JP3549861B2 - Distributed denial of service attack prevention method and apparatus, and computer program therefor - Google Patents

Description

[0001]
TECHNICAL FIELD OF THE INVENTION
The present invention relates to a method for preventing a denial of service attack, a device therefor, and a computer program for protecting devices connected to a network from attacks via the network.
[0002]
[Prior art]
Conventionally, network protocols such as Transmission Control Protocol / Internet Protocol (TCP / IP) are open and are designed to be used by mutually trusted groups. For this reason, the computer operating system sends a large amount of communication traffic (data, etc.) to the server, thereby consuming network bandwidth and server resources, thereby preventing a legitimate user from using the service. (Hereinafter referred to as "DoS (Denial of Service) attack") is not considered. Although methods of defense against such DoS attacks are increasing, methods of defense against distributed denial-of-service attacks (DDoS attacks) in which DoS attacks are simultaneously performed from a plurality of locations are not effective yet.
[0003]
As a method of defense against this distributed DoS attack, there are Ingress Filter (RFC2267) proposed by Cisco and Center Track of UUNET. The former is a mechanism for checking for spoofing of a source address, which is often used in a distributed DoS attack. The local area network is installed on a router that is a boundary connected to the Internet, and is transmitted from the local area network to the Internet. Check the legitimacy of the source address of the transmitted packet, and if it does not match the address assigned to the local area network, discard the packet without sending it to the Internet.
[0004]
[Problems to be solved by the invention]
This technology is a technology for prohibiting a distributed DoS attack by spoofing a source address, and is not a technology used by an attacked party to defend. The latter is a technology in which a diagnostic function is added to an Internet router to track the source of a distributed DoS attack. While this technique helps victims to identify the attacker, it does not protect them when they are actually under attack.
[0005]
The Ingress Filter described in the above-mentioned RFC2267 cannot deal with an attack by an IP packet whose source is a correct IP (Internet protocol) address. However, if the router does not have an ingress filter, there is a problem that it is not useful for attack defense at all. In addition, the above-mentioned Center Track makes it difficult to trace when an attacker misrepresents a source address, and furthermore, a computer that is an attack source of distributed DoS distributed in a plurality of locations and a computer connected to the computer. Without contacting the administrator of the network being attacked, the attack itself cannot be stopped, so there is a problem that it takes hours or even days to actually stop the attack.
[0006]
The present invention has been made in view of the above circumstances, and has as its object to protect a distributed DoS attack by a packet whose source address has been spoofed, regardless of whether the source address is spoofed. The present invention provides a distributed denial of service attack prevention apparatus and method capable of protecting a computer, and a computer program therefor.
[0007]
Further, an object of the present invention is to manage a program module to be transmitted to a communication device and realize authentication of a developer or a user of the program module in order to realize the above-mentioned method of preventing a distributed denial of service attack. And a module server capable of improving the reliability of the entire communication system.
[0008]
[Means for Solving the Problems]
In order to solve the above-mentioned problem, the present invention relates to a communication device for preventing a distributed denial of service attack, which monitors a communication packet passing through the communication device and detects a distributed denial of service attack. A functional unit, an attack defense module that discards a communication packet of the distributed denial of service attack when the distributed denial of service attack is detected, and an attack that searches for an address of a higher-level communication device close to the attack source. A source search module, a module transmission unit that transmits the attack source search module to the communication device at the upper defense position, and a candidate of a higher communication device close to the attack source searched by the attack source search module. An attack source determining function unit that extracts a communication device to be a higher defense position from the attack source determining unit; and the module transmitting unit includes the attack source determining function unit. Thus the gist of the communication device, characterized in that on the extracted communication apparatus defense position of the upper side is to transmit the attack protection module.
[0009]
Further, in the communication device of the present invention, the module transmitting unit, together with the attack source search module, transmits attack packet information relating to a communication packet detected as a distributed denial of service attack by the traffic monitoring function unit to the upper side. The attack source search module compares the attack packet information received from the module transmission unit with a communication packet passing through the communication device, and transmits the attack packet information to the attack source search module. If it is detected that the corresponding communication packet is passing through the communication device, it is determined that the communication device itself is a candidate for the communication device at the defense position. Attack source search module It is characterized in that a traffic inspection function unit for notifying the communication device of the transmission source is included.
[0010]
Further, in the communication device of the present invention, the attack defense module includes an attack traffic monitoring function unit that monitors whether the attack is ongoing, and an attack traffic monitoring function unit that determines that the attack is interrupted. Is characterized by including a self-destruction function unit that deactivates the attack defense module itself from the communication device that is executing the process.
[0011]
Further, the communication system of the present invention is the communication device described above, a module server that transmits a program module to the communication device, a program module database that stores a program module installed in the communication device, A developer database that manages developers of program modules that can request storage of program modules; a user database that manages users who can request to install the program modules in the communication device; and the stored program modules. A service menu displayed to the user as a menu, and a service manager for authenticating the authority of the user if the user requests to install the program module displayed in the service menu. If, when it is confirmed the authentication is characterized in that consisting of a module server and a service module injector to be transmitted to the communication device the program modules.
[0012]
The communication device of the present invention further includes a traffic monitoring function unit that monitors a communication packet passing through the communication device and detects a distributed denial of service attack, and includes a distributed denial of service when the distributed denial of service attack is detected. An attack defense module for discarding the communication packet of the attack and searching for an address of a higher-level communication device close to the attack source; and a module transmission unit for transmitting the attack protection module to the higher-level communication device. It is characterized by having.
[0013]
Further, in the communication device of the present invention, the module transmitting unit transmits the attack packet information on the communication packet detected by the traffic monitoring function unit as a distributed denial of service attack together with the attack defense module to the upper-layer communication. The attack defense module compares the attack packet information received from the module transmission unit with a communication packet passing through the communication device, and corresponds to the attack packet information. A traffic inspection function unit for detecting that a communication packet is passing through the communication device is included.
[0014]
Further, in the communication device of the present invention, the attack defense module includes an attack traffic monitoring function unit that monitors whether the attack is ongoing, and an attack traffic monitoring function unit that determines that the attack is interrupted. Is characterized by including a self-destruction function unit that deactivates the attack defense module itself from the communication device that is executing the process.
[0015]
Further, the communication system of the present invention is the communication device described above, a module server that transmits a program module to the communication device, a program module database that stores a program module installed in the communication device, A developer database that manages developers of program modules that can request storage of program modules; a user database that manages users who can request to install the program modules in the communication device; and the stored program modules. A service menu displayed to the user as a menu, and a service manager for authenticating the authority of the user if the user requests to install the program module displayed in the service menu. If, when it is confirmed the authentication is characterized in that consisting of a module server and a service module injector to be transmitted to the communication device the program modules.
[0016]
Further, the method for preventing a denial of service attack of the present invention, when detecting a distributed denial of service attack in the communication device, discards the communication packet of the distributed denial of service attack in the communication device, and detects the detected distributed denial of service attack. A search is performed for a higher-level communication device that is closer to the attack source of the attack, a program module is transmitted to the higher-level communication device obtained as a result of the search, and the program is transmitted to the higher-level communication device that has received the program module. By executing the module, the process of discarding the communication packet of the distributed denial of service attack, the process of searching for the communication service of the upper side, and transmitting the program module to the communication device of the upper side Recursively until it reaches the highest communication device closest to the attack source. It was carried out, and is characterized in that to discard the communication packet of the distributed denial of service in a communication device of the highest level.
[0017]
Further, in the method for preventing a denial of service attack of the present invention, when transmitting the program module to a higher-level communication device, the program module and the communication module related to the communication packet detected as a distributed denial of service attack are transmitted together with the program module. The communication device that transmits the attack packet information to the upper communication device, and the communication device that receives the program module and the attack packet information executes the program module to execute the attack packet information and the communication device. If it is detected that the communication packet corresponding to the attack packet information is passing through the communication device by comparing the communication packet passing through the communication device, the communication device itself is determined as a candidate for the communication device at the defense position. That there is Attack source search module The transmission source communication device is notified.
