JP2006345268A - Packet filter circuit and packet filter method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a packet filter circuit capable of passing only a packet of a normal access and capable of omitting unnecessary repeating processing. <P>SOLUTION: A packet filter circuit part 200 comprises: a passage setting table 220 for registering the header information of a packet to be passed as an entry; a passage determination part 210 for determining whether the packet is allowed to pass or not by referring to the passage setting table 220; a SYNACK proxy response part 230 for performing the proxy response of an SYNACK packet to a SYN packet when a packet prohibited to pass is the SYN packet; a passage setting entry adding part 250 for adding the header information of the ACK packet to the entry in the passage setting table when the packet prohibited to pass is the ACK packet; and a connection cutting part 240 for informing a transmission source of the ACK packet of disconnection in the case of adding the entry by the passage setting entry adding part 250. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a packet filter circuit and a packet filter method for passing a packet based on header information registered in a passage setting table.

  Any open network such as the Internet can be freely connected. While various services are provided via the network and its convenience is increased, a distributed service refusal (a malicious third party sends a large number of packets to the device providing the service to prevent the use of general users) Distributed Denial of Service (DDoS) attacks are a problem. A wide variety of patterns have been confirmed in DDoS attacks. SynFlood attacks that prevent general users from establishing new connections by making connection requests exceeding the allowable amount to attack target devices, and unnecessary ICMP packets are intentionally performed. There is a smurf attack that occupies the bandwidth by sending a large amount to the attack target device. Among them, the SynFlood attack can efficiently put the attack target device into a connection rejection state by a simple method, so there is a research report by the University of California that it is currently the most common and accounts for many DoS attacks (for example, Non-Patent Document 1).

  SynFlood attack is an attack method that exploits TCP's 3-way handshake. Connection establishment by TCP is as follows: (1) When a “establishment request (SYN)” is sent from the client side, (2) the server side sends “acknowledgment request acknowledgment (ACK) and“ establishment request (SYN) ”at the same time. (3) Further, a procedure of “acknowledgment (ACK)” transmission from the client side is taken.

  SYN and ACK can be identified by TCP header format flags. If the SYN flag is ON, the packet is an establishment request packet. Here, the malicious third party transmits a SYN packet spoofing the transmission source information to the attack target device. The attack target device transmits SYNACK, but since there is often no spoofed device, an ACK packet is not returned and the attack target device enters a standby state. Depending on the implementation, the process frequently occurs by sending a large number of establishment request (SYN) packets with a waiting time of about 60 seconds until the process is completed due to a timeout, and resources are illegally consumed and other devices. Make communication difficult.

  However, the packet used for the SynFlood attack is the same as a normal TCP SYN packet except that the source address is spoofed. Therefore, it is not possible to distinguish a normal access SYN packet from an attack packet in the attack target device. Have difficulty.

  Conventionally, there is a technology called TCP Proxy as a mechanism to defend against SynFlood attacks. This technology is mainly implemented in firewalls and is the most reliable way to correctly distinguish between normally accessed packets and attack packets. TCP Proxy is a method in which a firewall maintains a state for each TCP connection and passes only a packet of a normal TCP flow for which three-way handshake has been completed to the destination host. When the firewall receives the SYN packet, it sends back a SYNACK packet on behalf of the destination host, and reduces the attack by delivering the actual SYN packet only to the packet that received the ACK.

  FIG. 9 is a sequence chart for explaining the operation of the conventional TCP Proxy. In the figure, the attack source host indicates a host used by a malicious third party to transmit a large number of SYN packets. Although only one attack source host is shown in the figure, it is assumed that there are a plurality of attack source hosts in the DDoS attack.

