JP2003091465A - Defensive system, device and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To prevent the depletion of resources at a server side with respect to a large amount of request packets transmitted through a network to the server. SOLUTION: A defensive device 30 inspects the header information of each of a request packet P1 related with a server 6 and a corresponding reply packet P2, and suppresses the passage of the request packet P1 in a boundary router 10 based on the delay of a reply time until the replay packet P2 is returned from the server 6.

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to the security of a server device connected to a network, and more particularly to a defense system for detecting a large number of processing requests to the server device and protecting the server device from resource exhaustion, Device and program

[0002]

2. Description of the Related Art An intrusion detection system is known as a technique for countering an intrusion attack in which an attacker sends an abnormal packet or a packet that punches a security hole in a server connected to a network.

FIG. 7 is a schematic diagram showing a network configuration to which this type of intrusion detection system is applied. The intrusion detection system 1 constantly sends a request packet sent from an attacker (hereinafter, also referred to as an attack agent) 2 to a server 6 on a communication subnet 5 via the Internet 3 and a router 4 in one direction on the same subnet 5. It is collected via the router 7.

Then, the intrusion detection system 1 analyzes the payload information of the request packet, detects the request packet for the intrusion / attack while referring to the intrusion detection rule database 8, and blocks the passage of the request packet. The request packet blocking instruction is sent to the router 4 via the control subnet 9.

However, such an intrusion detection system 1
Has the property of being ineffective against an attack that exhausts the resources of the server 6 using a regular access procedure such as a distributed denial of service attack, or a large number of processing requests (hereinafter referred to as an attack etc.), although it is not an attack.

For example, in a distributed denial of service attack, a plurality of attack agents 2 scattered on the Internet 2
When the attacker receives a command to start the attack, it sends an attack packet to the server 6 to be attacked. However, the arrival time of the attack packet includes the transmission time of the start command between the attacker and each attack agent 2 and the transmission time of the attack packet between each attack agent 2 and the server 6 to be attacked. The difference causes variations.

After transmitting the first attack packet, each attack agent 2 continuously transmits attack packets thereafter. Therefore, on the server 6 side, a small amount of packets arrive in the attack start state S1 as shown in FIG.
In transient state S2, attack packets from most attack agents begin to arrive, and in saturated state S3, a large number of packets arrive and the load becomes maximum.

In such a saturated state S3, even if the server 6 is operating as a whole, the service provided to the specific port is stopped, and the service is in a disabled state.

[0009]

As described above,
The existing intrusion detection system 1 has a powerless property against attacks using a regular access procedure.

Further, even if a host scanner is installed in the server 6 to detect an abnormality in the server 6, the server 6 cannot be determined to be abnormal because the load due to the regular access procedure is high.

From the external network, the server 6
Since there is no response to the request to the server 6, it is possible to determine that the server 6 is in an abnormal state. However, from the internal network, unless the server 6 is directly accessed using the same resource used for access from the external network, It cannot be determined that the server 6 is in an abnormal state.

On the other hand, even if the amount of resources on the side of the server 6 is increased, the amount of resources on the side of the attack agent 2 can be increased very easily, so this is not an essential solution.

The present invention has been made in consideration of the above circumstances, and provides a defense system, device and program capable of preventing exhaustion of resources on the server side with respect to a large number of request packets transmitted to a server via a network. It is characterized by providing.

[0014]

A first aspect of the present invention is a defense system for protecting the server from a large number of request packets addressed to the server, the request relating to the server on a subnet to which the server is connected. A defense system that inspects the response time of a response packet corresponding to a packet and suppresses the communication volume of a request packet based on the delay of the response time. Therefore, it is possible to prevent exhaustion of resources on the server side with respect to a large number of request packets transmitted to the server via the network.

A second invention relates to a communication path from an external network to a server via a router and a first subnet, and is a protection device for protecting the server from a large number of request packets addressed to the server. , The first
On the subnet, the response time of the response packet corresponding to the request packet for the server is inspected, and based on the delay of the response time, an instruction for suppressing the passage amount of the request packet is sent to the router by the second subnet. It is a defense device that is sent via. Therefore, the same operation as that of the first invention can be achieved.

In a third aspect based on the second aspect, as the response time check, the request packet and the response packet regarding the server are specified based on the header information of each packet on the first subnet. It is a defense device including. Therefore, in addition to obtaining the same effect as the first aspect of the invention, unlike the prior art, since the processing is based on the header information, it can be executed at high speed and with low load.

