JP2006279531A - Network processor, network processing method, and network processing program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To perform protocol processing without making a session memory overflow at the time of high-load access. <P>SOLUTION: A time-out time of a session is dynamically varied according to a session rate to enable the protocol processing without making the session memory overflow at the time of high-load access. A session rate measurement part 22 receives packets from a packet receiving means 10, and measures and stores a session rate (a) in a session rate storage part 31. A time-out time arithmetic part 23 reads the session rate (a) and session memory maximum capacity D out of the session rate storage part 31 and a session memory maximum capacity storage part 32, respectively, calculates a time-out time of the session from t=D/a, and registers the time-out time (t) in a session information storage part 33 through a time-out time registration part 24. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a network processing device, a network processing method, and a network processing program for processing a high load state caused by mass access, and more particularly to a network processing device, a network processing method, and a network for dynamically registering and updating a timeout time of a new session. It relates to a processing program.

  With the recent development of Internet technology, it is required to design network devices such as servers and routers on the Internet so that they can withstand higher loads and mass access. In addition, fraud attacking servers on the Internet is increasing due to continued mass access. Such fraud that continues mass access is generally called DoS (Denial of Service).

  A TCP-SYN-Flood attack exists as a form of DoS attack. “TCP-SYN-Flood” is an attack in which a large amount of TCP (Transmission Control Protocol) packets with the SYN flag set in the header field are sent. Generally, a server (network device) has a session memory that stores TCP session management information (session information) such as a TCP source address, a destination address, and a TCP state. When receiving the SYN packet, the server registers the session corresponding to the SYN packet as a new session in the session memory. In addition, the server returns a SYN-ACK packet to the host indicated by the source IP address. In this case, if there is no response from the transmission source host, the server continues to retransmit the SYN-ACK packet to the transmission source host until a timeout (Connection Establishment Timeout) occurs.

  When a TCP-SYN-Flood attack is performed, the attack target server often receives a SYN packet with a false source address from the attack source host. When a SYN packet in which the SourceIP address is false is received, the attack target server sends a SYN-ACK packet to the false IP address, so that a response from the transmission source cannot be obtained. If such an illegal SYN packet is continuously received, the attack target server runs out of session memory and cannot respond to an access from a legitimate host.

  Further, as another form of DoS attack, there is an attack called DDoS (Distributed DoS) in which a plurality of hosts simultaneously access a large number of attack target servers. In this case, a host that accesses a large amount is not necessarily owned by an attacker who normally performs unauthorized access, and is often attacked by another server used by the attacker.

  When receiving these DoS attacks, the server under attack generally cannot know which host is being attacked. In general, since these attacks are executed by an automatic process by a program, the attack target server is usually attacked for a long time.

  As a method for coping with a DoS attack, for example, Patent Literature 1 describes a network device that performs monitoring by setting a threshold value of the maximum traffic of TCP-SYN that is accepted in advance by a server to be protected. When the traffic exceeds the threshold, the network device described in Patent Document 1 performs filtering for the excess and notifies the address and threshold of the server to all subscriber accommodation edges and all border routers in the same ISP. By doing so, the network device minimizes DDoS attack countermeasure processing in the network.

  Non-Patent Document 1 describes a network program mounting method for dealing with TCP-SYN-Flood. In the method described in Non-Patent Document 1, when the TCP-SYN-Flood countermeasure internal flag is 1, whether the number of TCP Half-Open connections exceeds the threshold set in advance by the internal parameter. Determine whether. When the threshold value is exceeded, the number of times the SYN-ACK packet is retransmitted for SYN is reduced.

JP 2004-166029 A (paragraph 0026-0030, FIG. 1-2) "Security Considerations for Network Attacks", [online], Microsoft Corporation, [Search January 7, 2005], Internet <URL: http://www.microsoft.com/technet/archive/security/prodtech/windows/ iis / dosrv.mspx>

  When using the network device described in Patent Document 1 or the method described in Non-Patent Document 1, a network administrator must set a predetermined threshold value in advance. However, the optimum threshold value may vary depending on the network conditions (variation due to time, day of the week or season, event, change in network configuration, spread of virus). Therefore, it is burdensome for the network administrator to determine and set the optimal threshold value in advance.

  In the method described in Non-Patent Document 1, the network device accepts all sessions when the value is slightly smaller than the threshold value. On the other hand, when the number of sessions slightly increases and exceeds the threshold value, the number of sessions Even though the change in the signal is small, the response is completely different. That is, the network device does not take any DoS attack countermeasures for “light” attacks that do not exceed the threshold, but if the threshold is exceeded, no matter how “heavy” the attack is. Thus, countermeasures for DoS attacks are similarly taken. Therefore, by performing processing using the threshold value, the behavior (processing) of the network device near the threshold value becomes discontinuous.

  In addition, the network device described in Patent Literature 1 performs filtering for all new sessions that exceed the TCP Half-Open threshold. Therefore, as the DoS attack traffic increases, the frequency at which legitimate clients (hosts) are denied access increases. Therefore, while the server is under attack from an unauthorized host, even a legitimate client is denied access to the server.

  Even during a DoS attack, if the maximum number of entries in the session memory is sufficiently large, all sessions can be handled. For example, if a TCP-SYN-Flood attack is received at a rate of 100 (sessions / second) and the ConnectionEstablishment Timeout (timeout time) is 75 seconds, the maximum number of entries in the session memory is 100 (sessions / second) × If 75 (second) = 7500 entries or more, all connections can be handled. However, since the maximum number of entries in the session memory is finite, if the rate of the TCP-SYN-Flood attack is higher than 100 (sessions / second), the session memory overflows (overflows), and a connection that cannot respond is generated. Even if the maximum number of entries in the session memory is sufficiently large, it cannot be increased indefinitely. If the rate of the TCP-SYN-Flood attack is large, a connection that cannot be responded occurs.

  Therefore, the present invention provides a network processing device, a network processing method, and a network processing program capable of responding to access from a legitimate client even during overload access from an unauthorized host. Objective. It is another object of the present invention to provide a network processing device, a network processing method, and a network processing program that do not require a network administrator to perform threshold setting work and can reduce the burden on the network administrator. It is another object of the present invention to provide a network processing device, a network processing method, and a network processing program that can cope with an unauthorized attack access rate without providing a threshold.

  The network processing device according to the present invention is a network processing device for processing a high load state caused by mass access, and when a new session to be handled by the network processing device is detected, a timeout corresponding to the new session is determined according to a predetermined condition. Timeout deletion means for dynamically obtaining the time (for example, realized by the timeout time calculator 23) and entry deletion for deleting the entry of the session that has timed out based on the timeout time obtained by the timeout time calculation means Means (for example, realized by the aging processing means 40) and response means (for example, a response packet) for transmitting response data (for example, a response packet) to the client corresponding to the entry of the currently registered session. response Characterized by comprising a to) and implemented by packet sending unit 50.

