JP2009218825A - Network attack detection device and defense device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a network attack detection device and a defense device detecting network attack and avoiding an increase in delay time taken before a start of communication by a simple structure. <P>SOLUTION: The defense device 1 includes an incoming short packet counter section 12 counting the number of control packets sent from a specific client, an outgoing short packet counter section 13 counting the number of control packets sent to the specific client and a control section 14 detecting a network attack by the specific client based on a ratio of the counter value of the incoming short packet counter section 12 to that of the outgoing short packet counter section 13. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a network attack detection device and a defense device.

  In recent years, network attacks that interfere with services provided by servers on the Internet have become a problem. As this network attack, for example, there is a DDoS (Distributed Denial of Service) attack in which a malicious attacker transmits a large number of packets in an attempt to paralyze the server function.

FIG. 7 is a sequence diagram showing a normal connection establishment procedure of TCP (Transmission Control Protocol).
Normal connection establishment in TCP is performed by the following three-way handshake. First, when the client 22 accesses the server 23, the client 22 transmits a SYN packet to the server 23. Next, the server 23 returns a SYN-ACK packet that is a reception confirmation for the received SYN packet to the client 22. Finally, the client that has received the SYN-ACK packet transmits an ACK packet to the server 23. Thereby, the client 22 and the server 23 are in a communicable state.

FIG. 8 is a sequence diagram showing an outline of a SYN Flood attack, which is one of DDoS attacks.
The SYN Flood attack is an attack that exploits the 3-way handshake. The malicious client 22 transmits a large number of SYN packets in which the transmission source is spoofed to the server 23. The server 23 that has received the SYN packet transmits a SYN-ACK packet to the spoofed transmission source instead of the client 22 that has transmitted the SYN packet. However, since the transmission source is spoofed, an ACK packet is not returned to the server 23 from the transmission source. Eventually, the server 23 will not be able to accept TCP connection establishment requests because the number of TCP connection establishment requests exceeds the allowable amount. Therefore, the server 23 transmits an RST packet indicating that no further connection can be made as a response to the SYN packet to the source of the SYN packet. For this reason, access to the server 23 from a general user will be obstructed.

FIG. 9 is a sequence diagram showing an outline of attack patterns other than the attack shown in FIG.
In this attack pattern, the malicious client 22 transmits a SYN packet to the server 23, but does not return an ACK packet to the server 23 even if it receives a SYN-ACK packet for the SYN packet. For this reason, when the client 22 transmits a large number of SYN packets, the server 23 eventually cannot accept TCP connection establishment requests because the number of TCP connection establishment requests exceeds the allowable amount.

Conventional defense methods against such attacks include a method of detecting attack traffic by utilizing the fact that normal traffic arrival rate fluctuations can be modeled by a normal distribution (see Non-Patent Document 1, for example), and traffic statistics. An attack traffic detection method (for example, see Non-Patent Document 2) that uses wavelet transformation by using the characteristic of the image has been proposed.
Further, in the defense device described in Patent Document 1, a SYN packet from a client that is likely to attack is temporarily stored in the defense device, and after confirming the existence of the source address (client) of the SYN packet, the SYN packet To the destination address (server). Further, the defense device described in Patent Document 2 detects an attack from statistical information on the number of packets in the upstream direction and the number of packets in the downstream direction per unit time.
JP 2005-124055 A JP 2007-166154 A Yuichi Ohki et al., "DDoS Attack detection method using statistical properties of observed traffic" IEICE Technical Report IN2003-201, pp23-28, 2004 P. Shinde, et al., “Early DoS Attack Detection using Smoothened Time-Series and Wavelet Analysis,” IEEE 3rd International Symposium on Information Assurance and Security, 2007.