  First, a SYN packet in which the source IP address is spoofed is transmitted from the attack source host toward the defense target (step S501). When receiving the SYN packet, the TCP Proxy function unit transmits a SYNACK packet (step S502). The acknowledgment number of the SYNACK packet contains the value of the SYN packet sequence number + 1. An arbitrary value is inserted into the sequence number of SYNACK. Here, since the source IP address of the SYN packet transmitted by the attack source host is spoofed, the SYNACK packet is transmitted to the host having the spoofed IP address. Since the host with the spoofed IP address does not exist or does not follow the normal 3-way handshake procedure, the ACK packet is not returned because the RST packet is sent and the connection is disconnected. In this way, the load of the protection target can be reduced by using TCP Proxy as a defense wall for attack packets.

  Further, when the TCP Proxy function unit makes a proxy response to the SYNACK packet in response to the SYN packet transmission from the normal host (step S503) (step S504), the ACK packet is returned (step S505). In this way, by relaying only packets of normal TCP flows for which 3 WayHandshake has been completed to the protection target, normal access can be correctly delivered to the protection target (from step S506 to step S508).

In addition, as a mechanism for preventing other SynFlood attacks, there is a method of monitoring the flow rate of received packets in the attack target and thinning out the packets accumulated in the packet buffer when the predetermined threshold is exceeded (for example, Patent Document 1). This is effective as a mechanism that prevents the system from going down.
JP-A-2004-248198 (page 7 to page 13, FIG. 1) "Inferring Internet Denial-of-Service Activity", David Moore, M. Voelker and Stefan Savage, San Diego Supercomputer Center University of California, San Diego

  In the future, it is expected that terminal devices such as home appliances and mobile terminals will be connected to open networks, but the demand for cost reduction is strong for terminal devices, so even if the SynFlood attack defense function is installed, the cost It is required not to use expensive high-performance CPU and additional memory. When the TCP Proxy function is installed in a terminal device, it is necessary to relay the TCP flow with the TCP / IP protocol stack incorporated in the OS. When relaying this TCP flow, it is necessary to hold session information (source port number, destination port number, sequence number, confirmation response number, etc.) for each TCP flow. Must be ensured, and the amount of memory (that is, the circuit scale) increases.

  Further, as in the Dos attack prevention method disclosed in Patent Document 1, the method of monitoring the received packet flow rate and thinning out the packets stored in the packet buffer when the predetermined threshold value is exceeded is as follows. It is effective as a method to avoid system down. However, since packets are thinned out without confirming session information, data is thinned out despite normal access.

  The present invention has been made in view of the above-described conventional circumstances, and it is an object of the present invention to provide a packet filter circuit and a packet filter method that allow only normal access packets to pass through and eliminate unnecessary relay processing. To do.

  The packet filter circuit of the present invention is a packet filter circuit that allows a packet to pass based on header information registered in the passage setting table, and determines whether or not to allow the packet to pass by referring to the passage setting table. If the packet is determined to be non-passable when the packet is determined to be non-passable, the SYNACK proxy response unit that proxy-responses the SYNACK packet for the SYN packet, and the packet that is determined to be non-passable is an ACK packet. Pass setting entry adding means for adding header information of the ACK packet to the entry of the pass setting table, and when the pass setting entry adding means adds an entry, it notifies the source of the ACK packet of disconnection Connection cutting means.

  According to the above configuration, the packet from the attack source host that sends only the SYN packet can be discarded by passing only the packet from the source host that sends back the ACK response to the SYNACK packet that is the proxy response. Therefore, it is possible to pass only normal access packets and eliminate unnecessary processing related to unauthorized access. Also, without holding session information for each TCP flow, an RST (reset) is sent to the source host that sends back the ACK response, and the packets after the retransmitted SYN packet are passed to the protection target. Therefore, TCP flow relay processing is not performed only by filter pass setting processing and connection disconnection processing, so when TCP Proxy is installed in a terminal device, TCP Proxy requires TCP for 3 Way Handshake relay processing with the OS. A state storage area for each flow is not required, and the memory can be reduced.

  In addition, the packet filter circuit of the present invention includes a packet flow rate monitoring unit that monitors whether or not the packet flow rate is less than a predetermined threshold value. When the packet flow rate is less than the threshold value, Pass through.

