JP4278593B2 - Protection method against application denial of service attack and edge router - Google Patents

Description

  The present invention is used for defense against a DoS (Denial of Service) attack or a DDoS (Distributed Denial of Service) attack in an IP (Internet Protocol) network. In particular, it relates to technology for improving Internet security.

  Conventionally, as a countermeasure for protecting the server from a DoS / DDoS attack performed on layer 5 or higher processing of various end nodes such as a SIP (Session initiation Protocol) server, conventionally, (1) the server itself detects the attack. (2) By installing a firewall, IDS (Intrusion Detection System), IDP (Intrusion Detection Prevention) in front of the server to be protected, and analyzing layer 5 or higher information, Measures are taken to detect the attack and eliminate the detected traffic.

  Such conventional techniques have the following problems. (1) When an attack is defended by the server machine itself, not only is the load imposed on the defense process itself, but the load of attack traffic is also imposed on the system and line connected to the server. Hinder.

  In addition, (2) a firewall, IDS, and IDP installed in front of the server is not only costly, but may be affected by the throughput of the apparatus itself. Furthermore, (3) when defending an attack in a subscriber accommodation router, it is a control method based on bandwidth limitation (communication speed limitation), and depends on the number of IP packets per unit time that is effective for defense of a network server. It is not a control method.

  In order to solve such a conventional problem, for example, in Patent Document 1, when a server is attacked, a dedicated device is installed at each site in the network in order to discard the attack packet at a router close to the attacker. However, it has been proposed that attack information is propagated sequentially between dedicated devices to eliminate attack traffic upstream.

  Further, Patent Document 2 proposes that an attack is detected on the network and protected by a dedicated attack blocking device to protect the network from the attack. However, the proposal in Patent Document 2 targets an attack of layer 4 or lower, and after the attack is detected, a defense is implemented according to an instruction from the network administrator.

  Furthermore, Patent Document 3 proposes a method of counting the number of received IP packets at a specific part of the network, specifically a gateway device, and terminating the communication when a predetermined reception number is exceeded. The method is limited to the gateway device, and is not the closest defense method for the sender of the illegal packet.

JP 2003-283571 A JP 2002-158660 A JP 2002-247114 A

  In both proposals of Patent Documents 1 and 2, it is necessary to install a dedicated device or a dedicated attack blocking device, and communication between these dedicated devices or communication for giving an instruction to the dedicated blocking device is required. Therefore, it is necessary to additionally install a new dedicated device or a dedicated attack blocking device, and it is necessary to change the current network configuration.

  In addition, the proposal of Patent Document 3 is a proposal for providing an attack detection and defense function to the gateway device to prevent the attack, but it may be affected by a line or system attack connected to the gateway device.

  The present invention has been made against this background, and the present invention is a router that accommodates a subscriber who can be an attacker without burdening the server itself and changing the current network configuration. By adding a function to the network, a defense against DoS / DDoS attacks is realized, and the purpose is to prevent attacks in the immediate vicinity of an attacker and prevent unauthorized use of network resources. Further, the present invention proposes that the edge router performs the restriction based on the number of IP packets per unit time, which is effective for the network server to be protected.

  As a premise, it is assumed that the DoS / DDoS attack is an attack on a protocol process having a well-known port number on the TCP or UDP of layer 5 or higher that is processed by various end nodes such as servers.

  This type of flood attack on the so-called application layer above layer 5 detects DoS / DDoS attacks against the application layer by monitoring the traffic volume of TCP or UDP packets destined for the well-known port of the server carrying the application layer information. Is possible.

Specifically, in the edge router accommodating the user terminal, when the end node executes an application in response to a request from the user terminal, the number of IP packet transmissions per unit time from the user terminal sufficient for normal operation is set. Server IP
A preset is made for each address, protocol number, and well-known port number. This is a threshold that can be received by the edge router from the user terminal.

Next, the edge router accommodating the user terminal, for example, “IP header Destination Address is the IP address of this server.
Address, Protocol number 6 or 17 indicating TCP or UDP, TCP or UDP
A packet whose header's Destination Port number is a well-known port number assigned to a protocol of layer 5 or higher managed by this server is inspected for each source IP address.

  Used by normal user terminals by examining IP packets received from user terminals, determining that they are IP packets addressed to this server, and limiting the number of received IP packets per unit time below a preset threshold Therefore, the traffic for the server can be suppressed to a level at which the attack is performed, and attack packets for the server from the user terminal can be suppressed to the level.

