JP2019029907A - Transfer system, information processing device, transfer method and information processing method - Google Patents

Abstract

To efficiently grasp a specific communication route.SOLUTION: A transfer system, including a plurality of transfer devices which transfers each packet in a network, includes: a first transfer device which, on receiving a packet that matches a condition received from an information processing device, records into the packet the address of the self-device and predetermined flag information; one or more second transfer devices which, on receiving a packet in which the predetermined flag information is recorded, add the address of the self-device to the packet; and a third transfer device which transmits to the information processing device the address group of the transfer devices recorded in the packet in which the predetermined flag information is recorded.SELECTED DRAWING: Figure 3

Description

  The present invention relates to a transfer system, an information processing apparatus, a transfer method, and an information processing method.

  As countermeasures against DDoS (Distributed Denial of Service attack) attacks in the network, there are mainly “countermeasures for security devices in the first stage of the attack target device” and “measures near the GWR (gateway router) near the attack source”. Yes. Since the former is a countermeasure at a traffic aggregation point, there is a case where all attacks cannot be prevented due to the performance limit of a security device such as a mitigation device. In the latter case, the source IP address is often misrepresented in a DDoS attack, so normal communication may also be stopped at the GWR point, and it is difficult to immediately block it. For this reason, it is possible to take measures for drawing traffic into a mitigation device or the like and cleaning it, but if it is drawn from a transfer device close to the attack source, the transmission cost becomes high.

  Therefore, it is considered effective to draw communication from a location where attack communication is moderately aggregated in the network. However, as a precondition for this, it is necessary to know which route the attack communication is taking, but security devices etc. It is difficult to grasp which route of the attack communication has passed through only the information of the detected source IP address and destination IP address of the attack communication.

  As a method of knowing the path of attack communication, it is conceivable to collect and combine all Flow information from all routers. However, this method is not economical because the amount of data is enormous and the collection cost is high.

  Therefore, it is conceivable to collect and collect Flow information from all routers.

Internet <URL: http://www.sflow.org/developers/specifications.php> Internet <URL: https://www.ietf.org/rfc/rfc3954.txt>

  However, Flow information is probabilistic because of sampling, and the path cannot be specified 100%. Specifically, when there is no attack communication in the sampling data or the detection condition (threshold value) on the flow collector side is not satisfied, it is difficult to accurately specify the attack path. As a result, in order to specify the route, further investigation is required, and operation of the maintenance person is further required.

  The present invention has been made in view of the above points, and an object thereof is to make it possible to efficiently grasp a specific communication path.

  Therefore, in order to solve the above problem, when a transfer system including a plurality of transfer devices that transfer packets in a network receives a packet that matches the conditions received from the information processing device, the transfer system receives the address of the device, predetermined flag information, A first transfer device that records the packet in the packet, and one or more second transfer devices that add the address of the device to the packet when the packet in which the predetermined flag information is recorded is received; And a third transfer device for transmitting the address group of the transfer device recorded in the packet in which flag information is recorded to the information processing device.

  It is possible to efficiently grasp a specific communication path.

It is a figure which shows the network structural example in embodiment of this invention. It is a figure which shows the hardware structural example of the control apparatus 10 in embodiment of this invention. It is a figure which shows the function structural example of the control apparatus 10 and the router R in embodiment of this invention. It is a sequence diagram for demonstrating an example of the process sequence performed at the time of attack detection It is a sequence diagram for demonstrating an example of the process sequence performed according to reception of the attack packet in GWR. It is a flowchart for demonstrating an example of the process sequence which the path | route specific part 14 performs.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings. FIG. 1 is a diagram illustrating a network configuration example according to an embodiment of the present invention. In FIG. 1, a network N1 includes a plurality of routers (transfer devices) such as routers R1 to R7. Among these, the router R1 and the router R2 are gateway routers (GWR). In the present embodiment, the router R1 of the two GWRs receives an IP packet (hereinafter referred to as an “attack packet”) from the device X that is an attack source of a cyber attack (for example, a DDoS (Distributed Denial of Service attack) attack). .) Is received first.

  The router R7 is an edge router for the device Y. The device Y is a computer or the like that is a target of a cyber attack in the present embodiment. Therefore, in the present embodiment, the transmission source of the attack packet (attack communication) is the device X and the destination is the device Y. In addition, when not distinguishing each router, it is called "router R".

  The routers R1 and R2 that are GWR and the router R7 that is an edge router are connected to the control device 10 via a predetermined line (network).

