JP2011055299A - Service protecting system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To protect a server from an attack even if an attacker is located in the same subnet as the server, continue a service to users other than the attacker, and prevent stop of the service due to the attack. <P>SOLUTION: A service providing means for providing a service to a user is protected by a connection means for changing addresses of a data link layer and a network layer; an information transmitting means for changing an information transmission path; an attack detecting means; an offence means; a decoy means; a path change command transmitting means: and an offence control means. Attacks from the outside of the subnet to which the service providing means belongs, are centralized to the offence means by path change, and internal attacks are centralized to the decoy means. The signals from which attack signals are removed are supplied to the service providing means, to continue the service even under the attack. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a service protection system that protects a service from an attack signal by an attacker on the network to a server that provides the service on the network, and allows the service to continue even under an attack.

  Attacks via the Internet are frequently occurring on servers that provide services on the Internet. Attackers have various intentions to attack, and various software called attack tools used by attackers. Among them, there is a distributed denial of service attack (abbreviated as DDoS attack) in which multiple client computers infected with malware such as computer viruses access a specific server in a short time in a large amount. is there. Due to the DDoS attack from the attacker against the targeted server (hereinafter, the target server), normal services from the server to users other than the attacker cannot be performed.

  For example, as an attack against a Web server, (1) a thin message that prompts a large amount of TCP connection preparation processing to the attack destination server by sending a large amount of syn packets indicating TCP connection calls to the attack destination. Flood (syn flood) attack, (2) TCP connection that only performs a large amount of TCP connection and does not actually communicate anything, so that the attack destination server simply wastes resources by maintaining the TCP connection Flood (TCP Connection flood) attack, (3) In addition to sending the actual HTTP GET command, a large amount of processing to make the Web server respond to the content is executed, in addition to the load on the server itself, HTTP get flood (HTTP GET flood) that wastes bandwidth in the direction toward the Internet side of the line to which is connected And the like are known attack. Also, UDP flood (UDP flood) that creates a large number of unnecessary IP packets that are unrelated to actual communication, and fills the Internet connection line of the attack destination by reaching a large amount of IP packets to a specific attack destination. Attacks or ICMP flood attacks are also known.

  Also, with malware called a bot, an attacker can remotely control a client computer loaded with the bot. For this reason, it is not necessary for the attacker to attack the attack target server directly, and the bot under the control of the attacker only has to issue an attack command to a plurality of client computers loaded. Since it is possible to command multiple bots to attack a specific server at a specific time, for example, attacking a server of an organization at a certain time, It is also possible to command another server belonging to the organization to attack.

  In general, in information communication, based on the network structure design policy (hereinafter abbreviated as OSI) established by the International Organization for Standardization (ISO) to implement data communication between different models, the functions that communication devices should have are hierarchically structured. In many cases, the function is realized in accordance with the model divided into two. In OSI, communication functions are arranged in order from the lower layer: physical layer (L1), data link layer (L2), network layer (L3), transport layer (L4), session layer (L5), presentation layer (L6), application layer ( In the Internet, Ethernet (registered trademark) is used for the second lower data link layer, and the Internet protocol (hereinafter abbreviated as IP) is used for the third network layer. There are many cases. In the Internet, switching is performed by referring to an address called a MAC (Media Access Control address) address in the data link layer as a switching means for relaying a signal from a transmission source to a reception destination. Switching is performed by referring to the address. That is, the switching means reads the destination address included in the header that is the head of the incoming packet signal for each incoming packet, and determines the transfer destination of the packet signal by referring to a predetermined route table. The network layer switching means is called a router, and the routing table is also called a routing table. Since the router performs this forwarding operation on all incoming packets, for example, if a large amount of access arrives at the switching means at once, such as a DDoS attack from an attacker, the above processing will not be in time, and the attacker It is possible that signals from other users may be lost.

  In general, on the server side that is the target of an attack, a defense method according to the form of the attack has been proposed. However, in the DDoS attack, the traffic generation capability directed to the attack is large, and therefore, the attack traffic larger than the bandwidth of the line connected to the server often occurs. In that case, since most of the signals from the Internet to the server are lost due to packet collision, signals from users other than the attacker hardly reach the server. That is, a large amount of attack traffic is used to cause congestion on the communication line from the attack source to the target server, and prevent smooth communication by users other than the attacker. As countermeasures against DDoS attacks, there are measures such as a traffic analysis apparatus and an analysis method (see, for example, Patent Document 1). However, when the apparatus or analysis method is used as a DDoS attack countermeasure, It is necessary to install and apply at a point wider than the bandwidth of the traffic generated by the DDoS attack. Thus, the defense against the DDoS attack is difficult to realize with the target server alone or only with countermeasures installed in the immediate vicinity of the server.

  An Internet service provider (hereinafter abbreviated as ISP) that provides an Internet service may cope with such an attack by changing the Internet signal transmission path. In an AS (Autonomous System) that is an autonomous network owned, operated, and managed by an ISP, a BGP (Border Gateway Protocol) signal or the like is adjacent to an AS that is owned, operated, or managed by another ISP. It transmits mutually with AS, and the setting of a path | route and the exchange of change information are performed (for example, refer nonpatent literature 1). By making the change of the transmission route known to all ISPs using these BGP signals and the like, route information to be routed can be distributed throughout the Internet. In the AS, among the packet signals input from the adjacent AS, signals other than the one addressed to the subscriber are transferred to another adjacent AS according to the routing table created in advance using the transmission path information received so far. is doing. Therefore, when an attack is detected, the BGP that is receiving the public information is sent to the IP address of the target server by publicizing the route to Null indicating that the next forwarding destination of the BGP router is to be discarded by BGP. All the packet signals for the target server that reached the router and became the attack target can be discarded. For this reason, it is possible to prevent an enormous amount of traffic associated with an attack from flowing over the entire Internet, and to reduce the arrival of an attack signal at the target server. This method is referred to herein as RTBH (Remotely triggered black hole filtering).

  Although RTBH avoids Internet congestion, packets from normal users heading to the target server are also discarded, and the service by the server cannot be continued. Therefore, a method is considered that enables normal service of the target server to be continued by inserting a server acting as a proxy for the target server between the attacker and the target server. Specifically, a defense device that estimates illegal traffic such as attack traffic and excessive traffic (see, for example, Patent Document 1), deletes only the attack signal, and passes signals other than the attack signal (for example, Patent Document 2). And patent document 3) are placed in the Internet as a proxy server of the target server, and the packet addressed to the target server is guided to the defense device and the output of the defense device is guided to the target server, so that attack resistance and service continuity are achieved. It is conceivable to achieve both. The defense device uses Syn Cookie or Syn Cache (for example, refer to Non-Patent Document 2) for Syn Flood attacks, or for each IP address for reload attacks or Connection Flood attacks. This can be dealt with by setting an upper limit on the number of TCP (Transmission Control Protocol) connections established in (1) and not accepting TCP connection requests exceeding the upper limit. In addition, since the configuration of the defense device is different from the configuration of the normal server device, it has a dedicated hardware configuration for defense, so that it is almost impossible to process the attack signal. Guide of the packet signal addressed to the target server to the defense device can be realized by advertising the route information for changing the route set for the target server to the route for the defense device by BGP.

