JP2010239392A - System, device and program for controlling service disabling attack - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To detect service-disabling attacks, identify attack route, and control attacking source, without having to use a large number of machine resources and without degrading the detection accuracy. <P>SOLUTION: A system for controlling service disabling attack includes an exporter for inspecting a packet of a network of a monitoring object, generating and periodically summarizing attack information, including a destination IP address, the type of attack, and an upper router IP address to be transmitted to a collector, and receiving a control request from the collector to control a gateway device; and the collector for receiving the attack information to be stored by adding an IP address of the transmission-source exporter thereto, acquiring, from the attack information, the upper router IP address for an exporter including a given destination IP address in a network of a monitoring object, thereafter repeating a process of acquiring from the attack information, the upper router IP address for an adjacent exporter via an upper router, thereby generating a list of IP addresses of the exporter and the gateway device, and transmitting a control request. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a system, method, and program for controlling denial of service attacks in a network.

  In recent years, networks such as the Internet have become indispensable as social infrastructure, and many companies conduct advertising activities through servers on the Internet, and many industrial activities such as sales and meetings of products etc. Is done through the server on.

  On the other hand, there are many incidents where such services cannot be provided by unauthorized access to such servers on the Internet, such as DoS attacks (Denial of Service Attack) and DDoS attacks (Distributed Denial of Service Attack). Has become a social problem. DoS attacks are indistinguishable from normal access, and there is a high possibility that the source IP address is spoofed, making it difficult to cut off the attack from the original.

Conventionally, the following measures have been taken against the above problems.
a. An IDS (Intrusion Detection System) is installed for each network, logs of each IDS are collected in one place, correlation analysis is performed, and an unauthorized terminal is identified and dealt with (see, for example, Patent Document 1).
b. Correspond using IP traceback technology that makes it possible to track which path the packet has taken when an attack is detected by recording the characteristics of the packet passing through the network (for example, patent document) 2).
c. Handles packets exchanged by applications on the network as communication flows (flows), obtains flow-related information from network devices such as routers, and supports flow-based traffic analysis technology that analyzes and manages the entire network To do.

  In addition, patent documents 1-4 are known in relation to the said technique.

JP 2004-220373 A Japanese Patent Laid-Open No. 2003-298652 JP 2008-193538 A JP 2002-164938 A

However, the methods a, b, and c have the following problems.
a. Although detection accuracy is high, many machine resources (CPU, memory, etc.) are required to detect attacks quickly in a large-scale network environment.
In addition, a high level of skill is required to analyze the log and identify the communication path of the IP spoofed packet.
b. Attack path of a flood-based DoS attack that blocks the use of services by sending a large amount of data and compressing the network bandwidth due to the nature of identifying the attack path by analyzing a large amount of collected data Although it is suitable for identification, it is not suitable for specifying the attack path of a blow-through DoS attack that stops the service at once with a software vulnerability. That is, although there is a merit that the communication path of the IP spoofed packet can be easily traced compared to a, the detection accuracy is inferior to a.
In addition, since it is introduced on the gateway device, the gateway device is modified. Compared to a and c, the processing load on the gateway device is higher and requires more machine resources.
c. Due to the nature of sampling (thinning out) and analyzing packets flowing on the network, the characteristics of the attack become difficult to see, and as with b, it is not possible to detect a single-death DoS attack and specify the attack path. In other words, compared to a and b, there is an advantage that an attack can be detected without requiring many machine resources even in a large-scale network environment, but the detection accuracy is inferior to a and b.
In addition, there is a problem that high skills are required to analyze the collected information and identify the attack source and attack path of a DDoS attack performed from multiple locations.

  In other words, both are pros and cons, and do not require a lot of machine resources (CPU, memory, disk, etc.) and special skills, so it is possible to accurately detect DoS attacks and identify attack routes, and control attacks from the beginning. I can't do it.

  The present invention has been made in view of the above-mentioned problems, and its purpose is to enable DoS attack detection and attack path identification without requiring many machine resources and special skills, and to control the attack from the beginning. It is to provide a denial of service attack control system, apparatus and program.

  A denial-of-service attack control system according to the present invention is a denial-of-service attack control system comprising an exporter and a collector connected to a network, wherein the exporter is a packet that matches a predetermined attack type in a monitored network. A packet inspection unit that detects the packet, and generates attack information including the destination IP address of the detected packet, the type of matched attack, and the IP address of the gateway device closer to the attack source, and is periodically aggregated to the collector An attack information management unit for transmitting, and a control unit for receiving a control request for the gateway device from the collector and controlling the gateway device, wherein the collector receives the aggregated attack information from the exporter, Add the IP address of the source exporter and store it as attack information For the exporter including the given destination IP address in the monitored network and the corresponding gateway device closer to the attack source, the IP address is obtained after acquiring the IP address of the gateway device closer to the attack source from the stored attack information. A list of IP addresses of the exporter and the gateway device is obtained by repeating the process of acquiring the IP address of the corresponding gateway device closer to the attack source from the stored attack information for the adjacent exporter via the acquired gateway device. An attack information search unit to be generated; and a control unit that transmits a control request for the gateway device to the exporter using the list.

  The exporter according to the present invention is an exporter used in a denial-of-service attack control system including an exporter and a collector connected to a network, and detects a packet that matches a predetermined attack type in a monitored network. Attack that generates a packet inspection unit and attack information including the destination IP address of the detected packet, the type of matched attack, and the IP address of the gateway device closer to the attack source, and periodically aggregates and sends to the collector An information management unit; and a control unit that receives a control request for the gateway device from the collector and controls the gateway device.

