JP2009055222A - Attack packet countermeasure system, attack packet countermeasure method, attack packet countermeasure device, and attack packet countermeasure program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To control communication from an attack source by a repeater closest to the attack source by uniquely specifying the attack source, even when a server is attacked via the repeater which rewrites the transmitted source information of a packet. <P>SOLUTION: The system is provided with a communication log storage means, having a plurality of repeaters which rewrite the transmitting source information of the received packet, and a management terminal which transmits a retrieval request to the repeater and stores a communication log that includes a transmitting source address before repeating, a transmitting source address, after repeating by the repeaters, and a destination address; an unauthorized terminal retrieval means for specifying an unauthorized terminal or a repeater at a transmitting origin of the retrieval request, by referring to the communication log storage means, when the retrieval request is input; and a function control means for inputting the retrieval request from the management terminal or other repeaters, outputting the retrieval request to the unauthorized terminal retrieval means, transmitting retrieval results to the management terminal or to other repeaters, when the unauthorized terminal is specified by the unauthorized terminal retrieval means, and transmitting the retrieval request to the repeater at the transmitting destination, when the repeater at the transmitting destination is specified by the unauthorized terminal retrieval means. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention uniquely identifies an attack source even when an attack to a server on a communication network is performed via a packet relay device that rewrites packet transmission source information, and attacks by a packet relay device nearest to the attack source. The present invention relates to an attack packet countermeasure system, an attack packet countermeasure method, an attack packet countermeasure apparatus, and an attack packet countermeasure program that control original communication.

In recent years, networks such as the Internet and Intranet have become indispensable as social infrastructure, and many companies conduct advertising activities through servers on the Internet, and many industrial activities such as sales and meetings of products etc. Is done through a server on the Internet.
On the other hand, there are many incidents that make it impossible to provide such services by making unauthorized access such as Dos attack (Denial of Service Attack) and DDos attack (Distributed Denial of Service attack) to servers on the Internet. Has become a social problem.

Such attacks on servers on the Internet are transmitted via proxy servers and packet relay devices that perform address translation (for example, relay devices having functions such as NAT (Network Address Translation) and NAPT (Network Address Port Translation)). If it is performed, the transmission source information is rewritten when the packet relay device relays communication.
For this reason, it is difficult to control the communication by uniquely identifying the attack source from the attacked side, especially when an attack is performed via multiple packet relay devices. First of all it was impossible to identify.

In addition, if the network is configured to operate in multiple networks using multiple packet relay devices, there is information about the network configuration against attacks from unauthorized terminals on the network. It is difficult to control from a device on another network that is not.
For example, it is usually a security practice to uniquely identify an attacking fraudulent terminal belonging to one organization's network on the Internet from a device belonging to another organization's network and control communication with the network device closest to the attacking source. From the point of view, the information on the network to be managed is never disclosed to another network, so it is virtually impossible.

Conventionally, the following method has been adopted for such a problem.
First, there is a method of identifying an unauthorized terminal by installing an IDS (Intrusion Detection System) for each network, collecting logs of each IDS in one place, and performing correlation analysis.
Secondly, there is a method for identifying an unauthorized terminal by using a network without using a proxy server and without performing address translation by a packet relay device so that packet transmission source information is not rewritten. It was.

However, according to the first method, since it is necessary to prepare a device for detecting an attack for each network, there is a problem in that costs are increased.
In addition, in the case of a large-scale network that is divided into a plurality of subnets, there is a problem that it is difficult to uniquely identify an attack source only by log correlation analysis.
In addition, collecting the logs in one place squeezed the disk.

In addition, since there is a limit to the IP addresses that can be assigned, the second method has a problem in that it cannot be handled as the network size increases.
In addition, the second method has a problem that the search range of the attack source is limited to a range in which the network configuration can be grasped.
Furthermore, since the method does not use a proxy server, there is a problem that various merits of the proxy server cannot be obtained.

Here, as a prior art regarding prevention of unauthorized access to a server on a network, for example, a method for preventing a distributed denial of service attack described in Patent Document 1 or a method for preventing a denial of service attack described in Patent Document 2 are cited. Can do.
According to these inventions, the agent program on the network device that detects the attack sends a copy of its program for controlling the attack packet toward the network device closer to the attack source, and traces back to the attack source little by little. It is possible to control attack packets.

However, in any of the inventions, when an attack is performed via a packet relay device that rewrites information of a transmission source, there is a case where the attack packet cannot be traced back and the attack packet cannot be appropriately controlled. was there.
That is, in such a conventional method, in the case of a flood type attack (for example, a SYN flood attack: an attack that attempts a large number of TCP connections that are not established), the attack source can be specified, but this is called a so-called blow-and-death system In the case of an attack, there was a problem that it could not be identified.
Further, even in the case of a Flood type attack, there is a possibility that an incorrect host (packet relay device) is detected as an attack source.

For such a problem, it is possible to avoid the attack by performing an operation that blocks all accesses from the packet relay device that rewrites the information of the transmission source.
However, when such an operation is performed, a new problem arises in that all normal communications from other terminals using the packet relay device that rewrites the information of the transmission source are also blocked.
Further, the inventions described in these patent documents have a problem that a dedicated device is required.

On the other hand, according to the network system and attack defense method described in Patent Document 3, the above-described invention in Patent Documents 1 and 2 is used by using a method in which all the devices on the network are centrally managed by one management device. It is possible to deal with the problem.
However, when all the devices on the network are centrally managed by one management device in this way, there is a problem that the entire system does not function if the management device stops.
In addition, in a network in which a plurality of different organizations are mixed, there is a problem that it is difficult to specify an attack source using a single management device.

Furthermore, examples of prior art relating to the present invention include a packet path tracking system described in Patent Document 4, a packet tracking method described in Patent Document 5, and a server protection network system described in Patent Document 6.
In Patent Documents 4 and 5, in a network having a relay device having a NAT function, a relay device that is a transfer source of illegal packets is specified based on log information at the time of transfer, and a search request for a sender terminal of illegal packets is made. It is described that the transmission source terminal is specified by sequentially transferring the search request information to the transfer source.
Further, Patent Document 6 performs control such as blocking of a packet from a transmission source terminal by transferring control request information specifying control of communication from the transmission source terminal of an illegal packet for each search result. It is described.

JP 2002-164938 A JP 2003-283571 A JP 2006-067078 A JP 2005-159936 A JP 2004-282364 A JP 2003-298628 A

However, the inventions described in Patent Documents 4 to 6 do not relay search request information and control request information of unauthorized terminals by using an agent program on the packet relay device, and search rules are assigned to each of the packet relay devices. The packet relay device could not be provided by the agent program.
For this reason, there has been a problem that fine control based on the request source address included in the search rule cannot be performed.

For example, because it is impossible to specify the number of search hops and control method (blocking, quarantine, bandwidth control, warning, etc.), flexible operation according to the network policy within the organization cannot be performed, and practical use There was a problem that was difficult.
In addition, it is difficult to control an attack from an unauthorized terminal on a network from a device on a separate network that does not have information about the network configuration, and flexible search processing and control processing for unauthorized terminals. Could not execute.

Furthermore, since these prior inventions do not relay search request information or control request information of unauthorized terminals using an agent program on the packet relay device, if the identification information (IP address, etc.) of the attack source is not known The countermeasure cannot be implemented, and the person who requests the countermeasure needs to disclose network information (IP address, etc.) to some extent, and it is difficult to maintain the anonymity of the network.
For example, it has been difficult to accurately identify an unauthorized terminal belonging to a network of a certain organization on the Internet from a device belonging to a network of another organization while maintaining anonymity.

Further, in the invention described in Patent Document 6, the control request information for communication from the unauthorized terminal is sequentially transferred back to the router closest to the unauthorized terminal (attack source) by going back the route through which the service request is sent. ing.
However, this method has a problem that the processing speed from search to control is slow.

Further, in the invention described in Patent Document 6, the information to be referred to and the mechanism to be used are not clear when specifying an unauthorized terminal, and the case where the packet is relayed by a proxy server or the like is not considered.
For this reason, for example, if access from a proxy server that rewrites information of a transmission source is blocked by the invention described in Patent Document 6, all normal communications from other terminals using this proxy server are blocked. there were.

  The present invention has been considered in view of the above circumstances. The agent program is stored and activated in the packet relay device, and the agent program is used to search for illegal terminal search information between the packet relay devices and from the unauthorized terminal. Measures against attack packets that can accurately identify the attack source and control unauthorized communications with the relay device closest to the attack source while maintaining network anonymity by relaying control request information for An object is to provide a system, an attack packet countermeasure method, an attack packet countermeasure apparatus, and an attack packet countermeasure program.

In order to achieve the above object, an attack packet countermeasure system of the present invention is an attack packet countermeasure system that identifies an unauthorized terminal that has made unauthorized access to a server via a relay device on a network, and transmits a received packet. One or more relay devices that rewrite original information, and a management terminal that transmits search request information for unauthorized terminals to one of the relay devices, and the relay device receives the source address before relaying of the received packet , A communication log storage unit that stores a communication log including a transmission source address and a destination address after relay, and a search request information input, the communication log storage unit is referred to, and an unauthorized terminal or a relay device that is a transmission destination of the search request information The search request information is input from the management terminal or other relay device and output to the illegal terminal search means. When an unauthorized terminal is identified, search result information is transmitted to the management terminal or other relay device, and when a transmission destination relay device is identified by the unauthorized terminal search means, search request information is transmitted to the transmission destination relay device. And a function control means.
The “address” can include information such as an IP address and information such as a port number as necessary.

According to the present invention, even when an attack on a server on the Internet is performed through a proxy server that rewrites packet transmission source information or a device that performs address conversion, it is possible to accurately identify the attack source. Become.
In addition, after specifying the attack source, it becomes possible to control unauthorized communication by the network device nearest to the attack source.

In addition, since such an unauthorized terminal search and control is executed by an agent program installed on the packet relay device, an attack from an unauthorized terminal existing on a network is used to obtain information on the network configuration. It is possible to control flexibly from a device on a separate network that does not have.
In other words, by linking this agent program and relaying unauthorized terminal search requests and control requests to the agent program, it is possible to control communication from unauthorized terminals pinpointing while maintaining network anonymity. It becomes possible.