However, in the techniques described in Non-Patent Document 1, Non-Patent Document 2 and Patent Document 2, since it is necessary to calculate the statistical properties of communication traffic, there is a problem that the processing of the defense device becomes complicated. is there. In the technique described in Patent Document 1, since the communication is started after the existence of the client is confirmed by transmitting a SYN-ACK packet, an increase in delay is caused in the communication start of a general user who is not an attacker. In addition, there is a problem that the configuration of the defense device becomes complicated.
The present invention has been made in view of the above points, and an object of the present invention is to detect a network attack with a simple configuration and to prevent an increase in delay time until the start of communication and a defense To provide an apparatus.

  SUMMARY An advantage of some aspects of the invention is that a first counter that counts the number of control packets transmitted from a specific client, and a transmission addressed to the specific client are provided. A second counter that counts the number of control packets, and detection means that detects a network attack by the specific client based on a ratio of the counter values of the first and second counters. This is a featured network attack detection device.

  According to another aspect of the present invention, in the network attack detection apparatus, the first and second counters identify a control packet based on a packet length.

  According to another aspect of the present invention, in the network attack detection apparatus, the first counter counts the total number of SYN packets and ACK packets, and the second counter calculates the number of SYN-ACK packets. The detecting means is characterized in that it detects a “SYN Flood attack” related to TCP when the ratio of the number of SYN-ACK packets to the total number of SYN packets and ACK packets is smaller than a predetermined value.

  Further, according to one aspect of the present invention, in the network attack detection device, the first counter counts the number of SYN packets, the second counter counts the number of SYN-ACK packets, The detecting means detects a “SYN Flood attack” related to TCP when the ratio of the number of SYN-ACK packets to the number of SYN packets is smaller than a predetermined value.

  Also, according to one aspect of the present invention, in the network attack detection device, the first counter counts the number of SYN packets and the number of ACK packets, and the detection unit includes the number of ACK packets with respect to the number of SYN packets. When the ratio of the numbers is smaller than a predetermined value, a “SYN Flood attack” related to TCP is detected.

  According to another aspect of the present invention, in the network attack detection apparatus, the first counter counts the total number of SYN packets and ACK packets, and the second counter calculates the number of SYN-ACK packets. The detecting means counts a “SYN Flood attack” related to TCP when the ratio of the number of SYN-ACK packets to the total number of SYN packets and ACK packets is larger than a predetermined value.

  Further, according to one aspect of the present invention, in the network attack detection apparatus, the first counter counts the number of ACK packets, the second counter counts the number of SYN-ACK packets, and detects the detection The means is characterized by detecting a “SYN Flood attack” related to TCP when the ratio of the number of ACK packets to the number of SYN-ACK packets is smaller than a predetermined value.

  According to another aspect of the present invention, there is provided the network attack detection apparatus described above and a bandwidth limiter that limits the bandwidth of a control packet whose source is a specific client in which a network attack is detected. It is a defensive device.

  In addition, according to an aspect of the present invention, in the defense device described above, the bandwidth limitation target is a SYN packet related to TCP.

  According to the present invention, since a network attack is detected based on the ratio between the number of control packets transmitted from a specific client and the number of control packets transmitted to the specific client, complicated processing is not required. This makes it possible to detect a network attack with a simple configuration. In addition, since there is no need to check the client, an increase in delay time until the start of communication can be avoided.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
FIG. 1 is a schematic view showing the arrangement position of the defense device 1 according to the embodiment of the present invention.
As shown in this figure, the client 2 and the server 3 are connected via a network. The defense device 1 is provided between the client 2 and the network. The defense device 1 is provided, for example, in a telecommunications carrier's office, and is connected to the client 2 and a subscriber line (such as an optical cable) in a one-to-one relationship. By connecting with the client 2 on a one-to-one basis, the defense device 1 can limit only packets from a specific client 2. The defense device 1 transmits the packet received from the client 2 to the server 3 via the network. Further, the defense device 1 transmits the packet received from the server 3 to the client 2 via the network.

  The server 3 is a server device to be protected. The client 2 is a device that can perform communication conforming to TCP (Transmission Control Protocol) such as a personal computer.