  The collector according to the present invention is a collector used in a denial-of-service attack control system comprising an exporter and a collector connected to a network, the destination IP address of a packet that matches a predetermined attack type, and a matching attack The attack information management unit that receives attack information including the IP address of the gateway device closer to the attack source from the exporter, adds the IP address of the source exporter, and stores it as attack information, and the given destination IP For the exporter including the address in the network to be monitored, after acquiring the IP address of the corresponding gateway device closer to the attack source from the stored attack information, the exporter adjacent through the gateway device that acquired the IP address, Corresponding closer to the attack source By repeating the process of acquiring the IP address of the gateway device from the stored attack information, an attack information search unit that generates a list of IP addresses of the exporter and the gateway device, and control of the gateway device to the exporter using the list A control unit that transmits the request.

The first effect is that a DoS attack can be detected and an attack route can be accurately identified without requiring a lot of machine resources, and the attack can be controlled from the beginning.
The reason is that the problem of the massive consumption of resources in the signature method used to accurately identify the DoS attack is solved by devising the system configuration and data structure as follows.
・ Attack information is managed using three tables (temporary attack information table, attack information table, attack information management table), a retention period is provided for the data in the table, and the data is divided into two stages from the exporter to the collector By consolidating data in time and deleting unnecessary data from each table after data transfer and aggregation, resource consumption of the exporter and collector is suppressed.
-Reduce the consumption of machine resources per unit by making the exporter independent from the gateway device and by sharing the roles with the exporter and collector.
-To reduce the load on the CPU, configure the packet inspection unit in the exporter so that it can be distributed to multiple hosts.

The second effect is that it is possible to specify the attack path of a one-shot DoS attack.
The reason is that the signature management table is devised so that the threshold value of the signature can be set to 1 even in the case of a blow-through DoS attack.

The third effect is that the processing load of the gateway device can be suppressed.
The reason is that the exporter and collector, which are the core parts of the present invention, are independent of the gateway device.

The fourth effect is that no special skill is required to specify the attack source of a DDoS attack that is performed from a plurality of locations.
The reason is that the data structure of the table of the exporter and the collector is devised, and the attack source can be easily identified by searching the attack information management table of the collector.

  When the present invention is applied to a network business such as an ISP (Internet Service Provider), it is possible to provide a network environment that allows the business operator to use it with peace of mind by a general user. It also leads to a reduction in operating costs on the operator side.

It is a block diagram which shows the structure of the network in which this invention was introduced, an exporter, and a collector. It is a time chart which shows the operation | movement at the time of the attack information storage of Example 1 of this invention. It is a time chart which shows the operation | movement at the time of attack origin control of Example 1 of this invention. It is a figure which shows the usage image of an attack route list, a route search waiting list, and a route search result list. It is a flowchart which shows the process sequence of an attack information search part. It is a block diagram which shows the network structure of Example 2 of this invention.

  Hereinafter, embodiments of the present invention will be described in detail.

<Configuration of Example>
FIG. 1 is a block diagram showing the configuration of a network, an exporter, and a collector in which the present invention is introduced. As shown in FIG. 1, an exporter 101, an exporter 107, an exporter 108, and a collector 106, which are devices into which an exporter program and a collector program are respectively installed, are arranged on a management target network. These exporters and collectors are linked, and the log information collected by the exporters is collected and managed by the collector, thereby solving the above-mentioned problems.

An outline of each device shown in FIG. 1 is shown below.
Exporter 101: A device that has introduced the exporter program.
Unauthorized terminal 102: A device that has performed a DoS attack (UDP Flood) on the server 105.
Router A103: A device that relays communication between the network to which the unauthorized terminal 102 belongs and the network to which the router B104 belongs.
Router B104: A device that relays communication between the network to which the server 105 belongs and the network to which the router A103 belongs.
Server 105: A device that provides a service.
Collector 106: An apparatus in which the collector program is introduced.
Exporter 107... Device that has introduced the exporter program.
Exporter 108: A device in which the exporter program is introduced.

First, an exporter, which is one of the components constituting the core of the present invention, will be described with reference to FIG.
The exporter periodically checks the attack information temporary table in the attack information management DB with the packet inspection unit 202 having a function of inspecting the received packet based on the signature management table, and deletes the time-out data, or The attack information temporary table management unit 203 having a function to transfer to the attack information table in the attack information management DB, and the data detected as an attack by the packet inspection unit 202 are stored in the attack information temporary table in the attack information management DB And an attack information table management unit 204 having a function of referring to data in the attack information table in the attack information management DB and aggregating data periodically transmitted to the collector, and an adjacent gateway device based on the control rule table Packets received by controlling the attack source control unit 205 having the function of controlling the packet inspection unit 202 A function to perform inspection, a function to control the attack information temporary table management unit 203 and the attack information table management unit 204 to periodically transmit data collected to the collector, and an attack source control unit in response to a device control request from the collector This is an apparatus having an exporter function control unit 201 having a function of controlling 205 and a function of updating each table and setting on the exporter in response to an instruction from the collector.
In one embodiment, the exporter is constructed by reading an exporter program for realizing the functions of the above-described units into a computer.

  In this specification, “transcribe” means, for example, that when data is to be transferred from the attack information temporary table to the attack information table, not only the same data as the data is added to the attack information table. Although it involves deleting the data from the temporary attack information table, it is simply described as “transcribe”.

