JP2007251282A - Attack detecting apparatus, attack detection method, and attack detection program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To early detect a network attack and to provide useful detected information even when many unspecified attack sources exist. <P>SOLUTION: The attack detecting apparatus is configured in such a way that a statistic data acquisition section acquires a DNS query from an apparatus for handling a DNS query request and a statistic data log generating section generates statistic data logs classified for each monitoring domain or each sub domain included in each of the monitoring domains designated in set information. Then an attack judgment section executes attack start judgment/attack end judgment on the basis of an attack start/end condition designated by the set information, and an attack information notice section transmits a judgment result to an attack countermeasure apparatus such as a firewall. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to an attack detection device, an attack detection method, and an attack detection program for detecting a network attack on a server device on a network by a terminal device connected to the network, and in particular, can detect a network attack at an early stage and perform an attack. The present invention relates to an attack detection device, an attack detection method, and an attack detection program that can provide useful detection information even when the number of sources is unspecified.

  In recent years, a DoS (Denial of Services) attack is known in which a service provided by a server on the Internet is blocked by transmitting a large amount of illegal data. In particular, a distributed DoS (Distributed Denial of Service) attack by an unspecified number of terminals infected with a bot which is a kind of computer virus frequently occurs and becomes a problem.

  In addition, when a DNS (Domain Name System) server that performs domain name resolution becomes the target of a DoS attack or a DDoS attack, it becomes impossible to resolve the host name of a zone under the management of the DNS server. There is a concern that the range of influence of network attacks will become very large.

  As a countermeasure against these network attacks, a general method is to detect the attack source based on the statistics of the data packets exchanged between the attack destination and the attack source terminal, and take countermeasures for each detected attack source. Yes (see, for example, Patent Document 1).

JP 2005-229234 A

  However, the conventional techniques such as Patent Document 1 detect an attack only after a large number of packets are transmitted to a server that is a target of a network attack, and there is a problem that the attack cannot be detected at an early stage. . That is, when an attack is detected using the above-described conventional technology, there is a possibility that the communication path has already overflowed due to attack packets, and there is a risk that countermeasures against attacks will not be in time.

  In particular, as described above, when a DNS server is paralyzed due to a network attack, damage caused by the attack is widespread, and thus it is required to detect a network attack against the DNS server as soon as possible.

  Furthermore, the conventional method of detecting the attack source of the network attack has a problem that it does not exhibit a sufficient effect for the DDoS attack in which the attack source is an unspecified number. This is because even if all of a large number of attack sources can be identified, it is practically difficult to take measures to block packets from each attack source.

  Therefore, how to realize an attack detection method that can detect network attacks at an early stage and provide useful detection information even when the number of attack sources is unspecified. It has become a challenge.

  The present invention has been made to solve the above-described problems caused by the prior art, and can detect network attacks at an early stage and can be useful detection information even when the number of attack sources is unspecified. It is an object to provide an attack detection device, an attack detection method, and an attack detection program.

  In order to solve the above-described problems and achieve the object, the invention according to claim 1 is an attack detection device for detecting a network attack on a server device on the network by a terminal device connected to the network, Statistics acquisition means for acquiring statistics relating to DNS query requests that circulate above, attack determination means for determining presence / absence of a network attack based on the statistics acquired by the statistics acquisition means, and the attack determination means is a network attack If it is determined, the attack notification means for notifying a predetermined attack countermeasure device of the attack information representing the content of the network attack is provided.

  Further, in the invention according to claim 2, in the above invention, the statistical acquisition means passes through a DNS server device that resolves a domain name or a cache server device that caches information acquired from the DNS server device. It is characterized by obtaining statistics about a specific domain regarding a query request.

  The invention according to claim 3 is the above invention, wherein the statistics acquisition means includes an inquiry destination domain included in the DNS query request based on a list in which an inquiry destination domain name to be statistically specified can be arbitrarily specified. It is characterized by obtaining statistics including ranking by name.

  According to a fourth aspect of the present invention, in the above invention, the statistics acquisition unit is configured to request the DNS query based on a list in which subdomain names constituting a query destination domain name to be statistically specified can be arbitrarily specified. The statistics including the ranking for each sub-domain name constituting the inquiry destination domain name included in is acquired.

  The invention according to claim 5 is characterized in that, in the above-mentioned invention, the statistics acquisition means acquires statistics including a ranking for each request source address included in the DNS query request.