  On the other hand, in order to guide the output signal of the defense device to the target server, the IP address of the target server cannot be used. This is because when the IP address of the target server is used, the output from the defense device is collected by the defense device again by the setting of BGP. Therefore, the signal addressed to the target server is encapsulated and transmitted from the defense device to the router nearest to the target server (the default gateway router of the target server). Since the outside of the capsule is a signal addressed to the nearest router from the defense device, it is not affected by the route to the target server set by the BGP for the defense device. On the other hand, since it is not necessary to perform routing between the default gateway router of the target server and the target server, it is not affected by BGP. Thus, the encapsulated signal addressed to the target server can be decapsulated by the default gateway router of the target server and supplied to the target server. This makes it possible to insert a defense device between the attacker and the target server as a proxy server for the target server without changing any settings on the defense device side.

JP 2008-136002 A JP 2008-252221 A JP 2006-345014 A

“Introduction to Internet Routing” by Tomobe, Ikejiri and Kobayakawa, first published on September 18, 2001, Shosuisha “A Constructable Overlay Network for Defense against Distributed Syn Flood Attack”, 2004 IEICE Technical Report, Vol. 104, no. 513 (20041209) pp. 13-18

  As described above, it is possible to continue the service of the target server by inserting the defense device as a proxy server of the target server between the attacker and the target server.

  However, if the attacker's nearest router (the attacker's default gateway router) is the same as the target server's default gateway router, that is, if the attacker is in the same subnet as the target server, the defense device as described above A defense method installed outside the subnet is not effective. This is because an attacker can attack the target server directly without going through the default gateway router.

  An attacker can infer that the target server is in the same subnet if his IP address is close to the IP address of the target server. In this case, if the attacked target server simply changes the IP address for the purpose of avoiding the attack, the attacker can check the target server's change destination IP address from the MAC address of the targeted server. It is difficult to avoid. Since the difference between the server's capabilities and the capabilities of the client PC (personal computer) or bot that the attacker has is small, a DDoS attack from just a few PCs can completely stop the server service. Is possible. For this reason, defense must be complete. Thus, when the attacker exists in the same subnet as the target server, it is a problem that cannot be solved by the above method.

  The present invention has been proposed in view of the above, and even if an attacker exists in the same subnet as the target server, the target server can be protected from the attacker and services can be continued for other than the attacker. An object of the present invention is to provide a service protection method that can prevent a service stop due to an attack.

In order to achieve the above object, the first requirement of the service protection system of the present invention is that a first network provided with a transfer destination changing means, a router connected to the transfer destination changing means, and via the router In a network comprising a second network connected to a first network,
The first network includes a defense means connected to the transfer destination changing means,
The second network includes a connection means for changing the routing information of the router, a service providing means for providing an information providing service to a user connected to the first network or the second network and connected to the connection means, An attack detection means for detecting a distributed denial of service attack connected to the network or the second network, and a defense control means for controlling the defense system in response to the output of the attack detection means,
When the service providing means is subjected to a distributed denial of service attack, the transfer destination changing means aggregates the attack signals into the defense means according to the control from the defense control means, and the defense means deletes the attack signals The other signal is provided to the service providing means.

Further, in the second requirement, in addition to the first requirement, the router is connected to the data link layer switching unit connected to the connection unit, the data link layer switching unit, and the transfer destination changing unit. Network layer switching means,
The data link layer and network layer addresses of the connection means connected to the service providing means can be changed,
The transfer destination changing means includes an information transmission means connected to the network layer switching means and capable of changing an information transmission path, and a path change command transmission means for transmitting an information transmission path change instruction of the information transmission means,
The information transmission means aggregates the signals to the service providing means from attackers and users into the defense means in accordance with a command from the route change command sending means,
The defense means is connected to the information transmission means, and transmits and receives signals from the attacker and the user to the service provision means on behalf of the service provision means. The attack signal is deleted, and other signals can be provided to the service providing means according to the address change of the connecting means,
A decoy means for transmitting and receiving a signal to the service providing means from an attacker and a user connected to the data link layer switching means or the network layer switching means on behalf of the service providing means,
The defense control means receives the attack detection signal, a signal for starting the operation of the defense means, a signal for starting the operation of the decoy means, and a connection capable of changing the addresses of the data link layer and the network layer The information transmission path change command of the information transmission means that can change the information transmission path is transmitted so that the signal for starting the change operation of both addresses of the means and the signal to the service providing means are aggregated in the defense means A signal for starting the operation of the route change command transmitting means is transmitted.

The third requirement is that, in addition to the first requirement, the router is connected to the data link layer switching means connected to the connection means, the data link layer switching means and the transfer destination changing means. Network layer switching means,
The connection means is connected to the service providing means,
The transfer destination changing unit includes an information transmission unit that is connected to the network layer switching unit and capable of changing an information transmission path, and a path change command transmission unit that transmits an information transmission path change command of the information transmission unit. ,
The information transmission means aggregates the signals to the service providing means from attackers and users into the defense means in accordance with a command from the route change command sending means,
The data link layer switching means can dynamically change a connection destination port connected to the connection means by a virtual LAN,
The network layer switching means eliminates the function of encapsulating the signal from the data link layer switching means and the encapsulation of the signal inputted to the data link layer switching means, and the data link A layer switching means provided with a virtual LAN,
The defense means is connected to the information transmission means and transmits / receives a signal from the attacker and the user to the service provision means on behalf of the service provision means, and signals other than the attack signal are transmitted. The service providing means encapsulates and transmits the network layer address in the network layer switching means as the destination, and the encapsulated signal received from the network layer switching means is decapsulated and sent to the information transmission means. It is sent to the attacker or the user by sending it,
The defense control means receives the attack detection signal, starts a signal for starting the operation of the defense means, and communicates with the defense means between the service providing means and the defense means via the network layer switching means. The information transmission path can be changed so that the signal for changing the connection destination port of the data link layer switching means and the signal to the service providing means can be aggregated in the protection means to prevent mixing of signals outside the communication. The third requirement is that a signal for starting the operation of the route change command transmission means for transmitting the information transmission route change command of the information transmission means is transmitted.