[0018]
In the method for preventing a denial of service attack according to the present invention, the higher-level communication device that has received the program module executes the program module to monitor whether the attack is ongoing and to determine whether the attack is ongoing. If it is determined that the program module has been interrupted, the program module itself is deleted from the communication device.
[0019]
Further, the recording medium of the present invention is a computer readable recording medium which records a computer program executed on a communication device to prevent a distributed denial of service attack, and monitors a communication packet passing through the communication device. Performing a process of continuously discarding the communication packet of the denial of service attack when the communication packet of the denial of service attack is detected by this monitoring; and A step of determining whether or not there is, and in the case of a distributed denial-of-service attack, a higher-level communication device close to the attack source is extracted by referring to the database, and these higher-level communication devices are Sends an attack source search module to search for the attack source, and sends information on the defense position from the destination communication device. And Shin is a record of the computer program for executing the processes of the step of transmitting the attack protection module for protecting an attack on the upper side of the communication device to the computer based on the information of the protection position.
[0020]
Further, the recording medium of the present invention records a computer program for attack source search transmitted from a lower communication device to a higher communication device and executed on the higher communication device in order to prevent a distributed denial of service attack. A computer-readable recording medium that compares a communication packet passing through the communication device with attack packet information related to a denial of service attack, and determines whether the communication packet of the denial of service attack passes through the communication device. Inspecting whether or not the communication result of the denial-of-service attack has passed through the communication device; and
a) when there is no higher-level communication device closer to the attack source than the own communication device itself, the communication device itself is notified to the lower-level communication device as the highest-order communication device;
b) The case where there is a higher-level communication device closer to the attack source than the communication device itself, and as a result of transmitting the attack source search computer program to the higher-level communication device, If no notification that the communication packet of the denial of service attack has passed does not come, the self communication device itself is notified to the lower communication device as the highest communication device,
c) There is a higher-level communication device closer to the attack source than the communication device itself, and as a result of transmitting the attack source search computer program to the higher-level communication device, If at least one notification that a communication packet of a denial of service attack has passed is received, the own communication device itself is not set as the highest communication device,
And a computer program for causing a computer to execute each of the steps a) to c).
[0021]
Further, the recording medium of the present invention is a computer-readable recording medium recording a computer program for attack prevention executed on a communication device in order to prevent a distributed denial of service attack, which passes through the communication device. The communication packet is compared with the attack packet information on the denial of service attack to check whether the communication packet of the denial of service attack has passed through the communication device. ,
a) performing a process of continuously discarding communication packets of the denial of service attack;
b) extracting a higher-level communication device closer to the attack source by referring to the database;
c) transmitting the attack defense computer program itself to the extracted upper communication device;
A) recording a computer program for causing a computer to execute each of the processes a) to c).
[0022]
The present invention is also a computer program executed on a communication device to prevent a distributed denial of service attack, comprising the steps of: monitoring a communication packet passing through the communication device; When detecting a communication packet, performing a process of continuously discarding the communication packet of the denial of service attack; and determining whether the denial of service attack is a distributed denial of service attack, In the case of a distributed denial of service attack, an attack for extracting higher-level communication devices close to the attack source by referring to the database and searching for the higher-level communication devices for these higher-level communication devices The source search module is transmitted, the information of the defense position is received from the communication device of the transmission destination, and the upper-layer communication is performed based on the information of the defense position. It is intended to execute the process in the step of transmitting the attack protection module for protecting an attack on location to the computer.
[0023]
Further, the present invention is a computer program for attack source search transmitted from a lower communication device to a higher communication device and executed on the higher communication device in order to prevent a distributed denial of service attack, A communication packet passing through the communication device is compared with attack packet information related to the denial of service attack to check whether a communication packet of the denial of service attack is passing through the communication device. Notifying the communication device of the above, and as a result of this inspection, if the communication packet of the denial of service attack has passed through the communication device,
a) when there is no higher-level communication device closer to the attack source than the own communication device itself, the communication device itself is notified to the lower-level communication device as the highest-order communication device;
b) The case where there is a higher-level communication device closer to the attack source than the communication device itself, and as a result of transmitting the attack source search computer program to the higher-level communication device, If no notification that the communication packet of the denial of service attack has passed does not come, the self communication device itself is notified to the lower communication device as the highest communication device,
c) There is a higher-level communication device closer to the attack source than the communication device itself, and as a result of transmitting the attack source search computer program to the higher-level communication device, If at least one notification that a communication packet of a denial of service attack has passed is received, the own communication device itself is not set as the highest communication device,
A) to execute any one of the steps a) to c).
[0024]
Further, the present invention is an attack defense computer program executed on a communication device to prevent a distributed denial of service attack, comprising: a communication packet passing through the communication device; attack packet information on a denial of service attack; To determine whether the communication packet of the denial of service attack has passed through the communication device. If the check result indicates that the communication packet has passed,
a) performing a process of continuously discarding communication packets of the denial of service attack;
b) extracting a higher-level communication device closer to the attack source by referring to the database;
c) transmitting the attack defense computer program itself to the extracted upper communication device;
A) to c) are executed by a computer.
[0029]
BEST MODE FOR CARRYING OUT THE INVENTION
Hereinafter, embodiments of the present invention will be described with reference to the drawings. The following embodiments do not limit the interpretation of the claims of the present invention. In addition, it is not always essential to combine all the features described in the following embodiments to achieve the above object.
[0030]
<First embodiment>
Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. FIG. 1 is a configuration diagram of a network to which the present invention can be applied. The hosts 113, 114, 116, and 117 operated by the distributed DoS attacker are transmitting attack packets to the attacked server 101. The local area network (LAN) in which the attacker's server 101 is housed is connected to an external network by a border router (communication device) 102. Filtering is installed. Routers (communication devices) 103, 104, 106, 107, 108, 109, 110, and 111 are also routers to which the technology of the present invention is applied, and can receive and execute programs transmitted via a network. Features are provided. Note that the router 105 is a normal router to which the technology of the present invention is not applied.
[0031]
In the network shown in FIG. 1, the distributed DoS attack causes the attack packets to concentrate on the victim-accommodating LAN, causing congestion, thereby consuming the resources of the border router 102. In some cases, it becomes impossible to connect to the server 101 from computers 112, 115, and 118 of legitimate users unrelated to the distributed DoS attacker.
[0032]
Next, FIG. 2 shows a method of defending against a distributed DoS attack performed in the network shown in FIG. In the embodiment of FIG. 2, the mobile packet filtering program of the present invention installed in the border router 102 creates a copy of its own program and moves the copy to the routers 106, 107, 109, 110 by a method described later. Let it. The mobile packet filtering program that has moved to each router prevents all the traffic sent from the distributed DoS attacker's host 113, 114, 116, 117 to the server 101 from passing. As a result, the load on the border router 102 is reduced, the congestion of the LAN accommodating the victim is eliminated, and the server 101 can be accessed from the computers 112, 115, and 118 of regular users other than the distributed DoS attacker. . Thereafter, when an attack on the server 101 from the host 113, 114, 116, 117 of the distributed DoS attacker is completed, the mobile packet filtering program installed in the routers 106, 107, 109, 110 is attacked. The history is transmitted to the copy source mobile packet filtering program installed in the border router 102, and the router itself is deleted from the routers 106, 107, 109, and 110. Further, the mobile packet filtering program of the present invention can be applied to various network forms and communication contents.
[0033]
Next, the processing procedure of mobile packet filtering will be described with reference to the flowcharts of FIGS. In the initial state, this mobile packet filtering is installed in a boundary router (for example, the router 102 in the networks shown in FIGS. 1 and 2) located at a contact point where the network to be protected is connected to another network. ing.