  For example, in Patent Document 1, when a server is attacked, an attack packet is discarded by a router close to the attacker, so a dedicated device is installed at each site in the network, and attack information is propagated sequentially between dedicated devices. However, the application-type denial-of-service attack prevention method of the present invention does not propagate attack information between nodes, and it is proposed in the user terminal accommodating node that generates attack traffic. It is characterized by defending attacks by adding functions and setting static in advance.

  Further, Patent Document 2 proposes that an attack is detected on the network and protected by a dedicated attack blocking device to protect the network from the attack. Is different from the attack detection and defense method in the user terminal accommodating router.

  Further, Patent Document 3 proposes that a detection function is provided in the gateway device to eliminate the attack, but the present invention is an attack detection and defense method in the user terminal accommodating router accommodating the attack source. There is a difference in defending the attack in the immediate vicinity of the attacker.

  In addition, the application-type denial-of-service attack prevention method of the present invention does not newly add a dedicated device by changing the network configuration, and additionally deploys and uses functions on edge routers provided in the network. be able to.

  That is, the first aspect of the present invention is an application-type service inability applicable to a network system including a core network, an edge router that accommodates user terminals, and a server that processes signals transmitted from the user terminals. It is a defense method against attacks.

Here, the feature of the present invention is that, for each user terminal and each server serving as a destination, for each combination of a source IP address, a destination IP address, a destination Port number, and a Protocol number. As a step executed by the edge router accommodating the user terminal, a threshold condition for the number of IP packet transmissions per unit time sufficient to permit transmission of a reliable IP packet is set as a step performed by the user terminal to the server. With respect to the IP packet to be transmitted, the IP packet is transmitted to the originating IP address based on the step of identifying the originating IP address, the destination IP address, the Port number, and the Protocol number, and the identification result of the identifying step. The destination IP address for which the threshold of the number of IP packet transmissions is set for each, Po a step of determining whether or not the IP packet matches a combination of t number and Protocol number, and a destination IP address, a Protocol number, and a Port for which a threshold is set for each IP address of the IP packet by this determination step When it is determined that the IP packet matches the combination of numbers, the time when the edge router receives the IP packet is recorded, and the number of the IP packets is counted. The number of IP packets is compared with the threshold condition set for each originating IP address, and when the number of received IP packets per unit time exceeds the threshold, the received IP packets exceeding the threshold are discarded. Ru near the place to perform the steps of.

Further, as the steps executed by the edge router, for the IP packet received from the user terminal for which the threshold condition is set, the source IP address, the destination IP address, the Port number, and the Protocol number that are information of the IP packet And a step of recording the reception time of the IP packet, and for the IP packet discarded based on the threshold setting condition, the source IP address, the destination IP address, the Port number, the Protocol number, and the IP Ru can be performed and recording the discarding time of the packet.

Further, referring to the recording by the step of recording the discard time as the step executed by the edge router, based on the information of the source IP address, the destination IP address, the Port number, and the Protocol number of the discarded IP packet, The step of confirming the attack target, the step of confirming the attack packet reception status of the attack target confirmed by the confirmation step, and the attack is ongoing based on the attack packet reception status confirmed by the confirmation step And determining whether or not all packets addressed to the attack target from the attack source are attack packets, and the attack is ongoing based on the determination result of the determining step and the attack source from the attack source Applicable if all packets addressed to the attack target are attack packets Performing the steps of: resetting said threshold value so as to suppress all the attack for a packet from the side IP address Ru can.

Ascertaining the attack packets received status refers to the recording by step of recording the reception time, Ru can include the step of estimating an attack packet reception status of the attack target.

  According to this, since it is possible to estimate the attack packet reception status of the attack target by the edge router without requesting the attack target to report the attack packet reception status, it is possible to effectively use the network resources.

  That is, when the edge router actually suppresses the attack, the edge router collects the record of the IP packet reception and the record of the discard of the IP packet, and compares and confirms the attack packet reception status on the SIP server side. If it is determined that all packets from the user received in step 1 are attack packets, the threshold can be reset so that all packets for the SIP server are discarded from this user and all attack packets can be discarded. The protection pattern can be actively optimized.

Further, when the attack is ongoing based on the determination result of the determining step and all packets addressed to the attack target from the attack source are attack packets, a warning notification is given to the attack source. step Ru can be run.