According to a fourth requirement, in addition to the first requirement, the router is connected to the data link layer switching unit connected to the connection unit, the data link layer switching unit, and the transfer destination changing unit. Network layer switching means,
The connection means is a connection means connected to the service providing means and capable of changing addresses of the data link layer and the network layer of the router,
The transfer destination changing means includes an information transmission means connected to the network layer switching means, a domain name system capable of searching for a network layer address with a unified resource location specifier, and an IP address of the network layer of the connection means. A registered address changing means for rewriting the address with the IP address of the defense means,
The information transmission means can provide signals to the service providing means from attackers and users to the defense means in accordance with the IP address change of the connection means and the defense means,
The defense means is connected to the information transmission means, and transmits and receives signals to the service providing means from attackers and users on behalf of the service providing means,
A decoy means for transmitting and receiving a signal to the service providing means from an attacker and a user connected to the data link layer switching means or the network layer switching means on behalf of the service providing means,
The defense control means receives the attack detection signal, a signal for starting the operation of the defense means, a signal for starting the operation of the decoy means, and a connection capable of changing the addresses of the data link layer and the network layer The fourth requirement is that a signal for starting the changing operation of both addresses of the means and a signal for starting the operation of the registered address changing means are transmitted.

  The fifth requirement includes, in addition to the second requirement, a recovery control unit connected to the information transmission unit capable of changing the information transmission path, and a normal service of the service providing unit targeted for attack. When the recovery control means that aggregates the information of the attack detection means detects that the attack has fallen below a predetermined threshold that enables the provision operation, the state of the information transmission means that can change the information transmission path, and the protection means The above-described recovery of the attack end signal that returns the state, the state of both addresses of the connection means that can change the address of the data link layer and the network layer, and the state of the decoy means to the state before the attack detection means detects the attack. This is transmitted by the control means.

  Further, the sixth requirement includes, in addition to the third requirement, a recovery control unit connected to the information transmission unit capable of changing the information transmission path, and a normal service of the service providing unit targeted by the attack When the recovery control means that aggregates the information of the attack detection means detects that the attack has fallen below a predetermined threshold that enables the provision operation, the state of the information transmission means that can change the information transmission path, and the protection means The attack detection means attack the status, the status of the data link layer switching means that can dynamically change the connection destination port by the virtual LAN, and the status of the network layer switching means having the function of encapsulating and outputting the input signal. The recovery control means transmits an attack end signal for returning to the state before detection.

  In addition to the fourth requirement, the seventh requirement includes a recovery control unit connected to the information transmission unit, and a predetermined service enabling the service providing unit targeted for attack to perform a normal service providing operation. When the recovery control means that aggregates the information of the attack detection means detects that the attack has fallen below the threshold value, the address of the data link layer and the network layer can be changed registered in the domain name system changed by the registered address change means The attack detector detects the state of the network layer address of the secure connection means, the state of the defense means, the state of both addresses of the connection means that can change the address of the data link layer and the network layer, and the state of the decoy means. The recovery control means transmits an attack end signal for returning to the state before detection.

In addition to the second, fourth, fifth, or seventh requirement, the eighth requirement is one or a plurality of attack detection means or defense means, or a connection means that can change the address of the data link layer and the network layer. When the attack detection signal is received,
One or more attack detection means or defense means or data link layer and network layer address changeable connection means determine the network layer addresses of attackers and users who are sending signals to the service provision means. The decoy means is notified, and the decoy means sends an Internet control message protocol redirect signal in the Internet protocol to the attacker and the user, and rewrites the routing table used by the attacker and the user, so that the attack is performed. The signal from the user and the user is prevented from reaching the service providing means directly until the decoy means receives the attack end signal.

  The ninth requirement is that, in addition to the second, fourth, fifth or seventh requirement, both addresses of the data link layer connected to the service providing means and the connecting means capable of changing the address of the network layer are provided. Before the decoy means receives the attack detection signal, the decoy means stores in advance, and when the decoy means receives the attack detection signal, the decoy means sends a signal using both the stored addresses as a source address. Thus, the signal from the attacker and the user in the previous period is prevented from reaching the service providing means directly until the decoy means receives the attack end signal.

  The tenth requirement is that the above attack is made by rewriting the routing table held by the attacker and the user in addition to any of the second, third, fourth, fifth or seventh to ninth requirements. Signals from users and users are aggregated in either one or a plurality of decoy means or defense means, and the aggregated signals are rendered harmless by either one or more decoy means or defense means, respectively, and the service The provision to the providing means is performed until the decoy means receives an attack end signal.

  In addition, the eleventh requirement is used with the attacker by sending an address resolution signal or a reverse address resolution signal in addition to any of the second, fourth, fifth, or seventh to ninth requirements. Signals from a person are aggregated in either one or a plurality of decoy means or defense means, and the aggregated signals are rendered harmless by either one or a plurality of decoy means or defense means, respectively, to the service providing means. This is performed until the decoy means receives an attack end signal.

  The twelfth requirement is characterized in that the address to be changed of the connection means capable of changing the address of the data link layer and the network layer is stored in advance in one or more defense means and decoy means, respectively, The service is protected according to any one of the second, fourth, fifth, or seventh to eleventh requirements.

  The thirteenth requirement is that the change address of the connection means capable of changing the address of the data link layer and the network layer is received after the connection detection means capable of changing the address of the data link layer and the network layer receives the attack detection signal. One or more defensive means and decoy means are notified in a predetermined procedure, respectively, and the protection of the service is achieved according to any one of the second, fourth, fifth, or seventh to eleventh requirements. Is to do.

  Further, the fourteenth requirement is that when one or a plurality of attack detection means detects an attack on a plurality of different service providing means, the network resource layer is designated from the unified resource location specifier for each of the different service providing means. The network layer address of the connection means capable of changing the address of the data link layer and the network layer registered in the domain name system capable of searching for the address and the network layer address of the defense means are made adjacent to each other. The service is protected according to any one of the fourth or seventh to thirteenth requirements of the present invention.

  Previously, it was impossible to protect the target server without stopping the service of the target server when a DDoS attack is received from an attacker who exists in the same subnet as the target server. Made possible by the present invention. The defense capability in the present invention is determined solely by the capabilities of the defense means and the decoy means and the network bandwidth from the attacker to the defense means. For this reason, there is virtually no upper limit to the defense capability against the DDoS attack by strengthening the portion according to the assumed degree of attack.

It is a block diagram which shows the basic form of this invention. It is a block diagram which shows the 1st Embodiment of this invention. It is a block diagram which shows the 2nd Embodiment of this invention. It is a block diagram which shows the 3rd Embodiment of this invention. It is a block diagram which shows the 4th Embodiment of this invention. It is a block diagram which shows the 5th Embodiment of this invention. It is a block diagram which shows the 6th Embodiment of this invention.

  Embodiments of the present invention will be described below in detail with reference to the drawings. In the following description, devices having the same function or similar functions are denoted by the same reference numerals unless there is a special reason.

  First, the basic form of the present invention is shown in FIG. This is a network comprising a first network having transfer destination changing means 50, a router 60 connected to the transfer destination changing means 50, and a second network connected to the first network via the router 60. It is about. The first network includes defense means 10 connected to the transfer destination changing means 50. Further, the second network receives the output of the attack detection means 8 for detecting the distributed denial of service attack, the defense control means 9 for controlling the defense system in response to the output of the attack detection means 8, and the routing information of the router 60. Connection means 20 to be changed, and service providing means 1 connected to the connection means 20 and providing an information providing service to a user connected to the first network or the second network. When the service providing means 1 is subjected to a distributed denial of service attack, the connection means 20 aggregates attack signals into the defense means 10 according to the control from the defense control means 9, and the defense means 10 The signal is deleted and other signals are provided to the service providing means 1.