  In FIG. 1, one client 2 and one server 3 are shown, but a plurality of clients may exist. Hereinafter, the direction from the client 2 to the server 3 will be described as “uplink direction”, and the direction from the server 3 to the client 2 will be described as “downlink direction”.

  In this embodiment, the SYN Flood attack related to TCP is protected. First, the principle of the present invention will be described. In a normal connection establishment procedure in TCP, as shown in FIG. 7, the ratio of the number of SYN packets: the number of SYN-ACK packets: the number of ACK packets is 1: 1: 1. On the other hand, in the attack pattern of FIG. 8, the number of downlink SYN-ACK packets is smaller than the number of upstream SYN packets. Also, there are few uplink ACK packets. Based on this finding, several methods for determining SYN Flood attacks were conceived. Hereinafter, the SYN Flood attack is determined from the ratio of the number of uplink SYN packets to the number of downlink SYN-ACK packets. Alternatively, the SYN Flood attack is determined from the ratio between the number of uplink SYN packets and the number of uplink ACK packets.

  (Determination method 1) In this determination method, a SYN Flood attack is determined from the ratio of the total number A of uplink SYN packets and ACK packets to the number of downlink SYN-ACK packets B. In a normal connection establishment procedure in TCP, the ratio (B / A) of the number B of SYN-ACK packets to the total number A is 0.5, which is not an extremely small value. On the other hand, in the attack pattern of FIG. 8, B / A has a small value. The determination condition in this case is determined as a SYN Flood attack when B / A is smaller than a predetermined threshold. The predetermined threshold is a value smaller than 0.5.

  (Determination method 2) In this determination method, a SYN Flood attack is determined from the ratio of the number of SYN packets in the upstream direction and the number of SYN-ACK packets in the downstream direction. In a normal connection establishment procedure in TCP, the ratio (B / C) of the number of SYN-ACK packets B to the number of SYN packets C is 1, which is not an extremely small value. On the other hand, in the attack pattern of FIG. 8, B / C becomes a small value. The determination condition in this case is determined as a SYN Flood attack when B / C is smaller than a predetermined threshold. The predetermined threshold is a value smaller than 1.

  (Determination Method 3) In this determination method, a SYN Flood attack is determined from the ratio of the number of uplink SYN packets C and the number of uplink ACK packets D. In a normal connection establishment procedure in TCP, the ratio (D / C) of the number of ACK packets D to the number of SYN packets C is 1, which is not an extremely small value. On the other hand, in the attack pattern of FIG. 8, D / C becomes a small value. The determination condition in this case is determined as a SYN Flood attack when D / C is smaller than a predetermined threshold. The predetermined threshold is a value smaller than 1.

  In the attack pattern that does not transmit the ACK packet in FIG. 9, there are many uplink SYN packets, but there are few uplink ACK packets. Based on this knowledge, the SYN Flood attack can be determined by the following method.

  (Determination Method 4) In this determination method, a SYN Flood attack is determined from the ratio of the total number A of uplink SYN packets and ACK packets to the number of downlink SYN-ACK packets B. In the attack pattern of FIG. 9, the ratio (B / A) of the SYN-ACK packet number B to the total number A is 1. The determination condition in this case is determined as a SYN Flood attack when B / A is greater than a predetermined threshold. The predetermined threshold is a value greater than 0.5.

(Determination method 5) In this determination method, a SYN Flood attack is determined from the ratio of the number D of uplink ACK packets and the number B of SYN-ACK packets in the downlink direction. In a normal connection establishment procedure in TCP, the ratio (D / B) of the number of ACK packets D to the number of SYN-ACK packets B (D / B) is 1, which is not an extremely small value. On the other hand, in the attack pattern of FIG. 9, D / B becomes a small value. The determination condition in this case is determined as a SYN Flood attack when D / B is smaller than a predetermined threshold. The predetermined threshold is a value smaller than 1.
The attack pattern can also be determined by the determination method 3 described above. Each embodiment will be described below.