  As a result, the fact that the user is performing an attack can be presented to the user who has become a stepping stone from the edge router, and a warning such as virus infection can be issued to the user. This warning enables the user to prevent the spread of damage by confirming and dealing with the virus infection of his / her terminal and the fact that it has become a stepping stone.

Further, the step of counting the number of IP packets discarded based on the new threshold set by the step of resetting the threshold, and the count result of the step of counting is less than the threshold before the new threshold that was reset when it becomes, the Ru can perform the step of replacing the new threshold to the new threshold previous threshold.

  In other words, after the attack is avoided, if the unusual threshold set for attack avoidance remains, the legitimate IP packet transmitted after that may be discarded, so the attack ends. It is desirable to replace the threshold with a normal value after it has been estimated.

  A second aspect of the present invention is an edge router that is provided in a network system including a core network and a server that processes a signal transmitted from a user terminal and accommodates the user terminal.

Here, the feature of the present invention is that, for each user terminal and each server serving as a destination, for each combination of a source IP address, a destination IP address, a destination Port number, and a Protocol number. A threshold value of the number of IP packet transmissions per unit time sufficient to permit transmission of secure IP packets is set in advance, and an IP packet transmitted from the user terminal to the server, a source IP address and a destination IP address And a destination IP address in which a threshold value of the number of IP packet transmissions is set for each IP address of the originating IP packet based on the identification result by the identifying means and the Port number and the Protocol number , Determines whether the IP packet matches the combination of Port number and Protocol number And the determining means determines that the IP packet is an IP packet that matches a combination of a destination IP address, a protocol number, and a port number for which a threshold is set for each originating IP address. The means for recording the time when the edge router received the IP packet and counting the number of the IP packet, and comparing the number of IP packets counted by the means for counting with the threshold condition set for each originating IP address and, where applicable received IP packets per unit time exceeds a threshold value, Ru near the place and means for discarding the received IP packet amount that exceeds the threshold value.

Further, for the IP packet received from the user terminal for which the threshold condition is set, the source IP address, the destination IP address, the Port number, the Protocol number, and the reception time of the IP packet that are information of the IP packet are recorded. And means for recording a source IP address, a destination IP address, a Port number, a Protocol number, and a discard time of the IP packet, which are information of the IP packet for the IP packet discarded based on the threshold setting condition Ru can be provided with.

Furthermore, referring to the record by the means for recording the discard time, means for confirming the attack source and attack target based on the information of the source IP address, destination IP address, Port number, Protocol number of the discarded IP packet; Means for confirming the attack packet reception status of the attack target confirmed by the means for confirming, and the attack is ongoing based on the attack packet reception status confirmed by the confirmation means, and the attack from the attack source A means for determining whether or not all packets addressed to the attack target are attack packets, and the attack is ongoing based on the determination result of the means for determining, and all packets addressed to the attack target from the attack source are attack packets. If so, the attack target packets from the corresponding originating IP address are all suppressed Ru can be provided with means for resetting the value.

  The means for confirming the attack packet reception status may include means for estimating the attack packet reception status of the attack target with reference to a record by the means for recording the reception time.

Further, when the attack is ongoing based on the determination result of the determining means and all the packets addressed to the attack target from the attack source are attack packets, a warning notification is given to the attack source. Ru can be provided with a means.

Furthermore, the means for counting the number of IP packets discarded based on the new threshold set by the means for resetting the threshold, and the count result of the means for counting is less than the threshold before the new threshold that was reset when it becomes, the Ru can be provided with a means for replacing the new threshold to the new threshold previous threshold.

  According to a third aspect of the present invention, when installed in an information processing apparatus, the information processing apparatus is provided with a network system including a core network and a server that processes a signal transmitted from a user terminal. This is a program for realizing a function corresponding to an edge router that accommodates a user terminal.

Here, the feature of the present invention is that, for each user terminal and each server serving as a destination, for each combination of a source IP address, a destination IP address, a destination Port number, and a Protocol number. A threshold value of the number of IP packet transmissions per unit time sufficient to permit transmission of secure IP packets is set in advance, and an IP packet transmitted from the user terminal to the server, a source IP address and a destination IP address And a function for identifying the Port number and the Protocol number, and a destination IP address in which a threshold value of the number of IP packet transmissions is set for each IP address of the IP packet based on the identification result by the identifying function , Determines whether the IP packet matches the combination of Port number and Protocol number When the function and this determination function determine that the IP packet is an IP packet that matches a combination of a destination IP address, a protocol number, and a port number for which a threshold is set for each originating IP address, A function that records the time when the edge router receives the IP packet and counts the number of the IP packets, and compares the number of IP packets counted by the counting function with a threshold condition set for each originating IP address. and, where applicable received IP packets per unit time exceeds a threshold value, Ru near was a function discards the received IP packet amount that exceeds the threshold value.