  First, a first embodiment will be described with reference to FIG. This is an application of the present invention to the Internet, and even when an attacker is in the same subnet as the target server, it is possible to protect the target server from the attacker and to continue services to non-attackers. It is a block diagram which shows the structure of the service protection system which can be performed. The service providing means 1 is an object to be protected. One or a plurality of attackers A2 attack the service providing means 1 via the information transmission means 4 capable of changing the information transmission path. The user B3 receives the service of the service providing means 1 via the information transmission means 4 capable of changing the information transmission path. The information transmission means 4 capable of changing the information transmission path relays and transmits the signal addressed to the service providing means 1 from the attacker A2 and the user B3 and the signal of the reverse transmission path.

  The network layer switching means 5 carries out an operation of relaying a signal that has reached one of the communication ports of the means to any of the other ports according to the routing table of the means. The network layer switching means 5 is a default gateway router that is the closest router on the network to the service providing means 1. The data link layer switching means 6 has the ability to determine the destination port of the next received signal by sequentially storing the MAC address of the received signal for each port. Reference numeral 7 denotes connection means that can change the address of the data link layer and the network layer. The attack detection means 8 can detect a Syn flood attack or a Connection flood attack from an attacker. In the example of FIG. 2, the attack detection means 8 is connected to the connection means 7 (hereinafter abbreviated as connection means 7) that can change the address of the data link layer and the network layer. The installation position is not limited to this, and it can be installed singularly or plurally at any position where an attack can be detected. Moreover, the defense control means 9, the defense means 10, and the path | route change command transmission means 11 are provided. Assume that the attacker C12 and the user D13 are in the same subnet as the service providing means 1. The decoy means 14 is also present in the same subnet as described above.

  Next, the operation will be described. When an attack on the service providing unit 1 from the attacker A2 or the attacker C12 starts, a signal specific to the attack is detected by one or a plurality of attack detection units 8.

When the defense control means 9 receives the signal from the attack detection means 8 and determines that the attack is severer than the threshold that the defense is necessary for the service providing means 1,
1) a signal for starting the operation of the defense means 10,
2) a signal for starting the operation of the decoy means 14;
3) a signal for starting the change operation of both addresses of the connection means 7 capable of changing the addresses of the data link layer and the network layer;
4) Start the operation of the route change command sending means 11 for sending the information transmission path change command of the information transmission means 4 capable of changing the information transmission path so that the signals to the service providing means 1 are collected in the defense means 10 And a signal to be transmitted.

  When the route change command transmission unit 11 receives an operation start signal from the defense control unit 9, the route of the information transmission unit 4 that can change the information transmission route is changed using a BGP signal or the like, and is sent to the service providing unit 1. Are aggregated in the defense means 10.

  The connection means 7 capable of changing the addresses of the data link layer and the network layer receives both address change operation start signals from the defense control means 9 and changes both addresses. The changed network layer address is determined in advance with the defense unit 10 or is notified to the defense unit 10 after the address is changed. After the address change, communication between the defense unit 10 and the service providing unit 1 is established.

  When Ethernet (registered trademark) is used for the data link layer, a MAC address is used as the data link layer address. The data link layer switching means (hereinafter simply abbreviated as “switch”) 6 displays the address of the source MAC of the signal reaching the port which is its input / output terminal for each port (switching table) in order to realize its switching function. ) Or have some storage means. That is, the switch learns the MAC address of the host connected to the port while receiving a signal. When the destination MAC address of the signal received by the switch is described in this table, the signal is transferred only to a necessary port by transferring the signal to a port in the table. ing.

  The data link layer switching unit 6 stores the MAC address of the connection unit 7. For this reason, even if both addresses of the connection means 7 are changed, the attack signal from the attacker C12 still remains at the ports of the data link layer switching means 6 connected to the connection means 7 at both addresses before the change. The connection line between the data link layer switching means 6 and the connection means 7 is congested. Therefore, before the attack detection means 8 sends an attack detection signal, the decoy means 14 sends a signal to the data link layer switching means 6 by using both addresses used by the connection means 7 so that the data link layer By updating the memory of the switching means 6 and directing the signal of the attacker C12 to the decoy means 14, the congestion of the line reaching the service providing means 1 is avoided.

  The defense means 10 acts as a proxy server for the service providing means 1, receives the signals of the attacker A2 and the user B3, deletes the attack signal, and supplies the other signals to the service providing means 1 so that the service can be continued. It is what.

  In general, since there is no need to change the MAC address, the MAC address is often described in a device such as a ROM that cannot be rewritten. However, the MAC address can be easily changed by recording in a rewritable device.

  In addition, when PPPoE (Point-to-point protocol over Ethernet (registered trademark)) is used for connection between the connection means 7 and the data link layer switching means 6 and the Internet is connected via an Internet service provider, etc. It is also assumed that user authentication is required from the network service provider when changing the MAC address. In this case, if the authentication is completed, connection to the data link layer switching means 6 is possible.

  A second embodiment will be described with reference to FIG. In this embodiment, the present invention is applied to the Internet. Compared to the first embodiment, the protection means 10 has a signal encapsulation function, the network layer switching means 5 has a decapsulation function and a virtual local area network (LAN) function, and the data link layer switching means 6 has a virtual function. A device having a new LAN function is used. Further, the connection means 20 does not need to change the addresses of the data link layer and the network layer. Moreover, the decoy means 14 is not required.

  Next, the operation of the second embodiment will be described. In the first embodiment, in order to prevent an attack from an attacker C12 existing in the same subnet as the service providing means 1, the connection means 20 is provided with a function capable of changing the addresses of the data link layer and the network layer and a decoy means 14. It cost. However, in the second embodiment, instead of this, (1) the virtual LAN function of the data link layer switching means 6, (2) the decapsulation function and the virtual LAN function of the network layer switching means 5, and (3) protection The attack from the attacker C12 is prevented by the signal encapsulation function of the means 10.

  The operations are the same as those in the first embodiment until the attacks from the attacker A1 are concentrated in the defense means 10. In the defense means 10, in order to send a signal other than the attack signal input to the protection means 10 to the service providing means 1, a signal addressed to the connection means 20 is once created, and the created signal is further addressed to the network layer switching means 5. Encapsulate as a signal. The encapsulated signal from the defense unit 10 that has reached the network layer switching unit 5 is decapsulated by the network layer switching unit 5, and the decapsulated signal is not mixed with other signals. And transmitted to the data link layer switching means 6 by the virtual LAN. By transmitting the data link layer switching means 6 to the connection means 20 via the port virtual LAN, it is possible to prevent the signal that does not pass through the protection means 10 from reaching the service providing means 1. For this reason, the attack signal of the attacker C12 does not reach the service providing means 1, and the service can be continued. For this reason, the decoy means 14 required in the first embodiment is not necessary in the second embodiment.