  The network processing apparatus is a network processing apparatus that processes a high load state caused by mass access, and is realized by a packet receiving unit (for example, the packet receiving unit 10) that receives a packet from a client via a communication network. ), A session information storage means (for example, realized by the session information storage unit 33) for storing session information indicating a session currently handled by the network processing apparatus, and a packet reception means receiving a packet of a new session A time-out time calculating means for dynamically obtaining a time-out time corresponding to a new session according to a predetermined condition; and session information including the time-out time obtained by the time-out time calculating means is stored in the session information storage means. Based on the time-out time indicated in the session information stored in the session information storage means by the entry registration means (for example, realized by the time-out time registration unit 24) for registering a new session entry, Timeout determination means (for example, realized by the aging processing means 40) for determining whether or not the timeout time has elapsed for the currently handled session, and session information when the timeout determination means determines that the timeout time has elapsed. By deleting the session information corresponding to the session for which the timeout period has elapsed from the storage means, the entry deletion means for deleting the session entry and the client corresponding to the currently registered session entry are communicated. Reply packet transmitting means for transmitting a response packet through the network (e.g., as implemented by the response packet transmitting unit 50) is desirably that a.

  Further, the network processing apparatus includes a session rate calculation unit (for example, realized by the session rate measurement unit 22) that obtains a session rate indicating a ratio of new sessions that occur per predetermined unit, and the timeout time calculation unit includes: A timeout time corresponding to a new session may be dynamically obtained based on the session rate obtained by the session rate calculation means.

  In the network processing apparatus, the session rate calculation means may determine the session rate by calculating an average of the number of received packets of a new session according to a predetermined sampling unit.

  Further, in the network processing device, the session rate calculation means may obtain the session rate according to a predetermined time unit as a sampling unit.

  In the network processing apparatus, the session rate calculation means may obtain the session rate according to a unit of the number of packets received in the past as a sampling unit.

  In the network processing apparatus, the session rate calculation means may obtain a session rate using an exponential smoothing method.

  Further, the network processing apparatus includes a session rate storage unit (for example, realized by the session rate storage unit 31) that stores the session rate obtained by the session rate calculation unit, and the timeout time calculation unit includes: The session rate a may be read and the timeout time t may be obtained using a predetermined function t = f (a).

  Further, the network processing apparatus stores maximum amount storage means (for example, session memory maximum amount storage) for storing a maximum registerable amount D (for example, maximum session memory amount) indicating the maximum amount of session entries that can be registered in the session information storage means. The time-out time calculation means reads the maximum registerable amount D from the maximum amount storage means and uses t = f (a) = D / a as the predetermined function f (a). Thus, the timeout time t may be obtained.

  Further, the network processing apparatus includes a session entry number storage unit (for example, realized by the session memory registration entry number storage unit 34) for storing the entry number d registered in the session information storage unit, and a timeout time calculation unit Reads the session rate a from the session rate storage means, reads the entry number d from the session entry number storage means, and synthesizes a predetermined function f (a) and function g (d). a, d)} may be used to determine the timeout time t.

  Further, in the network processing apparatus, the timeout time calculation means may obtain the timeout time t by using different calculation methods depending on whether the session rate is increased or the session rate is decreased.

  The network processing method according to the present invention is a network processing method for processing a high load state caused by mass access, and when a new session to be handled by a network processing apparatus that processes access from a client is detected, according to a predetermined condition, Dynamically determining the timeout period corresponding to the new session, deleting the session entry that has timed out based on the determined timeout period, and the client corresponding to the currently registered session entry. And transmitting response data via a communication network.

  The network processing method is a network processing method for processing a high load state caused by mass access, and stores session information indicating a session currently handled by a network processing device that processes access from a client in a storage unit. A step of receiving a packet from a client via a communication network, and a step of dynamically obtaining a timeout time corresponding to the new session according to a predetermined condition upon receiving a packet of the new session The network processing device is currently handling the step of registering a new session entry by newly storing the session information including the timeout time in the storage means and the timeout time indicated in the stored session information. The step of determining whether or not the timeout time has elapsed for the session, and if it is determined that the timeout time has elapsed, the session entry corresponding to the session for which the timeout time has elapsed is deleted from the storage means. And a step of transmitting a response packet to the client corresponding to the currently registered session entry via the communication network.

  The network processing program according to the present invention is a network processing program for processing a high load state caused by mass access. When a new session to be handled by the network processing device is detected in the computer, a new processing is performed according to a predetermined condition. Processing to dynamically determine the timeout time corresponding to the session, processing to delete the entry of the session that has timed out based on the calculated timeout time, and communication to the client corresponding to the currently registered session entry And processing for transmitting response data via a network.

  The network processing program is a network processing program for processing a high load state caused by mass access, and a computer having storage means for storing session information indicating a session currently handled by the network processing device. Processing for receiving a packet from a client via a communication network, processing for dynamically determining a timeout time corresponding to a new session according to a predetermined condition when receiving a packet for a new session, and calculating the calculated timeout time Based on the time-out time indicated in the stored session information based on the process of registering a new session entry by newly storing the session information including the storage means, the session currently handled by the network processing device, Processing for determining whether or not the timeout time has elapsed, and determining that the timeout time has elapsed, deletes the session entry by deleting session information corresponding to the session for which the timeout time has elapsed from the storage means It is desirable to cause the client corresponding to the currently registered session entry to execute a process of transmitting a response packet via the communication network.

  A network processing apparatus of the present invention includes a session rate measuring unit that measures a rate of a new SYN packet, a timeout time calculating unit that calculates a timeout time of a session, a timeout time registering unit, and a session information storage unit that stores a timeout time Including. The session information storage unit corresponds to a session memory, and may register session information necessary for various protocol processes.

  With the above configuration, the network processing apparatus is in the process of receiving an overload access from an unauthorized host by dynamically calculating and registering the timeout time according to the connection rate that changes continuously. However, it is possible to achieve the object of the present invention to be able to respond to access from a legitimate client.

  Further, the network processing apparatus obtains a session timeout time = t using the equation t = f (a) = D / a, where a is the session rate from the client and D is the maximum session memory, and sets the timeout value. . By doing so, there is no need for the network administrator to set a threshold value, the network administrator does not need to perform threshold setting work, and the object of the present invention is to reduce the burden on the network administrator. Can be achieved. Further, the object of the present invention can be achieved so that it is possible to cope with an illegal attack access rate without providing a threshold.

  According to the present invention, the timeout time is obtained dynamically even during overload. Then, the entry of the session that has timed out is deleted based on the obtained time-out time. Since it is possible to delete the entry of the session that has timed out based on the dynamically determined time-out time, it is possible to cope with an overloaded access from an unauthorized host. In addition, since it is not necessary to perform filtering based on traffic threshold determination, it is possible to respond to all registered clients. Therefore, even during an overloaded access from an unauthorized host, it is possible to respond to an access from a legitimate client.

  Further, according to the present invention, the session rate is obtained using the exponential smoothing method, and the timeout time is obtained dynamically based on the session rate. Therefore, it is possible to reduce the memory resources and the number of operations when obtaining the timeout time.