Further, for the IP packet received from the user terminal for which the threshold condition is set, the source IP address, the destination IP address, the Port number, the Protocol number, and the reception time of the IP packet that are information of the IP packet are recorded. And a function for recording the IP packet information that has been discarded based on the threshold setting condition, the source IP address, the destination IP address, the Port number, the Protocol number, and the discard time of the IP packet. Ru can be realized.

Further, referring to the recording by the step of recording the discard time, the function of confirming the attack source and the attack target based on the information of the source IP address, the destination IP address, the Port number, and the Protocol number of the discarded IP packet, A function of confirming the attack packet reception status of the attack target confirmed by the function of confirming, and the attack is ongoing based on the attack packet reception status confirmed by the function of confirming and the attack source from the attack source A function for determining whether or not all packets addressed to the attack target are attack packets, and the attack is ongoing based on the determination result based on the determination function, and all packets addressed to the attack target from the attack source are attack packets. If so, all the packets targeted for attack from the corresponding originating IP address are suppressed. Ru can be realized and a function of resetting the serial threshold.

Examples ability to verify the attack packets received status, with reference to recording with function of recording the received time, Ru can be realized a function of estimating an attack packet reception status of the attack target.

Further, when the attack is ongoing based on the determination result of the determining function and all the packets addressed to the attack target from the attack source are attack packets, a warning notification is given to the attack source. Ru can be made to realize the function.

Further, the function of counting the number of IP packets discarded based on the new threshold set by the function of resetting the threshold, and the count result of the function of counting is less than the threshold before the new threshold reset when it becomes, the Ru can be realized and a function to replace the new threshold to the new threshold previous threshold.

The fourth aspect of the present invention, Ru said information processing apparatus readable media der which the program is recorded of the present invention. By recording the program of the present invention on the recording medium of the present invention, the information processing apparatus can install the program of the present invention using this recording medium. Alternatively, the program of the present invention can be directly installed in the information processing apparatus via a network from a server holding the program of the present invention.

  As a result, using a general-purpose information processing device, the server itself is not burdened, the attack is protected immediately by the attacker, the network resources are not illegally used, and the network server to be protected is protected. It is possible to realize an edge router that can realize an effective restriction by the number of IP packets per unit time.

  According to the present invention, since the server is not loaded and there is no time lag from detection to exclusion, compared to the case where the attack is detected and the attack traffic is detected and eliminated at the server, The risk of high loads is reduced.

  Furthermore, the application type denial-of-service attack defense method of the present invention can be realized by adding functions to the user-accommodating edge node without changing the current network configuration or installing a new device.

  In general, edge routers protect against attacks by band limiting (communication speed limitation). However, the limiting method of the present invention limits the number of IP packets per unit time, and does not depend on the packet size of the attack packet. , Defense is possible.

  Furthermore, since the attack defense position of the present invention is a user terminal accommodating node that can be an attacker, it is possible to efficiently reduce the influence of other legitimate users and attacks on the network load.

  An application-type denial-of-service attack defense method according to an embodiment of the present invention will be described with reference to FIG. FIG. 1 is a network configuration diagram for explaining a defense method against an application-type denial-of-service attack according to this embodiment. Reference numeral 1 denotes an edge router that accommodates user terminals located at the end of the core network of each ISP (Internet Service Provider). Reference numeral 4 denotes a core network of each ISP. Reference numeral 6 denotes a SIP server that controls the SIP protocol within the ISP. Here, the SIP server is taken as an example, but the present invention is also effective in other control servers such as an SMTP (Simple Mail Transfer Protocol) server. Reference numerals 2 and 3 denote user terminals accommodated in the SIP server, which are terminals that perform legitimate communication with the attacking terminal.

  As shown in FIG. 1, the application type denial-of-service attack defense method of the present embodiment uses signals transmitted from the ISP core network 4, the edge router 1 that accommodates the user terminals 2 and 3, and the user terminals 2 and 3. This is a defense method against an application-type denial-of-service attack applied to a network system composed of a SIP server 6 to be processed.

