JP2011129968A - Communication terminal device - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a communication terminal which prevents another communication terminal from being subjected to network attack and which protects the whole home network against the attack, by renewing a lease of an attacked IP (Internet Protocol) address and using another IP address for communication while preventing the attacked IP address from being returned to a DHCP (Dynamic Host Configuration Protocol) server. <P>SOLUTION: In the communication terminal, when a detection means detects a DoS (Denial of Service) attack, a MAC (Media Access Control) address change means changes a MAC address allocated thereto, an IP address acquisition means acquires a new IP address corresponding to the changed MAC address from the DHCP server for communication through an external network based on the new IP address, and an IP address renewal means continues periodical renewal of the attacked IP address to prevent the IP address from being returned to the DHCP server and prevent other terminals in the home network from being attacked. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a communication terminal device (hereinafter referred to as a communication terminal) capable of supporting a network service by connecting to an IP (Internet Protocol) network.

  In recent years, by sending illegal data over a network, etc., the services provided or executed by other terminal devices (hereinafter referred to as terminals) are obstructed, or stored information is illegally extracted. So-called network attacks are intensifying.

  There are a plurality of types of such network attacks, but there are many technologies that can be used to counter each network attack. For example, Patent Document 1 discloses a technique related to a countermeasure against a service inhibition attack (Denial of Service attack: DoS attack).

  In Patent Document 1, it is monitored whether or not the communication amount is excessive in the terminal, and if it is determined that the communication amount is excessive (subject to DoS attack), interrupt processing is performed by not outputting an interrupt signal. First, a technology is disclosed that can secure resources necessary for a service and maintain normal operation by preventing terminal resource occupation.

  On the other hand, a highly portable terminal such as a notebook personal computer may be used while changing a connection destination network depending on the use environment. At this time, in the terminal, it is necessary to appropriately change the IP address setting depending on the connection destination network. When this setting change is performed manually, the user has to spend time and effort every time. Moreover, even if automatic setting is performed using DHCP (Dynamic Host Configuration Protocol), it is necessary to perform address acquisition processing every time, and the user will have to wait until the acquisition is completed, and the burden on the user is not light. .

  A technique for reducing the burden on the user is disclosed in Patent Document 2. In Patent Document 2, IP address information once set is retained even after the network is disconnected, and a plurality of retained IP address information is retrieved based on a connection destination IP address when communication is started on a new network. A technique for reducing the load on the user by setting an appropriate one is disclosed.

JP 2008-199138 A JP 2006-332716 A

  However, in a home network in which a DHCP service is provided by a home router, Patent Document 1 discloses a countermeasure against a network attack against a communication terminal that receives an IP address assigned by a DHCP server of the home router and communicates with an external network. If the technique disclosed in the above is applied and reception interruption processing is not performed, communication for IP address lease renewal becomes impossible. As a result, the IP address is returned to the DHCP server, and when the returned IP address is assigned to another communication terminal in the home, the communication terminal is subjected to a network attack. As a result, a network attack cannot be avoided in the home network.

  In order to solve such a problem, there is a method of performing lease update communication of an IP address that is an attack target and using another IP address for communication while preventing the IP address from being returned to the DHCP server. It is done.

  As a technique for holding such two IP addresses, it is conceivable to apply the technique disclosed in Patent Document 2. However, in the technology disclosed in Patent Document 2, acquisition and switching of another IP address is performed when connecting to a new network, and another IP address is maintained while maintaining the network connection when subjected to a network attack. Such a problem cannot be solved because it is not taken into consideration.

  The present invention has been made in view of such a problem, and performs lease update communication of an IP address that is an attack target, while preventing the IP address from being returned to the DHCP server, and another IP address. Can be used to avoid the problem of taking over network attacks caused by the IP address reuse mechanism to other communication terminals, and the home network as a whole can prevent such attacks. The purpose is to provide.

  In order to achieve the above object, a communication terminal device according to a first invention of the present application is connected to a home network and has an external network based on an IP (Internet Protocol) address assigned by a DHCP (Dynamic Host Configuration Protocol) server. A communication terminal device that performs communication via a detection means for detecting the end of a DoS (Denial of Service) attack and a DoS attack, and a MAC address changing means for changing the MAC (Media Access Control) address of the own device IP address acquisition means for acquiring an IP address corresponding to a MAC address from the DHCP server, and when the detection means detects a DoS attack, the MAC address change means The stage changes the MAC address assigned to the own apparatus, and the IP address acquisition unit acquires a new IP address corresponding to the changed MAC address from the DHCP server, and based on the new IP address. While communicating via the external network, the IP address acquired before the change is held in the own apparatus without being released.