  According to the above configuration, if the packet processing capability of the protection target is not exceeded, all packets are allowed to pass, and if a SYNFlood attack that exceeds the packet processing capability of the protection target is received, The packet from the transmission source host that sends back the ACK response is passed, and the packets after the retransmitted SYN packet are passed to the protection target. Therefore, when a SynFlood attack that exceeds the packet processing capacity to be protected is received, packets from the attacking host that sends only SYN packets can be discarded, and system down due to the SynFlood attack can be prevented.

  The packet filter circuit of the present invention further comprises number calculation means for calculating a 32-bit number based on a predetermined calculation formula using TCP flow information as a key, and the SYNACK proxy response means receives the TCP flow of the received SYN packet. A SYNACK packet with the number calculated by the number calculation means as a sequence number is transmitted from the information, and the passage setting entry addition means sets 1 to the number calculated by the number calculation means from the TCP flow information of the received ACK packet. Only when the added value matches the acknowledgment number included in the TCP header of the received ACK packet, the ACK packet is registered in the passage setting table.

  According to the above configuration, a SYNACK packet with a number calculated by a specific calculation formula using TCP flow information as a key as an initial sequence number is sent as a proxy response, a number is calculated from the TCP flow information using the same calculation formula, and the value is By checking whether or not the value obtained by adding 1 matches the confirmation response number of the ACK packet, it is possible to check whether or not the ACK packet is camouflaged. As a result, it is possible to prevent a forged ACK packet from being added to the passage setting table illegally.

  The packet filter method of the present invention is a packet filter method that allows a packet to pass based on header information registered in the passage setting table, and whether or not to allow the packet to pass by referring to the passage setting table. If the packet is determined to be non-passable, and if the packet is determined to be non-passable, the SYNACK proxy response step is a proxy response of the SYNACK packet for the SYN packet, and the packet is determined to be non-passable is the ACK packet. In this case, when adding an entry in the pass setting entry adding step for adding the header information of the ACK packet to the entry of the pass setting table, and adding the entry in the pass setting entry adding step, the connection is disconnected to the transmission source of the ACK packet. And a connection disconnection step to be notified.

  In the packet filter method of the present invention, the passage determining step allows all packets to pass when the packet flow rate is less than a predetermined threshold.

  Furthermore, in the packet filter method of the present invention, the SYNACK proxy response step includes a SYNACK packet to which a sequence number is assigned as a 32-bit number calculated based on a predetermined formula using the TCP flow information of the received SYN packet as a key. A value obtained by adding 1 to the 32-bit number calculated based on a predetermined calculation formula using the TCP flow information of the received ACK packet as a key in the transmission setting entry adding step is the TCP header of the received ACK packet The ACK packet is registered in the passage setting table only when it matches the confirmation response number included in.

  According to the packet filter circuit of the present invention, a packet from an attack source host that sends only a SYN packet is discarded by passing only a packet from a source host that sends back an ACK response to a SYNACK packet that is a proxy response. Therefore, only normal access packets can be passed and unnecessary processing related to unauthorized access can be omitted.

  Hereinafter, a packet filter circuit according to an embodiment of the present invention will be described in detail with reference to the accompanying drawings.

[Embodiment 1]
FIG. 1 is a diagram showing a configuration of a packet processing device according to Embodiment 1 of the present invention. The packet processing apparatus 100 includes a packet receiving unit 110 that receives packets from the network, a packet transmission unit 120 that transmits packets to the network, and a packet filter that allows packets from a transmission source registered in a passage setting table (described later) to pass. A circuit unit 200 and a defense target 300 are provided. Here, the packet processing device 100 represents a terminal device connected to a network such as an Internet home appliance or a portable terminal.

  Further, the packet filter circuit unit 200 refers to the passage setting table 220 and the passage setting table 220 for registering, as an entry, header information of the packet to be passed, including at least the transmission source information. A passage determining unit 210 that determines whether or not a packet is determined not to pass, a SYNACK proxy responding unit 230 that performs a proxy response to the SYNACK packet for the SYN packet, and a packet that is determined not to pass is an ACK packet. If there is a pass setting entry adding unit 250 for adding the header information of the ACK packet to the entry of the pass setting table, and the pass setting entry adding unit 250 adds the entry, the connection is disconnected with respect to the transmission source of the ACK packet. The connection disconnection unit 240 is notified.