Hereinafter, a preferred embodiment of an attack packet countermeasure system according to the present invention will be described with reference to the drawings.
It should be noted that the attack packet countermeasure system of the present invention shown in the following embodiment is operated by a computer controlled by a program. The CPU of the computer sends a command to each component of the computer based on the program and performs predetermined processing necessary for the operation of the packet relay device, for example, relay processing of search request / control request for illegal terminal, search result / control The result is returned. Thus, each processing and operation in the attack packet countermeasure system of the present invention can be realized by specific means in which the program and the computer cooperate.

The program is stored in advance in a recording medium such as a ROM and a RAM, and is executed by causing the computer to read the program from a recording medium mounted on the computer. For example, the program may be read by the computer via a communication line.
Further, the recording medium for storing the program can be constituted by, for example, a semiconductor memory, a magnetic disk, an optical disk, or any other recording means that can be read by any computer.

[First embodiment]
First, the structure of 1st embodiment of this invention is demonstrated with reference to FIGS. FIG. 1 is a block diagram showing the configuration (IP network) of the attack packet countermeasure system of this embodiment. FIG. 2 is a block diagram showing a configuration (overlay network) of the system. FIG. 3 is a block diagram showing the configuration of the packet relay apparatus in the system. FIG. 4 is a diagram showing a record layout of the communication log storage unit in the system. FIG. 5 is a diagram showing a data configuration of a table in the search rule DB in the same system. FIG. 6 is a diagram showing a record layout of the search cache DB in the same system. FIG. 7 is a diagram showing a data configuration of a table in the control rule DB in the system. FIG. 8 is a block diagram showing the configuration of the management terminal in the system.

[Attack packet countermeasure system]
As shown in FIG. 1, the attack packet countermeasure system of this embodiment includes a packet relay device 10 (packet relay device 10a (relay router a (with NAPT)), packet relay device 10b (proxy server), A packet relay device 10c (relay router b (with NAPT)) and a management terminal 20 are included.
Moreover, in the example of the figure, it is assumed that the target server 30 is under attack such as Dos by the unauthorized terminal 40 via the network.
FIG. 2 shows a connection method according to the purpose of the service or application in the apparatus of FIG.

[Packet relay apparatus 10]
The packet relay device 10 is a device that relays packets transmitted from the unauthorized terminal 40 to the target server 30. In the example of FIG. 1, the relay router a (with NAPT), the proxy server, and the relay router b (with NAPT) Is shown as
The relay router a is a device that performs a NAPT, and when performing communication from the network to which the proxy server belongs to the network to which the management terminal 20 belongs, the network of the management terminal 20 to which the transmission terminal information in the packet header belongs. Side address information (including the port number; the same applies hereinafter).

The proxy server is a device that relays access from the unauthorized terminal 40 to the target server 30.
The relay router b is a device that performs NAPT, and when performing communication from the network to which the unauthorized terminal 40 belongs to the network to which the proxy server belongs, the network side to which the proxy server has its own transmission source information in the packet header To address information.

  As shown in FIG. 3, an agent program is installed in the packet relay device 10, and by starting this agent program, the communication log storage unit 11, the search rule DB 12, the search cache are included in the packet relay device 10. A DB 13, a control rule DB 14, an agent function control unit 15, an unauthorized terminal search unit 16, and an unauthorized terminal control unit 17 are configured. The communication log storage unit 11, the search rule DB 12, the search cache DB 13, and the control rule DB 14 may be configured on a storage device that is externally connected to the packet relay device 10.

  When the agent program is executed in the packet relay device 10, the standby port number, the upstream node list, the downstream node list, the priority, and the cache data holding period are input as setting parameters in advance before the execution of the agent program. 10 is stored in parameter storage means (not shown) so that it can be read by the CPU during execution of the agent program.

  The standby port number is a sub-address provided under the IP address for simultaneous connection with a plurality of partners.

  The upstream node list is storage means for registering the IP address and port number of one or more other packet relay apparatuses 10 to which the packet relay apparatus 10 is connected at the time of activation. Hereinafter, the packet relay apparatus 10 registered in the upstream node list is referred to as an upstream node.

  When the agent program is activated in the packet relay device 10, a connection unit (not shown) in the packet relay device 10 establishes a connection with another packet relay device 10 registered in the upstream node list in advance, The packet relay apparatus 10 is notified of its node information (standby IP address, port number, priority, etc.) at regular intervals.

The downstream node list is storage means for registering node information notified from other packet relay apparatuses 10 at regular intervals. When the packet relay device 10 receives node information from another packet relay device 10, it adds this to the downstream node list. Hereinafter, the packet relay device 10 registered in the downstream node list is referred to as a downstream node.
The packet relay apparatus 10 discards the corresponding node information from the downstream node list when the connection with the downstream node is disconnected or when the node information is not notified from the downstream node for a certain period.

The priority is for determining the order of the packet relay device 10 that relays the search request when the packet relay device 10 relays a search request for an unauthorized terminal and a plurality of pieces of node information are registered in the downstream node list. Information.
The packet relay apparatus 10 relays the search request only to the downstream node in order to prevent a search request loop. At this time, the search request is relayed to the packet relay apparatus 10 having a higher priority.

  The cache data retention period is a period during which the packet relay apparatus 10 stores the search cache in the search cache DB 13. The unauthorized terminal search unit 16 deletes the search cache from the search cache DB 13 when the search cache stored in the search cache DB 13 has passed this cache data retention period from the search cache update time.

  As will be described later, this search cache includes, for example, a search ID, a search target IP address, a search target port number, a victim terminal IP address, a victim terminal port number, a protocol number, session information (at the start of a session, Time from session start to session end), search cache update time, IP address of packet relay device nearest to unauthorized terminal, standby port number of agent program operating on packet relay device nearest to unauthorized terminal, executable control It can be information including a command, its options (multiple sets can be registered), and a terminal node ID.

[Communication log storage unit 11]
The communication log storage unit 11 stores a log of communication performed by the packet relay device 10.
This communication log includes a transmission source IP address before relay (before address conversion; the same applies hereinafter), a transmission source port number before relay, a transmission source IP address after relay (after address conversion; the same applies hereinafter), Includes information such as source port number, destination IP address (endpoint IP address), destination port number (endpoint port number), protocol number, session information (session start time, time from session start to end) It is preferable to use it.
Note that the communication log storage unit 11 can be a text file or the like that stores the log, or a relational DB, and the storage format is not particularly limited as long as the communication log can be stored.

[Search rule DB 12]
The search rule DB 12 stores a search rule table in which conditions for determining whether or not the unauthorized terminal search unit 16 executes search processing are defined. The unauthorized terminal search unit 16 determines whether to perform a search based on the search rules recorded in the search rule table.
The search rule in the search rule DB 12 can be changed as necessary by the unauthorized terminal search unit 16 based on a search rule change request from the agent function control unit 15. Further, the search rule can be directly changed by the agent function control unit 15.

As shown in FIG. 5, the search rule includes columns for a search rule ID, a search source, the number of search hops, and remarks.
The search rule ID is identification information for uniquely specifying the search rule.
The search source is an address of a network to which the packet relay apparatus 10 accepts a search request. When a search request is received from the management terminal 20 or another packet relay apparatus 10 in this network, the unauthorized terminal search unit 16 A search by is performed.

In the search source of the figure, the number after the slash indicates the number of bytes used for address matching, and the number of bytes after the slash from the left of the search source address is used for matching. These addresses that are the same are determined to match.
The number of search hops is a value indicating how many nodes ahead the search is performed.
The comment is comment information for the search rule.

[Search cache DB 13]
The search cache DB 13 stores a search cache. As shown in FIG. 6, the record layout of the search cache DB 13 includes, for example, a search ID, a search target IP address, a search target port number, a victim terminal IP address, a victim terminal port number, a protocol number, session information ( Session start time, time until session end), search cache update time, standby port number of the agent program running on the packet relay device closest to the unauthorized terminal, executable control command and its options (each can be registered multiple times), end It can be a node ID or the like.

  The search cache DB 13 is referred to by the unauthorized terminal search unit 16 based on the search ID in the search request information, and when search result information based on the search request information having the same content is stored, the subsequent search processing is executed. The search result information is output as a search execution result by the unauthorized terminal search unit 16.

[Control Rule DB 14]
The control rule DB 14 stores a control rule table that records a control rule for communication from an unauthorized terminal executed by the unauthorized terminal control unit 17 based on an unauthorized terminal control request. The unauthorized terminal control unit 17 executes a control process for communication from an unauthorized terminal based on the control rules recorded in the control rule table.
The control rule in the control rule DB 14 can be changed as necessary by the unauthorized terminal control unit 17 based on a control rule change request from the agent function control unit 15. Further, the control rule can be directly changed by the agent function control unit 15.

As shown in FIG. 7, this control rule has columns of rule ID, control source, control type, control command, control command option, and remarks.
The control rule ID is identification information for uniquely specifying the control rule.
The control source is an address of a network to which the packet relay apparatus 10 receives a control request. When the control request is received from another packet relay apparatus 10 or the management terminal 20 in the network, the unauthorized terminal control unit 17 Control by is performed.

  In the control source in the figure, the numerical value after the slash indicates the number of bytes used for address matching, and the number of bytes after the slash from the left of the control source address is used for matching. These addresses that are the same are determined to match.

The control type is a value indicating which method is used to control communication. In the example of the figure, 0 is a warning, 1 is bandwidth control, 2 is a quarantine, and 3 is blocked. When the control rule is specified, the unauthorized terminal control unit 17 executes control corresponding to the control type in the control rule for communication from the unauthorized terminal.
The control command is a command for causing a network device adjacent to the unauthorized terminal to control communication from the unauthorized terminal.

Control command options are information related to control command options (control command specifications, etc.). For example, a specific protocol or port number is recorded as a control command option to control only communications using these. Is possible. It is also possible to record the control time so that only that time can be controlled.
The comment is comment information for the control rule.

[Agent function control unit 15]
Upon receiving the unauthorized terminal search request information from the management terminal 20 or another packet relay device 10, the agent function control unit 15 outputs the search request information to the unauthorized terminal search unit 16, and sends the retrieved information to the unauthorized terminal search unit 16. A search process or the like is executed to identify

Further, the agent function control unit 15 causes the unauthorized terminal search unit 16 to execute a search process for identifying an unauthorized terminal. As a result, if an unauthorized terminal is not identified, the agent function control unit 15 relays search request information closer to the attack source. Transmit to device 10.
Further, the agent function control unit 15 specifies the unauthorized terminal search unit 16 to specify the unauthorized terminal, and when the search result information is input from the unauthorized terminal search unit 16 or the search result information of the unauthorized terminal from another packet relay device 10. When received, the search result information is transmitted to another packet relay apparatus 10 or the management terminal 20 along the reverse route of the search request information.
At this time, the agent function control unit 15 can refer to the search route list in the search request information and trace the relay route in reverse.