  The invention according to claim 6 is that, in the above invention, the attack determination means is a network attack when the number of times that the statistical value of the DNS query request exceeds a predetermined threshold reaches a predetermined number. It is characterized by determining.

  In the invention according to claim 7, in the above invention, the number of times that the statistical value of the DNS query request falls below a predetermined threshold after the attack determination means determines that the attack is a network attack reaches a predetermined number. In this case, it is determined that the network attack has ended.

  The invention according to claim 8 is characterized in that, in the above-mentioned invention, the statistics acquisition means sets a response to the DNS query request as a statistics acquisition target in addition to the DNS query request.

  The invention according to claim 9 is an attack detection method for detecting a network attack on a server device on the network by a terminal device connected to the network, and obtains statistics on a DNS query request distributed on the network. A statistics acquisition step, an attack determination step for determining presence / absence of a network attack based on the statistics acquired by the statistics acquisition step, and a content of the network attack when the attack determination step is determined to be a network attack And an attack notification step of notifying a predetermined attack countermeasure device of attack information representing the above.

  The invention according to claim 10 is an attack detection program for detecting a network attack on a server device on the network by a terminal device connected to the network, and obtains statistics about a DNS query request distributed on the network. Statistics acquisition procedure, an attack determination procedure for determining the presence or absence of a network attack based on the statistics acquired by the statistics acquisition procedure, and a content of the network attack when the attack determination procedure is determined to be a network attack It is characterized by causing a computer to execute an attack notification procedure for notifying a predetermined attack countermeasure device of attack information representing

  According to the invention of claim 1, 9 or 10, when statistics about a DNS query request distributed on the network are acquired, the presence / absence of a network attack is determined based on the acquired statistics, and the network attack is determined Since the attack information indicating the contents of the network attack is configured to be notified to a predetermined attack countermeasure device, the network when the attacker or attack program requests name resolution of this server in an attempt to attack a specific server device. Since an attack can be detected, a network attack can be detected early. In addition, it is possible to efficiently detect not only an attack on a normal server device such as an HTTP server but also a direct attack on a DNS server device.

  Further, according to the invention of claim 2, statistics about a specific domain are acquired with respect to a DNS query request passing through a DNS server that performs domain name resolution or a cache server that caches information acquired from the DNS server. Since it comprised so, there exists an effect that a network attack can be detected efficiently in the network position in which the DNS server apparatus and cache server apparatus which perform a name resolution process are installed.

  According to the invention of claim 3, the statistics including the ranking for each inquiry destination domain name included in the DNS query request is acquired based on a list that can arbitrarily specify the inquiry destination domain name to be statistics. Since it is configured as described above, it is possible to provide useful detection information even when the attack source is an unspecified number by accurately grasping which domain the server device belongs to as an attack target. Play. In addition, by using a list in which statistical objects are specified, there is an effect that a domain that is a target of statistics can be easily changed.

  According to the invention of claim 4, the sub domain constituting the query destination domain name included in the DNS query request is based on a list in which sub domain names constituting the query destination domain name to be statistically specified can be arbitrarily specified. Since it is configured to obtain statistics including ranking for each domain name, it provides useful detection information even when the number of attack sources is unspecified by narrowing down the attack target domain in detail. There is an effect that can be. In addition, by using a list in which statistical objects are specified, it is possible to easily change a subdomain to be a statistical target.

  Further, according to the invention of claim 5, since the statistics including the ranking for each request source address included in the DNS query request is acquired, it is possible to accurately grasp the attack source address. Play.

  According to the sixth aspect of the present invention, when the number of times that the DNS query request statistic value exceeds a predetermined threshold reaches a predetermined number, the network attack is determined to be started. It is possible to reduce the processing load related to attack detection by detecting the above by a simple process.

  According to the invention of claim 7, it is determined that the network attack has ended when the number of times that the DNS query request statistical value has fallen below a predetermined threshold has reached a predetermined number after determining that it is a network attack. Thus, the processing load related to the attack detection can be reduced by detecting the end of the network attack by a simple process.

  According to the invention of claim 8, since the response to the DNS query request in addition to the DNS query request is set as the acquisition target of the statistics, there is a difference between the number of the DNS query request and the response. The network attack can be efficiently detected.