[0034]
In this state, in step S001 shown in FIG. 3, the mobile packet filtering monitors the transferred packet (traffic). Then, in S002, it is determined whether or not the monitoring result is a DoS attack. If a DoS attack is not detected as a result of this determination, the process returns from step S002 to step S001. That is, when a DoS attack is not detected, the monitoring in step S001 and the determination in step S002 are repeated. In step S002, a pattern of DoS attack data can be detected by using a well-known DoS attack detection algorithm.
[0035]
If a DoS attack is detected in step S002, the process proceeds to step S003, and a new process is generated in step S003. The original process and the newly created process can proceed in parallel. The original process returns to step S001 and continues to monitor the received traffic.
[0036]
As described in steps S004 to S006, the first process newly generated in step S003 performs a process of discarding the detected attack packet in the router, and performs packet processing while the attack packet continues. Continue to destroy. If the attack packet has stopped, the packet discarding process ends.
[0037]
In the second process newly generated in step S003, as described in steps S007 to S014, a process for moving the defense position to the upper router is performed. First, in step S007, it is determined whether or not a distributed DoS attack has occurred. The determination as to whether or not this is a distributed DoS attack can be made by a known technique. If the result of this determination is not a distributed DoS attack, the process is terminated as is, and if it is a distributed DoS attack, the flow proceeds to step S008 in FIG.
[0038]
In step S008, a router that can be an upper router is searched for by referring to an adjacent router database included in the router. Here, a router that can be an upper router is a router that is adjacent to the router and that can perform the function of mobile packet filtering to which the present invention is applied. Taking the network shown in FIG. 2 as an example, the neighboring router database provided in the border router 102 stores routers 103, 104, and 111 as possible routers. The routers 103 and 104 are routers adjacent to the border router 102 and perform the function of the mobile packet filtering of the present invention. In addition, since the router 105 is a normal router to which the present invention is not applied, the router 111 that is further ahead on the route from the border router 102 to the router 105 is an upper router of the border router 102. That is, among the routers equipped with the technology of the present invention, information on adjacent routers is stored in the adjacent router database as a network topology.
[0039]
The result of the search in step S008 is determined in step S009, and if no upper router has been searched (NO), the process ends. If the upper router has been found (in the case of YES), the process proceeds to the next step S010. In the example shown in FIG. 2, the upper routers 103, 104, and 111 are searched as neighbor routers of the border router 102, and thus the process proceeds to S010.
[0040]
In step S010, the attack source search module holding the information of the packet of the distributed DoS attack that is the current search target is transmitted to the upper routers 103, 104, and 111 detected above.
[0041]
In step S011, the attack source search module executes the attack source search module on the upper router that has received the above attack source search module, thereby searching the optimum position for defense of the attack. Returned to lower router. If there is an upper router further than the upper router, the attack source search module is transmitted recursively to search for a defense position.
[0042]
In step S012, the original router receives the search result from the upper router, and sorts out the redundant information of the received address. The arrangement of the redundant information will be described later in detail. When the arrangement of the redundant information is completed, in step S013, it is checked whether the received address exists. If it does not exist (in the case of NO), the process ends as it is. If it does exist (in the case of YES), the attack defense module is transferred to the address remaining after the arrangement of the redundant information in step S014, and then The process ends.
[0043]
Next, the processing contents of the attack source search module called in step S011 of FIG. 4 will be described with reference to the flowcharts of FIGS. In step S101 in FIG. 5, the transmitted attack source search module arrives at the upper router. In the example of the network shown in FIG. 2, the modules arrive at the upper routers 103, 104, and 111 from the boundary router 102, respectively. Here, execution of the module that arrives at the router 103 will be described as an example.
[0044]
In step S102, it is checked whether or not the attack packet has passed through the router 103 by using the attack packet information held by the attack source search module, and the result is reported to the transmission source router. In step S103, the inspection result is checked. If the attack packet has not passed (NO), the process proceeds directly to step S112. If the attack packet has passed (YES), the process proceeds to step S104 in FIG.
[0045]
In step S104, it is checked whether the attack defense module can be installed. This check is, for example, a check to check whether various resources for operating the module on the router are sufficient. Then, in step S105, the above-described inspection result is determined. If the installation is possible (in the case of YES), the own address (router 103) is held as a candidate for the highest router address in step S114, and the process proceeds to step S106. move on. If installation is not possible (NO), the process directly proceeds to step S106.
[0046]
In step S106, the adjacent router which can be an upper router is searched for by referring to the adjacent router database included in the own (router 103). For the router 103, the routers 102, 106, 107, and 108 are extracted as adjacent routers.
[0047]
Then, in step S107, it is checked whether or not there is a further upper router among the routers extracted above. Here, since the router 102 is the transmission source of the attack source search module, the routers 106, 107, and 108 are not higher routers of the router 103 but are higher routers. If there is no further upper router (in the case of NO), the process proceeds to S108, and the held highest router candidate is transmitted to the transmission source of the attack source search module. If there is another upper router (in the case of YES), the process proceeds to step S109.
[0048]
In step S109, the attack source search module holding the DoS attack information is duplicated and transmitted to all the detected upper routers, and a response from all of the duplicated attack source search modules is waited for.
[0049]
In step S110, the upper router that has received the attack source search module transmitted in step S109 executes the module to perform the process of searching for the optimal defense position. That is, the upper router is searched recursively.
[0050]
In step S111, the response from the attack source search module that has been duplicated and transmitted is checked. If there is a reply that the attack has passed in one or more search modules (in the case of YES), the process proceeds to step S112. To end the process. On the other hand, if all the replies from the search module indicate that the attack has not passed (NO), the process proceeds to S108, and the held highest-level router candidate is sent to the sender of the attack source search module. Send to
[0051]
The method of organizing the redundant information of the address of the search result described in step S012 in FIG. 4 will be described in detail. FIG. 7 is a schematic diagram showing a procedure for organizing address redundancy information. According to the procedure described above, the mobile packet filtering program detects the router closest to the attack source for each identified attack.
[0052]
A table T001 illustrated in FIG. 7 indicates information collected as a result of the search. In the case of this example, each attack (attack source addresses are “111.11.11.111”, “111.11.11.122”, and “111”) represented in the first to third rows of the table. .111.11.333 "), there is a possibility that the router closest to the attack source (address is" 111.11.111.1 ") may be the same. Such redundant information is edited and consolidated into one in the table T002.
The duplicated mobile packet filtering program is not duplicated by the number of attacks that can be detected from the table T001, but is duplicated by the number of routers detected from T002. It is not sent to the upper router. Also, not all the copied mobile packet filtering programs retain all the collected information as shown in Table T002, but use the mobile packet filtering at the destination where the copy is made to protect against attacks. Only the information to be processed is extracted and stored in an efficient format as shown in T003.
[0053]
Next, a processing procedure of the above-described copied mobile packet filtering program will be described. FIG. 8 is a flowchart showing a processing procedure of the mobile packet filtering program. Hereinafter, description will be given along this flowchart.
[0054]
First, in step S021, upon receiving information that is copied and necessary for defense against an attack, the program is moved (transmitted) toward a router to be installed. Next, the process proceeds to step S022, in which the installed router performs a process of discarding all packets from the attack source to the attack destination. Next, the process proceeds to step S023 to measure the time from the time when the last attack stopped, and if the attack is restarted before the measured time reaches a certain time, the process returns to step S022 to continue the defense and measure. If the time has reached a certain time, the process proceeds to step S024.
[0055]
In step S024, history information (log) on the attack is transmitted to the copy source mobile packet filtering program. Finally, the process proceeds to step S025 to delete its own program from the router, and ends the processing.
