying of packets to other relay devices, and also restricts packet relaying according to whether the number of packets per unit time satisfying the signature condition has exceeded a predetermined threshold and whether the number of consecutive excesses over that threshold has exceeded a predetermined value. Packet relay restriction processing can thus be performed flexibly and reliably.
[Processing when an attack-suspect packet is detected]
Next, the processing performed when the relay device 210 detects an attack-suspect packet is described with reference to Figure 22. Figure 22 is a flowchart of the processing procedure when an attack-suspect packet is detected.
As shown in the figure, when the attack detection unit 213 of the relay device 210 detects attack-suspect traffic according to the attack-suspect detection condition table 113a shown in Figure 12 (step S201), it generates a suspect signature and a legitimate signature (step S202).
The attack detection unit 213 then generates identification information that uniquely identifies the generation of each signature (step S203), and registers the suspect signature and the legitimate signature, together with this identification information, in the signature table 216a of the filter unit 216 (step S204). The signature communication unit 214 then transmits the signatures and the like generated by the attack detection unit 213 (in Embodiment 3, the suspect signature and the legitimate condition) together with the identification information to the adjacent relay devices (step S205).
In the course of relaying the signature in step S205, the signature communication unit 214 also registers in the signature table 216a the upstream node specifying the adjacent relay devices that are the relay destinations. When the suspect signature or the like must be resent, the signature communication unit 214 refers to the signature table 216a and resends the signature bearing the same identification information to the same adjacent relay devices as relay destinations.
[Processing when a signature is received]
Next, the processing performed when the relay device 210 receives a signature is described with reference to Figure 23. Figure 23 is a flowchart of the processing procedure when a signature is received.
As shown in the figure, when the signature communication unit 214 of the relay device 210 receives a signature or the like (in Embodiment 3, a suspect signature and a legitimate condition) transmitted from an adjacent relay device (step S211), the identification information determination unit 215a determines whether the identification information of the received signature is registered in the signature table 216a of the filter unit 216 (step S212); if the identification information is registered (Yes in step S212), it determines whether the downstream node registered in association with the identification information is identical to the downstream node of the signature received this time (step S213).
When the identification information determination unit 215a determines in this judgement that the identification information is registered in the signature table 216a but the downstream node is not identical (Yes in step S212 and No in step S213), the signature communication unit 214 neither registers (or overwrite-registers) the received suspect signature in the signature table 216a nor transmits (or resends) it to the other adjacent relay devices, but returns a registered notice indicating that the signature is already registered to the adjacent relay device that is the downstream node of the received signature (step S220). A relay device 210 that receives such a registered notice from an adjacent relay device deletes the information (address) corresponding to that adjacent relay device from the upstream node stored in the signature table 216a.
Conversely, when the identification information determination unit 215a determines that the identification information of the received signature is not yet registered in the signature table 216a (No in step S212), the signature communication unit 214 registers the received signature and identification information in the signature table 216a of the filter unit 216 (step S214), and the attack detection unit 213 generates a legitimate signature from the legitimate condition received by the signature communication unit 214 (step S215) and registers it in the signature table 216a (step S216).
Next, the packet count determination unit 215b obtains, from the statistical information provided by the packet acquisition unit 212, the number of packets per unit time satisfying the condition of the suspect signature registered in the signature table 216a, and determines whether that packet count has exceeded a predetermined threshold (step S217).
If the threshold has been exceeded (Yes in step S217), the consecutive excess count determination unit 215c determines whether the number of consecutive excesses over the threshold has exceeded a predetermined value (step S218). If it has (Yes in step S218), the signature communication unit 214 transmits the suspect signature and identification information registered in the signature table 216a (together with the legitimate condition used in generating the legitimate signature) to the adjacent relay devices (step S219). In the course of relaying the signature in step S219, the signature communication unit 214 also registers in the signature table 216a, in association with the signature and identification information, the downstream node specifying the adjacent relay device that was the relay source and the upstream node specifying the adjacent relay devices that are the relay destinations.
If the packet count does not exceed the threshold in step S217 (No in step S217), or the number of consecutive excesses does not exceed the predetermined value in step S218 (No in step S218), the processing of transmitting the signature received from the adjacent relay device to the other adjacent relay devices (step S219) is not performed.
When, in the determination of step S213, the identification information determination unit 215a determines that the identification information of the received signature is registered in the signature table 216a and that the downstream node registered in association with the identification information is identical to the downstream node of the signature received this time (Yes in step S213), the signature communication unit 214 determines that this is a resend of the signature and overwrites the registration of the received signature in the signature table 216a (step S221); the attack detection unit 213 regenerates the legitimate signature from the legitimate condition received by the signature communication unit 214 (step S222) and overwrites the registration of the legitimate signature in the signature table 216a (step S223).
Next, the packet count determination unit 215b obtains, from the statistical information provided by the packet acquisition unit 212, the number of packets per unit time satisfying the condition of the suspect signature registered in the signature table 216a, and determines whether that packet count has exceeded the predetermined threshold (step S224).
If the threshold has been exceeded (Yes in step S224), the consecutive excess count determination unit 215c determines whether the number of consecutive excesses over the threshold has exceeded the predetermined value (step S225). If it has (Yes in step S225), the signature communication unit 214 resends the suspect signature and identification information (and the legitimate condition used in generating the legitimate signature) to the other adjacent relay devices indicated by the upstream node registered in the signature table 216a (step S226).
If the packet count does not exceed the threshold in step S224 (No in step S224), or the number of consecutive excesses does not exceed the predetermined value in step S225 (No in step S225), the processing of transmitting the signature received from the adjacent relay device to the other adjacent relay devices (step S226) is not performed.
The description above covers the case in which, when the signature is determined to be a resend (the identification information of the received signature is already registered in the signature table 216a and the downstream node registered with that identification information is identical to the downstream node of the signature received this time), the suspect signature is re-registered by overwriting and the legitimate signature is regenerated and re-registered by overwriting (steps S221 to S223). The present invention is not necessarily limited to this; these steps (S221 to S223) may be omitted and only the processing from step S224 onward performed.
The description above also covers the case in which the determination processing using the predetermined thresholds (for example, steps S217 and S218) is performed after the branching processing using the signature identification information (for example, step S212). The present invention is not necessarily limited to this; the branching by the determination using the predetermined thresholds may be performed first, followed by the determination processing using the signature identification information.
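The signature relay procedure of Embodiment 3 (the originating flow of Figure 22, the reception flow of Figure 23 with its S212/S213 branch, threshold checks and registered-notice handling) and, by the same code path, the Embodiment 2 reception flow of steps S112 to S122 and its threshold-gated variant, as an added simulation in Python that is not code from the patent. The relay topology (R1 adjacent to R2 and R3, both adjacent to R4, R4 adjacent to R5), the threshold of 100 packets per unit interval, the consecutive-excess setting of 2, the per-interval packet counts and the target address 192.0.2.10 are constructed for the example; the statistics of the packet acquisition unit are replaced by a table of per-interval counts, and the legitimate signature is represented by a placeholder tuple.

```python
"""Signature relay between adjacent relay devices: originating flow (Figure 22), reception
flow (Figure 23, S211 to S226) and registered-notice handling. Added simulation, not the
patent's code; topology, thresholds, per-interval packet counts and the 192.0.2.10 target
are constructed, and the counts stand in for the packet acquisition unit's statistics."""
from __future__ import annotations
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class SuspectSignature:
    ident: str         # identification information: unique to one generation of the signature
    cond: tuple        # suspect condition as sorted (attribute, value) pairs
    legit_cond: tuple  # legitimate condition sent along with the signature


@dataclass
class Entry:
    sig: SuspectSignature
    legit_sig: tuple        # legitimate signature derived locally from legit_cond (placeholder)
    downstream: str | None  # relay source: adjacent relay the signature came from (None at the originator)
    upstream: list          # relay destinations: adjacent relays the signature was sent to


class Relay:
    def __init__(self, net: dict, queue: deque, name: str, neighbours, threshold: int, consecutive: int):
        self.net, self.queue, self.name, self.neighbours = net, queue, name, list(neighbours)
        self.threshold, self.consecutive = threshold, consecutive  # packets per unit interval; run length
        self.table, self.stats = {}, {}  # signature table keyed by ident; cond -> packet count per interval
        self.seq, self.sent, self.received, self.notices = 0, [], [], []
        net[name] = self
    def attack_detected(self, cond: tuple) -> bool:
        """S217/S218: latest interval over the threshold and that run longer than the setting."""
        run = 0
        for n in self.stats.get(cond, []):
            run = run + 1 if n > self.threshold else 0
        return run > self.consecutive
    def _send(self, dst: str, sig: SuspectSignature) -> None:
        self.sent.append((sig.ident, dst))
        self.queue.append(("receive", self.name, dst, sig))
    def originate(self, cond: dict, legit_cond: dict) -> str:
        """Figure 22 (S201 to S205): generate signature and ident, register with destinations, send."""
        self.seq += 1
        sig = SuspectSignature(f"{self.name}-{self.seq:04d}", tuple(sorted(cond.items())),
                               tuple(sorted(legit_cond.items())))
        self.table[sig.ident] = Entry(sig, ("legit",) + sig.legit_cond, None, list(self.neighbours))
        for dst in self.neighbours:
            self._send(dst, sig)
        return sig.ident
    def resend(self, ident: str) -> None:
        """Resend the signature with the same identification information to its relay destinations."""
        for dst in list(self.table[ident].upstream):
            self._send(dst, self.table[ident].sig)
    def receive(self, sig: SuspectSignature, src: str) -> None:
        """Figure 23: S212/S213 branch, registration, threshold checks, forwarding."""
        self.received.append((sig.ident, src))
        entry = self.table.get(sig.ident)
        if entry is not None and entry.downstream != src:
            # Same generation via another relay source: already registered, so neither register
            # nor forward; return a registered notice to the source instead (S220).
            self.notices.append((src, sig.ident))
            self.queue.append(("on_registered_notice", self.name, src, sig.ident))
            return
        legit_sig = ("legit",) + sig.legit_cond   # placeholder for legitimate signature generation
        if entry is None:   # S212 No: first arrival, register it and the legitimate signature (S214-S216)
            entry = self.table[sig.ident] = Entry(sig, legit_sig, src, [])
            is_resend = False
        else:               # S213 Yes: resend from the same source, overwrite the registration (S221-S223)
            entry.sig, entry.legit_sig, is_resend = sig, legit_sig, True
        if not self.attack_detected(sig.cond):   # S217/S218 (S224/S225): no attack here, do not relay
            return
        if is_resend:       # S226: only the relay destinations already registered
            dests = list(entry.upstream)
        else:               # S219: every adjacent relay except the relay source, recorded as upstream
            dests = entry.upstream = [n for n in self.neighbours if n != src]
        for dst in dests:
            self._send(dst, sig)
    def on_registered_notice(self, ident: str, src: str) -> None:
        """Drop the notifying relay from the relay destinations so later resends skip it."""
        entry = self.table.get(ident)
        if entry is not None and src in entry.upstream:
            entry.upstream.remove(src)


def deliver_all(net: dict, queue: deque) -> None:
    """FIFO delivery of queued signatures and registered notices between adjacent relays."""
    while queue:
        method, src, dst, payload = queue.popleft()
        getattr(net[dst], method)(payload, src)


def build_demo():
    """Constructed topology R1-{R2,R3}, R2-R4, R3-R4, R4-R5 and constructed interval counts."""
    net, queue = {}, deque()
    cond = (("dst", "192.0.2.10"), ("proto", "udp"))
    spec = {"R1": (["R2", "R3"], [130, 140, 150]), "R2": (["R1", "R4"], [120, 150, 130]),
            "R3": (["R1", "R4"], [110, 140, 160]), "R4": (["R2", "R3", "R5"], [90, 200, 210, 220]),
            "R5": (["R4"], [20, 30, 10])}
    for name, (nbrs, counts) in spec.items():
        Relay(net, queue, name, nbrs, threshold=100, consecutive=2).stats[cond] = counts
    ident = net["R1"].originate(dict(cond), {"dst": "192.0.2.10", "proto": "udp", "dport": 53})
    deliver_all(net, queue)
    return net, queue, ident
```

In the constructed run, R4 receives the same generation from R2 and then from R3; the second arrival differs only in its relay source, so R4 returns a registered notice and R3 drops R4 from its relay destinations. R4 likewise forwarded to R3 before R3's copy arrived, and the notice R3 returns prunes R3 from R4's destinations. A later `resend` from R1 therefore reaches R4 once, via R2 only, and R5, which sees no attack traffic, never forwards.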
[Effects of Embodiment 3]
As described above, according to Embodiment 3, the relay device uses the identification information that uniquely identifies the generation of a signature to restrict the relaying of packets to other relay devices, and also restricts packet relaying according to whether the number of packets per unit time satisfying the signature condition has exceeded a predetermined threshold and whether the number of consecutive excesses over that threshold has exceeded a predetermined value. Packet relay restriction processing can thus be performed flexibly and reliably.
Industrial applicability
As described above, the relay device, relaying method, relaying program and network attack defense system of the present invention are useful where a signature used to control the passage of packets is received from an adjacent relay device and the received signature is transmitted to other adjacent relay devices, and are particularly suited to reducing the processing load of each relay device on the network and to performing the processing related to packet restriction efficiently.

Claims (26)

1. a relay is used for the signature that the control data bag passes through from the reception of adjacency relay, and the signature that this received is sent to other in abutting connection with relay, it is characterized in that,
According to judging whether should send to other to this signature in abutting connection with relay in abutting connection with the signature that relay received from aforementioned, and be judged to be should send to aforementioned other under the situation of relay, from aforementioned in abutting connection with the signature that relay received send to aforementioned other in abutting connection with relay.
2. relay according to claim 1 is characterized in that having:
Attack has or not identifying unit, and it monitors the packet that satisfies the condition in abutting connection with the signature that relay received from aforementioned, judges that this packet has or not attack; And
The signature transmitting element, it is being had or not identifying unit to be judged to be under the situation of attack by aforementioned attack, from aforementioned in abutting connection with the signature that relay received send to aforementioned other in abutting connection with relay.
3. relay according to claim 2 is characterized in that,
Aforementioned attack has or not identifying unit to have: the data packet number identifying unit, and it judges whether the data packet number in the unit interval of satisfying the condition in abutting connection with the signature that relay received from aforementioned has surpassed defined threshold;
Aforementioned signature transmitting element has surpassed under the situation of defined threshold at the data packet number that is judged to be in the aforementioned unit interval by aforementioned data bag quantity identifying unit, from aforementioned in abutting connection with the signature that relay received send to aforementioned other in abutting connection with relay.
4. relay according to claim 3 is characterized in that,
Aforementioned attack has or not identifying unit also to have: surpass the number of times identifying unit continuously, it has surpassed under the situation of defined threshold at the data packet number that is judged to be in the aforementioned unit interval by aforementioned data bag quantity identifying unit, judges whether the number of times that has surpassed this defined threshold has continuously surpassed setting;
Aforementioned signature transmitting element is being judged to be under the situation that has surpassed setting by the aforementioned number of times identifying unit that surpasses continuously, from aforementioned in abutting connection with the signature that relay received send to aforementioned other in abutting connection with relay.
5. according to claim 2,3 or 4 described relays, it is characterized in that, aforementioned signature transmitting element aforementioned signature send in all of its neighbor relay except in abutting connection with the relay other that sent aforementioned signature in abutting connection with relay.
6. relay according to claim 1 is characterized in that having:
The signature memory cell, the aforementioned signature that its storage is received;
Signature registration identifying unit, whether it judges from aforementioned registered in aforementioned signature memory cell in abutting connection with the signature that relay received; And
The signature communication unit, it is being judged to be under the also unregistered situation by aforementioned identification information identifying unit, being registered in the aforementioned signature memory cell in abutting connection with the signature that relay received from aforementioned, and this signature is sent to other in abutting connection with relay.
7. relay according to claim 6 is characterized in that,
Aforementioned signature memory cell is stored each signature and the generation identifying information that is used for the generation of the aforementioned signature of unique identification accordingly;
Aforementioned signature registration identifying unit judges whether the generation identifying information in abutting connection with the signature that relay received is registered in aforementioned signature memory cell from aforementioned;
the signature communication unit, when the signature registration determination unit determines that the generation identifying information is not yet registered in the signature storage unit, registers the signature and generation identifying information received from the adjacent relay in the signature storage unit, and sends this signature and generation identifying information to the other adjacent relays.
8. The relay according to claim 7, characterized in that
it has a signature generation unit which generates a signature from the detection of a packet suspected of being an attack, and generates generation identifying information for this signature;
this signature generation unit sends the signature and the generation identifying information to an adjacent relay, and registers in the signature storage unit, in correspondence with one another, relay destination information specifying that adjacent relay as the relay destination, the generation identifying information, and the signature.
9. The relay according to claim 8, characterized in that
the signature communication unit, when the signature registration determination unit determines that the generation identifying information is not yet registered in the signature storage unit, sends the signature and generation identifying information received from the adjacent relay to the other adjacent relays, and registers in the signature storage unit, in correspondence with one another, relay source information specifying the adjacent relay that relayed the signature immediately before this relay, relay destination information specifying the adjacent relay to which this relay relays the signature next, the generation identifying information, and the signature;
the signature registration determination unit, when the generation identifying information of the signature received from the adjacent relay is already registered in the signature storage unit, further determines whether the relay source information registered in correspondence with this generation identifying information is identical to the relay source information of the received signature;
the signature communication unit, when the signature registration determination unit determines that the generation identifying information is already registered in the signature storage unit and that the relay source information is identical, overwrites the registered entry in the signature storage unit with the signature received from the adjacent relay, and sends this signature to the other adjacent relays indicated by the relay destination information registered in the signature storage unit.
10. The relay according to claim 9, characterized in that the signature communication unit, when the signature registration determination unit determines that the relay source information is not identical, returns a registered notice indicating that this signature is already registered to the adjacent relay that is the relay source of the signature, and, when such a registered notice is received from another adjacent relay, deletes from the relay destination information stored in the signature storage unit the relay destination information corresponding to that adjacent relay.
11. A network attack defending system comprising a plurality of relays, each of which receives from an adjacent relay a signature used to control the passage of packets and sends the received signature to other adjacent relays, characterized in that
each relay has:
an attack presence determination unit which monitors the packets satisfying the condition of the signature received from the adjacent relay and determines whether these packets constitute an attack; and
a signature transmitting unit which, when the attack presence determination unit determines that there is an attack, sends the signature received from the adjacent relay to the other adjacent relays.
12. A network attack defending system comprising a plurality of relays, each of which receives from an adjacent relay a signature used to control the passage of packets, registers the received signature in a signature storage unit to control the passage of packets, and sends this signature to other adjacent relays, characterized in that
each relay has:
a signature registration determination unit which determines whether the signature received from the adjacent relay is already registered in the signature storage unit; and
a signature communication unit which, when the signature registration determination unit determines that it is not yet registered, registers the signature received from the adjacent relay in the signature storage unit and sends this signature to the other adjacent relays.
13. A relaying method in a relay which receives from an adjacent relay a signature used to control the passage of packets and sends the received signature to other adjacent relays, characterized in that the relaying method comprises:
an attack presence determination step of monitoring the packets satisfying the condition of the signature received from the adjacent relay and determining whether these packets constitute an attack; and
a signature forwarding step of, when the attack presence determination step determines that there is an attack, sending the signature received from the adjacent relay to the other adjacent relays.
14. The relaying method according to claim 13, characterized in that
the attack presence determination step comprises a packet count determination step of determining whether the number of packets per unit time that satisfy the condition of the signature received from the adjacent relay has exceeded a predetermined threshold;
the signature forwarding step, when the packet count determination step determines that the number of packets in the unit time has exceeded the predetermined threshold, sends the signature received from the adjacent relay to the other adjacent relays.
15. The relaying method according to claim 14, characterized in that
the attack presence determination step further comprises a consecutive exceedance count determination step of, when the packet count determination step determines that the number of packets in the unit time has exceeded the predetermined threshold, determining whether the number of consecutive times this predetermined threshold has been exceeded has itself exceeded a set value;
the signature forwarding step, when the consecutive exceedance count determination step determines that the set value has been exceeded, sends the signature received from the adjacent relay to the other adjacent relays.
16. The relaying method according to claim 13, 14 or 15, characterized in that the signature forwarding step sends the signature to all adjacent relays other than the adjacent relay that sent the signature.
17. A relaying method which receives from an adjacent relay a signature used to control the passage of packets, registers the received signature in a signature storage unit to control the passage of packets, and sends this signature to other adjacent relays, characterized in that the relaying method comprises:
a signature registration determination step of determining whether the signature received from the adjacent relay is already registered in the signature storage unit; and
a signature communication step of, when the signature registration determination step determines that it is not yet registered, registering the signature received from the adjacent relay in the signature storage unit and sending this signature to the other adjacent relays.
18. The relaying method according to claim 17, characterized in that
the signature storage unit stores each signature in correspondence with generation identifying information that uniquely identifies the generation of that signature;
the signature registration determination step determines whether the generation identifying information of the signature received from the adjacent relay is registered in the signature storage unit;
the signature communication step, when the signature registration determination step determines that the generation identifying information is not yet registered in the signature storage unit, registers the signature and generation identifying information received from the adjacent relay in the signature storage unit, and sends this signature and generation identifying information to the other adjacent relays.
19. The relaying method according to claim 18, characterized in that
it comprises a signature generation step of generating a signature from the detection of a packet suspected of being an attack, and generating generation identifying information for this signature;
the signature generation step sends the signature and the generation identifying information to an adjacent relay, and registers in the signature storage unit, in correspondence with one another, relay destination information specifying that adjacent relay as the relay destination, the generation identifying information, and the signature.
20. A relaying program which causes a computer serving as a relay to execute processing, the relay receiving from an adjacent relay a signature used to control the passage of packets and sending the received signature to other adjacent relays, characterized in that the relaying program causes the computer to execute:
an attack presence determination process of monitoring the packets satisfying the condition of the signature received from the adjacent relay and determining whether these packets constitute an attack; and
a signature transmission process of, when the attack presence determination process determines that there is an attack, sending the signature received from the adjacent relay to the other adjacent relays.
21. The relaying program according to claim 20, characterized in that
the attack presence determination process causes the computer to execute a packet count determination process of determining whether the number of packets per unit time that satisfy the condition of the signature received from the adjacent relay has exceeded a predetermined threshold;
the signature transmission process, when the packet count determination process determines that the number of packets in the unit time has exceeded the predetermined threshold, sends the signature received from the adjacent relay to the other adjacent relays.
22. The relaying program according to claim 21, characterized in that
the attack presence determination process further causes the computer to execute a consecutive exceedance count determination process of, when the packet count determination process determines that the number of packets in the unit time has exceeded the predetermined threshold, determining whether the number of consecutive times this predetermined threshold has been exceeded has itself exceeded a set value;
the signature transmission process, when the consecutive exceedance count determination process determines that the set value has been exceeded, sends the signature received from the adjacent relay to the other adjacent relays.
23. The relaying program according to claim 20, 21 or 22, characterized in that the signature transmission process sends the signature to all adjacent relays other than the adjacent relay that sent the signature.
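The packet-count threshold, the consecutive-exceedance check and the "all neighbours but the sender" forwarding rule of claims 13 to 16 (and 20 to 23), as an added simulation that is not code from the patent. The packet dictionaries, the signature match condition, the per-interval batching of packets and the choice to stop monitoring a signature once it has been forwarded are assumptions.

```python
# Simulation of the attack-presence check of claims 13-16 (and 20-23). Added
# example, not the patent's code; the packet dictionaries, the match condition,
# the interval batching and forwarding a signature only once are assumptions.
from collections import defaultdict

class Signature:
    def __init__(self, sig_id, conditions):
        self.sig_id = sig_id
        self.conditions = conditions      # header fields a packet must match

    def matches(self, packet):
        return all(packet.get(k) == v for k, v in self.conditions.items())

class Relay:
    def __init__(self, name, neighbors, threshold, consecutive_limit):
        self.name, self.neighbors = name, neighbors
        self.threshold = threshold                    # packets per unit time (claim 14)
        self.consecutive_limit = consecutive_limit    # set value of claim 15
        self.watched = {}                 # sig_id -> (signature, relay that sent it)
        self.consecutive = defaultdict(int)   # sig_id -> consecutive exceedances
        self.sent = []                    # (sig_id, destination relay) forwarded so far

    def receive_signature(self, signature, sender):
        # A signature from an adjacent relay is only monitored, not forwarded,
        # until the packets matching it are judged to be an attack (claim 13).
        self.watched[signature.sig_id] = (signature, sender)
        self.consecutive[signature.sig_id] = 0

    def end_of_interval(self, packets):
        """Called once per unit interval with that interval's packets; returns
        the ids of the signatures forwarded at the end of this interval."""
        forwarded = []
        for sig_id, (signature, sender) in list(self.watched.items()):
            count = sum(1 for p in packets if signature.matches(p))
            if count > self.threshold:            # claim 14
                self.consecutive[sig_id] += 1
            else:
                self.consecutive[sig_id] = 0      # exceedances must be consecutive
            if self.consecutive[sig_id] > self.consecutive_limit:   # claim 15
                for n in self.neighbors:          # claim 16: all but the sender
                    if n != sender:
                        self.sent.append((sig_id, n))
                forwarded.append(sig_id)
                del self.watched[sig_id]          # assumption: forward once, then stop watching
        return forwarded

def simulate():
    # Constructed traffic: two high intervals, a lull, then three high intervals.
    # Only the second run of exceedances passes the consecutive-count check.
    relay = Relay("R2", ["R1", "R3", "R4"], threshold=100, consecutive_limit=2)
    relay.receive_signature(Signature("sig-1", {"dst": "192.0.2.10", "proto": "udp"}), "R1")
    results = []
    for matching in [150, 120, 50, 130, 140, 160]:
        packets = [{"dst": "192.0.2.10", "proto": "udp"}] * matching
        packets += [{"dst": "198.51.100.1", "proto": "tcp"}] * 20    # unrelated traffic
        results.append(relay.end_of_interval(packets))
    return relay, results
```

The short two-interval burst at the start never reaches the set value because the lull resets the consecutive count, which is what keeps a momentary spike from propagating the signature through the whole relay network.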
24. A relaying program which causes a computer serving as a relay to execute processing, the relay receiving from an adjacent relay a signature used to control the passage of packets, registering the received signature in a signature storage unit to control the passage of packets, and sending this signature to other adjacent relays, characterized in that the relaying program causes the computer to execute:
a signature registration determination process of determining whether the signature received from the adjacent relay is already registered in the signature storage unit; and
a signature communication process of, when the signature registration determination process determines that it is not yet registered, registering the signature received from the adjacent relay in the signature storage unit and sending this signature to the other adjacent relays.
25. The relaying program according to claim 24, characterized in that
the signature storage unit stores each signature in correspondence with generation identifying information that uniquely identifies the generation of that signature;
the signature registration determination process determines whether the generation identifying information of the signature received from the adjacent relay is registered in the signature storage unit;
the signature communication process, when the signature registration determination process determines that the generation identifying information is not yet registered in the signature storage unit, registers the signature and generation identifying information received from the adjacent relay in the signature storage unit, and sends this signature and generation identifying information to the other adjacent relays.
26. The relaying program according to claim 25, characterized in that
it causes the computer to execute a signature generation process of generating a signature from the detection of a packet suspected of being an attack, and generating generation identifying information for this signature;
the signature generation process sends the signature and the generation identifying information to an adjacent relay, and registers in the signature storage unit, in correspondence with one another, relay destination information specifying that adjacent relay as the relay destination, the generation identifying information, and the signature.
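The registration by generation identifying information, the relay source and destination records and the registered notice of claims 7 to 10 (together with the registration steps of claims 17 to 19 and 24 to 26), as an added simulation that is not code from the patent. The FIFO message bus, the three-relay ring topology, the generation id format and the dictionary field names are assumptions.

```python
# Simulation of claims 7-10 (and 17-19, 24-26). Added example, not the patent's
# code; the FIFO bus, the ring topology and the field names are assumptions.
from collections import deque

class Network:
    def __init__(self):
        self.relays, self.queue, self.log = {}, deque(), []   # log: (kind, src, dst, gen_id)

    def send(self, kind, src, dst, gen_id, sig=None):
        self.queue.append((kind, src, dst, gen_id, sig))
        self.log.append((kind, src, dst, gen_id))

    def run(self):
        while self.queue:                     # deliver in FIFO order
            kind, src, dst, gen_id, sig = self.queue.popleft()
            if kind == "signature":
                self.relays[dst].receive_signature(gen_id, sig, sender=src)
            else:                             # kind == "registered"
                self.relays[dst].receive_registered_notice(gen_id, sender=src)

class Relay:
    def __init__(self, net, name, neighbors):
        self.net, self.name, self.neighbors = net, name, set(neighbors)
        self.memory = {}      # gen_id -> {"sig", "source", "dests"}: the signature storage unit
        net.relays[name] = self

    def _send_all(self, gen_id, sig, dests):
        for d in sorted(dests):
            self.net.send("signature", self.name, d, gen_id, sig)

    def generate_signature(self, sig):
        # Claims 8/19: generation id unique to this relay; recipients become destinations.
        gen_id = f"{self.name}-{len(self.memory) + 1}"
        self.memory[gen_id] = {"sig": sig, "source": None, "dests": set(self.neighbors)}
        self._send_all(gen_id, sig, self.neighbors)
        return gen_id

    def update_signature(self, gen_id, sig):   # re-issue under the same generation id
        self.memory[gen_id]["sig"] = sig
        self._send_all(gen_id, sig, self.memory[gen_id]["dests"])

    def receive_signature(self, gen_id, sig, sender):
        entry = self.memory.get(gen_id)
        if entry is None:                     # claim 9: not yet registered
            dests = self.neighbors - {sender}
            self.memory[gen_id] = {"sig": sig, "source": sender, "dests": dests}
            self._send_all(gen_id, sig, dests)
        elif entry["source"] == sender:       # claim 9: same source, overwrite entry
            entry["sig"] = sig
            self._send_all(gen_id, sig, entry["dests"])
        else:                                 # claim 10: other source, send notice back
            self.net.send("registered", self.name, sender, gen_id)

    def receive_registered_notice(self, gen_id, sender):
        self.memory[gen_id]["dests"].discard(sender)   # claim 10: stop relaying to it

def simulate():
    net = Network()
    for name, nbrs in [("A", ["B", "C"]), ("B", ["A", "C"]), ("C", ["A", "B"])]:   # constructed ring
        Relay(net, name, nbrs)
    gen_id = net.relays["A"].generate_signature({"dst": "192.0.2.10"})
    net.run()                     # 4 signature messages, then 2 registered notices
    net.relays["A"].update_signature(gen_id, {"dst": "192.0.2.10", "proto": "udp"})
    net.run()                     # the update travels only along the pruned tree
    return net, gen_id
```

On the ring, the two registered notices prune B's and C's destination lists, so A's later update of the same signature reaches each relay exactly once instead of circulating.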
CN 200580003125 2004-10-12 2005-09-20 Repeater, repeating method, repeating program, and network attack defending system Pending CN1910878A (en)

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
JP298247/2004 2004-10-12
JP2004298247 2004-10-12
JP308554/2004 2004-10-22

Publications (1)

Publication Number Publication Date
CN1910878A true CN1910878A (en) 2007-02-07

Family

ID=37700891

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200580003125 Pending CN1910878A (en) 2004-10-12 2005-09-20 Repeater, repeating method, repeating program, and network attack defending system

Country Status (1)

Country Link
CN (1) CN1910878A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109655817A (en) * 2019-01-30 2019-04-19 清华大学 Relay attack defence method and system based on pulse time-of-flight ranging
CN111245497A (en) * 2020-01-10 2020-06-05 展讯通信(上海)有限公司 Relay control method, system, electronic device, and storage medium


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20070207