  When the packet receiving unit 110 of the packet processing device 100 receives a packet, the passage determining unit 210 of the packet filter circuit unit 200 determines whether or not to allow the packet to pass. The protection target 300 is a functional block that executes the main functions of the packet processing apparatus 100 including the network function and serves as a packet processing unit. Consists of CPU, memory, OS, various protocol stacks, application software, etc.

  The passage determination unit 210 extracts header information including at least transmission source information from the header information of the packet, performs a match comparison with the entry of the passage setting table 220, and if it matches the entry, passes the passage instruction signal to the passage determination unit 210. Notice.

  On the other hand, when there is no matching entry, the following two types of processing are performed. First, when the received packet is a SYN packet, the passage determination unit 210 notifies the SYNACK proxy response unit 230 of the header information, and the SYNACK proxy response unit 230 generates a SYNACK packet corresponding to the SYN packet to the network. Send. Next, when the received packet is an ACK packet, the passage determination unit 210 notifies the header setting entry adding unit 250 of the header information, and the passage setting entry adding unit 250 extracts header information including at least transmission source information from the header information. At the same time, a new entry is added to the passage setting table 220, and at the same time, header information is notified to the connection disconnection unit 240, and an RST packet is generated and transmitted to the transmission source of the ACK packet.

  The header information set in the passage setting table 220 includes at least one of a transmission source IP address, a transmission source port number, and a TCP sequence number, and an entry can be configured by one or a plurality of combinations.

  The packet transmission to the network is performed via the packet transmission unit 120. Note that the packet transmission unit 120 may be configured to multiplex and transmit transmission packets from the defense device 300.

  FIG. 2 is a flowchart showing a processing procedure of the packet processing apparatus according to Embodiment 1 of the present invention. First, when the packet receiving unit 110 receives a packet (step S101), the passage determination unit 210 of the packet filter circuit unit 200 searches the passage setting table 220 (step S102), and the entry matches the passage setting table 220. It is analyzed whether or not there is (step S103). If there is a matching entry, the received packet is passed (step S104). On the other hand, if there is no matching entry in the passage setting table 220, the received packet is discarded by the following processing procedure.

  The passage determination unit 210 analyzes whether or not the received packet is a TCP SYN packet (step S105). If the packet is a SYN packet, the passage determination unit 210 notifies the SYNACK proxy response unit 230 of the header information, The SYNACK proxy response unit 230 generates a SYNACK packet corresponding to the received SYN packet and transmits it to the network (step S106).

  On the other hand, if the received packet is not a TCP SYN packet, the passage determination unit 210 further analyzes whether or not the received packet is a TCP ACK packet (step S107). If the packet is an ACK packet, the passage determination unit 210 registers the transmission source information of the received ACK packet in the passage setting table 220 (step S108). Here, an example in which the transmission source information is only the transmission source IP address is described. The passage determination unit 210 simultaneously notifies the connection disconnection unit 240 of the header information, and the connection disconnection unit 240 transmits an RST packet to the transmission source of the received ACK packet and disconnects the connection (step S109).

  After the transmission of the RST packet and if it is determined in step S107 that the packet is not an ACK packet, the passage determination unit 210 discards the received packet after transmitting the SYNACK packet in step S106 (step S110). After passing or discarding the received packet as described above, the packet processing ends (step S111).