The exporter has the following setting parameters. That is, the following information is given to the exporter program as setting parameters.
Standby port number: The exporter has a function as a server for processing an apparatus control request from a collector and a setting change instruction, and therefore it is necessary to specify a standby port number.
Attack information temporary table check period: The attack information temporary table management unit 203 periodically checks the attack information temporary table (Table 3) based on this value, and the “threshold value of the signature management table (Table 1)” ”And“ inspection timeout ”columns, data is deleted or transferred to the attack information table (Table 4). The resource consumption of the exporter is reduced by deleting the referenced data from the temporary attack information table after posting.
Attack information temporary table registration number upper limit: The attack information table management unit 204, when registering data in the attack information temporary table, checks the number of entries in the attack information temporary table based on this value and reaches the upper limit. If the data has been registered, the data having the longest elapsed time since registration is confirmed, and the data is deleted or transferred to the attack information table based on the threshold of the signature management table and the column of the inspection timeout. By setting an upper limit for the number of registrations in the attack information temporary table and deleting the referenced data from the attack information temporary table after transcription, the resource consumption of the exporter is reduced.
Attack information table check interval... The exporter function control unit 201 controls the attack information table management unit 204 based on this value and aggregates the collected data temporally and periodically transmits it to the collector. Note that if a large value is set, attacks cannot be detected in real time.

  Hereinafter, the configuration of each table used in the exporter, that is, the signature management table, the control rule table, the attack information temporary table, and the attack information table will be described.

<Signature management table>
The exporter holds a signature management table as shown in Table 1, and has an authority that can be changed as necessary.

The meaning of each column of the signature management table is as follows.
ID: ID (identifier) for uniquely identifying the signature.
Identification name: Signature identification name.
Protocol: Protocol number to be inspected.
Rule: Inspection rule.
Threshold value ... The attack information temporary table management unit 203 and the attack information table management unit 204 refer to the attack counter column and this value in the corresponding row of the attack information temporary table when the attack information temporary table is updated. Check if it is greater than or equal to the value. If the attack counter is greater than or equal to the threshold, the corresponding line is transferred to the attack information table.
Inspection timeout (seconds) ... The attack information temporary table management unit 203 and the attack information table management unit 204 refer to the column of the registration time of the corresponding row of the attack information temporary table and this value when updating the attack information temporary table, When the time since registration has passed this value, it is confirmed whether or not the attack counter of the attack information temporary table is equal to or greater than the threshold value of the signature management table. If the attack counter is less than the threshold, the corresponding line is deleted from the attack information temporary table. On the other hand, if the attack counter is greater than or equal to the threshold, the corresponding line is transferred to the attack information table.
The time shown in each table is the number of seconds that have elapsed since Coordinated Universal Time (January 1, 1970 00:00:00).

  In the case of a single-death DoS attack, it is possible to detect by setting the signature threshold to 1.

<Control rule table>
The exporter holds a control rule table as shown in Table 2, and has an authority that can be changed as necessary.

The meaning of each column in the control rule table is as follows.
Rule ID: ID for uniquely identifying a control rule.
Control source: Network address that accepts control requests.
Control destination: Address of the control target gateway device.
Control type: A value indicating which method is used to control communication. In the illustrated example, 1 is a warning, 2 is a band control, and 4 is a cutoff.
Control command: A command for controlling adjacent gateway devices.
Control options: Information related to control command options (control command specifications).
Remarks: Comment information for control rules.

  When the exporter function control unit 201 receives a control request from the collector, first, the control rule table shown in Table 2 is referred to, and a matching control rule is specified using the IP address of the request source as a key.

  As a result of checking all the control rules, if the IP address of the request source does not match the control source of any rule, the control request is rejected and an error is returned as the control result. In addition, when the identified control rule does not match the control type specified in the control request, the control request is rejected and an error is returned as a control result. If a control rule matching the control source and the control type can be identified, the corresponding command is executed with the control option specified in the control request, and the adjacent gateway device is controlled.

<Attack information temporary table>
The exporter holds an attack information temporary table as shown in Table 3 in the attack information management DB, and has an authority that can be changed as necessary.

The meaning of each column of the attack information temporary table is as follows.
Destination IP: Destination IP address of the detected attack.
Signature ID: Signature ID of the signature management table corresponding to the detected attack.
Upper router IP: The IP address of the gateway device existing in the direction of the detected attack source (the IP address of the gateway device closer to the attack source). The packet inspection unit 202 obtains the received data by referring to the ARP table of the exporter using the transmission source MAC address of the data as a key.
Attack counter: A counter that indicates how many times the same destination IP, signature ID, and upper router IP have been attacked since the data was registered.
Registration time: Time when data was registered.

<Attack information table>
The exporter holds an attack information table as shown in Table 4 in the attack information management DB, and has an authority that can be changed as necessary.
Table 4 shows a data structure after the change from the attack information temporary table and aggregation (step 306 in FIG. 2).

The meaning of each column of the attack information table is as follows.
Destination IP: Destination IP address of the detected attack.
Signature ID: Signature ID of the signature management table corresponding to the detected attack.
Upper router IP: The IP address of the gateway device existing in the direction of the detected attack source (the IP address of the gateway device closer to the attack source). The packet inspection unit 202 obtains the received data by referring to the ARP table of the exporter using the transmission source MAC address of the data as a key.
Attack start time: Attack start time.
Attack end time: Attack end time. Time posted from the temporary attack information table.
Attack counter: A counter that indicates how many attacks of the same destination IP, signature ID, and upper router IP have occurred since the attack started.

  The exporter function control unit 201 periodically acquires data in the attack information table from the attack information table management unit 204 and transmits the data to the collector. When transmitting the data, the attack information table management unit 204 refers to the attack start time and the attack end time, aggregates the attack information, and then transmits the data. The attack information table management unit 204 deletes the data transmitted after the data transmission from the attack information table. This can reduce the resource consumption of the exporter.

  Assume that an exporter needs to be prepared for each network segment. When the exporter program is built by loading the exporter program into the computer, the exporter program can be installed on any device as long as it can monitor the communication of the corresponding network and can communicate with the collector. A plurality of exporter programs may be introduced. If the network bandwidth is squeezed by a DoS attack, communication between the device with the exporter program installed and the collector may be difficult. Therefore, a dedicated network may be constructed for communication between the apparatus in which the exporter program is introduced and the collector.