  Hereinafter, embodiments of an attack detection method according to the present invention will be described in detail with reference to the accompanying drawings. In the following, a case will be described in which an attack detection apparatus to which such an attack technique is applied is connected to a DNS cache server apparatus to perform attack detection. The attack detection device may be connected to the DNS server device or directly connected to the network to detect the attack.

  First, features of the attack detection method according to the present invention will be described with reference to FIG. FIG. 1 is a diagram showing characteristics of an attack detection method according to the present invention. In the figure, an attack procedure when an unspecified number of attackers (for example, a terminal device infected with a virus) performs an attack to send a large amount of data packets to an attack target server (for example, an HTTP server). Shows about.

  As shown in the figure, when an attacker makes an attack on an attack target server, first, an DNS server is sent to the DNS server to acquire the address of the attack target server (FIG. 1). (See (1)). If the address of the attack target server is acquired from the DNS server (see (2) in FIG. 1), a large amount of data packets are transmitted to the attack target server at the acquired address (see (3) in FIG. 1). ).

  As described above, an attacker who performs a network attack generally takes a procedure of first performing name resolution by DNS to acquire an attack target address and then starting the attack using the acquired address. Is.

  However, the conventional attack detection method has a problem that the attack detection timing is delayed because the attack detection is performed when the attack on the attack target server is started (see (3) in FIG. 1). On the other hand, in the attack detection method according to the present invention, the attack detection is performed when the attacker requests name resolution by DNS in order to perform a network attack (see (1) in FIG. 1). It can be detected early.

  Next, an outline of an attack detection apparatus to which the attack detection method described in FIG. 1 is applied will be described with reference to FIG. FIG. 2 is a diagram illustrating an outline of the attack detection apparatus 10 according to the present embodiment. FIG. 2 shows the attack detection device 10 connected via the switch 102 to the cache server device 101 to which an unspecified number of attackers 104 request name resolution.

  As shown in FIG. 2, the attack detection apparatus 10 generates statistics about the DNS query request accepted by the cache server apparatus 101 (see (1) in FIG. 2). Then, when the statistics about the generated DNS query satisfy a predetermined condition, it is determined to be an attack (see (2) in FIG. 2 and paragraph 0051). Subsequently, the attack detection apparatus 10 notifies the firewall 103 of attack information indicating the start or end of the attack (see (3) in FIG. 2 and paragraph 0051).

  As described above, the attack detection apparatus 10 acquires statistics about the DNS query request, and determines whether or not there is an attack based on the acquired statistics. Accordingly, it is possible to detect a network attack at an early stage of the network attack, that is, at a stage where an attacker makes a name resolution request for performing a network attack. Further, even when a network attack targeting the cache server device 101 is performed, the attack detection can be reliably performed.

  In the figure, the cache server device 101 is illustrated as the connection destination of the attack detection device 10, but the connection destination may be a DNS server device (authoritative server). Further, the attack detection device 10 may be installed at a network position between the cache server device 101 and the attacker 104 or between the cache server device 101 and the DNS server device.

  In this embodiment, the attack detection device 10 is described as a device separate from the cache server device 101. However, the attack detection device 10 may be configured as a built-in device of the cache server device 101. Further, when the DNS server device is an attack detection target, the attack detection device 10 may be configured as a built-in device of the DNS server device.

  Next, the configuration of the attack detection apparatus 10 shown in FIG. 2 will be described with reference to FIG. FIG. 3 is a block diagram illustrating a configuration of the attack detection apparatus 10. As shown in the figure, the attack detection apparatus 10 includes a control unit 11, a storage unit 12, and a communication processing unit 13. The control unit 11 further includes a statistical data acquisition unit 11a, a statistical data log generation unit 11b, an attack determination unit 11c, and an attack information notification unit 11d. The storage unit 12 includes setting information 12a, Statistical data 12b and attack information 12c are stored.

  The control unit 11 acquires traffic related to the DNS query of the cache server apparatus 101 received via the switch 102, generates a statistical data log from the acquired traffic, and makes an attack determination based on the generated statistical data log. The processing unit performs a process of notifying the firewall 103 of attack information.

  The statistical data acquisition unit 11a is a processing unit that acquires traffic related to the DNS query via the communication processing unit 13 and performs processing for passing the acquired traffic as statistical data to the statistical data log generation unit 11b.