[0056]
Next, a configuration for executing the processing procedure described above will be described. FIG. 9 is a configuration diagram illustrating a configuration of the router according to the present embodiment. As shown in the figure, an operating system (OS) runs on the hardware of this router, and the module of the present invention runs on this operating system. The operating system controls activation and termination of the entire system, and provides a packet filtering function, a traffic schedule management function, a socket function, a routing table management function, a relay packet distribution function, and the like.
[0057]
FIG. 10 is a configuration diagram illustrating a functional configuration for preventing a distributed DoS attack according to the present embodiment. As shown in the figure, each function for realizing the present invention operates in an environment on router middleware. The router middleware environment is an environment provided by the operating system as a virtual machine. Hereinafter, each function shown in FIG. 10 will be individually described.
[0058]
The attack source determination function unit has a function of extracting a router to which an attack defense module (mobile packet filtering module) is sent from the attack source candidates searched by the attack source search module. This attack source determining function unit performs the process of step S012 shown in FIG.
[0059]
The attack source search module is a program module sent to another router in order to search for the address of the router closest to the attack source. This attack source search module performs the processing shown in FIGS.
[0060]
The attack defense module (mobile packet filtering module) is a program module sent to a router close to the attack source to stop the attack. This attack defense module performs the processing shown in FIG.
[0061]
The attacking router information receiving unit has a function of receiving information on the attacking router as a search result from the attacking source search module operating on the upper router. The information of the attacking router is information transmitted from the upper router in the process of step S114 in FIG.
[0062]
The attack source address management unit has a function of storing and managing the address received by the attack source router information receiving unit from the attack source search module, that is, the address of the destination router of the attack defense module.
[0063]
The attack information management unit has a function of managing information on distributed DoS attacks.
[0064]
The traffic monitoring function unit has a function of monitoring traffic passing through the router and detecting a distributed DoS attack. The traffic monitoring function unit makes the determination in steps S002 and S007 shown in FIG.
[0065]
The module duplication function unit has a function of duplicating the attack source search module and the attack defense module.
[0066]
The adjacent router database is a database to which the technology of the present invention is applied, and stores information of a router adjacent to the router on a network topology.
[0067]
The attacking router information receiving unit has a function of receiving information on the attacking router as a search result from the attacking source search module operating on the upper router.
[0068]
The module transmission unit has a function of transmitting the attack source search module and the attack defense module to another router.
[0069]
The attack defense function unit has a function of discarding an attack packet.
[0070]
The attack source address organizing unit has a function of organizing the address information on the optimal defense position received from the upper router. That is, the attack source address organizing unit performs a process of organizing the redundancy of the address as shown in FIG.
[0071]
FIG. 11 is a configuration diagram showing a more detailed configuration of the attack source search module. As shown in the figure, the attack source search module includes an adjacent router inspection function unit, a traffic inspection function unit, an attack notification function unit, and a self-destruction function unit. Information can be retained.
[0072]
The adjacent router inspection function unit has a function of extracting an inspection target as an upper router from an adjacent router database provided in the router.
[0073]
The traffic inspection function compares the traffic passing through the router with the attack packet information, and records the upper router as the top router candidate when it detects that the attack packet is passing the router. Having.
[0074]
The attack notification function unit notifies the duplicated attack search module of the address of the top router candidate after the search of the attack source is completed, and the attack is performed if no attack was performed during the search of the attack source. Has the function of notifying that the operation has not been performed.
[0075]
The self-destruction function unit has a function of deleting the attack source search module from the router when the attack source search module becomes unnecessary.
[0076]
The attack packet information holds one of the attack source candidates of the distributed DoS attack. The top router candidate holds information of the top router candidate of the attack source.
[0077]
FIG. 12 is a configuration diagram showing a more detailed configuration of the attack defense module. As shown in the figure, the attack defense module includes each of an attack defense function unit, an attack traffic monitoring function unit, and a self-destruction function unit, and can hold attack packet information.
[0078]
The attack defense function unit has a function of discarding an attack packet. The attack traffic monitoring function unit monitors whether the attack is ongoing. The self-extinguishing function unit has a function of extinguishing the attack defense module itself from the router when the attack is interrupted.
[0079]
In summary, in order to facilitate understanding of the present embodiment, the apparatus for performing packet filtering is not limited to one router or a router installation location, and the packet filtering program is located at an optimal position for preventing a distributed DoS attack. Move to a router that exists. In order to detect the optimal position to be the destination, the packet filtering program uses an existing tracking technology such as a known technology, such as Center Track, and sends its own program to the source of the distributed DoS attack. To move.
[0080]
The present invention also includes a mechanism that can make a copy of a packet filtering program and move the copy to routers located at various locations. This mechanism is used to protect against a distributed DoS attack by operating packet filtering at each source of the distributed DoS attack that simultaneously attacks from a plurality of locations. In the system according to the present invention, the packet filtering function is installed in a router located at the boundary where the local area network to be protected is initially connected to the Internet, and detects a distributed DoS attack when a distributed DoS attack is detected. Move replicas to routers near each of the multiple attack sources. Since the destination is the router that is as close as possible to the attack source, the router that exists on the boundary where the local area network to which the attacking terminal is connected is connected to the Internet is the most effective, but it is not necessarily the boundary It does not need to be a router that exists in
[0081]
The duplicated packet filtering function has a function of storing its own movement history and history of filtered packets and transmitting the same to the duplication source.
[0082]
Further, the copied packet filtering function has a function of deleting itself. This can be done by removing itself from the router after a certain amount of time has passed since the end of the attack that duplicated packet filtering prevented, or by installing duplicated packet filtering. This operation is deleted according to the policy of the existing router.
[0083]
As described above, according to the present embodiment, when defending a distributed DoS attack by a packet whose source address has been spoofed, regardless of whether the source address is spoofed, a method of preventing a distributed denial of service attack that can defend the attack and Equipment can be provided.
[0084]
<Second embodiment>
Next, a second embodiment of the present invention will be described. In the first embodiment described above, the attack source search module moves while holding all the attack information. In the second embodiment, the attack source search module holds only one attack source information. There is a feature that it moves.
[0085]
FIGS. 13 and 14 are flowcharts showing the procedure of the mobile packet filtering process according to the present embodiment. Hereinafter, description will be given along this flowchart.
[0086]
The processing from steps S201 to S203 in FIG. 13 is the same as the processing from steps S001 to S003 shown in FIG. Further, the processing from steps S204 to S206 and the processing in step S207 are also the same as the processing from steps S004 to S006 and the processing in step S007 shown in FIG. 3, respectively.
[0087]
The processing from steps S208 to S209 in FIG. 14 is the same as the processing from steps S008 to S009 shown in FIG. In step S210, one new attack source address is extracted from the attack source address management unit. If it is determined in step S211 that the processing for all addresses has been completed, the entire processing ends. Further, in steps S212 to S216, the same processing as in steps S010 to S014 shown in FIG. 4 is executed for the attack source address extracted in step S210. Then, the process returns to step S210, and the process of the next attack source address is extracted.
[0088]
Note that, in the second embodiment, the processing procedures of the attack source search module and the attack defense module transmitted to the upper router are the same as those in the first embodiment.
[0089]
<Third embodiment>
Next, a third embodiment of the present invention will be described. In the first and second embodiments, the attack source search module and the attack defense module are separate modules. However, in the third embodiment, the function of the attack source search module and the function of the attack defense module are different. (Hereinafter referred to as “attack defense module B” for the sake of convenience).
[0090]
FIGS. 15 and 16 are flowcharts illustrating the procedure of the mobile packet filtering process according to the present embodiment. Hereinafter, description will be given along this flowchart.
[0091]
The processing from steps S301 to S303 in FIG. 15 is the same as the processing from steps S001 to S003 shown in FIG. Further, the processing from steps S304 to S306 and the processing in step S307 are also the same as the processing from steps S004 to S006 and the processing in step S007 shown in FIG. 3, respectively.