Next, a collector, which is another component constituting the core of the present invention, will be described with reference to FIG.
The collector has an attack information management unit 207 having a function of storing data periodically acquired from an exporter registered in the exporter information table in the attack information management table, and an attack having a function of searching for an attack source by referring to the attack information management table An information search unit 208, a function of controlling the attack information management unit 207 to store data periodically acquired from the exporter in an attack information management table, a function of controlling the attack information search unit 208 to identify an attack source, from the outside And a collector function control unit 206 having a function of controlling the attack source by controlling the attack information search unit 208 and the exporter, and a function of updating each table and setting on the exporter and collector. Device.
In one embodiment, the collector is constructed by reading a collector program for realizing the functions of the above-described units into a computer.

The collector also has the following setting parameters. That is, the following information is given as a setting parameter to the collector program.
Standby port number: Since it has a function as a server that processes attack information periodically transmitted from the exporter and control requests from the outside, it is necessary to specify the standby port number.

  The collector holds an attack information management table as shown in Table 5, and has an authority that can be changed as necessary.

The meaning of each column of the attack information management table is as follows.
Exporter IP: The IP address of the exporter from which the data was obtained.
Destination IP: Destination IP address of the detected attack.
Signature ID: Signature ID of the signature management table corresponding to the detected attack.
Upper router IP: IP address of the gateway device existing in the direction of the detected attack source (IP address of the gateway device closer to the attack source as seen from the exporter).
Attack start time: Attack start time.
Attack end time: Attack end time.
Attack counter: A counter that indicates how many attacks of the same destination IP, signature ID, and upper router IP have occurred since the attack started.

  The collector's attack information management unit 207 adds the IP address of the data acquisition source exporter to the attack information acquired from the exporter, and adds an entry to the attack information management table.

  The collector holds an exporter information table as shown in Table 6 and has an authority that can be changed as necessary.

The meaning of each column of the exporter information table is as follows.
ID: An ID that uniquely identifies the exporter.
Exporter IP: IP address of the exporter to be managed.
Administrator email address: Email address of the exporter administrator.
Monitored NW: Network address to be monitored.
Neighboring exporter information: Information obtained by connecting the IP address of the gateway device through which data is sent to the network monitored by the neighboring exporter and the ID of the neighboring exporter, separated by a colon. If there is more than one, describe them with commas. Used to specify the attack path.
Remarks: Comment information for the exporter.

  The collector receives attack information only from the exporters registered in the exporter information table.

When transmitting the aggregated data from the exporter to the collector, the data is compressed and transmitted so as not to compress the network bandwidth. Further, the communication between the exporter and the collector is encrypted using a public key cryptosystem to maintain confidentiality and integrity.
Control of adjacent gateway devices is performed using SNMP (Simple Network Management Protocol), NETCONF Configuration Protocol, pre-registered commands (device-specific tools), and the like.

<Operation of Example>
A procedure for aggregating attack information will be described with reference to FIG.

  The exporter function control unit 201 of the exporter that has received the communication from the unauthorized terminal 102 requests the packet inspection unit 202 to inspect the received packet (step 301).

Upon receiving the inspection request, the packet inspection unit 202 inspects whether the received packet is an attack based on the signature information table, and returns the inspection result to the exporter function control unit 201 (step 302). The inspection result is returned only when the received packet is an attack. The following information should be included in the test results.
-Destination IP address of the attack packet-Signature ID indicating the type of attack
-Upper router IP address-Attack packet reception time

The signature ID is obtained from the signature management table. The upper router IP obtains the received packet by referring to the ARP table of the exporter using the source MAC address of the received packet as a key.
In order to reduce the CPU load, the processing in the packet inspection unit 202 may be distributed to a plurality of hosts.

Upon receiving the inspection result from the packet inspection unit 202, the exporter function control unit 201 transmits an attack information registration request to the attack information table management unit 204 (step 303). The following information is included in the attack information registration request.
-Destination IP address of the attack packet-Signature ID indicating the type of attack
-Upper router IP address-Packet reception time

When the attack information table management unit 204 receives the attack information registration request (step 303) from the exporter function control unit 201, the attack information temporary management table is updated by the following procedure, and the registration result is returned to the exporter function control unit 201 (step). 304).
1. If the number of registered data in the attack information temporary table exceeds the maximum number of registered temporary attack information tables, check the data with the longest elapsed time since registration and check the threshold of the signature management table and the inspection timeout. Delete data or transfer to attack information table based on column.
2. Search the attack information temporary table using the attack packet destination IP, signature ID, and upper router IP as keys to check whether the same entry already exists.
3. If the same data is not registered, register new data and check the threshold values of the attack counter and signature management table. If the attack counter is equal to or greater than the threshold value as a result of the confirmation, the data is transferred to the information management table. If the attack counter is less than the threshold, do nothing.
4. If the same data has already been registered, refer to the registration time and the check timeout in the signature management table to check whether the registered data has timed out. Further, the threshold values of the attack counter and the signature management table are compared.
5. If the registered data has not timed out, the attack counter value of the registered data is incremented. As a result, if the attack counter is greater than or equal to the threshold, the data is transferred to the information management table. If the attack counter is less than the threshold, do nothing.
6. If the registered data has timed out and the attack counter is greater than or equal to the threshold, transfer the data to the information management table. If the registered data has timed out and the attack counter is less than the threshold, the corresponding data is deleted. Then, register new data in the same way as 3.

  For example, when UDP Flood is performed from the unauthorized terminal 102 to the server 105, data as shown in Table 7, Table 8, and Table 9 is registered in the attack information tables of the exporter 101, the exporter 107, and the exporter 108, respectively. .