When the agent function control unit 15 receives the control request information of the unauthorized terminal from the management terminal 20, the agent function control unit 15 outputs the control request information to the unauthorized terminal control unit 17 and performs various processes for controlling communication from the unauthorized terminal. Is executed.
At this time, the agent function control unit 15 refers to the search cache DB 13 using the search ID included in the control request information, and confirms whether the corresponding search cache is stored.

If it is stored, the packet relay device 10 closest to the unauthorized terminal is identified based on the search path list in the search cache, and the control request information of the unauthorized terminal is transmitted to the packet relay device 10 nearest to the unauthorized terminal.
Further, the agent function control unit 15 controls the communication from the unauthorized terminal to the unauthorized terminal control unit 17 based on the control request information when the packet relay apparatus 10 is identified as the nearest unauthorized terminal. Is executed.

  Furthermore, when the control result information is input from the unauthorized terminal control unit 17, the agent function control unit 15 transmits the control result information to the packet relay apparatus 10 that is the transmission source of the control request information. When the agent function control unit 15 receives the control result information of the unauthorized terminal from the other packet relay apparatus 10, the agent function control unit 15 transmits the control result information to the management terminal 20.

[Unauthorized terminal search unit 16]
When the illegal terminal search unit 16 inputs the search request information of the illegal terminal transmitted from the other packet relay apparatus 10 or the management terminal 20 to the packet relay apparatus 10, the illegal terminal search unit 16 in the packet relay apparatus 10 based on the search request information. The search rule DB 12, the search cache DB 13, and the communication log storage unit 11 are referred to search for an unauthorized terminal.

When an unauthorized terminal is specified by this unauthorized terminal search, the search result information is transmitted by the agent function control unit 15 following the search request information transmission path in reverse. At this time, the agent function control unit 15 can identify the transmission source of the search request information based on the search route list in the search request information or the search result information.
Further, when the unauthorized terminal search unit 16 cannot identify the unauthorized terminal by searching for the unauthorized terminal, the packet relay apparatus 10 closer to the attack source (the highest priority among the packet relay apparatuses 10 in the downstream node list). The search request information for unauthorized terminals is sent to.

Specifically, the unauthorized terminal search unit 16 executes the following processing.
First, when the search request information from another packet relay device 10 or the management terminal 20 is input, the unauthorized terminal search unit 16 sets the search rule DB 12 using the IP address of the request source included in the search request information packet as a key. The search rule that matches the IP address of the transmission source and the address of the “search source” network in the search rule table is specified.

At this time, the number of bytes corresponding to the numerical value after the slash from the left of the “search source” network address in the search rule table is used for matching as the IP address of the transmission source.
Then, as a result of checking all search rules in the search rule table by the unauthorized terminal search unit 16, if the IP address of the transmission source does not match the network address of the search source of any rule, the search is performed by the agent function control unit 15. An error is returned to the sender as result information.

On the other hand, if the search rule that matches the IP address of the transmission source and the address of the network of the search source can be specified, the unauthorized terminal search unit 16 decrements the number of search hops included in the search request information.
When the number of search hops of the specified search rule in the search rule DB 12 is smaller than the number of search hops before decrement in the search request information, the unauthorized terminal search unit 16 specifies the number of search hops included in the search request information. Replace with the number of search hops in the rule.

When the number of search hops included in the search request information is decremented, if the number of search hops after decrement becomes 0 or less, the unauthorized terminal search unit 16 aborts the search, and the agent function control unit 15 searches the search result information. Return an error to the sender.
On the other hand, when the number of search hops included in the search request information is decremented, if the number of search hops after decrement is not less than or equal to 0, the unauthorized terminal search unit 16 refers to the communication log storage unit 11 and (Illegal terminal 40 or packet relay device 10) is specified.

At this time, the unauthorized terminal search unit 16 identifies the information processing apparatus of “transmission source IP address before relay (before address conversion)” in the communication log as an attack source.
If the identified attack source is present in the downstream node list, the attack source is the packet relay device 10, and therefore the unauthorized terminal search unit 16 determines that the unauthorized terminal 40 has not yet been identified, and the agent function control unit 15 relays the search request information to the identified attack source based on the information of the downstream node list.
On the other hand, if the identified attack source does not exist in the downstream node list, the unauthorized terminal search unit 16 determines that the unauthorized terminal 40 has been identified, and the agent function control unit 15 generates search result information, and the search result Send information to the sender of search request information.

When there is a network that does not allow the search, the search by the packet relay device 10 can be controlled not to be performed by reducing the number of search hops of the search rule.
For example, when a network to be protected (such as a confidential area that does not need to be controlled) exists adjacent to a certain packet relay device 10, the search for the network can be performed by setting the number of search hops of the packet relay device 10 to 0. It is possible to prevent this from happening.

[Unauthorized terminal control unit 17]
When the unauthorized terminal control unit 17 inputs the control request information of the unauthorized terminal from the management terminal 20 or another packet relay device 10, the unauthorized terminal control unit 17 refers to the control code included in the packet of the control request information and identifies the type of the packet To do.
That is, based on this control code, it is identified whether the control request information is transmitted from the management terminal 20 or transmitted from another packet relay apparatus 10.

Then, when the control request information is transmitted from another packet relay device 10, the unauthorized terminal control unit 17 executes a control command based on the control request information and restricts communication from the unauthorized terminal 40. To do.
On the other hand, when the control request information is transmitted from the management terminal 20, the unauthorized terminal control unit 17 transmits the control request information of the unauthorized terminal to the packet relay apparatus 10 nearest to the unauthorized terminal by the agent function control unit 15. And relay.

In restricting communication from the unauthorized terminal 40, the unauthorized terminal control unit 17 executes the following processing.
First, the unauthorized terminal control unit 17 refers to the control rule table by using the IP address of the request source included in the packet of the control request information as a key, the IP address of the transmission source, and the “control source” network in the control rule table Specify the control rule that matches the address.
At this time, the number of bytes corresponding to the numerical value after the slash from the left of the network address of the “control source” in the control rule table is used for matching as the IP address of the transmission source.

  If all the control rules in the control rule table are confirmed by the unauthorized terminal control unit 17 and the IP address of the control source does not match the network address of the control source of any rule, the control is performed by the agent function control unit 15 An error is returned to the sender as result information.

Further, when the unauthorized terminal control unit 17 can identify a control rule that matches the IP address of the transmission source and the address of the network of the control source, the unauthorized terminal control unit 17 controls the control type in the identified control rule and the control included in the control request information. Determine if type matches.
If they do not match, the agent function control unit 15 returns an error as control result information to the transmission source.

  On the other hand, when the control type in the identified control rule matches the control type included in the control request information, the unauthorized terminal control unit 17 determines the control command in the control rule as the control command specified by the control request information. This is executed as an option to control communication from the unauthorized terminal 40.

[Management terminal 20]
When the management terminal 20 monitors the target server 30 and detects an attack on the target server 30 by the unauthorized terminal 40, the management terminal 20 transmits search request information to the packet relay apparatus 10 to identify the unauthorized terminal 40 by the packet relay apparatus 10. Information processing apparatus.
The management terminal 20 is an information processing apparatus that transmits control request information to the packet relay apparatus 10 adjacent to the unauthorized terminal 40 and causes the packet relay apparatus 10 to control communication from the unauthorized terminal 40.
As shown in FIG. 8, the management terminal 20 includes a monitoring unit 21, a search request unit 22, and a control request unit 23.

The monitoring means 21 detects an attack on the target server 30 by various conventionally known methods. When an attack is detected, search request information for the unauthorized terminal 40 including attack packet information is generated and output to the search request means 22.
The attack packet information can be, for example, the IP address of the victim terminal, the port number of the victim terminal, the protocol number, the time of attack, and the like.

Also, the attack detection method by the monitoring means 21 is not particularly limited. For example, a signature-based detection method for detecting an illegal process registered in advance or an illegal operation to detect an unknown attack. There is a way to detect.
Moreover, when the target server 30 detects an attack, it is also possible to detect the attack based on the alert notification (email, SNMP trap, syslog transfer) received from the target server 30.

  When the search request means 22 receives search request information including attack packet information from the monitoring means 21, the search request means 22 generates search request information using the attack packet information, and this is used as the nearest packet relay device 10 (in FIG. 1). Is transmitted to the relay router a) or the like.

  When the search request information from the packet relay device 10 is input, the control request means 23 creates control request information based on the search result information, and uses this control request information as the nearest packet relay device 10 (the relay router in FIG. 1). a) and so on.

The target server 30 is an information processing apparatus that provides some service, and is attacked by the unauthorized terminal 40.
The unauthorized terminal 40 is an information processing device that attacks the target server 30.

[Outline of illegal terminal search processing procedure]
Next, an outline of the illegal terminal search processing procedure in the attack packet countermeasure system of this embodiment will be described with reference to FIG. FIG. 3 is an operation procedure diagram showing a procedure for searching for unauthorized terminals in the system.
In the packet relay device 10a, the packet relay device 10b, and the packet relay device 10c, a communication log storage unit 11, a search rule DB 12, a search cache DB 13, a control rule DB 14, an agent function control unit 15, which are configured by starting an agent program, The unauthorized terminal search unit 16 and the unauthorized terminal control unit 17 are collectively referred to as agent 1, agent 2, and agent 3, respectively.

First, the management terminal 20 detects an attack on the target server 30, generates a search request 101 for the unauthorized terminal 40, and transmits this to the agent 1 on the packet relay device 10a that is considered to be the transfer source of the attack packet ( Step 10).
The packet relay device 10a that is considered to be the forwarding source of the attack packet can be identified based on the forwarding source included in the alert notification, for example.

  As shown in FIG. 10, the search request 101 of search request information transmitted from the management terminal 20 includes, for example, a control code indicating that the search request is not relayed, a search ID, an IP address of a search target terminal, Search target terminal port number, victim terminal IP address, victim terminal port number, protocol number, time of attack, request content (warning, blocking, bandwidth control, quarantine, etc. (with priority information, The number of search hops, a search route list, and the like can be included.