  The control device 10 is one or more computers (information processing devices) that execute processing for specifying the path of an attack packet in the network N1. That is, the control device 10 may be a single computer or may be configured by a plurality of distributed computers.

  The security device 30 detects the occurrence of the DDos attack and notifies the control device 10 of information indicating the condition of the attack packet. However, the device Y may also function as the security device 30.

  FIG. 2 is a diagram illustrating a hardware configuration example of the control device 10 according to the embodiment of the present invention. The control device 10 in FIG. 2 includes a drive device 100, an auxiliary storage device 102, a memory device 103, a CPU 104, an interface device 105, and the like that are mutually connected by a bus B.

  A program for realizing processing in the control device 10 is provided by a recording medium 101 such as a CD-ROM. When the recording medium 101 storing the program is set in the drive device 100, the program is installed from the recording medium 101 to the auxiliary storage device 102 via the drive device 100. However, the program need not be installed from the recording medium 101 and may be downloaded from another computer via a network. The auxiliary storage device 102 stores the installed program and also stores necessary files and data.

  The memory device 103 reads the program from the auxiliary storage device 102 and stores it when there is an instruction to start the program. The CPU 104 executes functions related to the control device 10 in accordance with a program stored in the memory device 103. The interface device 105 is used as an interface for connecting to a network.

  FIG. 3 is a diagram illustrating a functional configuration example of the control device 10 and the router R according to the embodiment of the present invention. In FIG. 3, the control device 10 includes an attack information receiving unit 11, a control unit 12, a route information receiving unit 13, a route specifying unit 14, and the like. Each of these units is realized by processing that one or more programs installed in the control device 10 cause the CPU 104 to execute. The control device 10 also uses the attack information storage unit 111, the route information storage unit 112, the attack route storage unit 113, and the like. Each of these storage units can be realized using, for example, the auxiliary storage device 102 or a storage device that can be connected to the control device 10 via a network.

  On the other hand, the router R includes a controlled unit 21, a packet receiving unit 22, an address recording unit 23, a route information transmitting unit 24, a packet transfer unit 25, and the like. Each of these units is realized by processing that one or more programs installed in the router R cause the CPU of the router R to execute. However, each unit may be realized by a circuit. The router R also uses the control information storage unit 26. The control information storage unit 26 can be realized using, for example, a memory included in the router R. In the present embodiment, the controlled unit 21 and the control information storage unit 26 may not include routers R1 and R2 that are GWRs. Further, the route information transmitting unit 24 may not have other than the router R7 which is an edge router.

  Hereinafter, a processing procedure executed regarding the network N1 will be described. FIG. 4 is a sequence diagram for explaining an example of a processing procedure executed when an attack is detected.

  When the security device 30 detects a DDos attack or the like from the B device to the A device, the security device 30 transmits attack information including information (for example, 5 tuple information) indicating conditions regarding the attack packet to the control device 10 (S10). Syslog or the like may be used as attack information. That is, all information that can be grasped by the security device 30 may be included in the attack information. The 5-tuple information includes a transmission source IP address (SrcIP_X), a destination IP address (DstIP_Y), a transmission source port number, a destination port number, and a protocol.

  Upon receiving the attack information, the attack information receiving unit 11 of the control device 10 stores a record including the attack information (attack A, 5 tuple information, etc.) in the attack information storage unit 111 (S102). Therefore, the attack information storage unit 111 stores such a history of attack information. “Attack A” is an identifier of an attack and is given by the attack information storage unit 111.

  Subsequently, the attack information receiving unit 11 notifies the control unit 12 of the attack information (S103). In response to the notification of the attack information, the control unit 12 transmits control information for executing special processing on the attack packet to the routers R1 and R2 that are GWRs (S104). In the control information, 5 tuple information as a condition of the packet to be controlled and predetermined flag information are recorded in a specific part of the TOS field of the attack packet (for example, 1 in an unused specific bit of the TOS field). Command). Note that the condition of the packet to be controlled is not limited to 5 tuple information. The source IP address and the destination IP address may be the condition, or only the destination IP address may be the condition.

  The controlled unit 21 of the router R1 that has received the control command stores the control information in the control information storage unit 26 of the router R1 (S105). Also, the router R2 that has received the control command executes the same processing.

  The control information may be realized by using an existing filtering mechanism such as ACL (Access Control List).

  FIG. 5 is a sequence diagram for explaining an example of a processing procedure executed in response to reception of an attack packet in the GWR.