  The exporter function control unit 201 requests the attack information table management unit 205 to collect attack information according to the setting of the attack information table check interval (step 305). The attack information table management unit 205 refers to the destination IP, signature ID, upper router IP, attack start time, attack end time, and attack counter of the attack information table and aggregates the data temporally to the exporter function control unit 201. The aggregation result is returned (step 306).

  For example, if there is a line where the destination IP, signature ID, and upper router IP are the same and the attack start time, attack end time, and attack counter are 1190800396, 1190900496, 100 and 1190800496, 1190900596, 100, respectively, the attack starts The time, attack end time, and attack counter are set to 1190800396, 1190900596, 200, and are collected into one data. That is, the attack start time is the earlier time of the two, the attack end time is the later of the two, and the attack counter is the sum of both. After aggregation, the attack information table management unit 205 deletes the data of the aggregation source from the attack information table.

  The exporter function control unit 201 transmits the aggregated attack information received from the attack information table management unit 205 to the collector function control unit 206 (step 307).

  The collector function control unit 206 requests the attack information management unit 207 to store the attack information received from the exporter function control unit 201 in the attack information management table (step 308). The storage request includes the attack information received from the exporter function control unit 201 and the IP address of the exporter from which the attack information is obtained.

  The attack information management unit 207 returns the storage result of the attack information to the collector function control unit 206 (step 309).

  Table 11 shows an example in which the attack information table (reposted in Table 10) of the exporter 101 shown in Table 7 is collected in the collector. The attack start time is the earliest time, the attack end time is the latest time, and the attack counter is the total value including the attack information omitted from Table 10.

  As in the above procedure, data required for specifying the attack path of DoS attacks is managed using three tables, and a retention period is provided for the data in the table, and the data is aggregated from the exporter to the collector in two stages. As a result, consumption of resources (memory, disk) of the exporter and collector can be suppressed. In addition, it is considered that the consumption of machine resources (CPU, memory, disk) can be suppressed by making the exporter independent from the gateway device and providing the exporter and the collector to share roles.

  Next, the control procedure of the attack source (illegal terminal 102) will be described with reference to FIG.

The collector function control unit 206 requests the attack information inspection unit 208 to search for an attack source at an arbitrary timing or periodically (step 401). The search request includes the following information:
・ Search period (search start time and search end time)
-Destination IP address-Signature ID

  The collector function control unit 206 designates the IP address of the server 105 as the destination IP address and 1 as the signature ID, and requests the attack information search unit 208 to search for an attack path.

The attack information search unit 208 receives a request from the collector function control unit 206, and specifies an attack path in a direction opposite to the attack direction. The attack information search unit 208 searches for an attack path using the following three lists. The usage image of each list is shown in FIG.
Attack route list: A list that stores attack route information (data that combines the IP address of the exporter on the attack route and the IP address of the gateway device closer to the attack source) obtained by attack route search.
Route search waiting list: A list for storing an attack route list waiting for search processing for which an attack route search has not been completed. The attack route is searched until this list is empty.
Route search result list: A list that stores the attack route list for which the attack route search has been completed. Reference is made when the attack information search unit 208 returns the attack path search result to the collector function control unit 206.

The attack route search procedure will be described with reference to FIG.
1. Using the search period, destination IP address, and signature ID included in the search request as keys, refer to the attack start time, destination IP, and signature ID columns in the attack information management table to extract the corresponding row (step 501) .
2. The information acquired in step 1 is sorted in descending order of attack start time, and information (Table 12) is obtained by deleting the duplicated exporter IP, destination IP, signature ID, and upper router IP. Table 12 shows the search result of the attack information table of the collector when an attack is made from the unauthorized terminal 102 to the server 105.

3. Referring to the column of the monitoring target NW in the exporter information table, identify the exporter that exists in the same network as the destination IP address included in the search request, and acquire the IP address of the identified exporter.
4. Using the IP address of the exporter acquired in step 3 as a key, refer to the exporter IP column of the information acquired in step 2 and check whether the corresponding row (attack information necessary for route search) exists. If the corresponding line does not exist, the process proceeds to step 5. If the corresponding line exists, the process proceeds to step 6 (step 502).
5. The process is aborted, and the above route search result list is returned to the collector function control unit 206 as a search result (step 503).
6. Route search is performed for all applicable lines. If the route search processing has been completed for all the corresponding lines, the procedure proceeds to step 7. If not, the procedure proceeds to procedure a (step 504).
7. The attack route information stored in the route search result list as a search result is returned to the collector function control unit 206 (step 503).

Create an attack route list, register the pair of exporter IP and upper router IP of the corresponding line at the end of the created attack route list, and register the created attack route list at the end of the route search wait list (step 505).
b. If the route search wait list is empty, go to step 6. If not, go to the route search wait list from the end in order, acquire the attack route list, and go to step A (step 506).

A. Using the exporter IP at the end of the attack path list as a key, refer to the column of the exporter IP in the exporter information table and acquire the information of the corresponding exporter (step 507).
B. Using the upper router IP at the end of the attack path list as a key, refer to the column of adjacent exporter information in the information acquired in step A and try to acquire the ID of the adjacent exporter. If the ID corresponding to the upper router IP at the end of the attack route list can be obtained, go to step C. If not, the entry currently referenced from the route search wait list to the route search result list (attack route list) To step b (step 508).
C. Using the ID of the adjacent exporter acquired in Procedure B as a key, refer to the ID and exporter IP column of the exporter information table to acquire the IP address of the adjacent exporter (step 509).
D. Using the IP address of the adjacent exporter obtained in step C as a key, refer to the exporter IP column of the information obtained in step 2 and check whether there is a matching row. If there is a matching line, go to step E. If there is no matching line, it is judged that there is no attack information from the adjacent exporter, and is currently referred to the path search result list from the path search waiting list. Move the entry (attack route list) and proceed to step b (step 510).
E. It is confirmed whether or not there are a plurality of matching lines. If there are no more than one, go to step i, and if there are more than one, go to step F (step 511).
F. Validate and register the route information for all matched lines. Proceed to procedure i when processing the last matched line, or proceed to procedure I when processing a line other than the last (step 512).

i. Check whether the upper router IP of the matched line matches the upper router IP at the end of the attack path list currently referenced. If there is a match, the currently referred entry (attack route list) is moved from the route search waiting list to the route search result list, and the procedure goes to step b. If not, the procedure goes to procedure ii (step 516).
ii. Add the pair of the exporter IP and the upper router IP of the matched line to the currently referenced attack path list and proceed to step b (step 517).