[First Embodiment]
The present embodiment is an embodiment of the determination method 1 or 4. In this embodiment, short packets are counted as means for counting control packets (such as SYN packets, ACK packets, and SYN-ACK packets). A short packet is a packet having a size smaller than a predetermined value set in advance. This utilizes the fact that the packet length of the control packet is relatively short, and the packet length of the data traffic is relatively long, and the probability of becoming the same as the packet length of the control packet is extremely low. Control packets exist in addition to SYN packets, ACK packets, and SYN-ACK packets. However, when there is a SYN Flood attack, the tendency of determination method 1 or determination method 4 becomes strong, and therefore, an upstream short packet and a downlink packet are transmitted. It can be determined by the ratio of short packets in the direction. The control packet is 64 bytes without a VLAN (Virtual LAN) tag or the like.

FIG. 2 is a block diagram illustrating a configuration of the defense device 1 according to the first embodiment.
The defense device 1 includes a first network interface unit 11, an uplink short packet counter unit 12 (first counter), a downlink short packet counter unit 13 (second counter), a control unit 14 (detection means), The distribution unit 15, the bandwidth limiting unit 16, the integration unit 17, and the second network interface unit 18 are configured. The defense device 1 according to the present embodiment calculates the number of short packets in the uplink direction and the number of short packets in the downlink direction, and determines whether the attack is a network attack based on the ratio thereof.

  The first network interface unit 11 receives a packet transmitted from the client 2 and outputs the received packet to the uplink short packet counter unit 12. Further, the packet addressed to the client 2 is transmitted to the client 2.

  The upstream short packet counter unit 12 counts the number of short packets input per unit time, and outputs the counted value (N1) to the control unit 14. The uplink short packet counter unit 12 outputs the input packet to the distribution unit 15.

  The second network interface unit 18 receives a packet addressed to the client 2 from the server 3 and outputs the received packet to the downlink short packet counter unit 13. Further, the second network interface unit 18 transmits the uplink packet input from the integration unit 17 to the server 3 via the network.

  The downlink short packet counter unit 13 counts the number of short packets input per unit time, and outputs the counted value (N2) to the control unit 14. The downlink short packet counter unit 13 outputs the input packet to the first network interface unit 11.

  The control unit 14 detects a network attack based on the counter value N1 input from the uplink short packet counter unit 12 and the counter value N2 input from the downlink short packet counter unit 13. If the control unit 14 determines that there is a network attack, the control unit 14 controls the band limiting unit 16 to limit the bandwidth of the short packets in the uplink direction. Details thereof will be described later.

  The distribution unit 15 classifies the packet input from the uplink short packet counter unit 12 into a SYN packet and other packets. In addition, the distribution unit 15 outputs the SYN packet to the band limiting unit 16 and the other packets to the integration unit 17. The band limiting unit 16 outputs the input SYN packet to the integration unit 17. At that time, the passing amount of the SYN packet is limited based on the control signal from the control unit 14.

  The integration unit 17 integrates the traffic of the SYN packet input from the bandwidth limiting unit 16 and the traffic of the other packet input from the distribution unit 15 and outputs the integrated traffic to the second network interface unit 18.

FIG. 3 is a sequence diagram illustrating an example of the flow of defense processing in the control unit 14 of the present embodiment.
The control unit 14 sets a threshold value X for detecting a network attack before starting the defense process (step S1). The threshold value X is a value input to the defense device 1 by an operator or the like. Next, the control part 14 acquires a counter value (step S2). In the present embodiment, the control unit 14 acquires N1 from the uplink short packet counter unit 12 and N2 from the downlink short packet counter unit 13 as counter values. N1 corresponds to the total number A of SYN packets and ACK packets. N2 corresponds to the number B of SYN-ACK packets.