Here, the feature of this embodiment is that each of the user terminals 2 and 3 and the destination SIP server 6 is a combination of a source IP address, a destination IP address, a destination Port number, and a Protocol number. As a step executed by the edge router 1 that accommodates the user terminals 2 and 3 in advance, a threshold condition for the number of IP packet transmissions per unit time sufficient to permit transmission of a legitimate IP packet is set in advance. 3, with respect to the IP packet transmitted from the SIP server 6 to the SIP server 6, the step of identifying the originating IP address, the destination IP address, the Port number, and the Protocol number, and the identification result of this identifying step Destination IP for which the IP packet transmission threshold is set for each IP address of the IP packet A step of determining whether or not the IP packet matches a combination of a dress, a Port number, and a Protocol number, and a destination IP address and a Protocol number for which a threshold is set for each source IP address by the determination step When it is determined that the IP packet matches the port number combination, the time when the edge router 1 receives the IP packet is recorded and the number of the IP packets is counted, and the counting step is performed. The counted number of IP packets is compared with the threshold condition set for each source IP address, and when the number of received IP packets per unit time exceeds the threshold, the received IP corresponding to the threshold is exceeded. Ru near the place to perform the steps of discarding the packet.

Further, as the steps executed by the edge router 1, for the IP packet received from the user terminal for which the threshold condition is set, the source IP address, the destination IP address, the Port number, and the Protocol number that are information of the IP packet And a step of recording the reception time of the IP packet, and for the IP packet discarded based on the threshold setting condition, the source IP address, the destination IP address, the Port number, the Protocol number, and the IP to run and recording the discarding time of the packet.

Further, as a step executed by the edge router 1, referring to the recording by the step of recording the discard time, the attack source and the destination number based on the information of the source IP address, the destination IP address, the Port number, and the Protocol number of the discarded IP packet The step of confirming the attack target, the step of confirming the attack packet reception status of the attack target confirmed by the confirmation step, and the attack is ongoing based on the attack packet reception status confirmed by the confirmation step And determining whether or not all packets addressed to the attack target from the attack source are attack packets, and the attack is ongoing based on the determination result of the determining step and the attack source from the attack source If all packets addressed to the attack target are attack packets, That perform the steps of: resetting said threshold value so as to suppress all the attack for a packet from IP address.

Wherein the step of confirming an attack packet reception state refers to the recording by step of recording the reception time, steps including estimating an attack packet reception status of the attack target.

Further, when the attack is ongoing based on the determination result of the determining step and all the packets addressed to the attack target from the attack source are attack packets, the user terminal 2 that is the attack source is It runs the step of performing a warning notification Te.

Further, the step of counting the number of IP packets discarded based on the new threshold set by the step of resetting the threshold, and the count result of the step of counting is less than the threshold before the new threshold that was reset and when it becomes the that perform the step of replacing the new threshold to the new threshold previous threshold.

  Next, the edge router of the present embodiment will be described with reference to FIGS. FIG. 3 is a functional block diagram for providing a defense function in the edge router of this embodiment.

  As shown in FIG. 1, the edge router of this embodiment is provided in a network system including an ISP core network 4 and a SIP server 6 that processes signals transmitted from user terminals 2 and 3. 3 is an edge router 1 that accommodates 3.

Here, the feature of this embodiment is that each of the user terminals 2 and 3 and the destination SIP server 6 is a combination of a source IP address, a destination IP address, a destination Port number, and a Protocol number. Each time, a threshold of the number of IP packet transmissions per unit time sufficient to permit transmission of a legitimate IP packet is set in advance, and is transmitted from the user terminals 2 and 3 to the SIP server 6 as shown in FIG. IP packet receiving unit 10 for identifying the originating IP address, the destination IP address, the Port number, and the Protocol number, and based on the identification result by the IP packet receiving unit 10, Destination IP address, Port number, and Prot for which a threshold for the number of IP packet transmissions is set for each originating IP address a header inspection unit 11 that determines whether or not the IP packet matches a combination of col numbers; a destination IP address for which a threshold is set for each source IP address by the header inspection unit 11, a protocol number, When it is determined that the IP packet matches the port number combination, the IP packet counting unit 14 that records the time when the edge router 1 receives the IP packet and counts the number of the IP packets, and the IP packet The number of IP packets counted by the packet counting unit 14 is compared with the threshold condition set for each originating IP address, and the threshold is exceeded when the number of received IP packets per unit time exceeds the threshold. Provided with a control unit 17 and an IP packet discard unit 12 for discarding the received IP packets of That.