  The communication terminal device of the second invention of the present application is the communication terminal device of the first invention of the present application, further comprising attack target IP address update means for making a lease update request to the DHCP server, wherein the attack The target IP address updating means makes a lease update request for the IP address acquired before the change, which is an attack target, to the DHCP server at a predetermined interval, thereby obtaining the IP acquired before the change. It is characterized in that the address is held in its own device without being released.

  The communication terminal device according to a third aspect of the present invention is the communication terminal device according to the second aspect of the present invention, wherein the attack target IP address update means transmits a DHCPREQUEST message to the DHCP server at a predetermined interval. On the other hand, the response message is not received.

  Further, in the communication terminal device according to the fourth aspect of the present invention, in the communication terminal device according to the first aspect of the present application, when the detecting means detects that the DoS attack has ended, the MAC address changed by the MAC address changing means The new IP address is released, and communication is performed via the external network based on the IP address acquired before the change.

  The communication terminal device of the fifth invention of the present application monitors the packet transmitted to the own device in the communication terminal device of the first invention of the present application, and determines the source MAC address described in the packet. A MAC address storage unit for storing the MAC address, and the MAC address change unit changes the MAC address stored in the MAC address storage unit so that the MAC address does not match when the MAC address of the own device is changed; It is a feature.

  According to the communication terminal of the present invention, it is possible to avoid the “problem that a network attack caused by the IP address reuse mechanism is taken over by another communication terminal”, and protect the attack as a whole home network. Can do.

FIG. 1 is a block diagram showing a network configuration according to Embodiment 1 of the present invention. The block diagram which shows the internal structure of the communication terminal which concerns on Embodiment 1 of this invention. The figure which shows an example of the address management table which the address management part of the communication terminal which concerns on Embodiment 1 of this invention hold | maintains. The figure which shows an example of the sequence at the time of the IP address update part and attack target IP address update part of the communication terminal which concern on Embodiment 1 of this invention each communicate with the DHCP server of a home router The figure which shows an example of the list table of the transmission source MAC address (MAC address of the apparatus in a home network) accumulate | stored in the MAC address storage part of the communication terminal which concerns on Embodiment 1 of this invention.

  EMBODIMENT OF THE INVENTION Below, the form for implementing this invention is demonstrated, referring drawings.

(Embodiment 1)
FIG. 1 is a block diagram showing a network configuration according to Embodiment 1 of the present invention.

  In FIG. 1, the home router 102 includes a DHCP server 1021, a gateway function that relays connection from each terminal in the home network 110 to the Internet 101, and one global IP address shared by each terminal in the home network 110. A network address translation (NAT) function, and a DHCP server function that assigns an IP address to each terminal in the home network 110.

  The communication terminal A 103 according to the present invention in the home network 110 and the communication terminal B 104 not equipped with a network attack countermeasure can use various services existing on the Internet 101 by using these functions. Further, it is assumed that the communication terminal C105 is in a state where there is a possibility of performing a network attack on the terminal in the home network 110 for some reason, such as infection with a computer virus.

  Next, the internal configuration of communication terminal A103 according to Embodiment 1 of the present invention will be described using FIG. FIG. 2 is a block diagram showing an internal configuration of the communication terminal according to Embodiment 1 of the present invention.

  In FIG. 2, an Ethernet (registered trademark) I / F (hereinafter referred to as I / F) 201 performs processing of a physical layer of communication via Ethernet (registered trademark). The communication unit 202 processes communication performed when providing a network service to a user above the data link layer. The attack detection unit 203 monitors the communication status of the I / F 201 and detects an attack by some method.

  A temporary MAC (Media Access Control) address setting unit 204 temporarily generates a necessary MAC address. The attack end detection unit 205 monitors the communication status of the I / F 201 and detects that the attack has ended by some method. The temporary MAC address release unit 206 releases the MAC address generated by the temporary MAC address setting unit 204.

  It should be noted that as a method of detecting an attack in the attack detection unit 203, a case where the number of reception interrupts sent from the I / F 201 to a CPU (Central Processing Unit) (not shown) exceeds a predetermined threshold is considered. However, the present invention is not limited to this.

  The IP address acquisition unit 207 communicates with the DHCP server 1021 of the home router 102 via the I / F 201 using the MAC address given by the caller, receives the IP address assignment, and then assigns the caller to the caller. Returned IP address.

  The IP address update unit 208 uses the MAC address given by the caller and the IP address assigned to the MAC address and acquired by the IP address acquisition unit 207, periodically using the home router 102 via the I / F 201. After communicating with the DHCP server 1021, requesting the DHCP server 1021 to extend the IP address allocation period (lease time), waiting for a response indicating whether extension is possible or not, and receiving the response, the caller Returns whether or not extension is possible.