  As described above, in RTBH, route information that directs Nexthop, which is the next transfer destination of the BGP router, to Null was advertised by BGP. However, the transfer destination is not Null, and the information transmission route can be changed. It is possible to aggregate the signals addressed to the service providing means into the defense means by publicizing the route information directed to the protection means installed connected to the information transmission means by BGP. Since there are generally multiple BGP routers on the Internet, each defense means is directly connected to each BGP router to delete only the attack signal from the signal addressed to the service providing means, or the service is provided from multiple BGP routers. It is also possible to aggregate the signals addressed to the means as appropriate into one defense means and delete only the attack signal.

  In the above, publicizing of route information has been explained using BGP, but it is possible to publicize route information between ASs, and it is different from BGP between ASs. If the public information means can be used, the publicity of the route and the routing by the publicized route can be performed by means other than BGP. In the AS to which the service providing means 1 belongs, if the signal arrival from an attacker outside the own AS is permitted and the protection is performed only by the defense means 10 existing in the own AS, the use of the BGP in the own AS is not performed. It is also possible to change the route by changing the static routing or rewriting the routing table of the IGP which is the routing protocol in the AS, and guiding the signal addressed to the target server to the defense means.

  A third embodiment will be described with reference to FIG. In this embodiment, the present invention is applied to the Internet, and includes a domain name system 30, a registered address changing means 31, and an information transmitting means 32. This embodiment is characterized in that protection of the service providing means 1 can be realized without using BGP or the like to operate Internet route information. That is, even the person who cannot publicize the BGP route information can use the third embodiment.

  Next, the operation of this embodiment will be described. In this embodiment, by changing the IP address of the connection means 7 registered in the domain name system (hereinafter abbreviated as “DNS”) 30, the attack signal to the service providing means 1 is directed to the defense means 10. The principle is shown below.

  In the Internet, there is a Uniform Resource Locator (URL) that is a uniform resource location specifier as a format for identifying the “location” of a resource on the Internet by a unified method. In the URL, after a character string called a scheme (mailto :, http :, etc.), the identification method is defined in a format defined for each scheme. For example, in the case of the location of a web site, http: //www.nict.go It is written like .jp. A DNS 30 is used as a system for associating an Internet host name described by this URL with an IP address. Therefore, when accessing a host having a specific URL, first the DNS 30 is queried for the IP address from the URL of the host, the IP address of the access destination is acquired, and then the target host is used using the acquired IP address. Can be accessed.

  Therefore, in this embodiment, the attack detection means 8 detects attack signals from the attacker A2, the attacker C12, etc., and the defense control means 9 receives the attack detection signal emitted by the attack detection means 8, and the defense control means 9 Shall start the operation of the registered address changing means 31. The registered address changing unit 31 rewrites the IP address that is described in the DNS 30 and is the network layer address of the connecting unit 7 with the IP address of the protecting unit 10. Thereafter, when the attacker A2, the user B3, the attacker C12, and the user D13 query the DNS 30 for the URL of the connection means 7 to access the service providing means 1, the IP address of the defense means 10 is returned. come. Thereafter, the service of the service providing means 1 is received via the protection means 10. Here, when there are a plurality of defense means 10 each having a different IP address, by performing an operation of sequentially switching IP addresses registered in the DNS 30 to those IP addresses with time, that is, a so-called DNS round robin operation. By doing so, the load due to the attack related to the protection means 10 can be distributed to the plurality of protection means 10. By such an operation, an attack signal is included up to the defense means 10 and the traffic volume is large. However, since the defense means 10 deletes only the attack signal and passes other signals, the defense means 10 provides a service providing means. Traffic to 1 decreases, and the service providing means 1 can continue to provide services.

  On the other hand, the attacker A1 and the attacker C12 know that the IP address corresponding to the URL of the service providing means 1 that is the attack target has been changed by inquiring the DNS 30, and the changed IP address is stored in the defense means 10. Know that it may be an IP address. Therefore, the attacker A2 and the attacker C12 may attack the address of the connection means 7. Since the attacker C12 exists in the same subnet as the connection unit 7, simply changing the network layer address, that is, the IP address of the connection unit 7, cannot be avoided without changing the data link layer address, that is, the MAC address.

  Therefore, in this embodiment, the attack detection means 8 detects attack signals from the attacker A2 and the attacker C12, and the defense control means 9 receives the attack detection signal emitted by the attack detection means 8, and the defense control means 9 Starts changing both addresses of the connection means 7. However, the data link layer switching means 6 stores the MAC address of the connection means 7. For this reason, even if both addresses of the connection means 7 are changed, an attack signal from the attacker C12 still arrives at the port of the data link layer switching means 6 connected to the connection means 7 at both addresses before the change. The connection line between the connection means 7 is congested.

  Therefore, the decoy unit 14 uses both addresses used by the connection unit 7 before the attack detection unit transmits the attack detection signal, and transmits a signal to the data link layer switching unit 6 to thereby perform data link layer switching. By updating the memory of the means 6 and directing the signal of the attacker C12 to the decoy means 14, the congestion of the line reaching the service providing means 1 is avoided.

  Alternatively, the decoy means 14 or the defense control means 9 or the like directly controls the data link layer switching means 6, and both addresses used by the connection means 7 before the attack detection means 8 sends an attack detection signal are displayed as decoys. By making the port of the data link layer switching means 6 to which the means 14 is connected or the signal discarding port of the data link layer switching means 7, the attack signal from the attacker C 12 does not reach the service providing means 1. You can also As a result, it is possible to continue providing services while preventing attacks from the attacker A2, attacker C12, etc. on the service providing means 1.

  A fourth embodiment will be described with reference to FIG. This is an application of the present invention to the Internet. The operation in this embodiment is almost the same as that in the first embodiment. In the first embodiment, the range from the detection of the attack to the start of the defensive operation is in the scope of the attack, whereas in this embodiment, the attack ends. Specifies the operation of the hour.

  As described above, in the malware called bot, the attack target can be arbitrarily changed, for example, attacking a server of an organization at a certain time, and attacking another server of a different organization after one minute. It is also possible to command For this reason, even if an attack is prevented by the method of the first, second, or third embodiment and the protection of the service of the service providing unit 1 is established, the attacker is different from the service providing unit 1 that has been attacked so far. An attack to the server against another service providing means may be started. In this case, it is a waste of resources to let the defense means 10 strike the defense of the service providing means 1 whose attack has already been stopped.

  For this reason, it is desirable that the defense system is canceled in response to changes in the attack target servers such as the attacker A2 and the attacker C12, and the resources are effectively used.