Further, for the IP packet received from the user terminals 2 and 3 for which the threshold condition is set, the source IP address, the destination IP address, the Port number, the Protocol number, and the reception time of the IP packet, which are information of the IP packet And a count information recording unit 15 for recording the IP packet that has been discarded based on the threshold setting condition, the source IP address, the destination IP address, the Port number, the Protocol number, and the discard of the IP packet as the information of the IP packet time Ru and a IP packet discard information recording unit 18 for recording.

Furthermore, referring to the record by the IP packet discard information recording unit 18, the means for confirming the attack source and the attack target based on the information of the source IP address, the destination IP address, the Port number, and the Protocol number of the discarded IP packet, Means for confirming the attack packet reception status of the attack target confirmed by the means for confirming, and the attack is ongoing based on the attack packet reception status confirmed by the confirmation means, and the attack from the attack source A means for determining whether or not all packets addressed to the attack target are attack packets, and the attack is ongoing based on the determination result of the means for determining, and all packets addressed to the attack target from the attack source are attack packets. If so, all the packets targeted for attack from the corresponding originating IP address are suppressed. Ru and means for resetting the threshold value setting unit 16 to the threshold resetting unit 19.

It said means for confirming an attack packet reception state refers to the recording by counting information recording unit 15, including means for estimating an attack packet reception status of the attack target.

Further, when the attack is ongoing based on the determination result of the determining means and all the packets addressed to the attack target from the attack source are attack packets, the user terminal 2 that is the attack source is Ru with a warning notification unit 20 to perform the warning notification Te.

Further, the IP packet discard information recording unit 18 includes means for counting the number of IP packets discarded based on the new threshold set by the threshold resetting unit 19, and the threshold resetting unit 19 includes the IP packet discard information recording when the counting result of the unit (18) is less than the re-set the new threshold previous threshold, Ru comprises means for replacing said new threshold set in the threshold setting unit 16 to the new threshold previous threshold .

This embodiment can be implemented as a program that, when installed in a general-purpose information processing apparatus, causes the information processing apparatus to realize a function corresponding to the edge router 1 of the present embodiment. This program is recorded in a recording medium and installed in the information processing apparatus, or installed in the information processing apparatus via a communication line, so that the information processing apparatus has an IP packet receiving unit 10, header inspection unit 11, IP Packet discard unit 12, IP packet transmission unit 13, IP packet counting unit 14, count information recording unit 15, threshold setting unit 16, control unit 17, IP packet discard information recording unit 18, threshold resetting unit 19, warning notification unit 20 each Ru can be realized corresponding functions.

  Hereinafter, this embodiment will be described in more detail.

  The control procedure of the application-type denial-of-service attack defense method of the present embodiment will be described with reference to the flowchart of FIG. 2, taking the SIP server 6 as an example. FIG. 2 is a flowchart showing a defense procedure in the edge router.

  As shown in FIG. 2, the threshold setting unit 16 is preset with the IP packet transmission permission number per unit time for each IP address (S0), and the IP packet is received by the IP packet receiving unit 10 of the edge router 1. When arriving (S1), the header inspection unit 11 inspects the originating IP address of the IP packet to determine whether or not it is subject to regulation. It is determined whether the IP address of the server, whether the Protocol number is 6 or 17, and whether the destination port is 5060 (S2). If so, the IP packet counter 14 per unit time for each calling user terminal The number of transmitted IP packets is measured (S3), and the count information is recorded in the count information recording unit 15 (S4).

  The control unit 17 compares the number of IP packets counted by the IP packet counting unit 14 with the threshold value of the number of IP packets set in advance in the threshold setting unit 16, and the number of IP packet transmissions per unit time is normal. It is determined whether the amount is less than the threshold (S5). As a result, if the number of IP packet transmissions per unit time is a normal amount (less than the threshold), normal processing is performed (S6), but the number of IP packet transmissions per unit time is equal to or greater than the normal amount (above the threshold). If so (S6), the IP packet discarding unit 12 discards packets that are equal to or greater than the threshold (S7). Information of the discarded IP packet is recorded in the IP packet discard information recording unit 18 (S8).

In this way, even if there is a user terminal that performs a DoS / DDoS attack by limiting the number of IP packet transmissions per unit time determined in advance, the number of attack packets is suppressed to the number used for normal processing. Ru is.