Although the first invention is expressed as a "system" and the second and third inventions are expressed as "apparatus", the invention is not limited to this and may be expressed using other expressions. . For example, the first invention may be expressed as "apparatus", "method" or "program", and the second and third inventions may be expressed as "method" or "program".

[0018]

DETAILED DESCRIPTION OF THE INVENTION An embodiment of the present invention will be described below with reference to the drawings. FIG. 1 is a schematic diagram showing a network configuration to which a defense system according to an embodiment of the present invention is applied, and the same parts as those in the above-mentioned drawings are designated by the same reference numerals.

This defense system protects the server 6 on the communication subnet 5 of the internal network against an attack from the attack agent 2 on the external network such as the Internet 3.

However, unlike the prior art, it does not have an intrusion detection function based on the payload of the request packet, and as described later, it suppresses the passing amount of the request packet based on the header information of each of the request packet and the response packet. To do.

Specifically, the defense system includes a border router 10, a one-way router 7, a communication tendency database 20, and a defense device 30. The defense system may include the function of the existing intrusion detection system 1. In this case, the defense device 30 includes the intrusion detection function of the intrusion detection system 1, and the communication tendency database 20 includes the intrusion detection rule database 8. However, in any case, the defense system operates independently of the existing intrusion detection system.

Now, the border router 10 of the defense system is
As shown in FIG. 2, the filtering engine 12 connected to the filtering rule DB 11 is connected to the Internet 3 as an external network via the external interface 13, while the communication subnet 5 as an internal network is connected via the internal interface 14. And the control subnet 9.

The filtering rule DB 11 is a database readable / writable by the filtering engine 12, and is used by the boundary router 10 for request packets transmitted from the attack agent 2 on the Internet to the server 6 on the communication subnet 5. From the viewpoint of suppressing the passing amount to be equal to or less than the amount designated by the command, it has a function of storing a filtering rule r for specifying a request packet to be suppressed.

Here, the filtering rule r is header information of the request packet addressed to the server 6, for example, the source address (attacker device), the destination address (server), the upper layer protocol, the transmission in the header information. The source port number (attacker device), the destination port number (server), and the like.

The filtering engine 12 is based on the packet passing amount designation command received from the defense device 30 via the control subnet 9, and the filtering rule DB 1
The write / read processing is performed on the request packet 1, the request packet taken from the Internet 3, passed through the boundary router 10 and transmitted to the communication subnet 5 is suppressed in the amount of passage in the boundary router 10.

The filtering engine 12 may inspect the header information of the request packet and the header information in the payload information. Here, TCP (Transmission Control Protocol) and U are used as upper layer protocols.
When DP (User Datagram Protocol) is used, upper payload information may be fragmented, and TCP header information may remain only in the fragmented request packet at the beginning. In this case, IP (Internet Protoco
l) Header identifier field and DF (Don't Fragme
nt) bits and whether or not the request packets are continuous request packets for the upper layer protocol. Therefore, when using the setting information (port number, etc.) in the upper layer protocol at the time of filtering, it is necessary to write the setting information also in the filtering rule DB 11.

Further, the filtering engine 12 is not limited to the configuration in which the filtering rule DB 11 is referred to,
A frequently used rule set may be cached in its own memory (not shown) to increase the speed, or another speed-up method may be used.

The present embodiment shows a case where the boundary router 10 suppresses the passage of a large number of packets from the Internet 3. That is, in order to suppress the passage of a large amount of packets from the internal communication subnet 5, similarly, a boundary router (not shown) dedicated to the internal may be provided.

The one-way router 7 is similar to the one described above, and protects each packet on the communication subnet 5 from the defense device 30.
And has a one-way transfer function for blocking the passage of packets from the protection device 30. However, the one-way router 7 is for hiding the intrusion detection system 1,
Since it is not an essential requirement of the present invention, it may be omitted.

The communication tendency database 20 is used as the defense device 3.
The data can be read / written from 0, and the communication tendency data indicating the communication tendency between the request packet addressed to the server 6 and the response packet on the communication subnet 5 is stored.