  Further, according to the present invention, it is possible to deal with an overloaded access from an unauthorized host by obtaining a timeout time using t = f (a) for the session rate without using a traffic threshold. Can do. Therefore, it is not necessary for the network administrator to set the threshold value, and the burden on the network administrator can be reduced. Further, it is possible to cope with an illegal attack access rate without providing a traffic threshold.

  Further, according to the present invention, it is possible to deal with an overloaded access from an unauthorized host by obtaining a timeout time using the synthesis function f {g (a, d)}. Therefore, by adjusting the function g (d), it is possible to control so as not to exceed the maximum number of session entries even if the session rate varies greatly.

  Further, according to the present invention, the timeout time t is obtained using different calculation methods when the session rate is increased and when the session rate is decreased. By doing so, hysteresis can be given to the characteristic of the timeout time t. Therefore, it is possible to set the session timeout time to a larger value when the session rate is reduced, and to have a value closer to the original timeout value of the protocol when the session rate is reduced.

Embodiment 1 FIG.
Hereinafter, a first embodiment of the present invention will be described with reference to the drawings. FIG. 1 is a block diagram showing an example of the configuration of a network processing apparatus according to the present invention. As shown in FIG. 1, the network processing apparatus includes a packet receiving unit 10, a protocol processing unit 20, a storage unit 30, an aging processing unit 40, and a response packet sending unit 50. In the present embodiment, the network processing device is specifically realized by a server or a relay device (for example, a router) that executes various TCP processes or implements a firewall or a gateway.

  Specifically, the packet receiving unit 10 is realized by a server operating according to a program, a CPU of a relay device, and a network interface unit. The packet receiving means 10 has a function of receiving a packet transmitted by a client via a communication network such as the Internet.

  Specifically, the protocol processing means 20 is realized by a server that operates according to a program or a CPU of a relay device. As shown in FIG. 1, the protocol processing means 20 includes a new packet determination unit 21, a session rate measurement unit 22, a timeout time calculation unit 23, a timeout time registration unit 24, and a protocol response processing unit 25.

  The new packet determining unit 21 has a function of determining whether or not the packet received by the packet receiving unit 10 is a packet for a new session. In the present embodiment, a “session” refers to a period from the start to the end of a series of communications performed between a network processing apparatus and a client. In the present embodiment, the packet that the network processing apparatus first receives from the client at the start of a new session is also referred to as a “new packet”.

  In the present embodiment, the new packet determination unit 21 determines whether or not the received packet is a new packet based on the header information of the received packet. For example, the new packet determination unit 21 determines whether the received packet is a TCP-SYN packet based on the header information. If it is determined that the packet is a TCP-SYN packet, the new packet determination unit 21 determines that the received packet is a new packet.

  The session rate measuring unit 22 has a function of determining at what rate the packet receiving means 10 is receiving a packet of a new session. In the present embodiment, the session rate measuring unit 22 obtains a session rate indicating the ratio of new sessions that occur per predetermined unit.

  In the present embodiment, session rate measurement unit 22 obtains a session rate by obtaining an average of the number of packets of a new session received according to a predetermined sampling unit. For example, the session rate measuring unit 22 obtains a session rate according to a predetermined time unit as a sampling unit. Further, for example, the session rate measuring unit 22 obtains a session rate according to a unit of the number of packets received in the past as a sampling unit.

  For example, the session rate measuring unit 22 counts how much a new packet has passed per unit time. Then, the session rate measuring unit 22 obtains the number of packets a of the new session received by the packet receiving unit 10 per unit time as the session rate based on the count value. For example, the session rate measuring unit 22 counts the number of new session packets determined by the new packet determining unit 21 per second, and obtains the number of new sessions a (sessions / second) per second as the session rate. In addition, the session rate measuring unit 22 writes the obtained value of the session rate a into the session rate storage unit 31.

  The timeout time calculation unit 23 has a function of calculating a timeout time for a new session. In the present embodiment, the timeout time calculation unit 23 reads the session rate a from the session rate storage unit 31 at a predetermined timing. In addition, the timeout time calculation unit 23 reads the session memory maximum amount D indicating the maximum amount of session entries that can be stored in the session memory from the session memory maximum amount storage unit 32. Then, the timeout time calculation unit 23 determines a timeout time t using Expression (1) based on the session rate a and the session memory maximum amount D, with a predetermined calculation function being f (a).

t = f (a) = D / a Formula (1)

  For example, the timeout time calculation unit 23 substitutes the read session rate a (sessions / second) and the maximum session memory amount D (sessions) into the equation (1) to obtain the timeout time t (second).

  The timeout time registration unit 24 has a function of registering the timeout time t as an entry for a new session in the session information storage unit (session memory) 33. In the present embodiment, the timeout time registration unit 24 causes the session information storage unit 33 to store session information necessary for protocol processing of a new session when the timeout time calculation unit 23 obtains the timeout time t. In the present embodiment, the session information stored in the session information storage unit 33 indicates a session currently handled by the network processing apparatus.

  “Protocol processing” is, for example, processing for determining whether or not to transmit a SYN-ACK packet to a transmission source for a TCP SYN packet. In the present embodiment, the timeout time registration unit 24 stores session information including, for example, the transmission source IP address, port number, TCP sequence number, confirmation response number, and TCP internal state in addition to the timeout time t. Store in the unit 33. In the present embodiment, “new entry registration” is realized by the timeout time registration unit 24 storing session information including the timeout time t in the session information storage unit 33 in association with the session. .

  The protocol response processing unit 25 has a function of executing various TCP processes for the received SYN packet. In the present embodiment, the protocol response processing unit 25 determines a packet to be responded by the protocol processing. Further, the protocol response processing unit 25 reads protocol information (session information) including the timeout time t from the session information storage unit 33. Further, the protocol response processing unit 25 instructs the response packet sending unit 50 to respond to the transmission source client based on the read session information.

  The protocol response processing unit 25 has a function of writing the updated protocol information in the session information storage unit 33. In the present embodiment, the protocol response processing unit 25 writes session information including the updated TCP internal state, sequence number, and confirmation response number by various TCP processes in the session information storage unit 33. In the present embodiment, when the aging processing unit 40 updates the timeout time t, the protocol response processing unit 25 updates the information stored in the session information storage unit 33 to the session information including the updated timeout time. .

  Specifically, the storage unit 30 is realized by a storage device (for example, a magnetic disk device) of a server or a relay device. As shown in FIG. 1, the storage unit 30 includes a session rate storage unit 31, a session memory maximum amount storage unit 32, and a session information storage unit 33.

  The session rate storage unit 31 stores the session rate a measured (obtained) by the session rate measuring unit 22. The session memory maximum amount storage unit 32 stores in advance the maximum registerable amount (session memory maximum amount D) of the session information storage unit 33.