I. Check if the upper router IP of the matched line matches the upper router IP at the end of the attack path list currently referenced. If they match, go to Procedure F, otherwise go to Procedure II (Step 513).
II. Create a copy of the currently referenced attack path list, and add the pair of exporter IP and upper router IP of the matched line to the end of the copied attack path list (step 514).
III. The copied attack route list is added to the end of the route search waiting list, and the process proceeds to step F (step 515).

For example, when UDP flooding is performed from the unauthorized terminal 102 to the server 105, attack route search processing is performed in the following order.
[Step 1] → [Step 2] → [Step 3] → [Step 4] → [Step 5] → [Step 6] → [Step a] → [Step b] → [Step A] → [Step B] → [Step C] → [Step D] → [Step E] → [Step i] → [Step ii] → [Step b] → [Step A] → [Step B] → [Step C] → [Step D] → [Procedure E] → [Procedure i] → [Procedure ii] → [Procedure b] → [Procedure A] → [Procedure B] → [Procedure b] → [Procedure 6] → [Procedure 7]

  Since the attack route search processing is independent of processing, the processing may be distributed to a plurality of hosts for efficiency. In order to improve the efficiency of the search process, the search result of the attack route may be stored.

The attack information inspection unit 208 returns the search result created in the above procedure to the collector function control unit 206 (step 402). The search information includes the following information:
-Number of attack routes-Search result list: Multiple attack route information that combines route size and route list (IP address of exporter on route and IP address of gateway device closer to attack source)

  For example, when UDP Flood is performed from the unauthorized terminal 102 to the server 105, the number of attack routes is 1, and the search result list (route size and route list) is as shown in Table 13.

  The collector function control unit 206 traces each route list in the search result list in order from the end, and acquires the IP address of the exporter that makes the control request and the IP address of the gateway device closer to the attack source.

  In the case of the example of Table 13, the collector function control unit 206 refers to the IP address of the exporter 101 acquired first, and acquires the control rule table of the exporter 101 as necessary (if it has already been acquired, do not acquire it) ). Since the control rule acquired from the exporter 101 cannot control the IP address (forged IP) of the unauthorized terminal 102 that is not a router, the collector function control unit 206 refers to the next entry in the route list.

The collector function control unit 206 refers to the IP address of the exporter 107 acquired next, and acquires the control rule table of the exporter 107 as necessary (not acquired if already acquired). Since the control rule acquired from the exporter 107 can control the router A103, the collector function control unit 206 requests the exporter function control unit 201 of the exporter 107 to control the gateway device router A103 closer to the attack source (step 403). The control request includes the following information:
-Requester's IP address-IP address of the router to be controlled-Signature ID indicating the type of attack received
• Control type • List of control commands and control options corresponding to the control type

  Specify the IP address of the collector as the requesting IP address, or the IP address of the host that requested the collector to control the attack. The IP address of the router A103 acquired from the route list is designated as the IP address of the router to be controlled. The control type specifies the communication control method. For example, 1 is designated to give a warning to the exporter administrator, 2 is designated for bandwidth control, and 4 is designated for blocking. The control command and control option are determined by referring to the control rule table of the exporter to which control is requested using the specified control type as a key.

Upon receiving the control request, the exporter function control unit 201 instructs the attack source control unit 205 to control the attack source (step 404). The control instruction includes the following information.
-Requester's IP address-IP address of the router to be controlled-Signature ID indicating the type of attack received
-Control commands-Control options

The attack source control unit 205 that has received the control request refers to the control rule table and tries to control the corresponding gateway device. Then, the control result is returned to the exporter function control unit 201 (step 405).
The exporter function control unit 201 that has received the control result confirms whether the control is successful. If the control is successful, the control result is relayed to the collector function control unit 206 (step 406). Even when the control fails and when there is no other control type to execute, the control result is relayed to the collector function control unit 206. If the control fails and there is another control type to be executed, the attack source control unit 205 is again instructed to control the attack source.

  According to the first embodiment of the present invention, even when the IP address of the attack source is spoofed, the gateway device (router A103) nearest to the attack source is identified, and communication from the attack source (illegal terminal 102) is performed. Since it can be efficiently controlled by the nearest gateway device (router A103), it can be said that the present invention is also effective for DoS attacks in which the IP address of the attack source is spoofed.

  Next, a second embodiment of the present invention will be described. In the first embodiment, the case where the DoS attack is executed from a single direction has been described. However, the DoS attack may be executed simultaneously from a plurality of directions. It will be described below that the present invention is effective even when DoS attacks are performed simultaneously from a plurality of directions.