[0092]
The processing from steps S308 to S309 in FIG. 16 is the same as the processing from steps S008 to S009 shown in FIG. In step S310, the attack defense module B holding the information of the attack packet is transmitted to all the upper routers obtained in step S309. Then, in step S311, the process of the attack defense module B is executed in the destination upper router. In other words, the attack defense is performed in the upper router, the higher router is searched, and the module is recursively transmitted to the higher router.
[0093]
FIG. 17 is a flowchart illustrating a procedure of processing of the attack defense module B according to the present embodiment. Hereinafter, description will be given along this flowchart.
[0094]
In step S401 in FIG. 17, the transmitted attack defense module B arrives at the upper router. In step S402, it is checked whether or not the attack packet has passed through the router using the attack packet information held by the attack defense module B. If the attack packet has passed, the process proceeds to step S402. Proceeding to S403, if it has not passed, the attack defense module B itself disappears from the router in step S411, and the process ends.
[0095]
In step S403, a new process is generated so that the discard of the attack packet and the search for the upper router can be performed in parallel.
[0096]
The first process forked in step S403 discards the attack packet until the attack is stopped in steps S404 to S406, deletes the own process, and ends the process. The processing from steps S404 to S406 is the same as the processing from steps S004 to S006 shown in FIG.
[0097]
The second process branched (forked) in step S403 performs the processing from steps S407 to S410. Note that the processing from steps S407 to S410 is the same as the processing from steps S308 to S311 shown in FIG. Thereafter, in step S411, the own process is deleted, and the process ends.
[0098]
That is, the attack defense module B recursively searches for the upper router, transmits the attack defense module B itself to the upper router, and further executes the processing of the attack defense module B in the destination upper router. Then, the recursion stops at the highest router closest to the attack source, and the highest router continues to discard the attack packet until the attack is stopped.
[0099]
FIG. 18 is a configuration diagram showing a configuration of the attack defense module B having both a function of searching for an attack source and a function of defending an attack. As shown in the figure, the attack defense module B includes the adjacent router inspection function unit, the traffic inspection function unit, the attack protection function unit, the attack traffic monitoring function unit, and the self-destruction function unit. Information can be stored.
[0100]
Among these, the adjacent router inspection function unit, the traffic inspection function unit, and the self-destruction function unit are the same as the respective function units having the same names shown in FIG. 11 as the configuration of the attack source search module in the first embodiment. belongs to. The attack defense function unit is the same as the attack defense function unit also shown in FIG.
[0101]
<How to execute various functions on a network relay node (router)>
In the first to third embodiments, it is possible to transfer a program module from a router to a router, execute the program module on a receiving router, and perform processing on communication data passing through a relay node. Was assumed. Here, a method of transferring and executing such a program module will be described.
[0102]
In recent years, as the use of the Internet has expanded in various fields, it is no longer possible to meet various needs of users simply by transferring packets by network nodes. In addition, various network device manufacturers have realized new services such as multicasting and Resource Reservation Protocol (RSVP) by upgrading the firmware of network devices.
[0103]
On the other hand, what is called active network technology is to rapidly develop new network services by providing a program execution environment to network relay nodes and executing standardized function modules on the execution environment. The goal is to be able to. In a conventional network, a communication terminal can hardly specify any options other than the source or destination address of an IP packet. However, in this active network, a packet transmitted from a communication terminal of a transmission source is transmitted. It is possible to specify what kind of processing should be performed before reaching the communication terminal. The active network system can be divided into the following three points.
[0104]
First, there is an active packet method. The active packet method is a method of embedding a small program in a packet. This program is taken out and executed by the relay node. The second is an active node method. The active node method is a method in which a program is installed in a relay node in advance. A program to be executed in the relay node is specified by adding an ID for identifying a service defined in advance to the packet. The third active packet node is a combination of the first and second schemes, combining the advantages of both. These three types of systems are required to use a new header system such as an ANEP (Active Network Encapsulation Protocol) header.
[0105]
The above-mentioned new services such as multicast and RSVP have been realized by upgrading the firmware of the network equipment. However, this method is costly and requires time for service development, and requires software for different hardware. Have to be developed.
[0106]
In addition, the above three methods of the active network use conventional IP packets, such as embedding a program in a packet or adding a predefined service ID before the packet is transmitted from a terminal that transmits data. It is necessary to add information for giving an instruction to perform processing on the transmission data that did not exist. In order to realize these, a process of adding information to a packet is performed by an application of a terminal that sends out data or a processing program of an IP packet. For this reason, there is a problem that an application on a communication terminal and a processing program of an IP packet need to be changed, and a burden is imposed on cost.
[0107]
In the present invention, the service module can be moved without being limited to the type of the relay node, and the communication module such as a computer is used to use the service module installed in the relay node. The following means are provided so that the program can be operated on a network communication device without changing the installed software.
[0108]
That is, a method and an apparatus for operating a program on a network communication device used in the present invention are a platform means for dynamically installing a program on a relay node arranged on a network, and an application for the installed program. Means for providing an interface, when the program operates, means for delivering a packet to the program if the packet sent to the relay node is a processing target of the program, and after the processing is completed. Means for transmitting a packet.
[0109]
A technique for operating a program in this network communication device will be described using a more detailed implementation method with reference to the drawings.
[0110]
FIG. 19 is a configuration diagram showing a schematic configuration of the system. As shown in FIG. 19, communication terminals 1 and 7 are connected by a communication network 5, and integrate three types of functions of a router, an ATM (Asynchronous Transfer Mode) switch, and a computer capable of transferring IP packets. Are connected by the relay nodes 2, 4 and 6 of the provided network. The module server 3 receives a new module sent from a service module developer (not shown), and authenticates the developer by an electronic signature sent together with the module. Thus, the hardware system and the system software (platform) used by the computer system are arranged.
[0111]
Next, FIG. 20 is a configuration diagram showing the configuration of the module server 3 described above. The service module receiving unit 11 authenticates the developer by checking the electronic signature added to the received service module using information of the database 12 of the authorized developer registered in advance. Thereafter, the service module receiving unit 11 checks that the received service module satisfies the interface and security requirements. Then, the inspected module is stored in the service module database 13. The stored service module name and service outline are displayed on the service menu 14. The private service menu 14 can be viewed by the network user via the network, and the end user views the contents of the menu and requests a service. Upon receiving the request, the contents of the user database 17 are checked, and if it is confirmed that the network user who sent the request has the right to request, the service module injector 15 determines the service module requested by the network user. Transfer to network relay node. At this time, the service manager 16 records the transfer destination of the service module. If the service module subsequently moves to another relay node, the service manager 16 receives information on the transfer destination from the service module, and determines whether the service module is operating. Is received from the service module and managed.
[0112]
Next, FIG. 21 shows an outline of a network relay node (router) implementing the present invention, and FIG. 22 is a table showing functions of a node kernel and an execution engine in the relay node. The node kernel and the execution engine are functions of the OS shown in FIG.
[0113]
As shown in FIG. 21, the node kernel 20 starts / stops the system mounted on the relay node, manages input / output between the system mounted on the relay node and the system, performs packet filtering and traffic data. Provides an interface for processes different for each relay node maker such as schedule management, socket processing, and routing table operation, and when the execution engine 21 or the service module 22 requests the node kernel 20 for processing such as packet filtering. , This node kernel 20 mediates the processing. Further, when the IP packet is transferred to the relay node, if the packet is to be processed by the service module 22 installed in the relay node, the node kernel 20 sends the packet to the service module 22 via the execution engine 21. Distribute packets. On the other hand, if the packet is not to be processed by the service module 22 installed in the relay node, the packet is processed and transferred as a normal IP packet as it is. Information on which packet to process at this time is sent together with the service module 22 from the module server 3 (see FIG. 19).