The control code identifies the type of packet, and the control code in the search request 101 is set to indicate that the search request is not relayed.
The search ID is information for identifying a series of search requests. The same search ID is used in the control request information corresponding to the search request information.

The IP address of the search target terminal is the IP address of the packet relay apparatus on the side considered to be the attack source when viewed from the transmission source of the search request information.
The search target port number is the port number of the packet relay apparatus on the side considered to be the attack source when viewed from the transmission source of the search request information.
These IP addresses and port numbers can be acquired by various methods such as acquisition from the communication log storage unit 11 as well as acquisition source information included in the alert notification from the target server 30.

The IP address of the victim terminal is the IP address of the I / F on the attacked side of the target server 30.
The port number of the victim terminal is a standby port number of the service that has been attacked on the target server 30.
These IP addresses and port numbers are included in alert notifications from the target server 30 and can be acquired based on the notifications.

  It should be noted that the IP address of the victim terminal may be NATed. When the IP address of the victim terminal is NATed, it is possible to obtain an appropriate value as the IP address of the victim terminal by associating the global IP address with the private IP address.

The protocol number is the protocol number of the service under attack.
The time when the attack was received is the time when the attack was detected.
These are also included in the alert notification from the target server 30 and can be acquired based on this.

  The request content is information for specifying the control content of communication from an unauthorized terminal. For example, warning, blocking, bandwidth control, quarantine, and the like can be set, and a plurality can be designated. In addition, operation rule information specifying what kind of control is to be performed for what attack is created in advance and stored in the packet relay apparatus 10, and the request content is automatically based on this operation rule information. It is also possible to set.

Next, when the agent 1 on the packet relay device 10a receives the search request 101 from the management terminal 20, the agent 1 searches the search rule DB 12 based on the IP address of the transmission source and acquires the corresponding search rule.
Then, the agent 1 performs various determinations as to whether to execute a search process or return an error based on the search rule. The processing procedure shown in FIG. 9 shows a case where determination by each agent based on the search rule does not result in an error.

Next, the agent 1 on the packet relay device 10 a refers to the communication log in the communication log storage unit 11 and checks the transmission source of the packet that attacked the target server 30.
Specifically, the “source IP address before address conversion” in the communication log is referred to, and the information processing apparatus having this IP address is estimated as the source of the packet that attacked the target server 30.
In the case of the present embodiment illustrated in FIG. 1, the proxy server of the packet relay device 10 b is estimated as the source of the packet that attacked the target server 30.

Next, the agent 1 on the packet relay device 10a relays the search request 102 as search request information to the agent 2 on the packet relay device 10b (proxy server) (step 11).
At this time, the agent 1 creates a search request 102 using the search request 101 received from the management terminal 20, and transmits it to the packet relay apparatus 10b.

  The search request information search request 102 transmitted from the packet relay apparatus 10 includes, for example, a control code indicating a relayed search request, a search ID, an IP address of a search target terminal, as shown in FIG. Search target terminal port number, victim terminal IP address, victim terminal port number, protocol number, time of attack, request contents (warning, blocking, bandwidth control, quarantine, etc.), number of search hops, search route list And the like.

The control code in the search request 102 is set to indicate that the search request is relayed.
Of the information of the search request 102 described above, the same information as that in the search request 101 can be set for each information from the search ID to the request content. Note that the time of the attack can be updated by each packet relay device 10 based on the session information in the communication log storage unit 11.

The number of search hops includes the number after being decremented by the agent 1 on the packet relay apparatus 10a.
The search route list is a list that is created by additionally registering the IP address of the packet relay device 10 having the agent by each agent, and includes the IP address of the packet relay device 10 of the search route in order. .
This search path list is additionally registered by the agent function control unit 15 at a timing when a search request is received or when a search result is returned.

Next, the agent 2 on the packet relay device 10b that has received the search request information from the packet relay device 10a searches for the source of the attack packet, similarly to the case of the packet relay device 10a described above, and seems to be the source. The packet relay device 10c (relay router b) to be transmitted is specified. Then, the agent 2 relays the search request from the management terminal 20 to the agent 3 on the packet relay device 10c (step 12).
At this time, the search request 103 relayed from the packet relay apparatus 10b to the packet relay apparatus 10c can have the same data configuration as the search request 102 relayed from the packet relay apparatus 10a to the packet relay apparatus 10b. .

Next, the agent 3 on the packet relay device 10c searches for the source of the attack packet in the same manner as in the packet relay device 10a described above (step 13).
As a result of this search, when the unauthorized terminal 40 can be identified, the agent 3 acquires information on control commands that can be executed from the control rules registered in the control rule DB 14 in advance, and the unauthorized terminal 40 can be identified. And search result information including information on the control command that can be executed. Then, the search result information is transmitted to the management terminal 20 by tracing the relay route of the search request information in reverse.

Specifically, the agent 3 on the packet relay device 10c creates the search result 104 as search result information and transmits it to the packet relay device 10b (step 14).
As shown in FIG. 11, the search result 104 includes, for example, a control code indicating that the result is a relayed search request, a search ID, a terminal node ID, an IP address of the search target terminal, and a port of the search target terminal. Number, IP address of the victim terminal, port number of the victim terminal, protocol number, time of attack, request details (warning, blocking, bandwidth control, quarantine, etc. (multiple designation possible)), number of search hops, search route list, It can consist of a control command list, control command options, and result contents (code, message).

As described above, the control code in the search result 104 is set to indicate that it is a result for the relayed search request.
Further, the information from the search ID to the search route list among the information of the search result 104 can be set to the same information as in the search requests 102 and 103 except for the terminal node ID.
The terminal node ID indicates identification information that can uniquely identify the terminal to be controlled (illegal terminal 40) as viewed from the packet relay apparatus nearest to the unauthorized terminal. For example, the IP address, MAC address, terminal authentication ID, and the like Can be used.

  Then, the agent 3 of the packet relay device 10c adds a new record to the search cache DB 13. At this time, the IP address of the packet relay device 10 closest to the unauthorized terminal is set to the IP address of the packet relay device 10c, and the port number of the device 10 is set to the standby port number of the agent 3 program. Also, the terminal node ID is set to that of the identified unauthorized terminal 40. The search cache update time is set to the time for update. Other information can be set based on information included in the search request information.

Next, when the packet relay apparatus 10b receives the search result 104, the agent 2 on the packet relay apparatus 10b uses the packet relay apparatus 10a as the next relay destination of the search result information based on the search route list in the search result 104. Is identified.
Then, the agent 2 updates the record to the search cache DB 13 based on the search result 104.
At this time, the IP address and port number of the packet relay device 10 nearest to the unauthorized terminal in the search cache DB 13 can be set from the search route list in the search result 104.

Then, based on the search result 104, the search result 105 is created as search result information and transmitted to the packet relay apparatus 10a (step 15).
The data structure of the search result 105 can be the same as that of the search result 104.

Next, when the packet relay apparatus 10 a receives the search result 105, the agent 1 on the packet relay apparatus 10 a uses the management terminal 20 as the next relay destination of the search result information based on the search route list in the search result 105. Identify.
Then, the agent 1 updates the record to the search cache DB 13 based on the search result 105.
At this time, the IP address and port number of the packet relay apparatus 10 nearest to the unauthorized terminal in the search cache DB 13 can be set from the search route list in the search result 105.

Then, the agent 1 creates a search result 106 as search result information based on the search result 105, and transmits it to the management terminal 20 (step 16).
As shown in FIG. 11, this search result 106 includes, for example, a control code indicating that the result is a search request, a search result (code, message), a search ID, a control command list, and a control option list. Can do.

[Outline of unauthorized terminal control processing procedure]
Next, an outline of the control processing procedure of the unauthorized terminal in the attack packet countermeasure system of this embodiment will be described with reference to FIG. FIG. 3 is an operation procedure diagram showing the control processing procedure of the unauthorized terminal in the system.

First, when the management terminal 20 receives the search result 106 from the packet relay apparatus 10a, the control request unit 23 in the management terminal 20 displays a control command and its options that can be executed from the control command list and the control command option list in the search result 106. Select one.
This selection can be automated by defining (ruled) a selection criterion in advance and storing it in the packet relay apparatus 10.

Next, the control request unit 23 of the management terminal 20 creates a control request 111 based on the search result 106 and transmits it to the agent 1 on the packet relay apparatus 10a that is the transmission source of the search result 106 (step 20). ).
As shown in FIG. 13, the control request 111 includes, for example, a control code indicating that the request is a control request, a control ID (same as the search ID in the corresponding search request information), a control command, and a control command option. be able to.

Next, when the agent 1 on the packet relay device 10a receives the control request 111 from the management terminal 20, the agent 1 searches the search cache DB 13 based on the control ID in the control request 111, and the packet relay device 10c nearest to the attack source. The unauthorized terminal 40 is specified.
At this time, the agent 1 acquires from the search cache DB 13 the IP address of the packet relay device 10 closest to the unauthorized terminal, the standby port number of the agent program operating on the packet relay device 10 closest to the unauthorized terminal, and the terminal node ID. The packet relay device 10c and the unauthorized terminal 40 that are closest to the attack source can be specified.

Then, the agent 1 creates a control request 112 based on the information acquired from the search cache DB 13 and the control request 111, and transmits the control request 112 to the agent 3 on the packet relay device 10c closest to the unauthorized terminal (step 21). ).
As shown in FIG. 13, the control request 112 can be composed of, for example, a control code indicating a relayed control request, a terminal node ID, a control command, and a control command option.

Next, when the agent 3 on the packet relay device 10c receives the control request 112 from the packet relay device 10a, the agent 3 executes a control command for the unauthorized terminal 40 corresponding to the terminal node ID included in the control request 112. (Step 22).
Thereby, it is possible to control the communication from the unauthorized terminal 40 according to the control command, and it is possible to prevent subsequent attacks on the target server 30 by the unauthorized terminal 40.

Next, the agent 3 on the packet relay apparatus 10c creates a control result 113 including a control command execution result (code, message) as shown in FIG. Is transmitted to the agent 1 on the packet relay apparatus 10a (step 23).
Next, the agent 1 on the packet relay apparatus 10a transmits the control result 114 including the execution result (code, message) of the control command to the management terminal 20 that is the transmission source of the control request 111 (step 24).

Note that the configuration in which the search request and the control request are separated and the packet relay apparatus 10 executes the search process and the control process separately in this way allows flexible communication from unauthorized terminals according to the policy in the organization. This is to make it controllable.
In other words, by separating search requests and control requests, only one of these processes can be selected at these transmission sources, and only certain control requests can be executed in succession. Become.