FIG. 6 shows a network configuration according to the second embodiment of the present invention. The outline of each device shown in FIG. 6 is described below. The exporter 109, the router C110, the unauthorized terminal 111, and the unauthorized terminal 112 are added to the configuration shown in FIG.
Exporter 101: A device that has introduced the exporter program.
Unauthorized terminal 102: A device that has performed a DoS attack (UDP Flood) on the server 105.
Router A103: A device that relays communication between the network to which the unauthorized terminal 102 belongs and the network to which the router B104 belongs.
Router B104: A device that relays communication between the network to which the server 105 belongs and the network to which the router A103 belongs.
Server 105: A device that provides a service.
Collector 106: An apparatus in which the collector program is introduced.
Exporter 107... Device that has introduced the exporter program.
Exporter 108: A device in which the exporter program is introduced.
Exporter 109: A device in which the exporter program is introduced.
Router C110: A device that relays communication between the network to which the server 105 belongs and the network to which the unauthorized terminal 111 belongs.
Unauthorized terminal 111: A device that has performed a DoS attack (UDP Flood) on the server 105.
Unauthorized terminal 112: A device that has performed a DoS attack (UDP Flood) on the server 105.

  Aggregation of attack information is the same as in the first embodiment, and is omitted, and the control procedure of the attack source (the unauthorized terminal 102, the unauthorized terminal 111, and the unauthorized terminal 112) is described with reference to FIG.

The collector function control unit 206 requests the attack information inspection unit 208 to search for an attack source at an arbitrary timing or periodically (step 401). The search request includes the following information:
・ Search period (search start time and search end time)
-Destination IP address-Signature ID

The collector function control unit 206 designates the IP address of the server 105 as the destination IP address and 1 as the signature ID, and requests the attack information search unit 208 to search for an attack path.
The attack information search unit 208 receives a request from the collector function control unit 206, and specifies an attack path in a direction opposite to the attack direction.

  The attack route search procedure is the same as that in the first embodiment, but the attack information extracted from the attack information management table in step 501 in FIG. Table 14 shows a search result of the attack information table of the collector when an attack is performed on the server 105 from the unauthorized terminal 102 and the unauthorized terminal 111.

When UDP flooding is performed from the unauthorized terminal 102, the unauthorized terminal 111, and the unauthorized terminal 112 to the server 105, attack route search processing is performed in the following order.
[Step 1] → [Step 2] → [Step 3] → [Step 4] → [Step 5] → [Step 6] → [Step a] → [Step b] → [Step A] → [Step B] → [Step C] → [Step D] → [Step E] → [Step F] → [Step I] → [Step II] → [Step III] → [Step F] → [Step i] → [Step ii] → [Step b] → [Step A] → [Step B] → [Step b] → [Step A] → [Step B] → [Step b] → [Step 6] → [Step a] → [Step b] → [Step A] → [Step B] → [Step C] → [Step D] → [Step E] → [Step i] → [Step ii] → [Step b] → [Step A] → [Step B] → [Step C] → [Step D] → [Step E] → [Step i] → [Step ii] → [Step b] → [Step A] → [Step B] → [Step b] → [Step 6] → [Step 7]

The attack information inspection unit 208 returns the search result created in the above procedure to the collector function control unit 206 (step 402). The search information includes the following information:
-Number of attack routes-Search result list: Multiple attack route information that combines route size and route list (IP address of exporter on route and IP address of gateway device closer to attack source)

  When UDP flood is performed from the unauthorized terminal 102, the unauthorized terminal 111, and the unauthorized terminal 112 to the server 105, the number of attack routes is 3, and the search result list (route size and route list) is as shown in Table 15, Table 16, and Table 17. become.

  The collector function control unit 206 traces each route list in the search result list in order from the end, and acquires the IP address of the exporter that makes the control request and the IP address of the gateway device closer to the attack source.

  In the case of the example in Table 15, the collector function control unit 206 refers to the IP address of the exporter 101 acquired first, and acquires the control rule table of the exporter 101 as necessary (if it has already been acquired, do not acquire it) ). Since the control rule acquired from the exporter 101 cannot control the IP address (forged IP) of the unauthorized terminal 102 that is not a router, the collector function control unit 206 refers to the next entry in the route list.

The collector function control unit 206 refers to the IP address of the exporter 107 acquired next, and acquires the control rule table of the exporter 107 as necessary (not acquired if already acquired). Since the control rule acquired from the exporter 107 can control the router A103, the collector function control unit 206 requests the exporter function control unit 201 of the exporter 107 to control the gateway device router A103 closer to the attack source (step 403). The control request includes the following information:
-Requester's IP address-IP address of the router to be controlled-Signature ID indicating the type of attack received
• Control type • List of control commands and control options corresponding to the control type

  Specify the IP address of the collector as the requesting IP address, or the IP address of the host that requested the collector to control the attack. The IP address of the router A103 acquired from the route list is designated as the IP address of the router to be controlled. The control type specifies the communication control method. For example, specify 1 if you want to alert the exporter administrator, 2 if you want to perform bandwidth control, and 4 if you want to block. The control command and control option are determined by referring to the control rule table of the exporter to which control is requested using the specified control type as a key.

Upon receiving the control request, the exporter function control unit 201 instructs the attack source control unit 205 to control the attack source (step 404). The control instruction includes the following information.
-Requester's IP address-IP address of the router to be controlled-Signature ID indicating the type of attack received
-Control commands-Control options

The attack source control unit 205 that has received the control request refers to the control rule table and tries to control the corresponding gateway device. Then, the control result is returned to the exporter function control unit 201 (step 405).
The exporter function control unit 201 that has received the control result confirms whether the control is successful. If the control is successful, the control result is relayed to the collector function control unit 206 (step 406). Even when the control fails and when there is no other control type to execute, the control result is relayed to the collector function control unit 206. If the control fails and there is another control type to be executed, the attack source control unit 205 is again instructed to control the attack source.

  Similarly, an attack on the server 105 from the unauthorized terminal 111 and the unauthorized terminal 112 can be controlled by the router C110 closest to the attack source.

  According to the second embodiment of the present invention, even when a DoS attack is executed simultaneously from a plurality of directions, the gateway device (router A103, router C110) nearest to the attack source is identified, and the attack source (the unauthorized terminal 102, the unauthorized terminal 111, Since communication from an unauthorized terminal 112) can be efficiently controlled by the gateway device (router A103, router C110) closest to the attack source, the present invention is effective against DDoS attacks in which DoS attacks are executed simultaneously from multiple directions. But it can be said that it is effective.