  The statistical data log generation unit 11b is a processing unit that performs processing for generating a data log for a DNS query request addressed to a domain or subdomain to be logged based on the setting information 12a of the storage unit 12. Specifically, the statistical data log generation unit 11b uses the statistical data log 12b according to the conditions (for example, monitoring period, monitoring target IP address, monitoring item, etc.) for acquiring statistical data specified in the setting information 12a. Is generated. Detailed examples of the setting information 12a and the statistical data log 12b will be described later with reference to FIGS.

  The attack determination unit 11c reads the statistical data log 12b generated by the statistical data log generation unit 11b from the storage unit 12, and also sets the attack start determination condition or the attack end determination condition specified in the setting information 12a (for example, upper limit threshold, lower limit A processing unit that determines the start / end of an attack according to a threshold value). The attack determination unit 11c is also a processing unit that generates a determination result as attack information 12c. The attack information 12c generated by the attack determination unit 11c is notified to the firewall 103 by the attack information notification unit 11d.

  The attack information notification unit 11d reads the attack information 12c generated by the attack determination unit 11c from the storage unit 12, and performs a process of notifying the read attack information 12c to the firewall 103 via the communication processing unit 13. It is. Note that the firewall 103 notified of the attack information 12c from the attack information notification unit 11d performs processing such as attack defense start / defense cancellation.

  The storage unit 12 is a storage unit configured by a storage device such as a nonvolatile RAM (Random Access Memory) or a hard disk device, and stores setting information 12a, a statistical data log 12b, and attack information 12c.

  The setting information 12a is information including statistical data log acquisition conditions and attack start / end determination conditions, and these pieces of information are used by the statistical data log generation unit 11b or the attack determination unit 11c. Further, since the setting information 12a is configured as a list in a text format, for example, it is possible to easily specify or change the attack detection target and the attack detection condition according to the attack pattern. Here, a detailed example of the setting information 12a will be described with reference to FIG. FIG. 4 is a diagram illustrating an example of the setting information 12a.

  A reference numeral 41 in FIG. 4 is an example of specifying the generation cycle of the statistical data log. As indicated by 41 in FIG. 4, when the “monitoring period” is designated as “180 seconds”, the statistical data log generation unit 11 b determines the statistical data passed from the statistical data acquisition unit 11 a as needed. A statistical data log 12b is generated every 180 seconds.

  What is indicated by reference numeral 42 in FIG. 4 is a specification example for specifying a monitoring target. As indicated by 42 in FIG. 4, the number of “monitoring target IP addresses” is “1”, the “monitoring target IP address” is “1234 :: 128”, and the “monitoring target port” is “53”. When the fact is specified, the statistical data log generation unit 11b outputs the statistical data log 12b for the DNS query that satisfies the condition shown in 42 of FIG. 4 from the statistical data passed from the statistical data acquisition unit 11a as needed. Is generated.

  Reference numerals 43 and 44 in FIG. 4 show examples of specifying a monitoring domain and specifying an attack start / end determination condition. Note that the branch numbers (“_1” and “_2”) in 43 and 44 in FIG. 4 are numbers assigned to each monitoring domain, and branch numbers such as “monitoring item 1_1” and “monitoring item 1_2” are used. Thus, it is possible to specify a plurality of monitoring domains.

  As indicated by 43 in FIG. 4, when the “monitoring item 1_1” is designated as the domain “www.aaa.co.jp.”, the statistical data log generation unit 11b performs the domain “www. The DNS query related to “aaa.co.jp.” is the target of the statistical data log 12b. Further, by using the same branch number, the attack start / end determination conditions (for example, the upper threshold 1_1, the lower threshold 1_1, etc.) can be specified as different values for each monitoring domain.

  The “upper limit threshold” and the “number of consecutive excesses” are items used by the attack determination unit 11c as conditions for determining attack start. As indicated by 43 and 44 in FIG. 4, when the “upper limit threshold value” is “10000” and the “continuous excess count” is specified as “5”, the attack determination unit 11c sets each statistical data When the number of queries for the log 12b exceeds 10000 queries for 5 consecutive times, it is determined that an attack has started. If the “lower limit threshold” is “600” and the “continuous lowering count” is specified to be “5”, the attack determination unit 11c determines that the attack has started, and then determines each statistical data log 12b. If the number of queries falls below 600 consecutively for 5 times, it is determined that the attack has ended.