  The session information storage unit 33 stores the timeout time t obtained by the timeout time calculation unit 23 in accordance with an instruction from the timeout time registration unit 24. Further, the session information storage unit 33 stores session information necessary for protocol processing including the timeout time of each session. In the present embodiment, the session memory is realized by the session information storage unit 33.

  Specifically, the aging processing means 40 is realized by a CPU that operates according to a program or a CPU of a relay device. The aging processing means 40 has a function of updating the timeout time of each entry stored in the session information storage unit 33 and determining whether or not the elapsed time after receiving a new packet has exceeded the timeout time. Further, the aging processing means 40 has a function of performing processing for deleting an entry of a session that has timed out when it is determined that the time-out time has elapsed. In the present embodiment, “deletion of entry” is realized by the aging processing unit 40 deleting session information including a timeout time from the session information storage unit 33.

  Specifically, the response packet sending unit 50 is realized by a server operating according to a program, a CPU of a relay device, and a network interface unit. The response packet sending unit 50 has a function of sending a response packet to the transmission source client in accordance with a response instruction from the protocol response processing unit 25.

  In the present embodiment, the storage device of the network processing device stores various programs for dealing with unauthorized mass access. For example, when the storage device of the network processing device detects a new session to be handled by the network processing device in the computer, the processing for dynamically obtaining the timeout time corresponding to the new session according to a predetermined condition and the obtained timeout A network processing program for executing processing for deleting a session entry that has timed out based on time and processing for transmitting response data via a communication network to a client corresponding to the currently registered session entry Is remembered.

  Next, the operation will be described. FIG. 2 is a flowchart illustrating an example of a process in which the network processing apparatus registers an entry for a new session and a process in which a response packet is transmitted to the transmission source client. The packet receiving means 10 receives various packets from each client as needed via the communication network (step S11). When receiving a packet from the client, the packet receiving unit 10 outputs the received packet to the new packet determining unit 21.

  The new packet determination unit 21. It is determined whether or not the packet from the packet receiving means 10 is a packet for a new session (steps S12 and S13). For example, when communication is performed using TCP, the new packet determination unit 21 checks whether a TCP-SYN flag is set in the packet. In this case, for example, the new packet determination unit 21 determines whether the TCP-SYN flag is included in the header information of the packet. If it is determined that the TCP-SYN flag is set (included in the header information), the new packet determination unit 21 determines that the received packet is a new session packet. If it is determined that the TCP-SYN flag is not set (not included in the header information), the new packet determination unit 21 determines that the received packet is not a new session packet.

  If it is determined that the packet is not a new packet, the new packet determination unit 21 passes the processing to the protocol response processing unit 25 as it is without performing the processing from step S14 to step S16.

  If it is determined that the packet is a new packet, the new packet determination unit 21 passes the processing to the session rate measurement unit 22. The session rate processing unit 22 counts new session packets flowing per unit time, and obtains the counted value as the session rate a (step S14). In addition, the session rate measuring unit 22 registers the obtained session rate a in the session rate storage unit 31. That is, the session rate measuring unit 22 obtains the number of packets a of a new session received by the packet receiving unit 10 per unit time as the session rate based on the count value. Then, the session rate measuring unit 22 stores the obtained session rate a in the session rate storage unit 31.

  The timeout time calculation unit 23 reads the session rate a from the session rate storage unit 31. Further, the timeout time calculation unit 23 reads the session memory maximum amount D from the session memory maximum amount storage unit 32. Then, the timeout time calculating unit 23 sets f (a) as a function for obtaining the value of the session timeout time t, and uses the expression (1) to calculate the timeout time t based on the read session rate a and session memory maximum amount D. Is obtained (step S15). Further, the timeout time calculation unit 23 passes the obtained timeout time t to the timeout time registration unit 24.

  The timeout time registration unit 24 registers the timeout time t as a new session entry in the session information storage unit (session memory) 33 (step S16). In this case, the timeout time registration unit 24 registers the new session entry by causing the session information storage unit 33 to store the session information including the timeout time t obtained by the timeout time calculation unit 23. Then, the timeout time registration unit 24 moves the process to the protocol response processing unit 25.

  As described above, by executing the processing from step S11 to step S16, when the network processing apparatus receives a packet for a new session, it dynamically obtains a timeout time according to the current session rate a, Register the entry.

  Next, an operation in which the network processing apparatus transmits a response packet every predetermined time to the client corresponding to each session will be described. The protocol response processing unit 25 performs main processing of protocol operation at every predetermined time. The “main process of protocol operation” is, for example, a process of checking the TCP sequence number and ACK number of a received packet and performing various window controls.

  The protocol response processing unit 25 reads main processing information (session information) including the timeout time of each session from the session memory (session information storage unit 33) at predetermined time intervals. Further, the protocol response processing unit 25 instructs the response packet sending unit 50 for each entry to transmit a response packet to the transmission source client based on the read session information. For example, the protocol response processing unit 25 instructs transmission of a response packet according to the transmission source address indicated in the read session information.

  In addition, the network processing device writes the value updated by the protocol processing in the session memory 33 again (step S17). For example, the protocol response processing unit 25 writes the session information including the updated TCP internal state, sequence number, and confirmation response number by various TCP processes in the session information storage unit 33. For example, the protocol response processing unit 25 updates the session information storage unit 33 based on the session information including the timeout time updated by the aging processing unit 40.

  The response packet sending means 50 transmits the response packet to the client via the communication network in accordance with the instruction from the protocol response processing unit 25 (step S18). For example, when TCP is used, the response packet sending means 50 sends a SYN-ACK packet to the client for the SYN packet, sends an ACK packet to the client for the data packet, and performs a FIN for the FIN-ACK packet. -Send an ACK response packet to the client.

  As described above, by executing the processing of step S17 and step S18, the network processing apparatus transmits a response packet to each transmission source client for each session currently registered for entry every predetermined time.

  Next, the operation of the aging processing means 40 will be described. The aging processing means 40 performs an aging process for the session memory. The “aging process” is a timer update process for the session memory. In the present embodiment, the aging processing means 40 executes, for example, the aging process at the timing of performing the protocol process in step S17, and updates the timeout time of each session. Then, the aging processing means 40 updates the session information storage unit 33 based on the session information including the updated timeout time. Further, in the present embodiment, the aging processing means 40 deletes an entry for which there is no response from the client even after the timeout time has elapsed by executing a predetermined aging process.

  FIG. 3 is a flowchart showing an example of the aging processing performed by the aging processing means. The aging processing means 40 reads the timeout value from the session information storage unit (session memory) 33 of a certain entry pointer at a predetermined timing (step S21). In the present embodiment, the aging processing means 40 reads the timeout time t from the session information storage unit 33 when the predetermined time Δt has elapsed.

  Further, the aging processing means 40 subtracts a predetermined elapsed time Δt from the read timeout time t (step S22). Further, the aging processing means 40 determines whether or not the timeout time t after subtraction is smaller than 0 (step S23). In the present embodiment, when the aging processing means 40 determines that the time-out time t after subtraction is smaller than 0, it determines that the entry corresponding to the time-out time has timed out. If the aging processing means 40 determines that the time-out time t after subtraction is not smaller than 0, it determines that the entry corresponding to the time-out time has not yet timed out.