  The attack target IP address update unit 209 performs almost the same operation as the IP address update unit 208, but does not wait for a response indicating whether extension is possible or not after requesting extension of the IP address allocation period.

  The IP address release unit 210 communicates with the DHCP server 1021 of the home router 102 via the I / F 201 using the MAC address and IP address given from the caller, and requests the DHCP server 1021 to release the IP address. To do.

  The address management unit 211 manages the MAC addresses previously associated with the communication terminal A103 or the MAC addresses generated by the temporary MAC address setting unit 204 and the IP addresses assigned to these MAC addresses by DHCP communication. Manages control such as acquisition, retention and release of IP addresses.

  The MAC address storage unit 212 extracts a source MAC address of a packet received by the I / F 201 and stores a source MAC address having a reception history.

  Here, the relationship between each unit described in the claims and each unit in FIG. 2 will be described. The detection unit includes an I / F 201, an attack detection unit 203, and an attack end detection unit 205. Further, the MAC address changing unit includes a temporary MAC address setting unit 204 and an address management unit 211, and the IP address acquisition unit includes an I / F 201, an IP address acquisition unit 207, and an address management unit 211. Further, the attack target IP address update unit is configured by the I / F 201, the IP address update unit 208, and the address management unit 211, and the MAC address storage unit is configured by the I / F 201 and the MAC address storage unit 212.

  Next, the operation in communication terminal A103 according to Embodiment 1 of the present invention will be described with reference to FIGS. FIG. 3 is a diagram showing an example of an address management table held by the address management unit of the communication terminal according to Embodiment 1 of the present invention. FIG. 4 is a diagram showing an example of a sequence when the IP address update unit and the attack target IP address update unit of the communication terminal according to Embodiment 1 of the present invention communicate with the DHCP server of the home router, respectively. . FIG. 5 is a diagram showing an example of a list table of transmission source MAC addresses (MAC addresses of devices in the home network) stored in the MAC address storage unit of the communication terminal according to Embodiment 1 of the present invention.

  The communication terminal A103 according to the first embodiment of the present invention includes an I / F 201 and a communication unit 202, and provides a communication service to the user, as with a normal communication terminal.

  When an IP address needs to be acquired for communication, an address acquisition request is sent to the address management unit 211. For example, immediately after the Ethernet cable is connected to the communication terminal A 103, the I / F 201 sends an address acquisition request to the address management unit 211. The address management table (hereinafter referred to as the management table) held by the address management unit 211 before receiving the address acquisition request includes only the MAC address previously associated with the communication terminal A103, as shown in FIG. This is a state registered as a communication MAC address.

  Here, upon receiving an address acquisition request from the I / F 201, the address management unit 211 sends an IP address acquisition request together with a communication MAC address to the IP address acquisition unit 207.

  When receiving an IP address acquisition request from the address management unit 211, the IP address acquisition unit 207 receives an IP address assigned by DHCP communication, and returns the IP address and lease time to the address management unit 211 as a response.

  The address management unit 211 registers the IP address and lease time received from the IP address acquisition unit 207 in the management table. The management table at this time is as shown in FIG. The communication IP address registered in the management table in this way is notified to the communication unit 202 and used when performing communication.

  Further, the address management unit 211 determines a lease renewal interval based on the lease time (usually half the lease time), the lease renewal interval, the communication IP address and the communication MAC address registered in the management table, etc. Is sent to the IP address updating unit 208.

  The IP address update unit 208 periodically communicates with the DHCP server 1021 in the home router 102 for lease update of the communication IP address using the information sent from the address management unit 211. When the communication with the DHCP server 1021 cannot be normally performed or when the update is rejected, the address management unit 211 is notified of the fact.

  Through the series of processes as described above, the communication terminal A 103 can achieve acquisition and holding of the communication IP address.

  Here, when it is detected that the communication terminal A 103 has received a network attack and the attack detection unit 203 has received a network attack, the attack detection unit 203 attacks the temporary MAC address setting unit 204 in order to avoid the attack. Send detection notification.

  When receiving the attack detection notification from the attack detection unit 203, the temporary MAC address setting unit 204 generates a temporarily used MAC address and sends the generated MAC address and an address change request to the address management unit 211.

  The method for generating the MAC address generated by the temporary MAC address setting unit 204 is as follows.

  First, the MAC address accumulating unit 212 extracts the source MAC address of the packet that has been received by the I / F 201 so far, and records all the source MAC addresses with a reception history in a table (MAC address table).