  The present invention can be applied to a network facility used in a network business such as an ISP (Internet Service Provider).

  101, 107, 108 ... Exporter 106 ... Collector 201 ... Exporter function control unit 202 ... Packet inspection unit 203 ... Attack information temporary table management unit 204 ... Attack information table management unit 205 ..Attack source control unit 206... Collector function control unit 207... Attack information management unit 208.

Claims (9)

A denial of service attack control system comprising an exporter and a collector connected to a network,
The exporter is
A packet inspection unit for detecting a packet that matches a predetermined attack type in the monitored network;
An attack information management unit that generates the attack information including the destination IP address of the detected packet, the type of matched attack, and the IP address of the gateway device closer to the attack source, and periodically aggregates and transmits to the collector;
A control unit that receives a control request for the gateway device from the collector and controls the gateway device;
With
The collector is
An attack information management unit that receives the aggregated attack information from the exporter, adds an IP address of a transmission source exporter, and stores it as attack information;
For the exporter that includes the given destination IP address in the monitored network, after obtaining the IP address of the corresponding gateway device closer to the attack source from the stored attack information, via the gateway device that obtained the IP address An attack information search unit that generates a list of IP addresses of the exporter and the gateway device by repeating the process of obtaining the IP address of the gateway device that is closer to the attack source corresponding to the adjacent exporter from the stored attack information; ,
A control unit that transmits a control request for the gateway device to the exporter using the list;
A denial of service attack control system. The attack information generated by the attack information management unit of the exporter includes the time when the attack information was generated and the number of detected packets,
The attack information management unit of the exporter includes an attack information temporary table and an attack information table, stores the generated attack information in the attack information temporary table, and stores the attack information stored in the attack information temporary table for a certain period of time. When the time included in the attack information has passed a predetermined period and the number of packets included in the attack information is less than a predetermined threshold for each type of attack Deletes the attack information from the attack information temporary table. If the attack information is equal to or greater than the threshold, the attack information is transferred to the attack information table, deleted from the attack information temporary table, and transferred to the attack information table. The attack information is periodically collected and transmitted to the collector, then the attack information is deleted from the attack information table,
The attack information management unit of the collector includes an attack information management table that receives the aggregated attack information from the exporter, adds an IP address of a transmission source exporter, and stores it as attack information. Denial of service attack control system. The attack information generated by the attack information management unit of the exporter includes the time when the attack information was generated and the number of detected packets,
The attack information management unit of the exporter calculates the sum of the earliest time, the latest time, and the number of packets for the attack information with the same destination IP address, matched attack type, and IP address of the gateway device closer to the attack source. The denial-of-service attack control system according to claim 1 or 2, wherein the system is periodically aggregated and transmitted to the collector. The attack information generated by the attack information management unit of the exporter includes the number of detected packets,
The denial of service attack control according to claim 1, wherein the attack information management unit of the exporter periodically aggregates and transmits to the collector attack information whose number of packets is equal to or greater than a predetermined threshold for each type of attack. system. The attack information generated by the attack information management unit of the exporter includes the time when the attack information was generated,
The denial-of-service attack control system according to claim 1, wherein the attack information management unit of the exporter periodically deletes the attack information whose time has passed a predetermined period. The exporter used in a denial of service attack control system comprising an exporter and a collector connected to a network,
A packet inspection unit for detecting a packet that matches a predetermined attack type in the monitored network;
An attack information management unit that generates the attack information including the destination IP address of the detected packet, the type of matched attack, and the IP address of the gateway device closer to the attack source, and periodically aggregates and transmits to the collector;
A control unit that receives a control request for the gateway device from the collector and controls the gateway device;
Exporter with The collector used in a denial of service attack control system comprising an exporter and a collector connected to a network,
Attack information including the destination IP address of the packet that matches the predetermined attack type, the matched attack type, and the IP address of the gateway device closer to the attack source is received from the exporter, and the IP address of the source exporter is received. An attack information management unit for adding and storing as attack information;
For the exporter that includes the given destination IP address in the monitored network, after obtaining the IP address of the corresponding gateway device closer to the attack source from the stored attack information, via the gateway device that obtained the IP address An attack information search unit that generates a list of IP addresses of the exporter and the gateway device by repeating the process of obtaining the IP address of the gateway device that is closer to the attack source corresponding to the adjacent exporter from the stored attack information; ,
A control unit that transmits a control request for the gateway device to the exporter using the list;
With a collector. The exporter computer used in a denial of service attack control system comprising an exporter and a collector connected to a network,
A function for detecting a packet that matches a predetermined attack type in the monitored network;
A function of generating attack information including a destination IP address of the detected packet, a matched attack type, and an IP address of a gateway device closer to the attack source, and periodically aggregating and transmitting to the collector;
A function of receiving a control request for the gateway device from the collector and controlling the gateway device;
A program to realize The collector computer used in a denial of service attack control system comprising an exporter and a collector connected to a network;
Attack information including the destination IP address of the packet that matches the predetermined attack type, the matched attack type, and the IP address of the gateway device closer to the attack source is received from the exporter, and the IP address of the source exporter is received. A function to add and store as attack information,
For the exporter that includes the given destination IP address in the monitored network, after obtaining the IP address of the corresponding gateway device closer to the attack source from the stored attack information, via the gateway device that obtained the IP address A function of generating a list of IP addresses of the exporter and the gateway device by repeating the process of acquiring the corresponding IP address of the gateway device closer to the attack source from the stored attack information for the adjacent exporter;
A function of transmitting a control request for the gateway device to the exporter using the list;
A program to realize

Images