Note that communication between agents on each packet relay apparatus 10 is preferably encrypted using a public key cryptosystem to maintain confidentiality and integrity. Adjacent network devices are controlled by SNMP (Simple Network Management Protocol), NETCONF (Network
Configuration) This can be performed by a command (tool dedicated to the device) registered in advance such as a configuration protocol.

[Processing procedure by agent function control unit 15]
Next, the processing of the agent function control unit 15 will be described in detail with reference to FIG. FIG. 2 is a flowchart showing a processing procedure of the agent function control unit 15 in the packet relay apparatus 10 of the attack packet countermeasure system of the present embodiment.

First, the agent function control unit 15 inputs various processing request information transmitted from the external information processing apparatus to the packet relay apparatus 10 (step 30).
Then, the agent function control unit 15 determines whether the process request information is a search request, a control request, or an end request, and executes a process corresponding to each request.
The specific determination method is not particularly limited. However, the processing request information may be provided with a control code for identifying these, and the determination may be performed based on the control code.

Next, when the processing request information is search request information (Yes in step 31), the agent function control unit 15 has already received the same search request information using the search ID included in the search request information as a key. (Step 32).
The specific confirmation method is not particularly limited. For example, at the timing when the agent function control unit 15 determines that the search loop has not occurred (the timing of Yes in step 32), it is stored in a storage unit (not shown). The search ID included in the received search request information is stored as an identifier of the search request information being processed or processed, and stored in a storage means (not shown) and the search ID included in the newly received search request information. There is a method of collating a search ID to determine whether or not the same search request information is received.
If the same search request information has already been received, it is determined that a search loop has occurred, and an error is returned to the transmission source of the search request information (step 33).

  If the same search request information has not been received in the past, that is, if no search loop has occurred, the agent function control unit 15 causes the unauthorized terminal search unit 16 to perform a search request in order to cause the unauthorized terminal 40 to perform a search process. Information is output and a search is requested (step 34).

Then, the agent function control unit 15 inputs a search execution result from the unauthorized terminal search unit 16 (step 35).
If the search execution result indicates an error, the agent function control unit 15 returns error information to the transmission source of the search request information (No in step 36).

  On the other hand, if the search execution result does not indicate an error (Yes in step 36), the agent function control unit 15 causes the unauthorized terminal search unit 16 to execute the search cache in order to execute update processing of the search cache DB 13 based on the search execution result. Update request information is output, and an update of the DB is requested (step 37).

Next, the agent function control unit 15 adds the IP address and the standby port number of the packet relay apparatus 10 to the search route list included in the search request information, and updates the search request information (step 38). ).
Then, the agent function control unit 15 determines whether or not the search request information needs to be relayed (step 39).

At this time, the agent function control unit 15 confirms whether or not the attack source node ID specified by the search included in the search execution result exists in the downstream node list in the packet relay apparatus 10.
If the identified node ID of the attack source does not exist in the downstream node list, it is determined that the unauthorized terminal 40 has been identified, and it is determined that relaying is not necessary (No in step 39).

In this case, the agent function control unit 15 creates search result information (including that the attack source has been identified and an executable control command), and returns this to the transmission source of the search request information (step 33).
On the other hand, when the identified node ID of the attack source is present in the downstream node list, it is determined that the unauthorized terminal 40 has not yet been identified, and it is determined that relaying is necessary (Yes in step 39).

In this case, the agent function control unit 15 corrects the “requested attack time” in the search request information by replacing it with the session start time included in the search execution result (step 40).
Then, the agent function control unit 15 transmits the search request information to the packet relay device 10 of the downstream node in descending order of priority based on the downstream node list (step 41).
Next, when the search result information is received from the packet relay apparatus 10 of the downstream node (step 42), the agent function control unit 15 returns the search result information to the transmission source of the search request information (step 33).

Next, when the process request information is the control request information (Yes in Step 43), the agent function control unit 15 causes the unauthorized terminal control unit 17 to execute the control request information in order to execute the control process of communication from the unauthorized terminal 40. Is requested and control is requested (step 44).
Then, the agent function control unit 15 inputs a control execution result from the unauthorized terminal control unit 17 (step 45). This control execution result may include a control code, an end code (such as an error number), a message (such as successful), and the like.

Next, the agent function control unit 15 determines whether or not relaying of control request information is necessary (step 46).
At this time, the agent function control unit 15 indicates that the input control execution result does not indicate an error, and the control code in the control request information indicates that the control request is not relayed (directly from the management terminal). It is determined that relaying is necessary.

If the input control execution result does not indicate an error, and the control code in the control request information indicates that the control request is relayed, it is determined that relaying is not necessary.
When the input control execution result indicates an error, it is determined that relaying is not necessary.

If the agent function control unit 15 determines that relaying is necessary (Yes in step 46), the agent function control unit 15 transmits control request information to the packet relay device 10 closest to the unauthorized terminal 40 (step 47).
At this time, the agent function control unit 15 causes the illegal terminal search unit 16 to search the search cache DB 13 using the control ID (= search ID) in the control request information as a key, and the packet relay device nearest to the illegal terminal of the hit record And the standby port number of the agent program operating on the packet relay apparatus.
Then, the control request information is transmitted based on the acquired IP address and port number.

Further, the agent function control unit 15 receives the control result information from the packet relay device 10 nearest to the unauthorized terminal 40 (step 48), and transmits it to the transmission source of the control request information (in this case, the management terminal 20). (Step 49).
In addition, when the input control execution result does not indicate an error and the agent function control unit 15 determines that relaying is not necessary (No in step 46), the agent function control unit 15 transmits the control result information to the transmission source of the control request information (No. In this case, the packet is transmitted to the packet relay device 10) (step 49).

When the agent function control unit 15 determines that the input control execution result indicates an error and relay is not necessary (No in step 46), the control result indicating that the control process has an error. Information is returned to the transmission source of the control request information (step 49).
Furthermore, when the processing request is an end request (Yes in step 50), the agent function control unit 15 ends the processing.

[Processing Procedure by Unauthorized Terminal Search Unit 16]
Next, the process of the unauthorized terminal search unit 16 will be described in detail with reference to FIG. FIG. 3 is a flowchart showing the processing procedure of the unauthorized terminal search unit 16 in the packet relay device 10 of the attack packet countermeasure system of this embodiment.

First, the unauthorized terminal search unit 16 inputs search request information, search cache update request information, or end request information as processing request information from the agent function control unit 15 (step 60).
If the input processing request information is search request information (Yes in step 61), the unauthorized terminal search unit 16 searches the search rule DB 12 using the IP address of the request source in the search request information packet as a key. Identify search rules that match the "original" network address.

  Then, as a result of checking all search rules, if the IP address of the transmission source does not match the network address of the search source of any rule, the unauthorized terminal search unit 16 determines that the search is impossible (No in step 62). An error is returned to the agent function control unit 15 (step 68).

On the other hand, when the search rule can be identified, the unauthorized terminal search unit 16 decrements the number of search hops in the search request information. Next, when the number of search hops of the specified search rule in the search rule DB 12 is smaller than the number of search hops before decrement in the search request information, the unauthorized terminal search unit 16 determines the number of search hops in the search request information as the search rule. Replace with the number of search hops in DB12.
If the number of search hops after decrement becomes 0 or less (No in Step 63), the unauthorized terminal search unit 16 returns an error to the agent function control unit 15 (Step 68).

On the other hand, if the number of search hops after decrement is not less than or equal to 0 (Yes in step 63), the search cache DB 13 is searched using the search ID in the search request information as a key, and a search cache corresponding to the search ID exists. Confirm whether or not to do.
If the corresponding search cache exists and hits (No in step 64), a search execution result including that the search is successful is created based on this search cache, and this is output to the agent function control unit 15 (Step 68).
At this time, the search execution result includes the IP address of the packet relay device nearest to the unauthorized terminal in the search cache, the standby port number of the agent program operating on the same device, the executable control command and its options, the end node ID, etc. Is included.

If there is no corresponding search cache and no hit is found (Yes in step 64), the communication log storage unit 11 is referenced to detect the attack source (the unauthorized terminal 40 or the packet relay device 10) (step 65). ).
At this time, the unauthorized terminal search unit 16 receives the IP address of the search target terminal, the port number of the search target terminal, the IP address of the victim terminal, the port number of the victim terminal, the protocol number, and the attack included in the search request information. The corresponding communication log is identified by comparing the relay time with the post-relay source IP address, post-relay source port number, destination IP address, destination port number, protocol number, and session information included in the communication log. To do. Then, the information processing apparatus having the transmission source IP address before relaying the identified communication log is identified as the attack source (the unauthorized terminal 40 or the packet relay apparatus 10).
If the attack source cannot be detected (No in step 66), an error is returned to the agent function control unit 15 (step 68).

Next, if the attack source can be detected (Yes in step 66), the unauthorized terminal search unit 16 communicates the node ID of the attack source terminal and session information (session start time, time from session start to end). Obtained from the log storage unit 11. Further, the control rule DB 14 is searched using the requesting IP address in the search request information packet as a key, and a control command and a control option of a record matching the control source IP address are acquired (step 67).
Then, the unauthorized terminal search unit 16 sends the acquired information (node ID of the attack source terminal, session information, control command and control option) and the search execution result including the search success to the agent function control unit. 15 (step 68).

  On the other hand, when the input processing request information is search cache update request information (information having the same contents as the search request information except for the control code) (Yes in step 69), the unauthorized terminal search unit 16 uses the search request information. Then, the record is additionally updated in the search cache DB 13 (step 70).

  At this time, the unauthorized terminal searching unit 16 stores the search ID, the IP address to be searched, the port number to be searched, the IP address of the damaged terminal, the port number of the damaged terminal, the protocol number, and session information (session start) in the search cache DB 13. Record with time, time until session end) and search cache update time.

  Further, when the unauthorized terminal 40 can be identified and the cache update request information is input, the unauthorized terminal search unit 16 further adds the IP address of the packet relay device nearest to the unauthorized terminal, the unauthorized terminal, in addition to the above information. A record including a standby port number of an agent program operating on the latest packet relay device, executable control commands and their options (each can be registered in plural), a terminal node ID, and the like is added to the search cache DB 13.