  Below, the application type | mold denial-of-service attack defense method of a present Example in a SIP protocol is demonstrated. FIG. 4 is a network configuration diagram in which the defense method against the application-type denial-of-service attack of this embodiment is not applied. As a glossary of terms below, FIG. 5 and FIG. 6 show field configuration diagrams of an IP header, a TCP header, and a UDP header, respectively. FIG. 5 is a diagram showing the field structure of the IP header and TCP header. FIG. 6 is a diagram showing the field structure of the IP header and the UDP header. In FIG. 4, it is assumed that 2 is a user terminal that issues a DoS / DDoS attack packet and 3 is a valid user.

  The user terminal 2 sends a large number of IP packets for processing at layer 5 or higher to the SIP server 6, overloads the SIP server 6 and the network up to that point, and allows the legitimate user terminal 3 to receive service. to disturb.

  FIG. 7 shows a normal sequence example between the user terminal and the SIP server in the SIP protocol. It is assumed that the SIP server 6 operates as a server for the SIP protocol (RFC3261) on TCP or UDP. As shown in FIG. 7, the user terminal (source) issues a session generation request to the user terminal (incoming) via the SIP server 6 (INVITE).

  Upon receiving the session request from the SIP server, the user terminal (incoming) notifies the user terminal (outgoing) that the session generation is accepted via the SIP server 6 (180 Ringing, 200 OK). A session is generated between the user terminal (outgoing) and the user terminal (incoming) (ACK).

  Thereby, communication is performed between the user terminal (calling) and the user terminal (arriving). When the user terminal (calling) sends a session disconnect request to the user terminal (calling) via the SIP server 6 (BYE), the session between the user terminal (calling) and the user terminal (calling) is deleted. The

  The above is the exchange between the user terminal (source), the SIP server, and the user terminal (destination) in the normal SIP protocol.

  Next, an example attack sequence will be described with reference to FIG. FIG. 8 is a diagram showing an example of an attack sequence. The form of attack is assumed as follows. By sending a large number of connection request INVITE or registration request REGISTER requests from the attacking terminal to the SIP server, the processing capacity of the SIP server is significantly reduced, and congestion is caused in the system and line connected to the SIP server. Hinder regular communication from legitimate users.

  In general, the user terminal accommodating router performs bandwidth limitation (communication speed limitation) and takes a countermeasure against the attack, but the SIP server starts processing for the request in response to a request from the user. It is most effective to limit the number of requests per hour. Therefore, in the present invention, as shown in FIG. 2, the attack is suppressed by limiting the number of IP packets per unit time.

Next, a defense pattern optimization method using the discarded IP packet information recorded in the IP packet discard information recording unit 18 and the count information recorded in the count information recording unit 15 will be described with reference to FIG. . Figure 9 is Ru flowchart der illustrating a method for optimizing protection pattern using the count information recorded in the IP packet discard information recording unit 18 information and counting information recording section 15 of the recorded discarded IP packet to.

  The threshold resetting unit 19 of the edge router, when the attack is actually suppressed, the source IP address (SA) and destination IP address (DA) of the discarded IP packet recorded in the IP packet discarding information recording unit 18 The attack source and the attack target are confirmed based on the destination port number (DP) and the protocol number (S9).

  Also, the attack packet reception status on the SIP server 6 side targeted for attack is confirmed (S10). This confirmation method is estimated by searching the number of IP packets addressed to the attacked SIP server 6 recorded in the counting information recording unit 15. In addition to this, for example, it may be confirmed by a method of requesting the attack packet reception status report to the SIP server 6 side targeted for attack and receiving the report directly from the SIP server 6 side.

  Thus, it is determined whether the attack is ongoing and all packets addressed to the SIP server 6 from the attack source are attack packets (S11). The attack is ongoing and the SIP server 6 from the attack source is determined. If all the packets addressed are attack packets, the threshold setting unit 16 resets the threshold value so as to suppress all packets destined for the SIP server 6 from the corresponding originating IP address (S13). Thereby, a defense pattern can be actively optimized.

  Further, the warning notification unit 20 notifies the user terminal 2 of the warning by attaching the count information of the IP packet recorded in the count information recording unit 15 (S12). As a result, the fact that the user has executed the attack can be presented to the user who has become a stepping stone, and a warning such as virus infection can be issued to the user. This warning enables the user to prevent the spread of damage by confirming and dealing with the virus infection of his / her own terminal and the fact that it has become a springboard (S15).

  If the attack is ongoing and all packets addressed to the SIP server 6 from the attack source are not attack packets, the monitoring is continued (S14).