  In the configuration of FIG. 5, when the attack falls below a predetermined threshold, the service providing unit 1 that is the attack target can perform a normal service providing operation. Thus, when the recovery control means 40 detects that the attack has dropped below a predetermined threshold by aggregating the information of the attack detection means 8, the state of the information transmission means 4 that can change the information transmission path, the defense The end of the attack in which the state of the means 10, the state of both addresses of the connection means 7 where the address of the data link layer and the network layer can be changed, and the state of the decoy means 14 are brought into a state before the attack detecting means 8 detects the attack. The defense operation is canceled by transmitting a signal. As described above, the recovery control means 40 detects that the attack has fallen below a certain threshold value. The threshold value is determined by the defense control means in the first invention from the viewpoint of control stability. It is desirable that it is lower than the threshold of the attack amount for starting the operation upon receiving the attack detection signal from the detection means 8.

  A fifth embodiment will be described with reference to FIG. In this example, the present invention is applied to the Internet. The operation in the fifth embodiment is almost the same as that in the second embodiment. In the second embodiment, the range from the detection of the attack to the start of the defensive operation is in the scope of the fifth embodiment. Specifies the operation.

  In FIG. 6, when the recovery control means 40 that aggregates the information of the attack detection means 8 detects that the attack has fallen below a certain threshold that allows normal service provision operation of the service provision means 1 that is the target of attack, The state of the information transmission means 4 capable of changing the information transmission path, the state of the protection means 10, the state of the data link layer switching means 6 whose connection destination port can be dynamically changed by the virtual LAN, and the input signal are encapsulated and output. The defense operation is canceled by transmitting an attack end signal for returning the state of the network layer switching means 5 having the function to the state before the attack detection means 8 detects the attack.

  A sixth embodiment will be described with reference to FIG. In this embodiment, the present invention is applied to the Internet. This operation is almost the same as that of the third embodiment, but in the third embodiment, the range from the detection of the attack to the start of the defensive operation is in the scope of that, while in the sixth embodiment, the operation at the end of the attack is defined. is doing.

  In FIG. 7, when the recovery control means 40 that aggregates the information of the attack detection means 8 detects that the attack has fallen below a certain threshold that allows normal service provision operation of the service provision means 1 that is the target of attack, The network layer address status of the connection means 7 registered in the domain name system 30 to be changed by the registered address change means 31, the status of the defense means 10, the status of both addresses of the connection means 7, and the status of the decoy means 14 are attacked. The defensive operation is canceled by transmitting an attack end signal for returning to a state before the detection means 8 detects the attack.

  Next, a seventh embodiment will be described. In the present embodiment, the present invention is applied to the Internet in the same manner as any one of the first, third, fourth and fourth embodiments. In order to prevent an attack signal from an attacker C12 or the like existing in the same subnet as the service providing means 1 from reaching the service providing means 1, the decoy means 14 is abbreviated as an Internet control message protocol (hereinafter referred to as "ICMP") in the Internet protocol. ) Is sent to the host that is going to transmit the signal to the service providing means 1 such as the attacker C12 and the user D13, and the routing table held by the attacker C12 and the user D13 is rewritten. The signals from these do not reach the service providing means 1 directly. The routing table loses its routing effect after its validity period expires.

  Therefore, as a feature of the present embodiment, the operation of sending the ICMP redirect signal again before the valid period expires is repeated until the decoy means 14 receives the attack end signal. It should be noted that the host that is going to transmit a signal to the service providing means 1 is a partner to which the decoy means 14 should send an ICMP redirect signal, and its address is one or more attack detection means 8, defense means 10 or connection means. 7 assumes that the attacker A2 transmitting the signal to the service providing means 1 and the network layer address of the user are determined and notified to the decoy means 14. For example, the attack detection unit 8 monitors a signal passing through the attack detection unit 8 using a mirror port, and notifies the decoy unit 14 of the transmission source address if the signal is directed to the service providing unit 1. In addition, the connecting means 7 notifies the decoy means 14 of the source address of the arrived signal if the arrived signal is not a signal from the defense means 10.

  Next, the operation of the eighth embodiment will be described. This embodiment operates in the same manner as any one of the first, third, fourth, and fourth embodiments described above, but the connecting means 7 connected to the service providing means 1 before the decoy means 14 receives the attack detection signal. The feature is that both addresses are stored in advance. Further, when the decoy means 14 receives the attack detection signal, the decoy means 14 sends out the signal using both the stored addresses as the source address. As a result, the data link layer switching means 6 recognizes that the device having the address of the connection means 7 is connected to the port connected to the decoy means 14 of the data link layer switching means 6, and the switching of the data link layer switching means 6 is performed. Rewrite the table. Thereby, it is possible to prevent the signals from the previous attacker C12 and the user D13 from reaching the service providing means 1 directly. This operation is performed until the decoy means 14 receives an attack end signal.

  In general, when Ethernet (registered trademark) is used for a data link layer, a MAC address is used as a data link layer address. In order to realize the switching function, the data link layer switching means 6 stores the address of the transmission source MAC of the signal reaching the port which is its input / output terminal as a table for each port, or some storage means Have. That is, the switch learns the MAC address of the host connected to the port while receiving a signal. When the destination MAC address of the signal received by the switch is described in this table, the signal is transferred only to a necessary port by transferring the signal to a port in the table. ing. As a result, the MAC address used by the connection means 7 before the attack is started is used as the source address by the decoy means 14, and the signal is sent to the switch 6, thereby rewriting the table for each port of the switch 6. It is possible to prevent signals from the attacker C12 and the user D13 and the like from reaching the service providing means 1.

  Next, the operation of the ninth embodiment will be described. In the service protection method shown in any one of the first, third, fourth, and sixth embodiments, the service provision to the user D13 existing in the same subnet as the service providing unit 1 is stopped when the operation of the defense control unit is started. There is a drawback of doing. Therefore, by rewriting the routing table held by the attacker C12 and the user D13, the signals from the attacker C12 and the user D13 are collected into one or more decoy means 14 or the defense means 10. The aggregated signal is rendered harmless by either the decoy means 14 or the defense means 10 and then provided to the service providing means 1. This operation is performed until the decoy means 14 receives an attack end signal. This processing can be applied to the service protection system described in any of the first, third, fourth, sixth, and eighth embodiments.

Next, the operation of the tenth embodiment will be described. The present embodiment is for preventing the disadvantage that the service provision to the service providing means 1 and the user D13 existing in the same subnet stops with the start of the operation of the defense control means.
In this embodiment, first, the decoy unit 14 stores in advance both addresses of the connection unit 7 connected to the service providing unit 1 before the decoy unit 14 receives the attack detection signal. When the decoy means 14 receives the attack detection signal, the decoy means 14 sends out the signal using both the stored addresses as the source address. As a result, the signals addressed to the service providing means 1 from the hosts on the same subnet as the service providing means 1 such as the attacker 12 and the user 13 are collected in the decoy means 14. This operation is performed until the decoy means 14 receives an attack end signal.

  Thereby, signals addressed to the service providing means 1 from the attacker C12 and the user D13 are collected in the decoy means 14. This aggregated signal is rendered harmless by either the decoy means 14 or the defense means 10 and provided to the service providing means 1. This processing can be applied to the service protection system described in any of the first, third, fourth, sixth, and eighth embodiments.