Then, after updating the search cache DB 13, the unauthorized terminal search unit 16 returns an update execution result indicating whether or not the update is successful to the agent function control unit 15 (step 68).
Furthermore, when the input processing request information is end request information (Yes in step 71), the unauthorized terminal search unit 16 ends the processing.

[Processing Procedure by Unauthorized Terminal Control Unit 17]
Next, the processing of the unauthorized terminal control unit 17 will be described in detail with reference to FIG. FIG. 3 is a flowchart showing a processing procedure of the unauthorized terminal control unit 17 in the packet relay device 10 of the attack packet countermeasure system of the present embodiment.

First, the unauthorized terminal control unit 17 inputs control request information or end request information as processing request information from the agent function control unit 15 (step 80).
When the input processing request information is control request information (Yes in step 81), the unauthorized terminal control unit 17 searches the control rule DB 14 using the IP address of the request source in the control request information packet as a key. Identify the control rule that matches the "original" network address.

  Then, as a result of checking all the control rules, if the source IP address does not match the control source network address of any rule, the unauthorized terminal control unit 17 determines that control is not possible (No in step 82). An error is returned to the agent function control unit 15 (step 88).

  On the other hand, when the control rule can be identified (Yes in step 82), the unauthorized terminal control unit 17 determines whether the control request information is directly transmitted from the management terminal 20 or is relayed by the packet relay device 10. It is determined based on the control code whether it has been transmitted (step 83).

  When the control request information is transmitted directly from the management terminal 20 (No in step 83), the search cache DB 13 is searched using the control ID (= search ID) in the control request information as a key, and the corresponding search cache Is checked (step 84).

If the corresponding search cache does not exist (No in step 84), the unauthorized terminal control unit 17 returns an error to the agent function control unit 15 (step 88).
On the other hand, if there is a corresponding search cache (Yes in step 84), the unauthorized terminal control unit 17 sends control information (IP address of the packet relay device nearest to the unauthorized terminal, agent program running on the same device) from this search cache. Standby port number, executable control command and its options, control source, terminal node ID, etc.) are acquired (step 85).
Then, the unauthorized terminal control unit 17 returns the acquired control information to the agent function control unit 15 (step 88).

When the control request information is relayed and transmitted by the packet relay device 10 (Yes in step 83), the unauthorized terminal control unit 17 matches the control type in the control rule with the control type in the control request information. (Step 86).
If there is no match (No at step 86), the unauthorized terminal control unit 17 returns an error to the agent function control unit 15 (step 88).

On the other hand, if there is a match (Yes in step 86), the unauthorized terminal control unit 17 executes the control command in the control request information with the control option in the control request information (step 87).
Then, the unauthorized terminal control unit 17 returns the control execution result including the execution result of the control command to the agent function control unit 15 (step 88).
Furthermore, when the input process request information is end request information (Yes in step 89), the unauthorized terminal control unit 17 ends the process.

As described above, according to the attack packet countermeasure system of this embodiment, an unauthorized terminal belonging to a network of a certain organization is uniquely identified from a device belonging to a network of another organization while maintaining network anonymity. The communication from the unauthorized terminal can be controlled by the network device nearest to the unauthorized terminal.
In other words, in relaying a search result of an unauthorized terminal by a relay device, the anonymity of the network can be improved, and an unauthorized terminal of an attack source existing on a certain network can be transmitted on another network that does not know the network configuration. It can also be specified from the device.

  Further, according to the present invention, after identifying an unauthorized terminal, the search result is cached in the relay device, so that a control request can be transmitted directly to the packet relay device nearest to the unauthorized terminal. It is possible to speed up the processing up to. This “direct transmission” means that a control request is transmitted from the relay device nearest to the request source with the relay device closest to the unauthorized terminal as the destination.

[Second Embodiment]
Next, a second embodiment of the present invention will be described with reference to FIG. FIG. 4 is a diagram showing a data configuration of a table in the control rule DB in the attack packet countermeasure system of the present embodiment.
In the search processing by the attack packet countermeasure system of the first embodiment, as a result of the search request being relayed to a large number of packet relay devices 10 exceeding the number of search hops, the search processing is aborted and the unauthorized terminal 40 cannot be accurately identified. In some cases, for example, it may be desired to perform some control such as warning or bandwidth control for the administrator of the packet relay apparatus 10.

  In such a case, as shown in FIG. 17, adding the network address information of the control destination (information defining which network is used to control the unauthorized terminal) to the control rule table stored in the control rule DB 14 Thus, even when communication is interrupted before the unauthorized terminal 40 is identified and the unauthorized terminal 40 cannot be accurately identified, it becomes possible to perform control such as warning and bandwidth control for the administrator of the packet relay device 10, and more. It is possible to perform fine control.

  Therefore, the attack packet countermeasure system of this embodiment adds a column of “control destination” to the control rule table stored in the control rule DB 14 in the packet relay apparatus 10, and this point is different from the first embodiment. Is different. About another point, it is the same as that of 1st embodiment, The thing similar to FIG. 1 can also be used for the block diagram of this embodiment.

In addition to adding columns to the control rule table, it is also possible to add rules that block communication from unauthorized terminals.
For example, it is preferable to block only communication using a specific protocol or port number instead of blocking all communication from an unauthorized terminal by using an option of a control command. Further, such control by protocol and port number can be applied not only to a blocking rule but also to a band control rule.

[Third embodiment]
Next, a third embodiment of the present invention will be described with reference to FIG. FIG. 2 is a block diagram showing the configuration of the packet relay device in the attack packet countermeasure system of this embodiment.
This embodiment is different from the first embodiment in that the search time is shortened by notifying the upstream node of the access record of the specified unauthorized terminal 40 in the past several hours and storing it as a search cache. Different.
The other points are the same as in the first embodiment. As shown in FIG. 18, each configuration in the packet relay apparatus 10 is the same as that in the first embodiment, but the agent function control unit 15 and the unauthorized terminal search unit. 16 differs from the first embodiment in the following points.

  That is, when receiving the unauthorized terminal communication record information from the downstream node, the agent function control unit 15 according to the present embodiment outputs the unauthorized terminal communication record information to the unauthorized terminal search unit 16, and the unauthorized terminal search unit 16 uses this information. The search cache DB 13 is updated based on the above.

The details of the unauthorized terminal communication record information will be described later using a flowchart, but are created by the unauthorized terminal search unit 16 at a predetermined timing.
This illegal terminal communication record information includes control information (IP address of the packet relay device nearest to the illegal terminal, standby port number of the agent program operating on the same device, executable control command and its options, control source, terminal node ID. Etc.) and a list of communication records (IP address of transmission source (illegal terminal 40), port number of transmission source (illegal terminal 40), destination IP address, destination port number, protocol number, session information, etc.) Contains.

  The agent function control unit 15 then transmits the unauthorized terminal communication record information received from the downstream node to the upstream node. The upstream node is determined based on a predetermined priority from the upstream node list.

[Processing procedure by agent function control unit 15]
Next, the processing of the agent function control unit 15 will be described in detail with reference to FIG. FIG. 3 is a flowchart showing a processing procedure of the agent function control unit 15 in the packet relay apparatus 10 of the attack packet countermeasure system of this embodiment.

First, Steps 100 to 120 in FIG. 19 are the same as Steps 30 to 50 described with reference to FIG.
Next, the agent function control unit 15 confirms whether or not the processing request information transmitted from the external information processing apparatus to the packet relay apparatus 10 is an unauthorized terminal communication record (step 121). In this case as well as the search request information, it can be performed based on the control code in the processing request information.

When the processing request information is an unauthorized terminal communication record (Yes in Step 121), the agent function control unit 15 outputs search cache update request information including the unauthorized terminal communication record to the unauthorized terminal search unit 16 to search the search cache. A request is made to update the DB 13 (step 122).
If the processing request information is not an unauthorized terminal communication record (No in step 121), the agent function control unit 15 checks whether or not the processing request information has been input from the outside for a certain period of time and whether or not a timeout has occurred (step 123).

If there is no input of processing request information from the outside for a certain period of time and a timeout occurs (Yes in step 123), the agent function control unit 15 requests the unauthorized terminal search unit 16 to create an unauthorized terminal communication record. Communication record creation request information is output (step 124).
In addition, the agent function control unit 15 inputs the unauthorized terminal communication record from the unauthorized terminal search unit 16 (step 125), and when the unauthorized terminal communication record is not empty, transmits the unauthorized terminal communication record to the upstream node. (Step 126).

[Processing Procedure by Unauthorized Terminal Search Unit 16]
Next, the process of the unauthorized terminal search unit 16 will be described in detail with reference to FIG. FIG. 3 is a flowchart showing the processing procedure of the unauthorized terminal search unit 16 in the packet relay device 10 of the attack packet countermeasure system of this embodiment.

First, Steps 130 to 139 and 147 in FIG. 20 are the same as Steps 60 to 69 and 71 described with reference to FIG. 15.
If the input processing request information is search cache update request information (Yes in step 139), the unauthorized terminal search unit 16 of the present embodiment determines whether or not the search cache update request information includes an unauthorized terminal communication record. Is confirmed (step 140).

When the unauthorized terminal communication record is included (Yes in Step 140), the unauthorized terminal search unit 16 compares the unauthorized terminal communication record information with the log in the communication log storage unit 11, and determines whether there is a match. Confirm.
At this time, the unauthorized terminal search unit 16 sends the IP address of the transmission source (illegal terminal 40), the port number of the transmission source (illegal terminal 40), the destination IP address, the destination port number, and the protocol number in the unauthorized terminal communication record information. , Session information is a source IP address before relay (before address conversion, the same applies hereinafter), source port number before relay, destination IP address, destination port number, protocol number, session information in the communication log storage unit 11. To see if a match exists.

  If it exists, a search cache is generated using the control information in the matching record of unauthorized terminal communication record information and information such as the IP address of the transmission source (illegal terminal 40) (step 141), The record in the search cache DB 13 is updated (step 142), and the update execution result is returned to the agent function control unit 15 (step 138).

If the input processing request information is communication log search request information (Yes in step 143), the unauthorized terminal search unit 16 refers to the search cache DB 13 and determines the terminal node ID and session information from the latest search cache record. Is acquired (step 144).
Then, the communication log storage unit 11 is searched using these pieces of information as a key, the corresponding log is acquired, and a communication record list of the unauthorized terminal is created (step 145).

  Further, the unauthorized terminal search unit 16 acquires control information corresponding to the terminal node ID from the latest search cache record (step 146), and from this control information and the unauthorized terminal communication record list, the unauthorized terminal communication record. Information is created and output to the agent function control unit 15 (step 138).