[0114]
Further, the execution engine 21 always waits for a new service module 22 to be sent from the module server 3, and when the processing of the service module 22 is started, monitors the state of the processing. Is transmitted to the module server 3.
[0115]
Next, FIG. 23 is a flowchart showing how the packet received by the relay node is processed according to the present invention. First, in step S1001, a certain relay node receives an IP packet from an adjacent relay node or the like. Next, the process proceeds to S1002, and it is checked whether the source address or the destination address of the received packet is to be processed by any of the service modules installed in the relay node. If the source address or the destination address is specified as a target address to be processed by the service module, the process advances to step S1003 to deliver the packet to the service module 22 (see FIG. 21) specified as a target to be processed. The service module 22 performs the processing. If the packet is not a packet to be processed, the process advances to step S1004 to perform a transfer process as a normal IP packet by referring to a routing table or the like so that the IP packet reaches the destination address. Although the determination condition in S1002 has been described in terms of the destination or source address of the IP packet, the present invention is not limited to this condition, and the service module 22 can freely set the condition.
[0116]
Next, FIG. 24 is a flowchart showing a procedure for transmitting the service module 22 (see FIG. 21) to the module server 3 (see FIG. 19). First, in S1011, the program of the service module 22 and the electronic signature of the developer are received together with the transmission request of the service module 22 from the developer of the service module 22. Next, the process proceeds to S1012, where the presence or absence of the electronic signature is checked. If added, the process proceeds to S1013 to check whether the developer has been registered in advance. To check whether the program of the service module 22 satisfies the required conditions. If at least one of the conditions in S1012, S1013, and S1014 is not satisfied, the process proceeds to S1015, where the reception of the service module 22 is rejected, and the process ends. If all the conditions are satisfied, the process proceeds to S1016, where the service module 22 is registered in the database, and the contents of the service menu are updated.
[0117]
Next, FIG. 25 is a flowchart showing a procedure for receiving a request for a service module from a network user. First, in S1021, a request for the service module 22 (see FIG. 21) from the network user is received. Then, the process proceeds to S1022, and it is confirmed from the information of the network user sent together with the request that the network user who transmitted the request is an authorized user. If the user is a legitimate user, the process proceeds to S1023, and the service module 22 included in the request received from the network user is stored in the module server 3 (see FIG. 19), or the authority that the network user can request is determined. The validity of the service module 22 requested by the network user such as whether the service module 22 is possessed is checked. If either of the conditions is not satisfied in S1022 or S1023, the process proceeds to S1024, where an error message is displayed and the process ends.
[0118]
Next, in S1025, the information of the network user is collected from the user database stored in the module server 3. Then, the process proceeds to S1026, where a packet that can be processed by the requested service module 22 is defined from the information on the network connected to the network user who has requested the service module 22 included in the user information. Further, the process proceeds to S1027, and from the information on the network to which the network user who has requested the service module 22 collected in S1025 is connected, a relay node existing at the boundary where the network is connected to the Internet is derived and derived. The service module 22 is transferred to the relay node existing at the boundary, and the processing ends.
[0119]
Next, FIG. 26 shows the logical structure of the service module 22. Here, in order to manage the behavior of the private service module, seven types of attributes are added before the service module 22 is installed in the relay node. The seven types of attributes are a service ID, an owner ID, an installation time, a developer ID, a module server IP address, copy information, and a processing target. The duplication information and the processing target will be described in detail below.
[0120]
The service module can be moved from an originally installed relay node, and in some cases, the service module can create a copy and perform processing at a plurality of relay nodes. In order to identify the service module copied in this manner, the service module installed on the relay node from the module server is used as an original, and when a copy other than the installed service module is created on another relay node, the copied service module is copied. The service module is a service module, and the service module holds information for distinguishing the service modules as copy information. This processing target is generated when the network user requests a service module from the module server. Further, the module server checks a database of user information, and determines a packet that can be processed by the service module based on an IP address or the like. What is permitted as a processing target is data whose transmission source or destination is the end user who has requested the service module, and can be identified using information other than the IP address.
[0121]
The network user makes a request by selecting a service module from a menu. At this time, in addition to the service ID specifying the service module to be requested, a parameter specifying the initial state of the service module can be transmitted to the module server at the same time. In this case, when the initialization is completed, the service module is installed in the relay node. The relay node to be installed is the node closest to the network to which the network user who has requested the service module belongs, unless otherwise specified. When the service module is installed in the relay node, it can start processing a packet, move to another relay node, create a copy, etc. without waiting for other conditions. This depends on the algorithm programmed in the service module by the service module developer and the parameters specified as initial values by the network user.
[0122]
The following restrictions on execution are added to the service module from the viewpoint of security. The first is usage restrictions. This usage limit is the number of services available at a particular point in time, and the service module can also disappear from the relay node as soon as it has finished processing. When the number of used service modules reaches the limit, no new service can be executed any more, and the service module manager in the module server monitors the number of used services of all users. Things.
[0123]
Second is the duplication module. When the copy source module no longer exists, the copy module cannot automatically exist. When there is no longer a copy source module, the copy module is also deleted by the module server. If the duplication module does not process the packet for a certain period of time or more, the packet is deleted by the execution engine. That is, in order for the duplication module to continue processing, it is necessary to continue receiving packets.
[0124]
Third is a service module. This service module terminates only when the termination condition set for itself is reached, or when the network user who has requested the service module explicitly sends a termination instruction via the module server. I do. This condition applies to all service modules.
[0125]
Fourth is a packet to be processed. There is a limit on the packets that can be processed by the service module, and the service module processes only data that is transmitted or transmitted by a communication terminal belonging to the network to which the network user who has requested the service module belongs. Because you can't do that.
[0126]
Fifth, there is contention for processing. As described in the fourth section, there are restrictions on the packets that can be processed by the service module. However, when focusing on a certain packet, there is always a transmission source user and a transmission destination user. For this reason, a certain relay node may have installed a service module from both the network user of the source and the destination of the transferred IP packet. At this time, only the service module of the transmission destination is authorized to process the packet.
[0127]
Sixth is module conflict. When a plurality of service modules from the same network user are installed in a certain relay node, only the service module that is installed first can process IP packets.
[0128]
Seventh is packet input / output. The service module cannot generate new IP packets by itself. That is, one packet is transferred for each packet transferred.
[0129]
Eighth is location management. Since all the service modules including the copy module can move between the relay nodes, when they move, the location of the new relay node is also notified to the module manager in the module server.
As described above, the service module is restricted in execution from the viewpoint of security.
[0130]
By using the technology described above, a manufacturer provides an execution environment in which program interfaces with different specifications are provided to service modules in a unified manner at different relay nodes, and any relay node on which a service module can be installed is provided. If this is the case, the service module can be moved without being limited to that model. Further, the conventional method of specifying the processing target of the service module without changing the IP packet eliminates the need for modifying the packet itself in the conventional technology such as an active network. This eliminates the need to change software installed in a communication terminal such as a computer in order to use the service module installed in the relay node.
[0131]
Each of the above-described computer programs is recorded on a computer-readable recording medium, and a CPU (central processing unit) mounted on a communication device or the like reads the computer program from this recording medium to prevent an attack or a service module. Each process is also executed for providing. The “computer-readable recording medium” refers to a portable medium such as a magnetic disk, a magneto-optical disk, a ROM, and a CD-ROM, and a storage device such as a hard disk built in a computer system. Further, the “computer-readable recording medium” refers to a volatile memory (RAM) inside a computer system that becomes a server or a client when a program is transmitted via a network such as the Internet or a communication line such as a telephone line. In addition, programs that hold programs for a certain period of time are also included.
[0132]
Further, the above program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting a program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line.
[0133]
Further, the program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, and what is called a difference file (difference program) may be sufficient.
[0134]
As described above, the embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to these embodiments, and includes a design and the like without departing from the gist of the present invention.