  FIG. 3 is a sequence chart showing an operation example of the packet processing apparatus according to Embodiment 1 of the present invention. The attack source host is a host used by a malicious third party to transmit a large amount of SYN packets. Although only one attack source host is shown in the figure for convenience, it is assumed that there are a plurality of attack source hosts. When the SYN packet spoofing the transmission source IP address is transmitted from the attack source host to the defense target (step S201), the packet filter circuit unit 200 makes a proxy response to the SYNACK packet for the SYN packet (step S202). The acknowledgment number of the SYNACK packet contains the value of the sequence number + 1 of the SYN packet. An arbitrary value is assigned to the sequence number of SYNACK. Since the source IP address of the SYN packet transmitted by the attacking source host is spoofed, the SYNACK packet is transmitted to the host having the spoofed IP address. Since the host with the spoofed IP address does not exist or does not follow the normal 3WayHandshake procedure, even if it exists, the RST packet is sent and the connection is disconnected, so the ACK packet is not returned. In this way, the load on the protection target can be reduced by the packet filter circuit unit 200 becoming a defense wall against attack packets.

  In response to a SYN packet from a normal host (step S203), when the packet filter circuit unit 200 makes a proxy response to the SYNACK packet (step S204), an ACK packet is returned (step S205). It can be determined that the source of the packet of the normal TCP flow for which 3 WayHandshake has been completed is reliable.

  The packet filter circuit unit 200 extracts information including at least transmission source information from the header information of the ACK packet, registers it in the entry of the passage setting table, and simultaneously transmits an RST packet to the transmission source of the ACK packet to establish a connection. Is cut (step S206). A normal host attempts to reconnect a new connection when the connection is disconnected. For example, in the Linux kernel Ver2.4, the number of SYN retransmissions is 5 by default. Since a packet from a normal host attempting reconnection has registered an entry in the passage setting table 220, the packet passes through the packet filter circuit unit 200 and is sent to the protection target 300 (step S207). When 3WayHandshake is completed between the normal host and the protection target, a connection can be established (from step S208 to step S209).

  FIG. 4 is a diagram conceptually showing a passage setting table of the packet processing device according to Embodiment 1 of the present invention. The passage setting table registers header information including at least transmission source information in an entry. In the figure, an example in which the search target parameter is only the source IP address is shown, but the header information from the MAC header to the TCP header can be configured singly or in combination. As other header information, a destination MAC address, a source MAC address, an ether type, a TOS field, fragment information, a protocol number, a destination IP address, a source port number, a destination port number, and the like may be used. Action indicates the processing when an entry is hit. Here, since it is a table for setting passage, ACTION is set to “pass”. However, not only simple passage but also various internal processing blocks in the packet processing device can be designated and transmitted.

  By the way, the number of entries in the passage setting table 220 is finite. Therefore, when all entries are consumed with the additional information, a process of overwriting from the old entry is required. In addition to overwriting entries, it is possible to have an aging timer for each entry and delete registration information after a certain period of time. It is also possible to initialize a single entry or the entire table by notifying a clear signal from the defense target 300.

[Embodiment 2]
FIG. 5 is a diagram showing a configuration of the packet processing apparatus according to Embodiment 2 of the present invention. The packet processing device 101 shown in FIG. 5 is different from the packet processing device 100 according to the first embodiment in that a packet flow rate monitoring unit 260 is added in the packet filter circuit unit 201. The other configuration of the packet processing apparatus 101 is the same as that of the packet processing apparatus 100 according to the first embodiment, and a description thereof will be omitted.

  The packet flow rate monitoring unit 260 monitors the amount of packets transmitted from the packet receiving unit 110 to the packet filter circuit unit 201 and is less than a predetermined threshold set so that the flow rate does not exceed the limit of the processing capability of the protection target 300. It is determined whether or not.

  When the packet flow rate is less than a predetermined threshold, the packet flow monitoring unit 260 notifies the passage determining unit 210 of a passage instruction signal. When a passage instruction signal is input, the passage determination unit 210 passes all received packets without searching the passage setting table. As a method for monitoring the packet flow rate, a method for monitoring the number of packets per unit time or the amount of data (byte number) per unit time, or a packet buffer for temporarily storing packets to be processed by the defense target 300 For example, a method for monitoring the amount of packet retention may be used.