  If it is determined that the time-out time t after subtraction is smaller than 0, the aging processing means 40 deletes the entry corresponding to the time-out time from the session information storage unit 33 (step S24). In this case, the aging processing unit 40 deletes the entry by deleting the session information including the timeout time t from the session information storage unit 33.

  Further, the aging processing means 40 advances the entry pointer by 1 (adds 1 to the pointer), and advances the pointer to the next entry registered in the session information storage unit 33 (step S25). And the aging process means 40 returns to the process of step S21, and repeatedly performs the process from step S21 to step S25.

  If it is determined in step S23 that the time-out time t after subtraction is not smaller than 0, the aging processing means 40 advances the entry pointer by one without deleting the entry. And the aging process means 40 returns to the process of step S21, and repeatedly performs the process from step S21 to step S25.

  By executing the aging processing from step S21 to step S25 described above, the aging processing means 40 deletes the entry that has timed out when the time-out time t first obtained by the time-out time calculator 23 has elapsed.

  Here, a session registered at a constant session rate a is deleted at a constant rate a by the aging process when the timeout time t (seconds) elapses. Therefore, the number of entries in the session information storage unit 33 after the timeout t (seconds) should be a constant value of a × t. In this case, in order to accept as many sessions as possible, the value of the number of entries may be set equal to the maximum capacity D of the session memory. Therefore, in order to be able to accept the largest number of sessions, it is sufficient to design so as to satisfy Equation (2).

D = a × t Formula (2)

  From Expression (2), Expression (1) is obtained with f (a) as a function for calculating the optimum timeout time t.

  FIG. 4 is an explanatory diagram showing an example of the relationship between the number d of sessions registered in the session memory and the elapsed time. As shown in FIG. 4, the number of sessions d input at the session rate a0 increases linearly until the timeout time t. However, when the elapsed time t0 = D / a0 is exceeded, the maximum session number (session memory maximum amount D) is constant. Further, the number of sessions d input at the session rate a1 (a1> a0) becomes constant at the maximum number of sessions (maximum amount of session memory D) when the elapsed time t1 = D / a1 is exceeded.

  In order to make the timeout time t conform to the protocol behavior, the timeout time t should be as close as possible to the specified value of the protocol. Further, the network processing device cannot distinguish (determine) whether the new session is a session from a valid client, a session due to an unauthorized attack, or a session transmitted with a false source address. Therefore, the network processing device must respond to all sessions. In addition, it is desirable that the timeout process can be dynamically changed with respect to the session rate so that a response corresponding to the session rate can be performed.

  In the present embodiment, the network processing apparatus continuously varies the timeout time t using the equation (1) based on the session rate a and the maximum capacity of the session entry (maximum amount of session memory D). By doing so, it is possible to cope with the DoS attack dynamically according to the session rate of the DoS attack while responding to all the sessions.

  As described above, according to the present embodiment, the network processing apparatus dynamically sets the session timeout time so that the session memory does not overflow in accordance with the access rate (session rate) even during an overload. Set. Then, the network processing device deletes the entry of the session that has timed out based on the dynamically set time-out time t. According to the present embodiment, it is possible to delete an entry of a session that has timed out based on a dynamically obtained time-out time, and thus it is possible to cope with an overloaded access from an unauthorized host. Also, according to the present embodiment, since it is not necessary to perform filtering based on traffic threshold determination, it is possible to respond to all registered clients. Therefore, even during an overloaded access from an unauthorized host, it is possible to respond to an access from a legitimate client.

  Further, according to the present embodiment, even if a traffic threshold is not used, a timeout value is obtained and set using t = f (a) for the input rate, and an overloaded access from an unauthorized host Can deal with. Therefore, it is not necessary for the network administrator to set the threshold value, and the burden on the network administrator can be reduced. Further, it is possible to cope with an illegal attack access rate without providing a traffic threshold.

Embodiment 2. FIG.
Next, a second embodiment of the present invention will be described with reference to the drawings. FIG. 5 is a block diagram illustrating another configuration example of the network processing apparatus. As shown in FIG. 5, in the present embodiment, the storage means 30 </ b> A includes the session memory registration entry number in addition to the session rate storage unit 31, the session memory maximum capacity storage unit 32, and the session information storage unit 33 shown in FIG. 1. It differs from the first embodiment in that it includes the storage unit 34. Further, in the present embodiment, the functions of the timeout time calculation unit 23A and the timeout time registration unit 24A of the protocol processing unit 20A are different from those shown in the first embodiment. In the present embodiment, the function of the aging processing means 40A is different from the function of the aging processing means 40 shown in the first embodiment.

  Further, in the present embodiment, the timeout time calculation unit 23A obtains the timeout time t by using the expression (3) instead of the expression (1) as the expression for calculating the timeout time. And different.

t = f · g (a, d) Equation (3)

  In equation (3), d indicates the number of entries registered in the session memory.

  The session memory registration entry number storage unit 34 stores the number of entries d currently registered in the session information storage unit (session memory).

  The timeout time calculation unit 23A has a function of calculating a timeout time for a new session. In the present embodiment, the timeout time calculation unit 23A reads the session rate a from the session rate storage unit 31 at a predetermined timing. Further, the timeout time calculation unit 23A reads the maximum entry amount (maximum session memory amount D) from the maximum session memory amount storage unit 32. Further, the timeout time calculation unit 23A reads the number of entries d currently registered in the session memory from the session memory registration entry number storage unit 34. Then, the timeout time calculation unit 23A obtains the timeout time t using a predetermined calculation function based on the session rate a, the session memory maximum amount D, and the number of entries d. Further, the timeout time calculation unit 23A causes the timeout time registration unit 24A to register the obtained timeout time t.

  The timeout time registration unit 24A has a function of registering a new entry in the session memory storage unit 33, similarly to the timeout time registration unit 24 described in the first embodiment. Further, the timeout time registration unit 24A has a function of incrementing the value of the entry number d stored in the session memory registration entry number storage unit 34 by 1 when a new entry is registered.

  As with the aging processing unit 40 described in the first embodiment, the aging processing unit 40A has a function of deleting an entry that has timed out due to a time-out period. Further, the aging processing unit 40A has a function of reducing the value of the entry number d stored in the session memory registered entry number storage unit 34 by 1 when an entry is deleted.

  Note that the functions of the new packet determination unit 21, the session rate measurement unit 22, and the protocol response processing unit 25 of the protocol processing unit 20 are the same as those described in the first embodiment. Information stored in the session rate storage unit 31, the session memory maximum amount storage unit 32, and the session information storage unit 33 of the storage unit 30A is the same as the information stored in the first embodiment. The functions of the packet receiving means 10 and the response packet sending means 50 are the same as those shown in the first embodiment.