  Subsequently, the control unit 14 performs network attack determination (step S3). In the present embodiment, the control unit 14 calculates the ratio (N2 / N1) of N2 to N1, and compares the calculated value with the threshold value X. In the case of the determination method 1, the threshold value X is 0.5−α. In this case, the control unit 14 determines that the attack is a network attack when N2 / N1 is smaller than the threshold value X. In the case of the determination method 4, the threshold value X is 0.5 + β. In this case, the control unit 14 determines that the attack is a network attack when N2 / N1 is larger than the threshold value X. α and β are positive constants determined in advance. As the determination method, either determination method 1 or determination method 4 may be used. Or you may perform determination using both.

  If it is determined that the attack is a network attack, the control unit 14 controls the bandwidth limiting unit 16 to limit the bandwidth of the SYN packet (step S4). At this time, the control unit 14 designates the maximum number of packets. Based on the control signal from the control unit 14, the band limiting unit 16 allows only the SYN packet having the maximum number of packets per unit time to pass through the integration unit 17. Here, for example, the control unit 14 outputs a control signal to the band limiting unit 16 with the maximum number of packets set to N2 × a. a is a constant of 1 or more. Since the maximum number of packets is based on the value of N2, it changes every unit time.

  On the other hand, if it is determined that the network attack has not occurred, the control unit 14 determines whether or not the bandwidth limiter 16 has already been set (step S5). If the band limitation has not been set, the process proceeds to step S2. On the other hand, when the band limitation has been set, the control unit 14 releases the band limitation of the band limitation unit 16 (step S6), and proceeds to step S2.

  Thus, according to the present embodiment, the defense device 1 detects a network attack based on the ratio of the number of short packets in the upstream direction and the number of short packets in the downstream direction per unit time. There is no need to do. Thereby, a network attack can be detected with a simple device configuration. Moreover, since it is not necessary for the defense device 1 to confirm the presence of the client, there is no delay increase in the communication start of general users. Further, when a network attack is detected, the defense device 1 can suppress attacks on the server 3 by limiting the number of uplink SYN packets per unit time.

[Second Embodiment]
The second embodiment of the present invention is an embodiment of determination method 1 or determination method 4. In the first embodiment, the network attack is detected by using the number of short packets in the uplink direction and the number of short packets in the downlink direction per unit time. In this embodiment, the SYN packet and the ACK packet per unit time are used. The total number and the number of SYN-ACK packets are calculated, and a network attack is detected using the calculated values.

FIG. 4 is a block diagram showing a configuration of the defense device 5 in the present embodiment.
The defense device 5 includes a first network interface unit 51, a SYN / ACK counter unit 52 (first counter), a SYN-ACK counter unit 53 (second counter), and a control unit 54 (detection means). A distribution unit 55, a bandwidth limiting unit 56, an integration unit 57, and a second network interface unit 58.

  The SYN / ACK counter unit 52 counts the total number of SYN packets and ACK packets per unit time received from the client 2 via the first network interface unit 51, and sends the counted value (N51) to the control unit 54. Output. Further, the SYN / ACK counter unit 52 outputs the input packet to the distribution unit 55.

  The SYN-ACK counter unit 53 counts the number of SYN-ACK packets received from the network via the second network interface unit 58 per unit time, and outputs the counted value (N52) to the control unit 54. Further, the SYN-ACK counter unit 53 outputs the input packet to the first network interface unit 51.

  The control unit 54 detects a network attack based on the counter value N51 input from the SYN / ACK counter unit 52 and the counter value N52 input from the SYN-ACK counter unit 53. Specifically, the control unit 54 calculates the ratio of N52 to N51 (N52 / N51). N51 corresponds to the total number A of SYN packets and ACK packets. N52 corresponds to the number B of SYN-ACK packets. Then, in the determination method 1, the control unit 54 determines that the attack is a network attack when the value of N52 / N51 is smaller than “0.5−α”. In the determination method 4, the control unit 54 determines that the attack is a network attack when the value of N52 / N51 is greater than “0.5 + β”. As the determination method, either determination method 1 or determination method 4 may be used. Or you may perform determination using both. Since other configurations are the same as those of the first embodiment, the description thereof is omitted.