  In the home network 110 on the premise of IP address allocation by DHCP, a broadcast packet is transmitted when an IP address allocation request is made, so that the MAC addresses of all terminals in the home network 110 can be collected. That is, the MAC address table recorded by the MAC address storage unit 212 is the MAC address table of all terminals connected to the home network 110 while the communication terminal A103 is operating. An example of the MAC address table is shown in FIG.

  In generating a MAC address, the temporary MAC address setting unit 204 first requests a MAC address table from the MAC address storage unit 212, and the MAC address stored in the MAC address storage unit 212 from the MAC address storage unit 212. Get the table.

  The temporary MAC address setting unit 204 randomly generates a MAC address, but when the same MAC address as that in the MAC address table acquired from the MAC address storage unit 212 is generated, it is generated again. Thereby, a MAC address that does not overlap with the MAC address of the terminal in the home network 110 can be generated, and a failure due to a plurality of terminals having the same MAC address in the home network 110 can be avoided.

  On the other hand, when the address management unit 211 receives an address change request from the temporary MAC address setting unit 204, first, the address management unit 211 stores the communication MAC address, the communication IP address, and the lease time on the management table managed by itself. Move to the attack target line as shown in (c). Subsequently, another MAC address received together with the address change request is set as a communication MAC address as shown in FIG.

  Subsequently, the address management unit 211 sends an update stop notification to the IP address update unit 208 to stop the periodic update process in the IP address update unit 208.

  Subsequently, the address management unit 211 sends an IP address acquisition request to the IP address acquisition unit 207 together with the communication MAC address registered in the management table.

  Upon receiving an IP address acquisition request from the address management unit 211, the IP address acquisition unit 207 receives an IP address assignment by DHCP communication, and returns the assigned IP address and lease time to the address management unit 211 as a response. .

  The address management unit 211 registers the IP address and lease time received from the IP address acquisition unit 207 in the management table. The management table at this time is as shown in FIG. The communication IP address shown in (e) of FIG. 3 is notified to the communication unit 202 and used when performing communication. Further, the address management unit 211 determines a lease renewal interval based on the lease time (usually half the lease time), and determines the determined lease renewal interval, the communication IP address on the management table, and the communication MAC address as IP. This is sent to the address update unit 208.

  The IP address update unit 208 periodically communicates with the DHCP server 1021 for lease update of the communication IP address using these pieces of information sent from the address management unit 211, and communicates with the DHCP server 1021. When the communication is not successful or when the update is rejected, the address management unit 211 is notified.

  Through a series of processes as described above, it is possible to obtain and retain a communication IP address separately from the IP address that is the target of attack, so that network services can be used while avoiding attacks. Become.

  Next, the address management unit 211 sends the lease update time determined from the attack target IP address, attack target MAC address, and lease time on the management table to the attack target IP address update unit 209.

  The attack target IP address update unit 209 periodically communicates with the DHCP server 1021 for lease update of the attack target IP address using the information transmitted from the address management unit 211.

  At this time, in the normal lease renewal process performed in the IP address renewal unit 208, as shown in FIG. 4, the communication terminal A103 sends a DHCPREQUEST message to the DHCP server 1021 of the home router 102 and then waits for reception of the message. The DHCP server 1021 receives a DHCPACK message or a DHCPPNAK message and determines whether or not the address can be used for subsequent communication. The processing in the attack target IP address update unit 209 is performed by the DHCP server 1021. After sending the DHCPREQUEST message, the message reception is not waited. The reason is that if you wait for the IP address (MAC address) to be attacked, you will receive a large number of packets due to DoS attack while waiting for the reception, and this may cause problems in the service due to increased CPU load. Because there is sex.

  Therefore, when updating the attack target IP address, it is possible to avoid a problem that causes a problem in the service by not waiting for reception. When waiting for reception is not possible, it is not possible to determine whether or not the IP address can be used for communication. However, since communication is not performed using the attack target IP address, there is no particular problem.

  With the series of processes as described above, it is possible to avoid the trouble due to the attack while continuing to renew the lease of the attack target IP address, so that the return of the IP address to the DHCP server 1021 can be prevented, and the inside of the home network 110 It is possible to prevent a situation in which the attack target IP address is assigned to another communication terminal, for example, the communication terminal B104, and the communication terminal B104 is subjected to the DoS attack.

  In the management table held by the address management unit 211, when the attack end detection unit 205 detects the end of the attack with the MAC address or IP address set in the attack target row (attack detection state), it is temporarily set In order to release the MAC address and the IP address, the attack end detection unit 205 sends an attack end notification to the temporary MAC address release unit 206.