  Next, the operation will be described. In the first embodiment, the case has been described in which the network processing apparatus handles all sessions when the new session rate from the client is a constant value. However, if the new session rate varies greatly with time, the session entry may overflow from the session memory. Therefore, in the present embodiment, the network processing device prepares the session memory registration entry number storage unit 34 and stores the registration entry number d currently stored in the session information storage unit 33 in the session memory registration entry number storage unit 34. .

  FIG. 6 is a flowchart illustrating another example of the process of registering a new session entry and the process of transmitting a response packet to the transmission source client by the network processing apparatus. When the network processing apparatus receives various packets from each client in accordance with the same processing from step S11 to step S14 described in the first embodiment, it determines whether or not the packet is a new session, and determines the session rate. a is measured (steps S31 to S34).

  The timeout time calculation unit 23A reads the session rate a from the session rate storage unit 31. The timeout time calculation unit 23A reads the session memory maximum amount D from the session memory maximum amount storage unit storage unit 32. Further, the timeout time calculation unit 23A reads the session memory registration number (registration entry number) d from the session memory registration entry number storage unit 34. Then, the timeout time calculation unit 23A uses the calculation function using the function g (d) for the session memory registration number d in addition to the function f (a) used in the first embodiment to calculate the timeout value. Ask. In the present embodiment, the timeout time calculation unit 23A obtains the timeout time t using Expression (3) based on the read session rate a, the session memory maximum amount D, and the number of registered entries d (step S35).

  In Expression (3), f · g (a, d) represents a composite function f {g (a, d)} of the function f (a) and the function g (d). In the formula (3), g (d) is an arbitrary function.

  The timeout time registration unit 24A registers the timeout time t as a new session entry in the session information storage unit 33 according to the same process as step S16 described in the first embodiment (step S36). In this case, the timeout time registration unit 24A registers the new session entry by causing the session information storage unit 33 to store the session information including the timeout time t obtained by the timeout time calculation unit 23A.

  Further, when registering a new entry, the timeout time registration unit 24A updates the registration entry number d stored in the session memory registration entry number storage unit 34 (step S37). In the present embodiment, when a new entry is registered, the timeout time registration unit 24A adds 1 to the registration entry number d stored in the session memory registration entry number storage unit 34.

  In addition, the network processing apparatus executes a protocol response process according to the same process as step S17 and step S18 described in the first embodiment, and responds to the transmission source client corresponding to each session at predetermined time intervals. A packet is transmitted (steps S38 and S39).

  Next, the operation of the aging processing means 40A will be described. FIG. 7 is a flowchart showing another example of aging processing performed by the aging processing means. The aging processing means 40A updates the timeout time t according to the same processing from step S21 to step S24 shown in the first embodiment, and if it is determined that the entry has timed out, the entry is stored in the session information storage unit. It deletes from 33 (step S41-step S44).

  Further, when the entry is deleted, the aging processing means 40A updates the registered entry number d stored in the session memory registered entry number storage unit 34 (step S45). In the present embodiment, when the entry is deleted, the aging processing means 40A subtracts 1 from the registered entry number d stored in the session memory registered entry number storage unit 34.

  Then, the aging processing means 40A advances the entry pointer by 1 (adds 1 to the pointer) according to the same processing as in step S25 described in the first embodiment, and the next registered in the session information storage unit 33. The pointer is advanced to the entry (step S46). Then, the aging processing means 40A returns to the process of step S41, and repeatedly executes the processes from step S41 to step S46.

  FIG. 8 is an explanatory diagram showing another example of the relationship between the number d of sessions registered in the session memory and the elapsed time. As shown in FIG. 8, when the session rate from the client side greatly fluctuates, the number of entries d fluctuates different from linear. Further, when the fluctuation rate from the client side does not have the law, the change in the number of entries d cannot be predicted. Therefore, depending on the variable transmission rate on the client side, the session memory registration number d may exceed the maximum number D of session memories, and new entries may overflow from the session memory.

  Therefore, in the present embodiment, a wait function g (d) for reducing the timeout value is prepared when the number of registered entries d is near the maximum session memory amount D. For example, the network processing apparatus uses a function indicating an inverse number with respect to d as g (d). Then, the network processing apparatus can obtain the timeout time using Expression (4) as a function for obtaining the timeout time t.

t = f · g (a, d) = D / (a × d) Equation (4)

  As shown in Expression (4), the timeout time t is the inverse of the session rate a and the number of registered sessions (number of registered entries d).

  FIG. 9 is an explanatory diagram showing the relationship between the number of registered sessions d and the elapsed time when the timeout time is controlled using Expression (4). As illustrated in FIG. 9, when the number of registered sessions (registered entry number d) increases, the network processing device decreases the timeout value by an increase in the registered entry number d. As the number of registered sessions increases, the session timeout time decreases. However, the network processing apparatus does not exceed the maximum number of session entries even if the session rate varies greatly by adjusting the function g (d). Can be.

Embodiment 3 FIG.
Next, a third embodiment of the present invention will be described. In the present embodiment, the configuration of the network processing apparatus is the same as that of the first embodiment. In the present embodiment, the method by which the session rate measuring unit 22 measures the rate is different from the method shown in the first embodiment. In the present embodiment, the session rate measurement unit 22 does not calculate the session rate by counting the number of new packets that pass per unit time, but based on the time interval between the packet that passed first and the packet that passed at the current time. The speed is obtained, and the connection rate R1 is obtained as a function of the speed at which past packets pass.

  For example, assuming that the time when a packet has passed first is t1 and the time when a new packet has passed at the current time is t2, the session rate measuring unit 22 uses the time difference t2−t1 and the previously measured rate R0 as the connection rate R1. Find the function with. For example, the session rate measurement unit 22 obtains the connection rate R1 using Equation (5), where h is the function of the connection rate.

R1 = h (t2-t1, R0) Formula (5)

  For example, when the connection rate R1 is obtained based on a function using exponential smoothing, the session rate measurement unit 22 sets the weighting coefficient α (0 <α <1) and uses the connection rate using the equation (6). Find R1.

R1 = α (the SYN packet passing speed between t2 and t1) + (1-α) R0
= Α / (t2−t1) + (1−α) R0 Formula (6)

  In the first embodiment, a case has been described in which the session rate a is calculated based on the number of new packets passing in a certain time. However, when the number of new packets passing through varies from time to time, the number of sampling packets for rate calculation becomes uneven. Therefore, the reliability of the calculation rate for each sampling time may be lowered.

  In the present embodiment, the rate is calculated for each packet reception based on the rate at the time of receiving the previous packet and the time until the next packet is received. Therefore, even when the packet interval varies, a more reliable rate can be obtained, and a new packet timeout time can be obtained appropriately. Also, memory resources and the number of operations can be reduced compared to the case where the session rate is obtained by counting new packets.