  Thus, according to the present embodiment, a network attack is detected based on the ratio of the total number of SYN packets and ACK packets per unit time and the number of SYN-ACK packets. This enables more accurate network attack detection and suppression.

[Third Embodiment]
The third embodiment of the present invention is an embodiment of the determination method 2 or the determination method 5. In the second embodiment, the SYN packet and the ACK packet are counted without being distinguished, but in the present embodiment, the SYN packet and the ACK packet are counted separately.

FIG. 5 is a block diagram showing the configuration of the defense device 6 in the present embodiment.
The protection device 6 includes a first network interface unit 61, a SYN / ACK-specific counter unit 62 (first counter), a SYN-ACK counter unit 63 (second counter), and a control unit 64 (detection means). A distribution unit 65, a band limiting unit 66, an integration unit 67, and a second network interface unit 68.

  The SYN / ACK-specific counter unit 62 counts the number of SYN packets and ACK packets received from the client 2 via the first network interface unit 61 per unit time, and the value obtained by counting the SYN packets (N61). A value (N63) obtained by counting the ACK packets is output to the control unit 64. Also, the SYN / ACK-specific counter unit 62 outputs the input packet to the distribution unit 65.

  The control unit 64 has a counter value N62 that is a count value per unit time of the counter value N61, the counter value N63, and the SYN-ACK packet input from the SYN-ACK counter unit 63. Detect network attacks based on Specifically, the control unit 64 calculates the ratio of N62 to N61 (N62 / N61) and the ratio of N62 to N63 (N63 / N62). N61 corresponds to the number C of SYN packets. N62 corresponds to the number B of SYN-ACK packets. N63 corresponds to the number D of ACK packets.

  In the determination method 2, the control unit 64 determines that the attack is a network attack when the value of N62 / N61 is smaller than “1-γ”. In the determination method 5, the control unit 64 determines that the attack is a network attack when the value of N63 / N62 is smaller than “1-γ”. γ is a predetermined positive constant. As the determination method, either determination method 2 or determination method 5 may be used. Or you may perform determination using both. Since other configurations are the same as those of the second embodiment, description thereof is omitted.

  Thus, according to the present embodiment, the number of SYN packets and ACK packets per unit time is counted separately, and a network attack is detected based on the values. This makes it possible to detect network attacks more accurately.

[Fourth Embodiment]
The fourth embodiment of the present invention is an embodiment of the determination method 3. In this embodiment, a network attack is detected based on the number of SYN packets and ACK packets per unit time.

FIG. 6 is a block diagram showing a configuration of the defense device 7 in the present embodiment.
The defense device 7 includes a first network interface unit 71, a SYN / ACK-specific counter unit 72 (first counter), a control unit 74 (detection means), a distribution unit 75, and a band limiting unit 76. Part 77 and a second network interface part 78.

  Based on the counter value N71 that is the number of SYN packets per unit time input from the SYN / ACK-specific counter unit 72 and the counter value N72 that is the number of ACK packets per unit time, the control unit 74 performs a network attack. To detect. Specifically, the control unit 74 calculates the ratio of N72 to N71 (N72 / N71). N71 corresponds to the number C of SYN packets. N72 corresponds to the number D of ACK packets. And the control part 74 determines with it being a network attack, when the value of N72 / N71 is less than "1-gamma". Since other configurations are the same as those of the third embodiment, description thereof is omitted.

  Thus, according to this embodiment, a network attack is detected based on the number of SYN packets and ACK packets per unit time. This makes it possible to detect a network attack with a simpler configuration.

  The embodiments of the present invention have been described in detail above with reference to the drawings. However, the specific configuration is not limited to the above-described one, and various design changes and the like can be made without departing from the scope of the present invention. Is possible.

  For example, in the present embodiment, the defense devices 1, 5, 6, and 7 are provided so as to be in a one-to-one relationship with the client 2. However, a single defense device 1, 5, 6, and 7 is provided for a plurality of clients 2. May be. In that case, the defense devices 1, 5, 6, and 7 detect a network attack for each client 2. When a network attack is detected, the bandwidth is limited only to the SYN packet from the client 2 where the network attack is detected. At this time, the defense devices 1, 5, 6, and 7 are provided as many as the number of clients 2 to which each unit other than the control units 14, 54, 64, 74 is connected.