  When the packet receiving unit 22 of the router R1 receives a packet from outside the network N1 (S201), whether or not the packet matches the condition included in the control information stored in the control information storage unit 26 in FIG. Is determined (S202). For example, it is determined whether or not the 5 tuple information of the packet matches the condition.

  When the packet does not meet the condition, a general transfer process is executed instead of the process procedure of FIG.

  When the packet matches the condition (that is, when the packet is an attack packet), the packet receiver 22 records predetermined flag information in the IP header of the packet according to the control information (S203). For example, predetermined flag information may be recorded by setting 1 to a specific unused bit in the TOS field of the packet. However, the setting destination of the predetermined flag information is not limited to the ToS field. For example, when RR, which is an IPv4 mechanism, is used, a predetermined flag is set at a specified location in the option field. Subsequently, the address recording unit 23 of the router R1 determines whether or not predetermined flag information is recorded in the packet, and based on the fact that the predetermined flag information is recorded, the IP header of the packet The IP address of the own device (router R1) is recorded in the option field (S204). Subsequently, the packet transfer unit 25 transfers the packet according to a normal transfer method (S205).

  When the packet receiving unit 22 of the transfer destination router R receives the packet, the address recording unit 23 checks whether or not predetermined flag information is recorded in the IP header of the packet (S206). . Based on the fact that the predetermined flag information is recorded in the packet, the address recording unit 23 of the router R additionally records the IP address of the router R in the option field of the IP header of the packet ( S207). That is, the IP address of the router is recorded at the end of the already recorded IP address. Subsequently, the packet transfer unit 25 of the router R transfers the packet (S208).

  Steps S206 to S208 are executed in the same way in each router R that is the transfer destination of the packet.

  When the packet is received by the packet receiver 22 of the router R7, which is an edge router, the router R7 executes the same processing as steps S206 and S207 (S209, S210). Subsequently, based on the fact that the router R7 is an edge router, the route information transmission unit 24 of the router R7 receives the 5 tuple information of the packet and the IP address string (IP address) recorded in the option field of the IP header of the packet. Group information) is transmitted to the control device 10 (S211). That is, the route information is transmitted to the control device 10 immediately before the packet is transferred to the device Y. The route information may be included in the Flow information and transmitted using a known mechanism such as sflow or NetFlow. In addition, the determination as to whether a certain router R is an edge router may be made based on a known technique.

  Subsequently, the route information receiving unit 13 of the control device 10 stores the received route information in the route information storage unit 112 (S212). Therefore, the route information storage unit 112 additionally stores route information every time the processing procedure of FIG. 5 is executed.

  Subsequently, a process executed by the route specifying unit 14 of the control device 10 will be described. FIG. 6 is a flowchart for explaining an example of a processing procedure executed by the route specifying unit 14. The processing procedure of FIG. 6 may be executed, for example, in synchronization with step S212 of FIG. 5 (following S212), or may be executed asynchronously with step S212, such as periodically.

  In step S <b> 301, the route specifying unit 14 acquires all attack information stored in the attack information storage unit 111.

  Subsequently, the route specifying unit 14 acquires all the route information stored in the route information storage unit 112 (S302).

  Subsequently, the route specifying unit 14 matches the list of attack information and the list of route information, and specifies the route information corresponding to each attack information (S303). For example, for each attack information, route information including 5 tuple information that matches the 5 tuple information included in the attack information is searched. The searched route information is associated with the attack information. As a result, it is possible to grasp the route in the network N1 for the attack packet of each DDos attack.

  The particle size (condition) of the butt does not necessarily have to be 5 tuple. For example, the association may be performed by matching only the source IP address and the destination IP address, or may be performed by matching only the destination IP address. For example, when there is a possibility that an attack has reached a single destination IP address through a plurality of routes, it is possible to grasp all the routes of the attack by colliding with only the destination IP address. is there.

  Subsequently, the path identification unit 14 stores the identification result in the attack path storage unit 113 (S304). For example, the attack information and the route information associated in step S303 are stored in the attack route storage unit 113 in a state where the association is maintained. The attack information and route information stored in the attack route storage unit 113 may be deleted from the attack information storage unit 111 or the route information storage unit 112.

  As for the recording of the IP address of each router R, the IP address of each router R may be recorded in the option field using a record route (RR) mechanism defined in IPv4 (RFC791). .

  As described above, according to the present embodiment, each of the routers to which the predetermined flag information is recorded for the communication (attack packet) suspected of being a DDos attack and the packet in which the predetermined flag information is recorded is transferred. Thus, the IP address of the router is recorded in the packet. Accordingly, it is possible to efficiently grasp a specific communication path such as communication related to the DDos attack. As a result, it is possible to expect a reduction in operating costs for the maintenance personnel.