[0135]
【The invention's effect】
As described above, according to the present invention, a communication device is a communication device for preventing a distributed denial of service attack, and monitors a communication packet passing through the communication device to detect the distributed denial of service attack. A traffic monitoring function unit, an attack protection module for discarding a communication packet of the distributed denial of service attack when the distributed denial of service attack is detected, and a process of searching for an address of a higher-level communication device close to the attack source Source search module that performs the attack, a module transmission unit that transmits the attack source search module to the communication device at the upper defense position, and a higher-level communication device closer to the attack source searched by the attack source search module And an attack source determination function unit that extracts a communication device to be a higher defense position from the candidates of the attack source. When the distributed denial of service attack is detected, the communication packet of the attack is discarded when the distributed denial of service attack is detected because the attack protection module is transmitted to the communication device at the upper defense position extracted by the disconnection function unit. And searching for a higher-level communication device closer to the attack source, transmitting an attack source search module to the higher-level communication device obtained as a result of the search, and executing this module in the higher-level communication device. Determines whether the communication packet of the attack has passed through the higher-level module, and if so, it can recursively search for a higher-level communication device. It is possible to defend against an attack in the nearest uppermost communication device, that is, to discard a communication packet of the attack. As a result, it is possible to limit the influence of the communication packet of the attack to a local area close to the attack source, and it is possible to suppress the adverse effect on the entire network.
[0136]
Also, for example, even in a network such as the Internet that does not originally have an attack defense function, effective defense against an attack can be achieved by applying the present invention. Also, when the present invention is used, the administrator of the network to which the attacker is directly connected does not need to take any action, and the defense function is automatically performed by the action of the network to which the attacked device is connected. Will be activated to prevent attacks.
[0137]
Further, according to the present invention, the communication device monitors a communication packet passing through the communication device and detects a distributed denial of service attack, and the distributed monitoring function unit detects the distributed denial of service attack when the distributed denial of service attack is detected. An attack defense module for discarding a communication packet of a denial of service attack and searching for an address of a higher-level communication device close to the attack source, and a module transmission for transmitting the attack protection module to the higher-level communication device With this configuration, the function of searching for an attack source and the function of defending an attack can be realized by a single program module, and the defense algorithm can be simplified.
[Brief description of the drawings]
FIG. 1 is a configuration diagram of a network to which the present invention can be applied.
FIG. 2 is a schematic diagram showing a method for defending against a distributed DoS attack performed in the network shown in FIG. 1;
FIG. 3 is a part of a flowchart showing a processing procedure of mobile packet filtering according to the first embodiment of the present invention.
FIG. 4 is a part of a flowchart showing a processing procedure of mobile packet filtering according to the first embodiment of the present invention.
FIG. 5 is a part of a flowchart showing a procedure of a process of an attack source search module according to the first embodiment of the present invention.
FIG. 6 is a part of a flowchart showing a procedure of a process of an attack source search module according to the first embodiment of the present invention.
FIG. 7 is a schematic diagram showing a procedure for organizing redundant information of an address of an upper router close to an attack source according to the first embodiment of the present invention.
FIG. 8 is a flowchart showing a processing procedure of a mobile packet filtering program according to the first embodiment of the present invention.
FIG. 9 is a configuration diagram showing a configuration of a router according to the first embodiment of the present invention.
FIG. 10 is a configuration diagram showing a functional configuration for preventing a distributed DoS attack according to the first embodiment of the present invention.
FIG. 11 is a configuration diagram showing a detailed configuration of an attack source search module according to the first embodiment of the present invention.
FIG. 12 is a configuration diagram showing a detailed configuration of an attack defense module according to the first embodiment of the present invention.
FIG. 13 is a part of a flowchart showing a procedure of a mobile packet filtering process according to the second embodiment of the present invention.
FIG. 14 is a part of a flowchart showing a procedure of a mobile packet filtering process according to the second embodiment of the present invention.
FIG. 15 is a part of a flowchart showing a procedure of a mobile packet filtering process according to the third embodiment of the present invention.
FIG. 16 is a part of a flowchart showing a procedure of a mobile packet filtering process according to the third embodiment of the present invention.
FIG. 17 is a flowchart illustrating a processing procedure of the attack defense module B according to the third embodiment of the present invention.
FIG. 18 is a configuration diagram showing a configuration of an attack defense module B according to a third embodiment of the present invention.
FIG. 19 is a configuration diagram showing a schematic configuration of a system for operating a program on a network communication device to which the present invention is applied;
FIG. 20 is a configuration diagram illustrating a configuration of a module server.
FIG. 21 is a schematic diagram illustrating an outline of a network relay node (router).
FIG. 22 is a table showing functions of a node kernel and an execution engine in a relay node.
FIG. 23 is a flowchart showing a procedure for processing a packet received by the relay node.
FIG. 24 is a flowchart showing a procedure for transmitting a service module to a module server.
FIG. 25 is a flowchart showing a procedure for receiving a service module request from a network user.
FIG. 26 is a schematic diagram showing a logical structure of a service module.
[Explanation of symbols]
1 communication terminal
2 Relay node
3 Module server
4 Relay node
5 Communication network
6 Relay nodes
7 Communication terminal
11 Service module receiver
12 Certified Developer Database
13 Service Module Database
14 Service Menu
15 Service module injector
16 Service Manager
17 User database
20 node kernel
21 Execution Engine
22 Service Module
101 Attacker's server
102 Border router
103, 104, 106 to 111 router (router to which the present invention is applied)
105 router (router to which the present invention is not applied)
112,115,118 Computer of authorized user
113,114,116,117 DoS attacker host

Claims (17)

A communication device for preventing a distributed denial of service attack,
A traffic monitoring function unit that monitors communication packets passing through the communication device and detects a distributed denial of service attack;
An attack defense module for discarding a communication packet of the distributed denial of service attack when the distributed denial of service attack is detected;
An attack source search module for searching for an address of a higher-level communication device close to the attack source;
A module transmitting unit that transmits the attack source search module to the communication device at the upper defense position;
An attack source determination function unit that extracts a communication device to be a higher defense position from candidates of upper communication devices close to the attack source searched by the attack source search module,
The communication device, wherein the module transmission unit transmits the attack defense module to the communication device at the upper defense position extracted by the attack source determination function unit. The communication device according to claim 1, wherein
The module transmission unit transmits, to the higher-level communication device, attack packet information on a communication packet detected as a distributed denial of service attack by the traffic monitoring function unit together with the attack source search module. ,
The attack source search module compares the attack packet information received from the module transmission unit with a communication packet passing through the communication device, and determines that a communication packet corresponding to the attack packet information passes through the communication device. If it is detected that the communication device itself is a candidate for the communication device at the defense position, the traffic inspection function unit that notifies the communication device of the transmission source of the attack source search module is included. Characteristic communication device. The communication device according to claim 1, wherein
The attack defense module includes:
An attack traffic monitoring function that monitors whether the attack is ongoing;
A communication device comprising: a self-destruction function unit that, when the attack traffic monitoring function unit determines that the attack is interrupted, deletes the attack protection module itself from the communication device that is performing the process. A communication device according to any one of claims 1 to 3,
A module server for transmitting a program module to the communication device,
A program module database for storing program modules installed in the communication device;
A developer database that manages the developers of the program modules that can request the storage of the program modules,
A user database that manages users who can request to install the program module in the communication device;
A service menu for displaying the stored program module to the user in a menu,
A service manager that authenticates the authority of the user if there is a request from the user to install the program module displayed in the service menu;
A service module injector for transmitting the program module to the communication device if the authentication can be confirmed;
A module server comprising:
A communication system comprising: A communication device for preventing a distributed denial of service attack,
A traffic monitoring function unit that monitors communication packets passing through the communication device and detects a distributed denial of service attack;
An attack defense module that, when a distributed denial of service attack is detected, discards the communication packet of the distributed denial of service attack and performs a process of searching for an address of a higher-level communication device close to the attack source;
A module transmitting unit that transmits the attack defense module to a higher-level communication device;
A communication device comprising: The communication device according to claim 5, wherein
The module transmitting unit transmits, to the upper communication device, attack packet information on a communication packet detected as a distributed denial of service attack by the traffic monitoring function unit together with the attack defense module,