Embodiment 4 FIG.
Next, a fourth embodiment of the present invention will be described with reference to the drawings. In the present embodiment, the configuration of the network processing apparatus is the same as that of the first embodiment. This embodiment is different from the first embodiment in that the timeout time calculation unit 23 uses different calculation functions when the session rate is increased and decreased when calculating the timeout time.

  FIG. 10 is an explanatory diagram showing an example of the relationship between the session rate a and the timeout time calculated by the timeout time calculation unit 23. As shown in FIG. 10, when the session rate a increases, the timeout time calculation unit 23 obtains a timeout time using the calculation function t = D / a and registers the obtained timeout time. As shown in FIG. 10, when the session rate is decreased, the timeout time calculation unit 23 may obtain a timeout time using the calculation function t = i (a), and may give hysteresis to the characteristic of the timeout time. By doing so, it is possible to set the session timeout time to a larger value when the session rate is decreased, and to have a value closer to the original timeout value of the protocol when the session rate is decreased.

  Next, a first embodiment of the present invention will be described with reference to the drawings. Note that this example corresponds to a specific implementation of the network processing apparatus shown in the first embodiment. FIG. 11 is a block diagram illustrating still another configuration example of the network processing apparatus. In this embodiment, it is assumed that the network processing apparatus is a network apparatus that implements TCP as a protocol.

  In this embodiment, as shown in FIG. 11, the network device includes a TCP packet receiving unit 10B as a packet receiving unit, a protocol processing unit 20B as a protocol processing unit, a magnetic disk storage device 30B as a storage unit, and an aging processing unit. As an aging processing unit 40B and a TCP response packet sending unit 50B as a response packet sending means. The protocol processing unit 20B is realized by a device internal circuit such as a CPU that operates according to a program for performing TCP processing. The aging processing unit 40B is realized by a device internal circuit such as a CPU that operates according to a program.

  The protocol processing unit 20B includes an input (new) packet determination unit 21B, a session rate measurement unit 22B, a timeout time calculation unit 23B, a timeout time registration unit 24B, and a protocol response processing unit 25B.

  The magnetic disk device 30B also includes a session rate storage unit 31B, a session memory maximum amount storage unit 32B, and a session information storage unit 33B. The session rate storage unit 31B stores a session rate. The session memory maximum amount storage unit 32B stores the session memory maximum amount. The session information storage unit 33 stores session information including a timeout time.

  Next, the operation of the network device will be described. When there is an access by a SYN packet using TCP from the client, the packet receiving unit 10B of the network device receives the TCP packet from the client via the communication network. Further, the new packet determination unit 21B of the network device determines whether or not the received packet is a new packet. In addition, the session rate determination unit 22B counts received packets to obtain a session rate a. When the unit time has elapsed, the session rate determination unit 22B writes the measured session rate a in the session rate storage unit 31B.

  The timeout time calculation unit 23B reads the session rate a from the session rate storage unit 31B, and reads the session memory maximum amount D from the session memory maximum amount storage unit 32B. Then, the timeout time calculation unit 23B obtains the timeout time t using the equation t = D / a based on the read session rate a and session memory maximum amount D.

  The timeout time registration unit 24B registers the session information including the timeout time obtained by the timeout time calculation unit 23B in the session information storage unit 33B of the magnetic disk device 30B. In addition, when the timeout time t elapses, the aging processing unit 40B deletes the registered entry from the session memory (session information storage unit 33B).

  The protocol response processing unit 25B executes protocol processing, which is processing necessary for TCP, on the input (received) SYN packet. For example, the protocol response processing unit 25B updates the IP address and port number included in the session information, information for specifying the TCP session, and various internal parameters. Further, the protocol response processing unit 25B reads the timeout value from the session information storage unit 33B and writes it again in the session memory (session information storage unit 33B) together with the updated various internal parameters.

  Further, the protocol response processing unit 25B outputs a transmission instruction of the SYN-ACK packet for the SYN packet to the response packet transmission unit 50B. The response packet sending unit 50B transmits a SYN-ACK packet to the client in accordance with an instruction from the protocol response processing unit 25B.

  Next, a second embodiment of the present invention will be described with reference to the drawings. This example corresponds to a specific implementation of the network processing apparatus shown in the second embodiment. FIG. 12 is a block diagram illustrating still another configuration example of the network processing apparatus.

  In this embodiment, the magnetic disk device 30C includes the session memory registration entry number storage unit 34B in addition to the session rate storage unit 31B, the session memory maximum amount storage unit 32B, and the session information storage unit 33B. Different from the embodiment. In this embodiment, the functions of the timeout time calculator 23C and the timeout time register 24C of the protocol processor 20C are different from those of the protocol processor 20B shown in the first embodiment. In the present embodiment, the function of the aging processing unit 40C is different from the function of the aging processing unit 40B shown in the first embodiment.

  The functions of the new packet determination unit 21B, the session rate measurement unit 22B, and the protocol response processing unit 25B of the protocol processing unit 20C are the same as those shown in the first embodiment. The functions of the TCP packet receiving unit 10B and the TCP response packet sending unit 50B are the same as those shown in the first embodiment.

  The session memory registration entry number storage unit 34B stores the number of TCP sessions currently registered in the session memory (session information storage unit 33B). The method of obtaining the timeout time t based on the session rate a is effective when there is an access from a client at a constant session rate. However, when the session rate fluctuates greatly, the entry is the maximum registration number D of the session memory. May be exceeded.

  Therefore, in this embodiment, a weighting function g (d) is prepared so that the timeout value becomes smaller as the registered number d of session entries approaches the maximum number D of session entries. The time-out time is obtained using (3). By doing so, the network processing apparatus can adjust the registered entries so that the number of session entries d does not exceed the maximum number D of session entries.

  Next, a third embodiment of the present invention will be described. In the first embodiment, the number of new packets passing per unit time is calculated and the session rate a is obtained. In this embodiment, the network processing apparatus uses the exponential smoothing method to obtain a speed (connection rate). Find R1.

  For example, it is assumed that the session rate when the packet n−1 arrives is R0, and the arrival time is t0. The time when the packet n arrives is t1, and the predetermined weighting coefficient is α = 0.125. Then, the session rate measuring unit 22B obtains the session rate R1 using Expression (7).

R1 = 0.125 / (t2-t1) + 0.875R0 Formula (7)

  In this embodiment, the network processing device uses the exponential smoothing method to adjust the speed using two parameters, the rate when the previous packet arrives and the time until the packet arrives at the current time. Can be sought.

  Next, a fourth embodiment of the present invention will be described. In this embodiment, the network processing apparatus gives a hysteresis characteristic to the characteristic or function of the timeout time when calculating the timeout value. In this embodiment, the network processing device calculates the timeout time t using the equation t = D / a when the session rate increases. Further, the network processing apparatus calculates the timeout time t using the function t = i (a) when the session rate is decreased.

  The present invention can be installed in a network relay device such as a block that performs TCP processing of a server device or the like, a gateway, an application firewall, or the like, and can be applied to a use for preventing a DoS attack. Further, the present invention can be applied not only to TCP but also to an application that adjusts so that registration entries do not overflow when access is made at a high rate in an apparatus using all protocols that perform timeout processing.