  The packet flow rate threshold value may be set in advance, or the protection target 300 may be provided with a function of monitoring the CPU load so that the threshold value can be dynamically controlled from the protection target. Good. When the packet flow monitoring unit 260 determines that a packet that exceeds the packet processing capability of the protection target 300 has flowed, the passage determination unit 210 searches the passage setting table 220. When there is no matching entry in the passage setting table, the SYNACK proxy response unit 230 sends a SYNACK packet as a proxy response to the SYN packet, and passes the packet having the source information of the ACK packet for the one to which the ACK packet is returned. Let With the above configuration, when the processing limit of the packet processing device 101 is not exceeded, all packets are allowed to pass, and when a SynFlood attack exceeding the processing limit of the packet processing device 101 is received, the system of the defense target 300 is prevented from being down. can do.

  The setting information registered in the passage setting table 220 may be initialized by using a passage instruction signal output from the packet flow rate monitoring unit 260 in addition to the method of initializing at power-on. Further, it may be initialized by an instruction from the software of the defense target 300.

  FIG. 6 is a flowchart showing a processing procedure of the packet processing device according to the second embodiment of the present invention. First, when the packet receiving unit 110 receives a packet (step S301), the packet flow rate monitoring unit 260 of the packet filter circuit unit 201 determines whether or not the flow rate of the packet transmitted from the packet receiving unit is less than a predetermined threshold value. Analysis is performed (step S302). If the packet flow rate is less than the threshold value, the received packet is passed (step S303).

  If the packet flow rate exceeds the threshold value, then the passage determination unit 210 of the packet filter circuit unit 201 searches the passage setting table 220 (step S304) and determines whether there is a matching entry in the passage setting table 220. Is analyzed (step S305). If there is a matching entry, the received packet is passed (step S303). On the other hand, if there is no matching entry in the passage setting table 220, the received packet is discarded by the following processing procedure.

  The passage determination unit 210 analyzes whether or not the received packet is a TCP SYN packet (step S306). If the packet is a SYN packet, the passage determination unit 210 notifies the SYNACK proxy response unit 230 of the header information, The SYNACK proxy response unit 230 generates a SYNACK packet corresponding to the received SYN packet and transmits the SYNACK packet to the network (step S307).

  On the other hand, if the received packet is not a TCP SYN packet, the passage determination unit 210 further analyzes whether or not the received packet is a TCP ACK packet (step S308). If it is an ACK packet, the passage determining unit 210 registers the transmission source information of the received ACK packet in the passage setting table 220 (step S309). Here, an example in which the transmission source information is only the transmission source IP address is described. The passage determination unit 210 simultaneously notifies the connection disconnection unit 240 of the header information, and the connection disconnection unit 240 transmits an RST packet to the transmission source of the received ACK packet and disconnects the connection (step S310).

  After the transmission of the RST packet and when it is determined in step S308 that the packet is not an ACK packet, the passage determination unit 210 discards the received packet after transmitting the SYNACK packet in step S307 (step S311). After the above reception packet is passed or discarded, the packet processing ends (step S312).

[Embodiment 3]
FIG. 7 is a diagram showing the configuration of the packet processing apparatus according to Embodiment 3 of the present invention. Compared with the packet processing device 101 of the second embodiment, the packet processing device 102 shown in FIG. 7 includes a number calculation unit 270 inside the SYNACK proxy response unit 231 and the passage setting entry addition unit 251 of the packet filter circuit unit 202. The point that is added is different. The other configuration of the packet processing apparatus 102 is the same as that of the packet processing apparatus 101 according to the second embodiment, and a description thereof will be omitted.

  The number calculation unit 270 calculates a sequence number to be given to the SYNACK packet from the TCP flow information of the received packet. Here, the TCP flow information indicates a source IP address, a destination IP address, a source port number, a destination port number, and a TCP initial sequence number. For the calculation formula, a method using a hash function or a simple method of dividing and adding parameter values in units of bytes may be used.