As described above, according to the attack packet countermeasure system of this embodiment, at a predetermined timing, an access record of the past several hours by an unauthorized terminal is notified from the downstream node to the upstream node, and is used as a search cache in each packet relay device. It can be saved.
For this reason, it is possible to shorten the search time.

[Fourth embodiment]
Next, a fourth embodiment of the present invention will be described with reference to FIG. FIG. 2 is a block diagram showing the configuration of the packet relay device in the attack packet countermeasure system of this embodiment.

In each of the above embodiments, since the communication from the unauthorized terminal is flexibly controlled according to the policy in the organization, the management terminal is configured to separately transmit the unauthorized terminal search request and the control request, but the unauthorized terminal can be identified. At this stage, it is possible to control communication from an unauthorized terminal according to the control rule.
This embodiment is different from the first embodiment in that the communication from the unauthorized terminal is controlled at the stage where the unauthorized terminal can be specified by the packet relay device.
The other points are the same as in the first embodiment. As shown in FIG. 21, the configuration of the packet relay apparatus 10 is the same as in the first embodiment. However, the agent function control unit 15 and the unauthorized terminal control unit 17 differs from the first embodiment in the following points.

That is, when the processing request information is search request information, the agent function control unit 15 of the present embodiment makes a search request to the unauthorized terminal search unit 16 and does not need to relay the search request information based on the search result. In other words, when it is determined that the unauthorized terminal 40 has been identified, the unauthorized terminal control unit 17 is requested to perform control.
Unlike the first embodiment, the unauthorized terminal control unit 17 does not relay the control request information, executes the requested control, and returns the control execution result to the agent function control unit 15.

[Processing procedure by agent function control unit 15]
Next, the processing of the agent function control unit 15 will be described in detail with reference to FIG. FIG. 3 is a flowchart showing a processing procedure of the agent function control unit 15 in the packet relay apparatus 10 of the attack packet countermeasure system of this embodiment.

First, Steps 150 to 162 in FIG. 22 are the same as Steps 30 to 42 described with reference to FIG. On the other hand, the agent function control unit 15 of the present embodiment does not perform the processing of steps 43 to 49 in FIG.
If the agent function control unit 15 of the present embodiment determines that the unauthorized terminal 40 has been identified in step 159 (that is, if relaying is not required), the agent function control unit 15 next selects a control method (step 163).

  At this time, the agent function control unit 15 acquires the request contents in the search request information in descending order of priority, and sets the control rule DB 14 based on the acquired request contents and the IP address of the transmission source of the search request information packet. By searching, control commands and control options can be obtained automatically.

Then, the agent function control unit 15 outputs the node ID, control command, and control option of the unauthorized terminal 40 to the unauthorized terminal control unit 17, and requests control of communication from the unauthorized terminal 40 (step 164).
When the agent function control unit 15 inputs the control execution result from the unauthorized terminal control unit 17 (step 165), the agent function control unit 15 generates control result information based on the control execution result and transmits it to the transmission source of the search request information (step 153). .

[Processing Procedure by Unauthorized Terminal Control Unit 17]
Next, the processing of the unauthorized terminal control unit 17 will be described in detail with reference to FIG. FIG. 3 is a flowchart showing a processing procedure of the unauthorized terminal control unit 17 in the packet relay device 10 of the attack packet countermeasure system of the present embodiment.

In this embodiment, since control request information is not relayed, each step shown in FIG. 23 excludes processing related to relay in FIG.
That is, FIG. 23 is obtained by removing steps 83 to 85 in FIG. 16. In step 172 (corresponding to step 82 in FIG. 16), the control rule is specified by the unauthorized terminal control unit 17 and it is determined that acceptance is possible. In such a case, it is determined whether or not control is possible (step 173). Other steps are the same as those in FIG.

As described above, according to the attack packet countermeasure system of this embodiment, an unauthorized terminal can be searched and identified, and at the same time, communication from the unauthorized terminal can be controlled by the packet relay device according to the control rule. it can.
For this reason, it is possible to quickly control communication from an unauthorized terminal.

It goes without saying that the present invention is not limited to the above embodiment, and that various modifications can be made within the scope of the present invention.
For example, in the above embodiment, the agent program is activated on the packet relay device to configure the agent. However, as long as the communication log on the packet relay device can be referred to and the packet relay device can be controlled, You can start it on any host.

Further, in order to speed up the search process, it is possible to distribute the illegal terminal search process by the packet relay device to one or more other terminals having sufficient resources.
Furthermore, it is possible to change the attack packet countermeasure system in each of the above embodiments as appropriate.

  The present invention can be suitably used in a network business such as ISP (Internet Service Provider). As a result, the provider side can provide a network environment that can be used with peace of mind by general users, and the provider side can also reduce the operation cost.

It is a block diagram which shows the structure (IP network) of the attack packet countermeasure system of 1st embodiment of this invention. It is a block diagram which shows the structure (overlay network) of the attack packet countermeasure system of 1st embodiment of this invention. It is a block diagram which shows the structure of the packet relay apparatus in the attack packet countermeasure system of 1st embodiment of this invention. It is a figure which shows the record layout of the communication log memory | storage part in the attack packet countermeasure system of 1st embodiment of this invention. It is a figure which shows the data structure of the table in search rule DB in the attack packet countermeasure system of 1st embodiment of this invention. It is a figure which shows the record layout of search cache DB in the attack packet countermeasure system of 1st embodiment of this invention. It is a figure which shows the data structure of the table in control rule DB in the attack packet countermeasure system of 1st embodiment of this invention. It is a block diagram which shows the structure of the management terminal in the attack packet countermeasure system of 1st embodiment of this invention. It is an operation | movement procedure figure which shows the search process procedure of the unauthorized terminal in the attack packet countermeasure system of 1st embodiment of this invention. It is a figure which shows the data structure of the search request in the attack packet countermeasure system of 1st embodiment of this invention. It is a figure which shows the data structure of the search result in the attack packet countermeasure system of 1st embodiment of this invention. It is an operation | movement procedure figure which shows the control processing procedure of the unauthorized terminal in the attack packet countermeasure system of 1st embodiment of this invention. It is a figure which shows the data structure of the control request and control result in the attack packet countermeasure system of 1st embodiment of this invention. It is a flowchart which shows the process sequence of the agent function control part in the attack packet countermeasure system of 1st embodiment of this invention. It is a flowchart which shows the process sequence of the unauthorized terminal search part in the attack packet countermeasure system of 1st embodiment of this invention. It is a flowchart which shows the process sequence of the unauthorized terminal control part in the attack packet countermeasure system of 1st embodiment of this invention. It is a figure which shows the data structure of the table in control rule DB in the attack packet countermeasure system of 2nd embodiment of this invention. It is a block diagram which shows the structure of the packet relay apparatus in the attack packet countermeasure system of 3rd embodiment of this invention. It is a flowchart which shows the process sequence of the agent function control part in the attack packet countermeasure system of 3rd embodiment of this invention. It is a flowchart which shows the process sequence of the unauthorized terminal search part in the attack packet countermeasure system of 3rd embodiment of this invention. It is a block diagram which shows the structure of the packet relay apparatus in the attack packet countermeasure system of 4th embodiment of this invention. It is a flowchart which shows the process sequence of the agent function control part in the attack packet countermeasure system of 4th embodiment of this invention. It is a flowchart which shows the process sequence of the unauthorized terminal control part in the attack packet countermeasure system of 4th embodiment of this invention.

Explanation of symbols

10 (10a, 10b, 10c) Packet relay device 11 Communication log storage unit 12 Search rule DB
13 Search cache DB
14 Control rule DB
DESCRIPTION OF SYMBOLS 15 Agent function control part 16 Unauthorized terminal search part 17 Unauthorized terminal control part 20 Management terminal 21 Monitoring means 22 Search request means 23 Control request means 30 Target server 40 Unauthorized terminal

Claims (25)