It is a block diagram which shows an example of a structure of the network processing apparatus by this invention. 10 is a flowchart illustrating an example of processing for registering an entry for a new session and processing for transmitting a response packet to a transmission source client. It is a flowchart which shows an example of the aging process which an aging process means performs. It is explanatory drawing which shows an example of the relationship between the registration session number d to session memory, and elapsed time. It is a block diagram which shows the other structural example of a network processing apparatus. 12 is a flowchart illustrating another example of processing for registering an entry for a new session and processing for transmitting a response packet to a transmission source client by a network processing apparatus. It is a flowchart which shows the other example of the aging process which an aging process means performs. It is explanatory drawing which shows the other example of the relationship between the registration session number d to session memory, and elapsed time. It is explanatory drawing which shows the relationship between the number d of registration sessions at the time of controlling timeout time using Formula (4), and elapsed time. It is explanatory drawing which shows the example of the relationship between the session rate a and the timeout time which the timeout time calculating part 23 calculates | requires. It is a block diagram which shows the further another structural example of a network processing apparatus. It is a block diagram which shows the further another structural example of a network processing apparatus.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Packet receiving means 20 Protocol processing means 21 New packet determination part 22 Session rate measurement part 23 Timeout time calculation part 24 Timeout time registration part 25 Protocol response processing part 30 Storage means 31 Session rate storage part 32 Session memory maximum amount storage part 33 Session Information storage unit 40 Aging processing means 50 Response packet sending means

Claims (15)

A network processing device for processing a high load state caused by mass access,
When detecting a new session to be handled by the network processing device, according to a predetermined condition, a timeout time calculation means for dynamically obtaining a timeout time corresponding to the new session;
Based on the timeout time obtained by the timeout time calculating means, an entry deleting means for deleting an entry of a session that has timed out;
A network processing apparatus comprising: response means for transmitting response data to a client corresponding to an entry of a currently registered session via a communication network. A network processing device for processing a high load state caused by mass access,
A packet receiving means for receiving a packet from a client via a communication network;
Session information storage means for storing session information indicating a session currently handled by the network processing device;
When the packet receiving means receives a packet for a new session, a timeout time calculating means for dynamically obtaining a timeout time corresponding to the new session according to a predetermined condition;
Entry registration means for registering the entry of the new session by storing session information including the timeout time obtained by the timeout time calculation means in the session information storage means;
Timeout determination means for determining whether or not a timeout time has elapsed for a session currently handled by the network processing device based on a timeout time indicated in session information stored by the session information storage means;
When the timeout determination unit determines that a timeout period has elapsed, an entry deletion unit that deletes a session entry by deleting session information corresponding to the session for which the timeout period has elapsed from the session information storage unit;
A network processing apparatus comprising: response packet transmission means for transmitting a response packet to a client corresponding to an entry of a currently registered session via a communication network. A session rate calculating means for obtaining a session rate indicating a ratio of new sessions generated per predetermined unit;
The network processing device according to claim 2, wherein the timeout time calculating unit dynamically calculates a timeout time corresponding to a new session based on the session rate calculated by the session rate calculating unit.   The network processing device according to claim 3, wherein the session rate calculation means calculates the session rate by calculating an average of the number of packets of the received new session according to a predetermined sampling unit.   The network processing device according to claim 4, wherein the session rate calculation means calculates the session rate according to a predetermined time unit as a sampling unit.   The network processing device according to claim 4, wherein the session rate calculation means calculates the session rate according to a unit of the number of packets received in the past as a sampling unit.   The network processing apparatus according to claim 3, wherein the session rate calculation means obtains the session rate using an exponential smoothing method. Session rate storage means for storing the session rate obtained by the session rate calculation means,
The timeout time calculation means is
Read session rate a from the session rate storage means;
The network processing device according to any one of claims 3 to 7, wherein a timeout time t is obtained using a predetermined function t = f (a). A maximum amount storage means for storing a maximum registerable amount D indicating the maximum amount of session entries that can be registered in the session information storage means;
The timeout time calculation means is
Reading the maximum registerable amount D from the maximum amount storage means,
The network processing device according to claim 8, wherein the timeout time t is obtained by using t = f (a) = D / a as the predetermined function f (a). Session entry number storage means for storing the number of entries d registered in the session information storage means,
The timeout time calculation means is
Read session rate a from the session rate storage means,
Read the entry number d from the session entry number storage means,
The network processing device according to claim 8, wherein the timeout time t is obtained using a composite function f {g (a, d)} obtained by combining a predetermined function f (a) and a function g (d).   The network according to any one of claims 8 to 10, wherein the time-out time calculation means obtains the time-out time t by using different calculation methods when the session rate is increased and when the session rate is decreased. Processing equipment. A network processing method for processing a high load state caused by mass access,
When a new session to be handled by a network processing device that processes access from a client is detected, a timeout time corresponding to the new session is dynamically determined according to a predetermined condition;
Deleting a session entry that has timed out based on the determined time-out period;
Transmitting response data via a communication network to a client corresponding to a currently registered session entry. A network processing method for processing a high load state caused by mass access,
Storing session information indicating a session currently handled by a network processing device that processes access from a client in a storage unit;
Receiving a packet from a client via a communication network;
Dynamically receiving a timeout period corresponding to the new session according to a predetermined condition upon receiving a packet of the new session;
Registering the new session entry by newly storing session information including the determined timeout time in the storage means;
Determining whether or not a timeout time has elapsed for a session currently handled by the network processing device based on a timeout time indicated in the stored session information;
Determining that the timeout period has elapsed, deleting a session entry from the storage means by deleting session information corresponding to the session for which the timeout period has elapsed; and
Transmitting a response packet to a client corresponding to an entry of a currently registered session via a communication network. A network processing program for processing a high load state caused by mass access,
On the computer,
When a new session to be handled by the network processing device is detected, a process for dynamically obtaining a timeout time corresponding to the new session according to a predetermined condition;
A process of deleting an entry of a session that has timed out based on the determined time-out period;
A network processing program that causes a client corresponding to an entry of a currently registered session to execute response data transmission processing via a communication network. A network processing program for processing a high load state caused by mass access,
In a computer comprising storage means for storing session information indicating a session currently handled by the network processing device,
Receiving a packet from a client via a communication network;
When a packet for a new session is received, a process for dynamically obtaining a timeout time corresponding to the new session according to a predetermined condition;
A process of registering an entry for the new session by newly storing session information including the determined timeout time in the storage means;
Based on the time-out time indicated in the stored session information, a process for determining whether or not the time-out time has elapsed for the session currently handled by the network processing device;
When it is determined that the timeout time has elapsed, processing for deleting a session entry by deleting session information corresponding to the session for which the timeout time has elapsed from the storage unit;
A network processing program that causes a client corresponding to an entry of a currently registered session to execute a process of transmitting a response packet via a communication network.

Images