  In the SYNACK proxy response unit 231 and the pass setting entry addition unit 251, the number calculation unit 270 calculates a number using the TCP flow information as a key with the same calculation formula. In the SYNACK proxy response unit 231, a number is calculated from the TCP flow information of the received SYN packet, and is sent as a sequence number of the SYNACK packet. The passage setting entry adding unit 251 calculates a number from the TCP flow information of the received ACK packet and compares it with the confirmation response number included in the header of the ACK packet. The TCP initial sequence number is the ACK packet sequence number-1. In a series of 3-way handshake processes, SYN packets, SYNACK packets, and ACK packets having the same TCP flow information are transmitted and received. Therefore, if the value obtained by adding 1 to the number calculated by the number calculation unit 270 from the TCP flow information of the ACK packet matches the acknowledgment number of the ACK packet, it can be authenticated as a normal 3-way Handshake packet. In the case of a forged ACK packet, the value +1 calculated by the number calculation unit 270 is different from the confirmation response number actually included in the TCP header of the ACK packet, so this is regarded as an illegal ACK packet, The received ACK packet is discarded.

  Next, FIG. 8 is a flowchart showing a processing procedure of the packet processing device according to the third embodiment of the present invention. First, when the packet receiving unit 110 receives a packet (step S401), the packet flow rate monitoring unit 260 of the packet filter circuit unit 202 analyzes whether or not the flow rate of the packet sent from the packet receiving unit is less than a predetermined threshold. (Step S402). If the packet flow rate is less than the threshold value, the received packet is passed (step S403).

  If the packet flow rate exceeds the threshold value, then the passage determination unit 210 of the packet filter circuit unit 202 searches the passage setting table 220 (step S404), and whether there is a matching entry in the passage setting table 220. This is analyzed (step S405). If there is a matching entry, the received packet is passed (step S403). On the other hand, if there is no matching entry in the passage setting table 220, the received packet is discarded by the following processing procedure.

  The passage determination unit 210 analyzes whether or not the received packet is a TCP SYN packet (step S406). If the packet is a SYN packet, the SYNACK proxy response unit 231 identifies the received SYN packet from the TCP flow information. The sequence number to be given to the SYNACK packet is calculated by the following formula (step S407). Then, using the calculated sequence number as the SYNACK sequence number, the SYNACK proxy response unit 231 generates a SYNACK packet corresponding to the received SYN packet and transmits it to the network (step S408).

  On the other hand, if the received packet is not a TCP SYN packet, the passage determination unit 210 further analyzes whether or not the received packet is a TCP ACK packet (step S409). If the packet is an ACK packet, the pass setting entry adding unit 251 calculates a number from the TCP flow information of the received ACK packet using a specific calculation formula (step S410). As this specific calculation formula, it is necessary to use the same calculation formula as the calculation in step S407.

  Next, the passage setting entry adding unit 251 confirms whether the value obtained by adding 1 to the calculated number matches the confirmation response number included in the TCP header of the actual ACK packet (step S411). If they match, the passage determination unit 210 registers the transmission source information of the received ACK packet in the passage setting table 220 (step S412). Here, an example in which the transmission source information is only the transmission source IP address is described. The passage determination unit 210 simultaneously notifies the connection disconnection unit 240 of the header information, and the connection disconnection unit 240 transmits an RST packet to the transmission source of the received ACK packet to disconnect the connection (step S413).

  After the transmission of the RST packet and when the value obtained by adding 1 to the calculated number in step S411 does not match the confirmation response number included in the TCP header of the actual ACK packet, it is determined that the packet is not an ACK packet in the analysis of step S409 If so, after transmitting a SYNACK packet in step S408, the passage determination unit 210 discards the received packet (step S414). After passing or discarding the received packet, the packet processing ends (step S415).

  The packet filter circuit and the packet filter method described above are useful in terminal devices connected to an open network, such as network home appliances and mobile terminals having a network interface, and relay devices such as routers and firewalls. Further, since the amount of memory can be reduced as compared with the prior art, the incorporation in a semiconductor chip is useful for reducing the cost in manufacturing the semiconductor chip.