Here, as the communication tendency data, for example, an appropriate combination of the following [1] to [5] can be used. [1] Header information of request packet {source address (attacker), destination address (server), upper layer protocol, source port number (attacker), destination port number (server)}. [2] Header information in the response packet to the request packet {source address (server), destination address (attacker), upper layer protocol, source port number (server), destination port number (attacker)}. [3] Statistical information (average value, standard deviation, etc.) of the response time of the response packet to the request packet obtained for each upper protocol. [4] Statistical information (average value, standard deviation, etc.) of the data length of the response packet obtained for each upper protocol. In addition, when the intrusion detection system 1 is installed side by side, the communication tendency database 20 may be provided in the same database server as the intrusion detection rule database 8 when importance is attached to simplicity, and is different when importance is attached to performance. It may be installed in the database server of.

On the other hand, the defense device 30 monitors the header information of each packet on the communication subnet 5,
It has a function of detecting the transient state S2 of the request packet to the server 6 and a function of outputting a packet passage amount designation command for leaving the saturated state S3 after the transient state S2 to the boundary router 10 to the control subnet 9. There is.

Here, as a function of detecting the transient state S2, for example, whether the response time of the response packet of the server 6 (or the number of responses based on the response time) deviates from the communication tendency data in the communication tendency database 20. A function for determining whether or not (a function for detecting a delay in response to a request) is sufficient. Although it is optional, a function to determine whether or not an attack packet includes a characteristic part (eg, an address of an attacking bastion site), or a pre-registered use protocol (and / or software) A function of determining whether or not there is a deviation from the combination of the port number and the used port number (a function of determining an attack packet when the used port number has high randomness) may be added.

Further, the packet passage amount designation command includes header information (source address, destination address, upper layer protocol, source port number, destination port number) for identifying the corresponding request packet and the corresponding request packet. It includes the designation of the passing amount.

The protection device 30 may be realized only by a software configuration of a program installed in advance, but is not limited to this, and may be realized by a hardware configuration and / or a software configuration.

Next, the operation of the defense system configured as described above will be described in the order of "preparation operation" and "defense operation".

(Preparation operation) As shown in FIG. 3, the protection device 30 relates to the packet of the request packet P1 and the response packet P2 related to the server 6 among the packets on the communication subnet 5, and the header of each packet. Information (not payload information) is stored in the communication tendency database 20.

Thereafter, the defense device 30 analyzes the stored contents and stores the statistical information of the response time and the data length of the response packet P2 in the communication tendency database 20.

The response time has a characteristic for each protocol. For example, in the case of a simple request-response type protocol, the response time is instantaneous, but in the case of a protocol in which some calculation is performed on the server side, the response time becomes long.

Similarly, the data length also has a characteristic for each protocol. For example, regarding the response packet, HTTP (HyperT
ext Transfer Protocol) and FTP (File Transfer Pro)
The data length of "tocol)" is relatively long, but the data length of Telnet is not so long.

Further, the contents of the request packet P1 are biased for each user. This is because some users prefer HTTP
This is because some users prefer the lnet session. Further, the frequency of request packets P1 is also biased for each user.

Therefore, it is important to manage the higher level protocol used for each transmission source.

As described above, the response time of the response packet, the data length, and the content of the request packet have their respective characteristics.

The protection device 30 routinely stores these characteristics in the communication tendency database 20 as communication tendency data and updates them as needed.

Based on the above-mentioned communication tendency data, the defense device 30 determines and detects an attack by a large number of packets and a transient state S2 in which a large number of packets are received although it is not an attack.

It should be noted that, as a criterion for judging an attack or the like, it can be generally determined from experience that the contents of each packet are biased to some extent. However, even if it is not based on experience, if the number of response packets P2 extremely decreases with respect to the number of request packets P1, it can be determined that an attack has been clearly made.

Since the same agent is often used many times for the denial of service attack agent, the characteristic part of the attack packet generated by the agent program (eg, attack step site) Address)
Can be used as a criterion for attack.

The source port number and the destination port number are different when the attacker is the sender and the server 6 is the receiver, and when the attacker is the receiver and the server 6 is the sender (eg, FTP, etc.). ).

In this case, the used port number according to the used protocol and the used software may be registered in advance. This makes it possible to create a criterion for determining an attack packet when the port number used is highly random.

(Defense Operation) Now, as described above, the communication tendency data is held in the communication tendency database 20, and the protection device 30 is a one-way router from the communication subnet 5 as shown in FIG. It is assumed that, out of the packets obtained via the server 7, the request packet addressed to the server 6 and its response packet are specified and monitored based on the respective header information (time t0).