  Returning to the description of FIG. 3, the statistical data log 12b will be described. The statistical data log 12b is a statistical log related to a DNS query generated by the statistical data log generation unit 11b based on the designation of the setting information 12a. The statistical data log 12b is used when the attack determination unit 11c makes an attack start / end determination. Here, a detailed example of the statistical data log 12b will be described with reference to FIG. FIG. 5 is a diagram illustrating an example of the statistical data log 12b.

  As shown in FIG. 5, the statistical data log 12b includes information on the monitoring target (see 51 in FIG. 5), information on the number of queries for each monitoring domain (query domain) (see 52 and 53 in FIG. 5), and It contains information.

  In the example shown in the figure, “co.jp.” (see 51b in FIG. 5) is designated as the monitoring domain name, so that the query domain (“www. Statistical information on “aaa.co.jp.” (see 52a in FIG. 5) and “www.bbb.co.jp.” (see 53a in FIG. 5) is created.

  As shown by 51a in FIG. 5, the “monitor item number” is “1”. This is because the monitor item is the root domain (.) Or jp. This is used to designate a plurality of DNS query monitoring ranges such as a domain (jp.). Here, the usage example of this monitoring item is demonstrated using FIG. FIG. 6 is a diagram illustrating a usage example of the monitoring item.

  As shown in FIG. 6, the case where “co.jp.” is designated as the monitoring item 1, “jp.” Is designated as the monitoring item 2, and “.” Is designated as the monitoring item 3 in the setting information 12a will be described. In this case, if a query request whose inquiry domain (QNAME) is “www.aaa.co.jp.” exists in the statistical data, the monitoring item 1, the monitoring item 2, and the monitoring item 3 in the statistical data log 12b. The total number of queries for will be counted up.

  In this way, for each of a plurality of domain hierarchies, the DNS query request statistics are taken to narrow down the subdomains targeted for attack, or conversely, the DNS managing the subdomains targeted for attack. It is possible to specify a server. In addition, FIG. 6 shows the case where each domain hierarchy is directly specified, but if a predetermined domain hierarchy, for example, a domain “co.jp.” is specified, statistics for each subdomain under that domain hierarchy are also acquired. It is good to do.

  Returning to the description of FIG. 5, the ranking for each inquiry domain will be described. As shown in FIG. 5, in the statistical data log 12b, the query domains corresponding to the monitoring domain names are ranked in descending order of the number of queries, for example. Then, for each inquiry domain, ranking of the number of queries for each source IP address is further performed.

  For example, in the statistical data log 12b, the total number of queries for each domain (“3200” in the case of 52a in FIG. 5) is increased from the smaller to the smaller (for each domain (52a, 53a in FIG. 5). Ranking (see 52 and 53 in FIG. 5) is performed. Furthermore, in the ranking for each domain (see 52 and 53 in FIG. 5), the ranking of the number of queries for each source IP address (in the case of 52 in FIG. 5, “1256”, “823”,...). included.

  In this way, by ranking each inquiry domain, it becomes possible to specify the server that is the attack target or the zone including the server. Therefore, even if it is invalid to specify the source IP address because there are an unspecified number of attackers as in the DDoS attack, an efficient attack can be achieved by hierarchically specifying the attack destination domain. Detection can be performed.

  In addition, when the number of attackers such as a DoS attack is small by including the ranking of the source IP address in the ranking for each inquiry domain (that is, when it is effective to specify the source IP address), It can also be used for specifying the source IP address.

  Returning to the description of FIG. 3, the attack information 12c will be described. The attack information 12c is information indicating the start / end of attack generated by the attack determination unit 11c. The attack information 12c is notified to the firewall 103 by the attack information notification unit 11d. For example, the attack information 12c includes items such as the domain name and subdomain name detected as the attack destination, the number of DNS queries counted, the date and time, and the attack start / attack end classification.

  The communication processing unit 13 is a communication device that performs data transmission / reception processing such as accepting a DNS query request via the switch 102 or transmitting attack information to the firewall 103 via the network. In FIG. 13, a single communication processing unit 13 is provided, but a plurality of communication devices may be provided for the switch 102 and for the network.

  Next, a processing procedure performed in the attack detection apparatus 10 described with reference to FIGS. 3 to 6 will be described with reference to FIGS. 7 and 8. FIG. 7 is a flowchart showing a processing procedure of statistical data log generation processing. As shown in the figure, when the statistical data log generation unit 11b acquires a DNS packet (for example, a DNS query request) from the statistical data log acquisition unit 11a (step S101), the statistical data log generation unit 11b stores the setting information 12a. It is determined whether each DNS packet is a DNS packet to be monitored according to the designated condition (step S102).