  In the present invention, since only the packet from the transmission source host that sends back the ACK response to the SYNACK packet that has responded as a proxy is passed, the packet from the attack source host that sends only the SYN packet can be discarded. A packet filter circuit and a packet filter method that have the effect of allowing only an access packet to pass and omit unnecessary processing related to unauthorized access, etc., and allow the packet to pass based on header information registered in the passage setting table Etc. are useful.

The figure which shows the structure of the packet processing apparatus in Embodiment 1 of this invention. The flowchart which shows the process sequence of the packet processing apparatus in Embodiment 1 of this invention. The sequence chart which shows the operation example of the packet processing apparatus in Embodiment 1 of this invention The figure which shows notionally the passage setting table of the packet processing apparatus in Embodiment 1 of this invention The figure which shows the structure of the packet processing apparatus in Embodiment 2 of this invention. The flowchart which shows the process sequence of the packet processing apparatus in Embodiment 2 of this invention. The figure which shows the structure of the packet processing apparatus in Embodiment 3 of this invention. The flowchart which shows the process sequence of the packet processing apparatus in Embodiment 3 of this invention. Sequence chart explaining the operation of the conventional TCP Proxy

Explanation of symbols

100, 101, 102 Packet processing device 110 Packet receiving unit 120 Packet transmitting unit 200, 201, 202 Filter function unit 210 Passing judgment unit 220 Passing setting table 230, 231 SYNACK proxy response unit 240 Connection disconnecting unit 250, 251 Passing setting entry addition Unit 260 packet flow rate monitoring unit 270 number calculation unit 300 protection target

Claims (6)

A packet filter circuit that allows packets to pass based on header information registered in the passage setting table,
A passage determination means for referring to the passage setting table to determine whether or not to allow the packet to pass;
When the packet determined not to pass is a SYN packet, a SYNACK proxy response means for proxy response of a SYNACK packet for the SYN packet;
When the packet determined not to pass is an ACK packet, passage setting entry adding means for adding header information of the ACK packet to the entry of the passage setting table;
When the pass setting entry adding means adds an entry, a connection disconnecting means for notifying a connection disconnection to the transmission source of the ACK packet;
A packet filter circuit comprising: A packet flow rate monitoring means for monitoring whether the packet flow rate is less than a predetermined threshold;
The packet filter circuit according to claim 1, wherein when the packet flow rate is less than the threshold, the passage determination unit passes all packets. Number calculation means for calculating a 32-bit number based on a predetermined calculation formula using TCP flow information as a key,
The SYNACK proxy response means transmits a SYNACK packet to which the number calculated by the number calculation means is assigned as a sequence number from the TCP flow information of the received SYN packet,
The passage setting entry adding unit is configured such that a value obtained by adding 1 to the number calculated by the number calculating unit from the TCP flow information of the received ACK packet matches an acknowledgment number included in the TCP header of the received ACK packet. 3. The packet filter circuit according to claim 1, wherein only the ACK packet is registered in the passage setting table. A packet filtering method for passing a packet based on header information registered in a passage setting table,
A passage determination step of referring to the passage setting table to determine whether or not to allow the packet to pass;
When the packet determined not to pass is a SYN packet, a SYNACK proxy response step of proxying a SYNACK packet for the SYN packet;
A pass setting entry adding step of adding header information of the ACK packet to the entry of the pass setting table when the packet determined not to pass is an ACK packet;
When adding an entry in the passing setting entry adding step, a connection disconnecting step for notifying the transmission source of the ACK packet of a connection disconnection;
A packet filtering method comprising:   The packet filtering method according to claim 4, wherein when the packet flow rate is less than a predetermined threshold, the passage determination step allows all packets to pass. The SYNACK proxy response step transmits a SYNACK packet with a 32-bit number calculated as a sequence number calculated based on a predetermined calculation formula using the TCP flow information of the received SYN packet as a key,
In the pass setting entry adding step, a value obtained by adding 1 to a 32-bit number calculated based on a predetermined calculation formula using the TCP flow information of the received ACK packet as a key is included in the TCP header of the received ACK packet. The packet filter method according to claim 4 or 5, wherein the ACK packet is registered in the passage setting table only when it matches with an acknowledgment number.

Images