  Next, the operation of the eleventh embodiment will be described. In this embodiment, the planned change address of the connection means 7 is stored in advance in the plural or single defense means 10 and the decoy means 14. In this way, when the attacks are stored in advance before the attack is started, there is an advantage that the protection operation can be surely started even if the traffic is congested due to the attack. Further, this process can be applied to the service protection system described in any one of the first, third, fourth, sixth, seventh, eighth, ninth, and tenth embodiments.

  Next, the operation of the twelfth embodiment will be described. In this embodiment, the changed address of the connecting means 7 is notified to the plural or single defense means 10 and the decoy means 14 in a predetermined procedure after the connecting means 7 receives the attack detection signal. To do. This processing can also be applied to the service protection system described in any of the first, third, fourth, sixth, seventh, eighth, ninth, or tenth embodiments.

  In general, the plurality of or single defense means 10 and decoy means 14 are realized by using a dedicated device, and thus are expensive and inferior in economy. Therefore, it is desirable that a greater number of service providing means 1 can be protected with as few defense means 10 and decoy means 14 as possible. In this case, in the eleventh embodiment, it is necessary to store the addresses of the connection means 7 corresponding to a large number of service providing means 1 in the defense means 10 or the decoy means 14. However, this is not necessary in this embodiment.

  Next, the operation of the thirteenth embodiment will be described. In this embodiment, when one or a plurality of attack detection means 8 detects an attack on a plurality of different service providing means 1, the IP address is searched from the URL for each of the different service providing means 1. The IP address of the connection means 7 registered in the possible DNS and the IP address of the protection means 10 are set as adjacent addresses, respectively. This processing can be applied to the service protection system described in the third embodiment or any one of 6 to 12.

  Generally, a router transfers an incoming signal according to a routing table that the router itself has. For example, it is assumed that the input / output terminals of the router are three terminals of A, B and A. The signal that arrives from Party A is forwarded to either Party B or B, but the router compares the destination IP address of the received signal with the routing table to determine whether it is forwarded to Party B or B. In other words, by using the routing table, it is possible to determine whether to transfer to all of the IP addresses, A, B, or A. Here, if there is no regularity in the relationship between the IP address and the AS that relays the signal, it is necessary to search for a routing destination for each IP address. There is a risk of not being in time. In general, IP addresses are not randomly assigned to AS. For example, IP addresses 1 to 6 are assigned to a first AS, 7 to 10 are assigned to a second AS, and 11 to 11 are assigned. The number 16 is continuously allocated so as to be allocated to the third AS. Therefore, in this case, in the routing table, for example, addresses 1 to 6 are listed as A, 7 to 10 as B, and 11 to 16 as 乙.

  Therefore, the destination address of the input signal is compared with, for example, the address described in No. 6, and if it is equal to or smaller than the address described in No. 6, it is transferred to the former. Next, it is compared with the address written in No. 10, and if it is equal to or smaller than the address written in No. 10, it is transferred to B. Otherwise, it is transferred to Sakai. This realizes routing with a small number of comparisons. In other words, what should be compared 16 times in total from No. 1 to No. 16 in the original case, in this case, the port of the routing destination can be determined by a maximum of two comparisons.

  Therefore, if a router receives an attack that sends a large amount of signals to a specific IP address, the routing table is searched from the port that is frequently used as the transfer destination port of the received signal, so that the transfer can be performed faster. Increases the chance of discovering the destination port. For example, in the example of the router having the above-described ports A, B, and B, consider the case where the attacks are concentrated on the 15th and 16th addresses. In this case, since the attacks have been concentrated on the 15th and 16th addresses so far, it can be seen that there is a high possibility that the signal will be transferred to the port corresponding to the address described after the 10th address. Therefore, until then, the size was compared in the order of the 6th address and the 10th address, but the comparison order is changed to the 10th address and the 6th address. By comparing the ports having a high possibility of passing many signals in this way, it is possible to reduce the number of comparisons in the router on average, thereby reducing the processing load on the router due to the attack signal. Therefore, the IP address of the connection means 7 and the IP address of the protection means 10 are set as addresses that are adjacent or close to each other, and the load on the router that relays the attack signal is reduced.

  In the above description, the DDoS attack has been described as an example, but the present invention can also be applied to a primitive DoS attack, for example, an F5 attack in which reloading is manually repeated.

1 Service providing means 2 Attacker A
3 User B
4 Information transmission means capable of changing information transmission path 5 Network layer switching means 6 Data link layer switching means 7 Connection means capable of changing addresses of data link layer and network layer 8 Attack detection means 9 Defense control means 10 Defense means 11 Path Change command transmission means 12 Attacker C
13 User D
14 decoy means 20 connection means 30 domain name system 31 registered address change means 32 information transmission means 40 recovery control means 50 transfer destination change means 60 router

Claims (14)