At this time, as shown in FIG. 5, the defense device 30 causes the response time of the response packet P2 to the request packet P1 on the communication subnet 5 to be the response time of the communication tendency data (eg, average value) + It is checked whether it is within an error range (eg, about twice the standard deviation) (ST1), and the transient state S
It is determined whether it is 2 (ST2).

As a result of the judgment, the defense device 30 determines that the transient state S
When 2 is detected (time t1), a packet passage amount designation command for suppressing the passage amount of the request packet P1 is sent to the border router 10 via the control subnet 9 (ST.
3).

The boundary router 10 individually cuts off or passes a plurality of arriving request packets P1 based on the packet passage amount designating instruction, thereby determining the number of request packets P1 sent to the communication subnet 5 as a server. 6 is suppressed to a number that can respond (ST4; time t
2).

The border router 10 sends the request packet P
It is preferable to completely prevent the saturation state S3 of 1.
The present invention is not limited to this, and it is sufficient that the saturated state S3 is restored for a short period of time (time t2 ^* ).

For example, although it is a problem that the server 6 stops for a long time, it may stop even in a mainframe which is said to be robust, so if MTBF (average down interval) is long and MTTR (average recovery time) is short. I think there is no problem.

In any case, the request packet P arriving at the server 6 is reached by suppressing the passage amount by the border router 10.
Since the amount of 1 decreases, the server 6 maintains the responsive state.

After that, when the defense device 30 determines that the attack or the like has converged (ST5), it sends a cancellation command to the border router 10 via the control subnet 9 to cancel the suppression of the passing amount and return to the normal state. (ST6).

The criterion for convergence is empirically determined in consideration of the trade-off between security and availability of the server 6, but in this example, the border router 10 is notified based on the notification from the border router 10. When the number of arriving request packets P1 is reduced to about 30% of the maximum load, it is restored. However, the present invention is not limited to this, and may be restored when the passing amount of the request packet P1 becomes a value lower than the value of the passing amount designation command.

As described above, according to the present embodiment, the defense device 30 inspects the header information of each of the request packet P1 regarding the server 6 and the corresponding response packet P2, and the server 6 returns the response packet P2. Based on the delay in response time, the request packet P in the border router 10
Since the passing amount of 1 is suppressed, it is possible to prevent exhaustion of resources on the server side with respect to a large number of request packets transmitted to the server via the network.

Supplementally, in the present embodiment, the inspection is performed based on the header information such as the transmission source address and the response data length for each protocol, but unlike the prior art, the inspection and statistical analysis of the payload information of the request packet P1 are not performed. The configuration realizes high-speed processing and a small amount of storage area.

Further, according to the present embodiment, the request packet P1 and the response packet P2 for the server 6 are associated with each other at the passing amount level, which is different from the conventional one, and even a normal request packet P1 will result in an attack. The request packet P1 can be detected.

Further, in the present embodiment, the policy of "preventing an attack etc. to the extent that the server 6 can respond" makes the detection process of an attack etc. more efficient.

For example, if an attack is detected and an attacker is specified, a large amount of calculation is required. However, since the present invention is specialized in preventing an attack and does not specify an attacker, a small amount of resources are required. Can be implemented in. Note that the identification of an attacker via the network often ends in vain due to IP address spoofing (spoofing) or the like. Therefore, in the present invention,
We are trying to improve efficiency without unnecessary identification.

Further, by dynamically changing the filtering rule r of the boundary router 10, the amount of request packets can be changed according to the start of an attack or the end of an attack, so that the server can be operated efficiently. can do.

The present embodiment may be modified into a configuration in which the boundary router 10 transfers the request packet P1 and the response packet P2 to the control subnet 9 as shown in FIG. 6, for example. That is, regardless of the specific network topology, the defense device 30 can monitor each of the packets P1 and P2, can transmit the packet passage amount designation command to the boundary router 10, and as a result can suppress the passage amount of the request packet P1. If any, it is included in the scope of the present invention.

The method described in each of the above embodiments is
As a program that can be executed by a computer, a magnetic disk (floppy (registered trademark) disk,
Hard disk, etc., Optical disk (CD-ROM, D
It can be stored in a storage medium such as a VD), a magneto-optical disk (MO), a semiconductor memory or the like and distributed.

The storage medium may have any storage format as long as it can store the program and can be read by a computer.

Further, an OS (operating system) running on the computer based on an instruction of a program installed in the computer from the storage medium,
MW such as database management software and network software
(Middleware) or the like may execute a part of each processing for realizing the present embodiment.