  When the DNS packet is a DNS packet to be monitored (step S102, Yes), the DNS packet is classified for each monitoring item (step S103), and the statistical data log 12b is generated (step S104). On the other hand, if it is determined in step S102 that the packet is not a DNS packet to be monitored (step S102, No), the processes in and after step S101 are repeated.

  FIG. 8 is a flowchart showing the procedure of the attack determination process and the attack information notification process. As shown in the figure, the attack determination unit 11c reads the statistical data log 12b from the storage unit 12 (step S201), and the number of DNS queries classified for each monitoring item exceeds the upper limit threshold continuously for a predetermined number of times. It is determined whether or not there is (step S202). If the determination condition of step S202 is satisfied (step S202, Yes), the attack information 12c indicating the start of the attack is generated, and the attack information notification unit 11d uses this attack information 12c (attack start) as a firewall. 103 is notified (step S203). In addition, when the determination condition of step S202 is not satisfied (step S202, No), the processing after step S201 is repeated.

  Subsequently, when the firewall 103 that has received the attack start notification makes a statistical data log acquisition request to the attack detection device 10, the attack information notification unit 11d stores the statistical data log 12b linked to the previously transmitted attack information 12c. After extracting, it notifies the firewall 103 (step S204). The firewall 103 that has received the statistical data log 12b starts defense processing after selecting necessary information from the previously received attack start notification and the statistical data log (step S301).

  In addition, the attack determination unit 11c that has completed the processing procedure of step S203 and step S204 continues the reading process of the statistical data log 12b to determine the end of the attack (step S205), and the monitoring item that has notified the attack start It is determined whether or not the number of DNS queries for has fallen below the lower limit threshold by a predetermined number of times (step S206). If the determination condition of step S206 is satisfied (step S206, Yes), the attack information 12c indicating the end of the attack is generated, and the attack information notifying unit 11d receives the attack information 12c (attack end). 103 is notified (step S207). In addition, the firewall 103 that has received the attack information 12c (attack end) performs a defense release process (step S302).

  Next, an example of the installation position of the attack detection device 10 will be described with reference to FIG. FIG. 9 is a diagram illustrating an example of an installation position of the attack detection apparatus 10. The installation position pattern A in FIG. 1, that is, the form in which the attack detection apparatus 10 is connected to the cache server apparatus 101 is as already described in FIG. However, the attack detection apparatus 10 according to the present embodiment has a main feature in that the statistics about the DNS query are obtained. As shown in the installation position pattern B, the attack detection apparatus 10 is connected to the DNS server apparatus. It doesn't matter. By doing in this way, it becomes possible to detect efficiently the DDoS attack which made the DNS server the attack object.

  Further, as shown in the installation position patterns A and B, the attack detection device 10 can be connected to the cache server device or the DNS server device, but it is not always necessary to directly connect to the server device. That is, the attack detection device 10 may be connected to the network (not shown) between the attack terminal and the cache server device shown in FIG. 1 or between the cache server device and the DNS server. .

  As described above, in the present embodiment, the statistical data acquisition unit acquires a DNS query from a device that handles a DNS query request, and the statistical data log generation unit performs the monitoring domain specified in the setting information, or the monitoring domain A statistical data log divided into subdomains included in is generated. The attack determination unit performs an attack start determination / attack end determination based on the attack start / end conditions specified in the setting information, and the attack information notification unit transmits the determination result to an attack countermeasure device such as a firewall. did. Therefore, since a network attack can be detected early when DNS query requests increase abnormally, it is possible to detect a network attack at an early stage, and since the attack destination is specified in a plurality of ranges such as a domain and a subdomain, there is no attack source. Useful detection information can be provided even when there is a large number and it is meaningless to specify the attack source.

  In the above-described embodiment, the case has been described in which the statistics about the DNS query request are taken. However, the statistics about the DNS query request and the response to the DNS query request may be taken. This makes it possible to perform an attack determination process such as determining an attack when an imbalance occurs between the number of DNS query request queries and the number of responses.

  Further, in the above-described embodiments, the attack detection device that implements the present invention has been described from the functional aspect. However, each function of the attack detection device may be realized by causing a computer such as a personal computer or a workstation to execute a program. it can.