  When receiving the attack end notification from the attack end detection unit 205, the temporary MAC address release unit 206 sends an address release request to the address management unit 211 to release the temporarily set IP address.

  Upon receiving the address release request from the temporary MAC address release unit 206, the address management unit 211 first sends an IP address release request to the IP address release unit 210 together with the communication MAC address and communication IP address of the management table. .

  The IP address release unit 210 sends a DHCPRELEASE message to the DHCP server 1021 using the communication MAC address and communication IP address received from the address management unit 211, and returns the communication IP address.

  Subsequently, the address management unit 211 deletes the communication MAC address, the communication IP address, and the lease time in the management table so as to be in a state as shown in FIG. The attack target IP address and the lease time are deleted, and the state shown in FIG.

  Subsequently, the address management unit 211 sends an update stop request to the attack target IP address update unit 209, and the attack target IP address update unit 209 periodically responds to the update stop request from the address management unit 211. The general update process is stopped.

  Subsequently, the address management unit 211 sends an IP address acquisition request together with the communication MAC address in the management table to the IP address acquisition unit 207, and the IP address acquisition unit 207 receives the IP address acquisition request from the address management unit 211. Corresponding to the IP address is assigned by DHCP communication, and the assigned IP address and lease time are returned to the address management unit 211.

  The address management unit 211 registers the IP address and lease time received from the IP address acquisition unit 207 in the management table. The management table at this time is as shown in FIG. The communication IP address shown in (b) of FIG. 3 is notified to the communication unit 202 and used when performing communication.

  Further, the address management unit 211 determines a lease renewal interval based on the lease time of the management table (usually half of the lease time), the determined lease renewal interval, the communication IP address and the communication MAC address on the management table. Is sent to the IP address updating unit 208. The IP address update unit 208 periodically communicates with the DHCP server 1021 to update the lease of the communication IP address using the information sent from the address management unit 211, When the communication is not normally performed or when the update is rejected, the address management unit 211 is notified of the fact.

  Through the series of processes described above, after the attack is over, the IP address leased for avoiding the attack can be returned, and the occupied resources in the home network 110 can be minimized.

  When a communication terminal according to the present invention is subjected to a network attack, the attack can be avoided without stopping the provision of network services, and the attack destination is not switched to another terminal in the network. It is useful as a communication terminal capable of supporting network services by connecting to an IP network.

101 Internet 102 Home router 103 Communication terminal A
104 Communication terminal B
105 Communication terminal C
110 Home Network 201 Ethernet (registered trademark) I / F
202 Communication Unit 203 Attack Detection Unit 204 Temporary MAC Address Setting Unit 205 Attack End Detection Unit 206 Temporary MAC Address Release Unit 207 IP Address Acquisition Unit 208 IP Address Update Unit 209 Attack Target IP Address Update Unit 210 IP Address Release Unit 211 Address Management Unit 212 MAC address storage unit 1021 DHCP server

Claims (5)

A communication terminal device connected to a home network and performing communication via an external network based on an IP (Internet Protocol) address assigned from a DHCP (Dynamic Host Configuration Protocol) server,
Detection means for detecting the end of a DoS (Denial of Service) attack and a DoS attack;
MAC address changing means for changing the MAC (Media Access Control) address of its own device;
IP address acquisition means for acquiring an IP address corresponding to a MAC address from the DHCP server,
When the detecting means detects a DoS attack, the MAC address changing means changes the MAC address assigned to the own device, and the IP address obtaining means assigns a new IP address corresponding to the changed MAC address. A communication terminal that is obtained from the DHCP server and communicates via the external network based on the new IP address, and the IP address obtained before the change is held in its own device without being released. apparatus. Further comprising attack target IP address updating means for making a lease update request to the DHCP server,
The attack target IP address update means acquires before the change by making a lease update request for the IP address acquired before the change that is the attack target to the DHCP server at a predetermined interval. 2. The communication terminal device according to claim 1, wherein the IP address is held by the own device without being released. 3. The communication terminal apparatus according to claim 2, wherein the attack target IP address updating unit does not receive a response message for a DHCPREQUEST message transmitted to the DHCP server at a predetermined interval. When the detecting means detects that the DoS attack has ended, the MAC address changing means releases the changed MAC address and the new IP address, and the external network is changed based on the IP address acquired before the change. The communication terminal device according to claim 1, wherein communication is performed via the communication terminal device. It further comprises a MAC address accumulating unit that monitors a packet transmitted to its own device and accumulates a source MAC address described in the packet,
2. The communication terminal according to claim 1, wherein the MAC address changing unit changes the MAC address so as not to match the MAC address stored in the MAC address storing unit when changing the MAC address of the own device. apparatus.

Images