  Specifically, it is possible to obtain equivalent information at a low cost / small amount of data compared to a case where all traffic information is collected and combined from all routers. Further, the possibility of specifying the path can be increased as compared with the case where the flow information is collected by sampling from all the routers and combined.

  Further, the present embodiment has a small need for special modification / additional development for related devices such as the router R. Basically, the present embodiment can be realized by changing the setting of each router R or the like. In addition, the present embodiment can be operated by the processing of the IP layer without expanding the mounted functions such as the description of the IP address and the setting of the flag. Therefore, the present embodiment can reduce the introduction cost.

  In addition, although this Embodiment demonstrated the example which specifies the path | route of the attack communication which concerns on a DDos attack, this Embodiment may be applied regarding the specification of the path | route regarding other specific communication.

  In the present embodiment, the router R is an example of a transfer device. The router R1 is an example of a first transfer device. Routers R2 to R6 are examples of the second transfer device. The router R7 is an example of a third transfer device. The control unit 12 is an example of a transmission unit. The route information receiving unit 13 is an example of a receiving unit. The route specifying unit 14 is an example of an associating unit. The control device 10 is an example of an information processing device.

  Although the embodiments of the present invention have been described in detail above, the present invention is not limited to such specific embodiments, and various modifications can be made within the scope of the gist of the present invention described in the claims. Deformation / change is possible.

DESCRIPTION OF SYMBOLS 10 Control apparatus 11 Attack information receiving part 12 Control part 13 Path | route information receiving part 14 Path | route specific | specification part 21 Controlled part 22 Packet receiving part 23 Address recording part 24 Path | route information transmission part 25 Packet transfer part 26 Control information storage part 30 Security apparatus 100 Drive device 101 Recording medium 102 Auxiliary storage device 103 Memory device 104 CPU
105 Interface device 111 Attack information storage unit 112 Route information storage unit 113 Attack route storage unit B Bus R1, R2, R3, R4, R5, R6, R7 Router X device Y device

Claims (8)

A transfer system including a plurality of transfer devices for transferring packets in a network,
When receiving a packet that matches the conditions received from the information processing device, a first transfer device that records the address of the device and predetermined flag information in the packet;
When receiving the packet in which the predetermined flag information is recorded, one or more second transfer devices that add the address of the device to the packet;
A third transfer device that transmits an address group of the transfer device recorded in the packet in which the predetermined flag information is recorded, to the information processing device;
A transfer system comprising: The third transfer device transmits the address group of the transfer device recorded in the packet to the information processing device immediately before the packet in which the predetermined flag information is recorded is transferred to a destination address.
The transfer system according to claim 1. Further including the information processing apparatus,
The information processing apparatus includes:
A transmitter that transmits the condition to the first transfer device;
A receiving unit for receiving the address group from the third transfer device;
An association unit associating the address group with communication according to the condition;
The transfer system according to claim 1, further comprising: The information processing apparatus according to claim 1 or 2,
A transmitter that transmits the condition to the first transfer device;
A receiving unit for receiving the address group from the third transfer device;
An association unit for associating the address group with communication information according to the condition;
An information processing apparatus comprising: A transfer method executed by a plurality of transfer devices that transfer packets in a network,
When the first transfer device receives a packet that matches the conditions received from the information processing device, a procedure for recording the address of the device itself and predetermined flag information in the packet;
When one or more second transfer apparatuses receive a packet in which the predetermined flag information is recorded, a procedure for adding the address of the own apparatus to the packet;
A procedure in which a third transfer device transmits an address group of the transfer device recorded in the packet in which the predetermined flag information is recorded to the information processing device;
The transfer method characterized by performing. The third transfer device transmits the address group of the transfer device recorded in the packet to the information processing device immediately before the packet in which the predetermined flag information is recorded is transferred to a destination address.
6. The transfer method according to claim 5, wherein: The information processing apparatus is
A transmission procedure for transmitting the condition to the first transfer device;
A receiving procedure for receiving the address group from the third transfer device;
An association procedure for associating the address group with communication according to the condition;
7. The transfer method according to claim 5 or 6, wherein: The information processing apparatus according to claim 1 or 2,
A transmission procedure for transmitting the condition to the first transfer device;
A receiving procedure for receiving the address group from the third transfer device;
An association procedure for associating the address group with communication according to the condition;
The information processing method characterized by performing.

Images