In a network comprising a first network provided with transfer destination changing means, a router connected to the transfer destination changing means, and a second network connected to the first network via the router,
The first network includes a defense means connected to the transfer destination changing means,
The second network includes a connection means for changing the routing information of the router, a service providing means for providing an information providing service to a user connected to the first network or the second network and connected to the connection means, An attack detection means for detecting a distributed denial of service attack connected to the network or the second network, and a defense control means for controlling the defense system in response to the output of the attack detection means,
When the service providing means is subjected to a distributed denial of service attack, according to control from the defense control means, the forwarding destination changing means aggregates attack signals into the defense means,
The defense means deletes the attack signal and provides other signals to the service providing means.
Service protection system characterized by that. The router includes data link layer switching means connected to the connection means, network layer switching means connected to the data link layer switching means and the transfer destination changing means,
The data link layer and network layer addresses of the connection means connected to the service providing means can be changed,
The transfer destination changing means includes an information transmission means connected to the network layer switching means and capable of changing an information transmission path, and a path change command transmission means for transmitting an information transmission path change instruction of the information transmission means,
The information transmission means aggregates the signals to the service providing means from attackers and users into the defense means in accordance with a command from the route change command sending means,
The defense means is connected to the information transmission means, and transmits and receives signals from the attacker and the user to the service provision means on behalf of the service provision means. The attack signal is deleted, and other signals can be provided to the service providing means according to the address change of the connecting means,
A decoy means for transmitting and receiving a signal to the service providing means from an attacker and a user connected to the data link layer switching means or the network layer switching means on behalf of the service providing means,
The defense control means receives the attack detection signal, a signal for starting the operation of the defense means, a signal for starting the operation of the decoy means, and a connection capable of changing addresses of the data link layer and the network layer The information transmission path change command of the information transmission means that can change the information transmission path is transmitted so that the signal for starting the change operation of both addresses of the means and the signal to the service providing means are aggregated in the defense means A signal for starting the operation of the route change command transmitting means is transmitted,
The service protection system according to claim 1, wherein: The router includes data link layer switching means connected to the connection means, and network layer switching means connected to the data link layer switching means and the transfer destination changing means,
The connection means is connected to the service providing means,
The transfer destination changing unit includes an information transmission unit that is connected to the network layer switching unit and capable of changing an information transmission path, and a path change command transmission unit that transmits an information transmission path change command of the information transmission unit. ,
The information transmission means aggregates the signals to the service providing means from attackers and users into the defense means in accordance with a command from the route change command sending means,
The data link layer switching means can dynamically change a connection destination port connected to the connection means by a virtual LAN,
The network layer switching means eliminates the function of encapsulating the signal from the data link layer switching means and the encapsulation of the signal inputted to the data link layer switching means, and the data link A layer switching means provided with a virtual LAN,
The defense means is connected to the information transmission means and transmits / receives a signal from the attacker and the user to the service provision means on behalf of the service provision means, and signals other than the attack signal are transmitted. The service providing means encapsulates and transmits the network layer address in the network layer switching means as the destination, and the encapsulated signal received from the network layer switching means is decapsulated and sent to the information transmission means. It is sent to the attacker or the user by sending it,
The defense control means receives the attack detection signal, starts a signal for starting the operation of the defense means, and communicates with the defense means between the service providing means and the defense means via the network layer switching means. The information transmission path can be changed so that the signal for changing the connection destination port of the data link layer switching means and the signal to the service providing means can be aggregated in the protection means to prevent mixing of signals outside the communication. A signal for starting the operation of the route change command transmission means for transmitting the information transmission route change command of the information transmission means is transmitted.
The service protection system according to claim 1. The router includes data link layer switching means connected to the connection means, network layer switching means connected to the data link layer switching means and the transfer destination changing means,
The connection means is a connection means connected to the service providing means and capable of changing addresses of the data link layer and the network layer of the router,
The transfer destination changing means includes an information transmission means connected to the network layer switching means, a domain name system capable of searching for a network layer address with a unified resource location specifier, and an IP address of the network layer of the connection means. A registered address changing means for rewriting the address with the IP address of the defense means,
The information transmission means can provide signals to the service providing means from attackers and users to the defense means in accordance with the IP address change of the connection means and the defense means,
The defense means is connected to the information transmission means, and transmits and receives signals to the service providing means from attackers and users on behalf of the service providing means,
A decoy means for transmitting and receiving a signal to the service providing means from an attacker and a user connected to the data link layer switching means or the network layer switching means on behalf of the service providing means,
The defense control means receives the attack detection signal, a signal for starting the operation of the defense means, a signal for starting the operation of the decoy means, and a connection capable of changing the addresses of the data link layer and the network layer A signal for starting the changing operation of both addresses of the means, and a signal for starting the operation of the registered address changing means,
The service protection system according to claim 1, wherein: Comprising a recovery control means connected to the information transmission means capable of changing the information transmission path,
Change of the information transmission path when the recovery control means that aggregates the information of the attack detection means detects that the attack has fallen below a predetermined threshold that enables normal service provision operation of the service provision means targeted by the attack The attack detection means detects the state of possible information transmission means, the state of defense means, the state of both addresses of the connection means that can change the address of the data link layer and the network layer, and the state of the decoy means. 3. The service protection system according to claim 2, wherein the recovery control means transmits an attack end signal for returning to the previous state. Comprising a recovery control means connected to the information transmission means capable of changing the information transmission path,
Change of the information transmission path when the recovery control means that aggregates the information of the attack detection means detects that the attack has fallen below a predetermined threshold that enables normal service provision operation of the service provision means targeted by the attack Network layer having a function of encapsulating and outputting an input signal, a state of possible information transmission means, a state of defense means, a state of a data link layer switching means capable of dynamically changing a connection destination port by a virtual LAN 4. The service protection system according to claim 3, wherein the recovery control means transmits an attack end signal for returning the state of the switching means to the state before the attack detection means detects the attack. Comprising recovery control means connected to the information transmission means,
When the recovery control means that aggregates the information of the attack detection means detects that the attack has dropped below a predetermined threshold that enables normal service provision operation of the service provision means targeted by the attack, the registered address change means Status of network layer address of connection means registered in domain name system to be changed and changeable address of data link layer and network layer, status of defense means, and connection means of changeable address of data link layer and network layer 5. The service protection according to claim 4, wherein the recovery control means transmits an attack end signal for returning the state of both addresses and the state of the decoy means to a state before the attack detection means detects the attack. method. When an attack detection signal is received by one or more attack detection means or defense means, or a connection means that can change the address of the data link layer and the network layer
One or more attack detection means or defense means or data link layer and network layer address changeable connection means determine the network layer addresses of attackers and users who are sending signals to the service provision means. The decoy means is notified, and the decoy means sends an Internet control message protocol redirect signal in the Internet protocol to the attacker and the user, and rewrites the routing table used by the attacker and the user, so that the attack is performed. The signal from the user and the user is prevented from reaching the service providing means directly until the decoy means receives the attack end signal. The service protection method according to any one of the above.   Before the decoy means receives the attack detection signal, the decoy means stores in advance the addresses of both the data link layer connected to the service providing means and the changeable connection means of the network layer. When an attack detection signal is received, a signal is transmitted using both the stored addresses as a source address so that signals from the attacker and the user in the previous period do not reach the service providing means directly. 8. The service protection method according to claim 2, wherein the decoy unit performs until the decoy means receives an attack end signal.   By rewriting the routing table possessed by the attacker and the user, the signals from the attacker and the user are each aggregated into one or a plurality of decoy means or defense means, and the aggregated signals are each singular or The detoxification by any one of a plurality of decoy means or defense means, and the provision to the service providing means is performed until the decoy means receives an attack end signal. The service protection method according to any one of 7 to 9.   By sending an address resolution signal or a reverse address resolution signal, the signals from the attacker and the user are each aggregated into one or a plurality of decoy means or defense means, and the aggregated signals are each singular or The method according to claim 2, 4, 5, or 7, wherein the detoxification is performed by any one of a plurality of decoy means or defense means and provided to the service providing means until the decoy means receives an attack end signal. 10. The service protection method according to any one of 9 above.   8. A change-scheduled address of a connection means capable of changing the address of the data link layer and the network layer is stored in advance in one or a plurality of defense means and decoy means, respectively. The service protection system according to any one of 1 to 11.   The change address of the connection means capable of changing the address of the data link layer and the network layer is changed to a single address in accordance with a predetermined procedure after the connection means capable of changing the address of the data link layer and the network layer receives the attack detection signal. The service protection system according to any one of claims 2, 4, 5, and 7 to 11, wherein notification is made to a plurality of defense means and decoy means.   The domain name that can search the network layer address from the unified resource locator for each of the different service providing means when an attack to different service providing means is detected by one or more attack detecting means The network layer address of the connection means capable of changing the address of the data link layer and the network layer registered in the system and the network layer address of the protection means are respectively adjacent addresses. The service protection method according to any one of 7 to 13.

Images