An attack packet countermeasure system for identifying an unauthorized terminal that has made unauthorized access to a server via a relay device on a network,
One or more relay devices for rewriting the source information of the received packet;
A management terminal that transmits search request information of unauthorized terminals to any of the relay devices,
The relay device is
A communication log storage means for storing a communication log including a source address before relaying, a source address after relaying, and a destination address of the received packet;
When the search request information is input, an unauthorized terminal search unit that identifies an unauthorized terminal or a relay device that is a transmission destination of the search request information with reference to the communication log storage unit;
Search request information is input from the management terminal or another relay device and output to the unauthorized terminal search means. When an unauthorized terminal is specified by the unauthorized terminal search means, search result information is sent to the management terminal or other And a function control means for transmitting the search request information to the transmission destination relay apparatus when the transmission destination relay apparatus is specified by the unauthorized terminal search means. Attack packet countermeasure system. The relay device is
Comprising a search rule storage unit for storing one or more network addresses to receive search requests;
In the case where the unauthorized terminal search means determines whether or not the transmission source address of the search request information matches any network address that is the target of receiving the search request in the search rule storage unit. 2. The attack packet according to claim 1, further comprising: specifying an unauthorized terminal or a relay device as a transmission destination of the search request information, and outputting a search execution result indicating an error to the function control unit when they do not match. Countermeasure system. The search request information includes the number of search hops,
The unauthorized terminal search means decrements the number of search hops when the transmission source address of the search request information matches any one of network addresses to which the search request is received in the search rule storage unit. When the number of subsequent search hops is not 0 or less, the search execution result indicating an error when the unauthorized terminal or the relay device that is the transmission destination of the search request information is specified and the number of search hops after decrement is 0 or less The attack packet countermeasure system according to claim 2, wherein the attack packet countermeasure system is output to the function control means. In the search rule storage unit, the number of search hops is stored in advance in association with a target network address for receiving the search request,
When the number of search hops corresponding to the network address to which the matched search request is received in the search rule storage unit is smaller than the number of search hops before decrement in the search request information, the unauthorized terminal search means 4. The attack packet countermeasure system according to claim 3, wherein the number of search hops before decrement in the request information is replaced with the number of search hops corresponding to a target network address for receiving the matched search request in the search rule storage unit. . When the unauthorized terminal search means identifies an unauthorized terminal, the function control means uses the relay device as the nearest relay device of the unauthorized terminal, and the address of the nearest relay device and the identified unauthorized terminal. The attack packet countermeasure system according to any one of claims 1 to 4, wherein search result information including a node ID is transmitted to the management terminal or the other relay device. The management terminal is
Upon receipt of the search result information from any of the relay devices, the control request means for creating control request information for controlling communication from the unauthorized terminal and returning to the relay device,
The relay device is
Search cache storage means for storing a search cache including all or part of the search result information;
When the control request information is input, the search cache storage unit is referred to, the search result information corresponding to the control request information is used to identify the nearest relay device to the unauthorized terminal, and the relay device is the nearest relay device. If not, the function control means causes the control request information to be transmitted to the nearest relay device, and when the relay device is the nearest relay device, the search result information corresponding to the control request information causes the fraud 6. An attack according to claim 5, further comprising: an unauthorized terminal control unit that specifies a node ID of the terminal, executes a control command included in the control request information, and controls communication from the unauthorized terminal. Packet protection system. The relay device is
A control rule storage unit that stores one or more network addresses to receive control requests;
In the case where the unauthorized terminal control means determines whether or not the source address of the control request information matches any network address to which the control request is received in the control rule storage unit. The attack packet according to claim 6, wherein the control request information is transmitted or communication from the unauthorized terminal is controlled, and if they do not match, a control execution result indicating an error is output to the function control means. Countermeasure system.   8. The attack packet countermeasure system according to claim 7, wherein the control rule storage unit stores one or more control destination network addresses. The unauthorized terminal search means creates an unauthorized terminal communication record list based on the information stored in the communication log storage means and the search cache storage means, and outputs the communication record list to the function control means,
The attack packet countermeasure system according to any one of claims 6 to 8, wherein the function control unit transmits the communication record list to a relay device that is a transmission source of the search request. An attack packet countermeasure system for identifying an unauthorized terminal that has made unauthorized access to a server via a relay device on a network,
One or more relay devices for rewriting the source information of the received packet;
A management terminal that transmits search request information of unauthorized terminals to any of the relay devices,
The relay device is
A communication log storage means for storing a communication log including a source address before relaying, a source address after relaying, and a destination address of the received packet;
When the search request information is input, an unauthorized terminal search unit that identifies an unauthorized terminal or a relay device that is a transmission destination of the search request information with reference to the communication log storage unit;
Inputs search request information from the management terminal or other relay device and outputs it to the unauthorized terminal search means, and outputs search result information to the unauthorized terminal control means when an unauthorized terminal is specified by the unauthorized terminal search means A function control unit that transmits the search request information to the transmission destination relay device when the transmission destination relay device is specified by the unauthorized terminal search unit;
An unauthorized terminal control that identifies a relay device nearest to the unauthorized terminal and the node ID of the unauthorized terminal from the retrieved result information, executes a control command included in the retrieved result information, and controls communication from the unauthorized terminal An attack packet countermeasure system characterized by comprising: means. A management terminal that sends an unauthorized terminal that has made unauthorized access to a server via one or more relay devices that rewrites the transmission source information of the received packet to any of the relay devices; An attack packet countermeasure method specified by using
The relay device is
Store the communication log including the source address before relay, the source address after relay, and the destination address of the received packet,
When the search request information is input, refer to the communication log to identify an unauthorized terminal or a relay device that is the transmission destination of the search request information.
When the unauthorized terminal is identified, search result information is transmitted to the management terminal or the other relay device,
An attack packet countermeasure method, comprising: transmitting the search request information to the transmission destination relay device when the transmission destination relay device is identified. The relay device is
Store a search rule that stores one or more network addresses to receive search requests,
Determining whether or not the source address of the search request information matches any network address of the target for receiving the search request in the search rule;
If they match, identify the unauthorized terminal or the relay device that is the transmission destination of the search request information,
The attack packet countermeasure method according to claim 11, wherein, if they do not match, a search execution result indicating an error is output. When the relay device identifies an unauthorized terminal, the relay device is regarded as the nearest relay device of the unauthorized terminal, and the search result information including the address of the nearest relay device and the node ID of the identified unauthorized terminal is managed. The attack packet countermeasure method according to claim 11 or 12, wherein the attack packet is transmitted to a terminal or the other relay device. The management terminal is
Upon receiving the search result information from any of the relay devices, create control request information for controlling communication from the unauthorized terminal, and reply to the relay device,
The relay device is
Storing a search cache including all or part of the search result information;
Entering the control request information, referring to the search result information, from the search result information corresponding to the control request information, identify the nearest relay device to the unauthorized terminal,
If the relay device is not the nearest relay device, send the control request information to the nearest relay device,
When the relay device is the latest relay device, the node ID of the unauthorized terminal is identified from the search result information corresponding to the control request information, the control command included in the control request information is executed, The attack packet countermeasure method according to claim 13, wherein communication from an unauthorized terminal is controlled, and control result information is transmitted to the management terminal or a relay device that is the transmission source of the control request. The relay device is
Storing a control rule that includes one or more network addresses to receive control requests;
Determining whether or not the transmission source address of the control request information matches any network address to which the control request is received in the control rule storage unit;
If they match, control transmission of the control request information or communication from the unauthorized terminal,
15. The attack packet countermeasure method according to claim 14, wherein a control execution result indicating an error is output when they do not match. Measures against attack packets that have the function of rewriting the source information of received packets and that identify unauthorized terminals that have made unauthorized access to the server based on unauthorized terminal search request information transmitted from the management terminal via the network A device,
A communication log storage means for storing a communication log including a source address before relaying, a source address after relaying, and a destination address of the received packet;
When the search request information is input, an unauthorized terminal search unit that identifies an unauthorized terminal or a relay device that is a transmission destination of the search request information with reference to the communication log storage unit;
Search request information is input from the management terminal or another relay device and output to the unauthorized terminal search means. When an unauthorized terminal is specified by the unauthorized terminal search means, search result information is sent to the management terminal or other And a function control means for transmitting the search request information to the transmission destination relay apparatus when the transmission destination relay apparatus is specified by the unauthorized terminal search means. Attack packet countermeasure device. The attack packet countermeasure device according to claim 16,
A search rule storage unit for storing one or more network addresses to receive search requests;
In the case where the unauthorized terminal search means determines whether or not the transmission source address of the search request information matches any network address that is the target of receiving the search request in the search rule storage unit. An attack packet countermeasure device characterized by identifying the unauthorized terminal or a relay device as a transmission destination of the search request information, and outputting a search execution result indicating an error to the function control means when they do not match. When the unauthorized terminal search means identifies an unauthorized terminal, the function control means uses the relay device as the nearest relay device of the unauthorized terminal, and the address of the nearest relay device and the identified unauthorized terminal. The attack packet countermeasure device according to claim 16 or 17, wherein search result information including a node ID is transmitted to the management terminal or the other relay device. Search cache storage means for storing a search cache including all or part of the search result information;
When control request information for controlling communication from the unauthorized terminal corresponding to the search result information is input from the management terminal, the search cache storage unit is referred to and the search result information corresponding to the control request information is used. When the relay device nearest to the unauthorized terminal is identified and the relay device is not the nearest relay device, the function control means causes the control request information to be transmitted to the nearest relay device, and the relay device The node ID of the unauthorized terminal is identified from the search result information corresponding to the control request information, the control command included in the control request information is executed, and communication from the unauthorized terminal is performed. And an unauthorized terminal control means for controlling and transmitting control result information to the management terminal or the relay device that is the transmission source of the control request. The attack packet countermeasure device according to claim 18. The attack packet countermeasure device according to claim 19,
A control rule storage unit that stores one or more network addresses to receive control requests;
In the case where the unauthorized terminal control means determines whether or not the source address of the control request information matches any network address to which the control request is received in the control rule storage unit. The attack packet countermeasure apparatus characterized in that the control request information is transmitted or the communication from the unauthorized terminal is controlled, and if they do not match, a control execution result indicating an error is output to the function control means. Attack that causes a relay device that has a function to rewrite the source information of received packets to identify an unauthorized terminal that has made unauthorized access to the server based on the unauthorized terminal search request information transmitted from the management terminal via the network A packet countermeasure program,
The relay device;
A communication log storage means for storing a communication log including a source address before relaying, a source address after relaying, and a destination address of a received packet;
When the search request information is input, an unauthorized terminal search unit that identifies an unauthorized terminal or a relay device to which the search request information is transmitted with reference to the communication log storage unit, and
Search request information is input from the management terminal or another relay device and output to the unauthorized terminal search means. When an unauthorized terminal is specified by the unauthorized terminal search means, search result information is sent to the management terminal or other Attack packet countermeasure program for functioning as a function control unit that transmits to a relay device and transmits the search request information to the destination relay device when the destination relay device is specified by the unauthorized terminal search unit . The relay device;
Function as a search rule storage unit that stores one or more network addresses to receive search requests;
When the fraudulent terminal search means determines whether or not the transmission source address of the search request information matches any network address that is the target of receiving the search request in the search rule storage unit. The attack according to claim 21, for identifying the unauthorized terminal or the relay device that is the transmission destination of the search request information, and causing the function control means to output a search execution result indicating an error if they do not match. Packet countermeasure program. When an unauthorized terminal is identified by the unauthorized terminal search means, the function control means uses the relay device as the nearest relay device of the unauthorized terminal, the address of the nearest relay device, and the identified unauthorized terminal The attack packet countermeasure program according to claim 21 or 22, for causing the search result information including a node ID to be transmitted to the management terminal or the other relay device. The relay device;
Search cache storage means for storing a search cache including all or part of the search result information; and
When control request information for controlling communication from the unauthorized terminal corresponding to the search result information is input from the management terminal, the search cache storage unit is referred to and the search result information corresponding to the control request information is used. When the relay device nearest to the unauthorized terminal is identified and the relay device is not the nearest relay device, the function control unit transmits the control request information to the nearest relay device, and the relay device The node ID of the unauthorized terminal is identified from the search result information corresponding to the control request information, the control command included in the control request information is executed, and communication from the unauthorized terminal is performed. 3. An unauthorized terminal control means for controlling and transmitting control result information to the management terminal or a relay apparatus that is a transmission source of the control request. 3. The attack packet countermeasure program according to 3. The relay device;
Function as a control rule storage unit that stores one or more network addresses to receive control requests,
In the case where the unauthorized terminal control means determines whether or not the transmission source address of the control request information matches any network address of the target that receives the control request in the control rule storage unit. The control request information is transmitted or the communication from the unauthorized terminal is controlled, and if they do not match, a control execution result indicating an error is output to the function control means. Attack packet countermeasure program.

Images