  In the above-described embodiment, the defense devices 1, 5, 6, and 7 are installed between the user terminal 2 and the network, but may be installed between the server 3 and the network. At this time, the defense devices 1, 5, 6, and 7 perform defense processing for all packets transmitted to the server 3.

It is the schematic which shows the arrangement position of the defense apparatus by 1st Embodiment. It is a block diagram which shows the structure of the defense apparatus in this embodiment. It is a sequence diagram which shows an example of the flow of a process in the control part of this embodiment. It is a block diagram which shows the structure of the defense apparatus in 2nd Embodiment. It is a block diagram which shows the structure of the defense apparatus in 3rd Embodiment. It is a block diagram which shows the structure of the defense apparatus in 4th Embodiment. It is a sequence diagram which shows the normal connection establishment means of TCP. It is a sequence diagram which shows the outline | summary of the SYN Flood attack which is one of the DDos attacks. It is a sequence diagram which shows the outline | summary of the SYN Flood attack which is one of the DDos attacks.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1,5,6,7 ... Defense apparatus 2,22 ... Client 3,23 ... Server 11,51,61,71 ... First network interface part 12 ... Uplink short packet counter part 13 ... Downlink short packet counter part 14, 54, 64, 74 ... control unit 15, 55, 56, 66, 76 ... distribution unit 16, 56, 66, 76 ... band limiting unit 17, 57, 67, 77 ... integration unit 18, 58, 68, 78 ... first 2 network interface unit 52... SYN / ACK counter unit 53, 63... SYN-ACK counter unit 62, 72.

Claims (9)

A first counter for counting the number of control packets transmitted from a specific client;
A second counter for counting the number of control packets transmitted to the specific client;
Detecting means for detecting a network attack by the specific client based on a ratio of the counter values of the first and second counters;
A network attack detection apparatus comprising:   The network attack detection apparatus according to claim 1, wherein the first and second counters identify a control packet based on a packet length. The first counter counts the total number of SYN packets and ACK packets,
The second counter counts the number of SYN-ACK packets,
The detection unit detects a “SYN Flood attack” related to TCP when the ratio of the number of SYN-ACK packets to the total number of SYN packets and ACK packets is smaller than a predetermined value. The described network attack detection device. The first counter counts the number of SYN packets,
The second counter counts the number of SYN-ACK packets,
2. The network attack according to claim 1, wherein the detection unit detects a “SYN Flood attack” related to TCP when a ratio of the number of SYN-ACK packets to the number of SYN packets is smaller than a predetermined value. Detection device. The first counter counts the number of SYN packets and the number of ACK packets,
2. The network attack detection device according to claim 1, wherein the detection unit detects a “SYN Flood attack” related to TCP when a ratio of the number of ACK packets to the number of SYN packets is smaller than a predetermined value. . The first counter counts the total number of SYN packets and ACK packets,
The second counter counts the number of SYN-ACK packets,
The detection unit detects a “SYN Flood attack” related to TCP when the ratio of the number of SYN-ACK packets to the total number of SYN packets and ACK packets is larger than a predetermined value. The described network attack detection device. The first counter counts the number of ACK packets;
The second counter counts the number of SYN-ACK packets,
2. The network attack according to claim 1, wherein the detection unit detects a “SYN Flood attack” related to TCP when a ratio of the number of ACK packets to the number of SYN-ACK packets is smaller than a predetermined value. Detection device. The network attack detection device according to any one of claims 1 to 7,
A bandwidth limiter that limits the bandwidth of control packets originating from a specific client in which a network attack is detected;
A defensive device comprising:   The defense apparatus according to claim 8, wherein the bandwidth restriction target is a SYN packet related to TCP.

Images