The attack defense module compares the attack packet information received from the module transmission unit with a communication packet passing through the communication device, and determines that a communication packet corresponding to the attack packet information passes through the communication device. A communication device, comprising: a traffic inspection function unit for detecting the presence of the communication device. The communication device according to claim 5, wherein
The attack defense module includes:
An attack traffic monitoring function that monitors whether the attack is ongoing;
A communication device comprising: a self-destruction function unit that, when the attack traffic monitoring function unit determines that the attack is interrupted, deletes the attack protection module itself from the communication device that is performing the process. A communication device according to any one of claims 5 to 7,
A module server for transmitting a program module to the communication device,
A program module database for storing program modules installed in the communication device;
A developer database that manages the developers of the program modules that can request the storage of the program modules,
A user database that manages users who can request to install the program module in the communication device;
A service menu for displaying the stored program module to the user in a menu,
A service manager that authenticates the authority of the user if there is a request from the user to install the program module displayed in the service menu;
A service module injector for transmitting the program module to the communication device if the authentication can be confirmed;
A module server comprising:
A communication system comprising: A denial of service prevention method for preventing a distributed denial of service attack,
When the distributed denial of service attack is detected in the communication device, while the communication packet of the distributed denial of service attack is discarded in the communication device,
Search for a higher-level communication device closer to the source of the detected distributed denial of service attack,
Transmitting a program module to the upper communication device obtained as a result of the search,
In the communication device on the side receiving the program module, by executing the program module, a process of discarding the communication packet of the distributed denial of service attack, and a process of searching for the communication service of the upper side, By performing the process of transmitting the program module to the upper communication device,
A method for preventing a denial of service attack, wherein a search is performed recursively until the communication device reaches the highest communication device closest to the attack source, and the communication packet of the distributed denial of service attack is discarded in the highest communication device. A method for preventing a denial of service attack according to claim 9,
When transmitting the program module to the upper communication device, together with the program module, attack packet information on the communication packet detected as a distributed denial of service attack to the upper communication device Send
The communication device on the side receiving the program module and the attack packet information compares the attack packet information with a communication packet passing through the communication device by executing the program module, and If the communication device detects that the communication packet is passing through the communication device, the communication device determines that the communication device itself is a candidate for the communication device at the defense position with respect to the communication device of the transmission source of the attack source search module . A denial-of-service attack prevention method characterized by notifying. A method for preventing a denial of service attack according to claim 9,
The upper communication device that has received the program module executes the program module to monitor whether or not the attack is ongoing, and when it is determined that the attack has been interrupted, A method of preventing a denial-of-service attack, comprising performing a process of deleting a module itself from the communication device. A computer-readable recording medium recording a computer program executed on a communication device to prevent a distributed denial of service attack,
Monitoring communication packets passing through the communication device;
If a communication packet of the denial of service attack is detected by this monitoring, a step of continuously discarding the communication packet of the denial of service attack;
Determining whether the denial of service attack is a distributed denial of service attack;
In the case of a distributed denial of service attack, an attack for extracting higher-level communication devices close to the attack source by referring to the database and searching the higher-level communication devices for the source of the attack Transmitting a source search module, receiving defense position information from a destination communication device, and transmitting an attack defense module for preventing an attack on an upper communication device based on the defense position information; When,
Recording medium on which a computer program for causing a computer to execute each of the processes is recorded. A computer-readable recording medium that records a computer program for attack source search transmitted from a lower communication device to a higher communication device to prevent a distributed denial of service attack and executed on the higher communication device. hand,
A communication packet passing through the communication device is compared with attack packet information relating to a denial of service attack, and it is checked whether the communication packet of the denial of service attack is passing through the communication device. Notifying a lower-level communication device;
As a result of this inspection, if the communication packet of the denial of service attack passes through the communication device,
a) when there is no higher-level communication device closer to the attack source than the own communication device itself, the communication device itself is notified to the lower-level communication device as the highest-order communication device;
b) The case where there is a higher-level communication device closer to the attack source than the communication device itself, and as a result of transmitting the attack source search computer program to the higher-level communication device, If no notification that the communication packet of the denial of service attack has passed does not come, the self communication device itself is notified to the lower communication device as the highest communication device,
c) There is a higher-level communication device closer to the attack source than the communication device itself, and as a result of transmitting the attack source search computer program to the higher-level communication device, If at least one notification that a communication packet of a denial of service attack has passed is received, the own communication device itself is not set as the highest communication device,
A) performing any of a) to c);
Recording medium on which a computer program for causing a computer to execute each of the processes is recorded. A computer-readable recording medium recording an attack defense computer program executed on a communication device to prevent a distributed denial of service attack,
A communication packet passing through the communication device is compared with attack packet information relating to a denial of service attack to check whether a communication packet of the denial of service attack is passing through the communication device. If you have
a) performing a process of continuously discarding communication packets of the denial of service attack;
b) extracting a higher-level communication device closer to the attack source by referring to the database;
c) transmitting the attack defense computer program itself to the extracted upper communication device;
A) a recording medium on which a computer program for causing a computer to execute each of the processes a) to c) is recorded. A computer program executed on a communication device to prevent a distributed denial of service attack,
Monitoring communication packets passing through the communication device;
If a communication packet of the denial of service attack is detected by this monitoring, a step of continuously discarding the communication packet of the denial of service attack;
Determining whether the denial of service attack is a distributed denial of service attack;
In the case of a distributed denial of service attack, an attack for extracting higher-level communication devices close to the attack source by referring to the database and searching the higher-level communication devices for the source of the attack Transmitting a source search module, receiving defense position information from a destination communication device, and transmitting an attack defense module for preventing an attack on an upper communication device based on the defense position information; When,
Computer program that causes a computer to execute each of the above processes. A computer program for attack source search transmitted from a lower communication device to a higher communication device to prevent a distributed denial of service attack, and executed on the higher communication device,
A communication packet passing through the communication device is compared with attack packet information relating to a denial of service attack, and it is checked whether the communication packet of the denial of service attack is passing through the communication device. Notifying a lower-level communication device;
As a result of this inspection, if the communication packet of the denial of service attack passes through the communication device,
a) when there is no higher-level communication device closer to the attack source than the own communication device itself, the communication device itself is notified to the lower-level communication device as the highest-order communication device;
b) The case where there is a higher-level communication device closer to the attack source than the communication device itself, and as a result of transmitting the attack source search computer program to the higher-level communication device, If no notification that the communication packet of the denial of service attack has passed does not come, the self communication device itself is notified to the lower communication device as the highest communication device,
c) There is a higher-level communication device closer to the attack source than the communication device itself, and as a result of transmitting the attack source search computer program to the higher-level communication device, If at least one notification that a communication packet of a denial of service attack has passed is received, the own communication device itself is not set as the highest communication device,
A) performing any of a) to c);
Computer program that causes a computer to execute each of the above processes. An attack defense computer program executed on a communication device to prevent a distributed denial of service attack,
A communication packet passing through the communication device is compared with attack packet information relating to a denial of service attack to check whether a communication packet of the denial of service attack is passing through the communication device. If you have
a) performing a process of continuously discarding communication packets of the denial of service attack;
b) extracting a higher-level communication device closer to the attack source by referring to the database;
c) transmitting the attack defense computer program itself to the extracted upper communication device;
A) a computer program for causing a computer to execute each of the processes a) to c).

Images