  In other words, the various processing procedures described above can be realized by executing a program prepared in advance on a computer. These programs can be distributed via a network such as the Internet. Further, these programs can be recorded on a computer-readable recording medium such as a hard disk, a flexible disk (FD), a CD-ROM, an MO, and a DVD, and can be executed by being read from the recording medium by the computer.

  As described above, the attack detection device, the attack detection method, and the attack detection program according to the present invention are useful for early detection of a network attack, and particularly when there are an unspecified number of attackers such as a DDoS attack, It is suitable for attack detection in the case where a network attack targeting a DNS-related device such as a DNS server device or a cache server device is performed.

It is a figure which shows the characteristic of the attack detection method which concerns on this invention. It is a figure which shows the outline | summary of the attack detection apparatus which concerns on a present Example. It is a block diagram which shows the structure of an attack detection apparatus. It is a figure which shows an example of setting information. It is a figure which shows an example of a statistical data log. It is a figure which shows the usage example of a monitoring item. It is a flowchart which shows the process sequence of a statistical data log production | generation process. It is a flowchart which shows the process sequence of an attack determination process and an attack information notification process. It is a figure which shows the example of the installation position of an attack detection apparatus.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Attack detection apparatus 11 Control part 11a Statistical data acquisition part 11b Statistical data log generation part 11c Attack determination part 11d Attack information notification part 12 Memory | storage part 12a Setting information 12b Statistical data log 12c Attack information 13 Communication processing part 101 Cache server apparatus 102 SW (switch)
103 FireWall (Firewall)
104 Attacker

Claims (10)

An attack detection device for detecting a network attack on a server device on the network by a terminal device connected to the network,
Statistics acquisition means for acquiring statistics relating to DNS query requests distributed on the network;
Attack determination means for determining the presence or absence of a network attack based on the statistics acquired by the statistics acquisition means;
An attack detection device comprising: attack notification means for notifying a predetermined attack countermeasure device of attack information representing the content of the network attack when the attack determination means determines that the attack is a network attack .   The statistics acquisition means acquires statistics about a specific domain with respect to a DNS query request that passes through a DNS server that performs domain name resolution or a cache server that caches information acquired from the DNS server. The attack detection device according to claim 1.   The statistics acquisition means acquires statistics including a ranking for each inquiry destination domain name included in the DNS query request based on a list in which an inquiry destination domain name to be statistically specified can be arbitrarily specified. The attack detection apparatus according to claim 1 or 2.   The statistic acquisition unit is configured to obtain, for each subdomain name constituting the inquiry domain name included in the DNS query request, based on a list in which the subdomain name constituting the inquiry destination domain name to be statistically specified can be arbitrarily specified. The attack detection apparatus according to claim 3, wherein statistics including ranking are acquired.   The attack detection apparatus according to claim 1, wherein the statistics acquisition unit acquires statistics including a ranking for each request source address included in the DNS query request.   The said attack determination means determines that it is a network attack, when the frequency | count that the statistical value of the said DNS query request exceeded the predetermined threshold reaches predetermined number, The network attack of any one of Claims 1-5 characterized by the above-mentioned. The attack detection device according to one.   The attack determination means determines that the network attack has ended when the number of times that the statistical value of the DNS query request has fallen below a predetermined threshold reaches a predetermined number after determining that the attack is a network attack. The attack detection device according to claim 6.   The attack detection apparatus according to claim 1, wherein the statistics acquisition unit sets a response to the DNS query request in addition to the DNS query request as a statistics acquisition target. An attack detection method for detecting a network attack on a server device on the network by a terminal device connected to the network,
A statistics acquisition step of acquiring statistics relating to a DNS query request distributed on the network;
An attack determination step of determining the presence or absence of a network attack based on the statistics acquired by the statistics acquisition step;
An attack detection method comprising: an attack notification step of notifying a predetermined attack countermeasure device of attack information representing the content of the network attack when the attack determination step is determined to be a network attack . An attack detection program for detecting a network attack on a server device on the network by a terminal device connected to the network,
A statistics acquisition procedure for acquiring statistics on DNS query requests distributed on the network;
An attack determination procedure for determining the presence or absence of a network attack based on the statistics acquired by the statistics acquisition procedure;
An attack characterized by causing a computer to execute an attack notification procedure for notifying a predetermined attack countermeasure device of attack information indicating the content of the network attack when the attack determination procedure is determined to be a network attack. Detection program.

Images