Further, the storage medium in the present invention is not limited to a medium independent of a computer, but includes a storage medium in which a program transmitted via a LAN, the Internet or the like is downloaded and stored or temporarily stored.

Further, the number of storage media is not limited to one, and a case in which the processing in this embodiment is executed from a plurality of media is also included in the storage media in the present invention, and the medium configuration may be any configuration.

The computer according to the present invention executes each processing in the present embodiment based on the program stored in the storage medium, and a device such as a personal computer and a plurality of devices are connected to the network. It may have any configuration such as an established system.

The computer in the present invention means
Not only a personal computer but also an arithmetic processing unit, a microcomputer, and the like included in an information processing device, which collectively refer to a device and a device that can realize the functions of the present invention by a program.

The invention of the present application is not limited to the above-described embodiments, and can be variously modified at the stage of implementation without departing from the scope of the invention. In addition, the respective embodiments may be implemented by being combined appropriately as far as possible, in which case the combined effects can be obtained. Further, the above-described embodiments include inventions at various stages, and various inventions can be extracted by appropriately combining a plurality of disclosed constituent requirements. For example, when the invention is extracted by omitting some of the constituent elements shown in the embodiment, when omitting the extracted invention, the omitted portions are appropriately supplemented by well-known and common techniques. It is something that will be done.

In addition, the present invention can be variously modified and implemented without departing from the scope of the invention.

[0075]

As described above, according to the present invention, exhaustion of resources on the server side can be prevented for a large number of request packets transmitted to a server via a network.

[Brief description of drawings]

FIG. 1 is a schematic diagram showing a network configuration to which a defense system according to an embodiment of the present invention is applied.

FIG. 2 is a schematic diagram showing a configuration of a border router in the same embodiment.

FIG. 3 is a schematic diagram for explaining an operation in the same embodiment.

FIG. 4 is a schematic diagram showing a passing amount of a request packet in the same embodiment.

FIG. 5 is a flowchart for explaining an operation in the same embodiment.

FIG. 6 is a schematic diagram showing a modified configuration of the same embodiment.

FIG. 7 is a schematic diagram showing a network configuration to which a conventional intrusion detection system is applied.

FIG. 8 is a schematic diagram showing the arrival amount of request packets to a conventional server.

[Explanation of symbols]

2 ... Attacker, attack agent 3 ... Internet 5 ... Communication subnet 6 ... server 7 ... One way router 9 ... Control subnet 9 10 ... Border router 11 ... Filtering rule DB 12 ... Filtering engine 13 ... External interface 14 ... Internal interface 20 ... Communication trend database 30 ... Defense device

   ─────────────────────────────────────────────────── ─── Continued front page    (72) Inventor Toshiaki Saisho             No. 1 Toshiba-cho, Fuchu-shi, Tokyo Toshiba Corporation             Fuchu Office F-term (reference) 5B089 GA11 GA31 GB02 KA17 KC47                       KC52 KC54 MA01 MC06                 5K030 HA08 HD03 HD06 KA01 KA02                       LC01 MB06 MB09

Claims (5)

[Claims] 1. A defense system for protecting a server from a large number of request packets addressed to the server, wherein a response time of a response packet corresponding to the request packet for the server on a subnet to which the server is connected is set. A defense system which checks and suppresses the communication volume of request packets based on the delay of the response time. 2. A communication path from an external network to a server via a router and a first subnet,
A defense device for protecting the server from a large number of request packets addressed to the server, inspecting a response time of a response packet corresponding to the request packet for the server on the first subnet, and delaying the response time. Based on the above, a defense device is characterized in that a command for suppressing the passing amount of a request packet is sent to the router via the second subnet. 3. The defense device according to claim 2, wherein the response time check identifies a request packet and a response packet regarding the server based on header information of each packet on the first subnet. A defense device characterized by including. 4. A communication path from an external network to a server via a router and a first subnet,
A defense program used in a defense device for defending the server from a large number of request packets addressed to the server, wherein a computer of the defense device responds to a request packet relating to the server on the first subnet. A defense for functioning as a means for inspecting the response time of a packet and sending an instruction for suppressing the passage amount of a request packet to the router via the second subnet based on the delay of the response time. For programs. 5. The defense program according to claim 4, wherein the response time check specifies a request packet and a response packet regarding the server based on header information of each packet on the first subnet. A defense program characterized by including.