  Further, the IP packet discard information recording unit 18 counts the number of IP packets discarded based on the new threshold value reset by the threshold resetting unit 19 in the threshold setting unit 16 in step S13 (S16), and the threshold resetting unit 19 When the count result of the IP packet discard information recording unit 18 becomes less than the threshold value before the new threshold value that has been reset (S17), the new threshold value set in the threshold value setting unit 16 is changed to the new threshold value. Replace with a threshold value before the threshold value (S18). In addition, when the count result of the IP packet discard information recording unit 18 is equal to or greater than the threshold before the new threshold (S17), the threshold set in the threshold setting unit 16 remains the new threshold. All suppression of IP packets by the IP packet discard unit 12 is continued (S19).

  In other words, after the attack is avoided, if the unusual threshold set for attack avoidance remains, the legitimate IP packet transmitted after that may be discarded, so the attack ends. After it has been estimated, the threshold value is replaced with a normal value.

  According to the present invention, since it is possible to improve Internet security against DoS / DDoS attacks in an IP network, it is possible to contribute to acquisition of users of networks and service providers such as ISPs. In addition, it is possible to contribute to saving time and cost required for the network change for improving the Internet security in the network operator.

  Furthermore, by issuing warnings to users who have become attackers due to virus infection, etc. based on specific attack information, the trust of the network provider is improved, and further, from the users who have become attackers The spread of damage can be suppressed, and the user himself / herself can be prevented from suffering disadvantages due to compensation. It is also possible for the IP network operator to provide this user with a warning notification itself as an additional service.

The network block diagram for demonstrating the defense method with respect to the application type | mold denial of service attack of a present Example. The flowchart which shows the defense procedure in the edge router with respect to the application type | mold denial of service attack of a present Example. The functional block diagram which provides the defense function in the edge router with respect to the application type | mold denial of service attack of a present Example. The network block diagram which does not give the defense method with respect to the application type | mold denial of service attack of a present Example. The figure which shows the field structure of an IP header and a TCP header. The figure which shows the field structure of an IP header and a UDP header. The figure which shows a normal SIP protocol sequence example. The figure which shows the example of an attack sequence in a SIP protocol. The flowchart which shows the optimization method of the defense pattern using the information of the discarded IP packet recorded on the IP packet discard information recording part, and the count information recorded on the count information recording part.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1 Edge router which accommodates user terminal 2 User terminal which attacks 3 Legitimate user terminal 4 ISP core network 5 Edge router which accommodates SIP server 6 SIP server 10 IP packet receiving part 11 Header inspection part 12 IP packet discarding part 13 IP Packet transmission unit 14 IP packet counting unit 15 Count information recording unit 16 Threshold setting unit 17 Control unit 18 IP packet discard information recording unit 19 Threshold resetting unit 20 Warning notification unit

Claims (13)

In a defense method against an application-type denial-of-service attack applied to a network system composed of a core network, an edge router that accommodates a user terminal, and a server that processes a signal transmitted from the user terminal,
Permit transmission of a legitimate IP packet for each combination of a source IP (Internet Protocol) address, a destination IP address, a destination Port number, and a Protocol number for each user terminal and each destination server. A threshold condition for the number of IP packet transmissions per unit time sufficient for
As the step executed by the edge router accommodating the user terminal,
Identifying an originating IP address, a destination IP address, a port number, and a protocol number for an IP packet transmitted from the user terminal to the server;
Based on the identification result in the identifying step, whether or not the IP packet matches the combination of the destination IP address, the Port number, and the Protocol number for which the threshold of the number of IP packet transmissions is set for each originating IP address Determining whether or not
When it is determined in this determination step that the IP packet is an IP packet that matches a combination of a destination IP address, a protocol number, and a port number for which a threshold is set for each originating IP address, the edge router Recording the time at which the IP packet was received and counting the number of the IP packet;
The number of IP packets counted in the counting step is compared with the threshold condition set for each source IP address, and when the number of received IP packets per unit time exceeds the threshold, the threshold is exceeded. minute of the received IP packet to perform the steps of discarding,
As the steps executed by the edge router,
A step of recording an IP packet received from the user terminal for which the threshold condition is set, information of the IP packet, that is, a source IP address, a destination IP address, a Port number, a Protocol number, and a reception time of the IP packet When,
Recording a source IP address, a destination IP address, a Port number, a Protocol number, and a discard time of the IP packet, which are information of the IP packet, for the IP packet discarded based on the threshold setting condition;
Referring to the recording by the step of recording the discard time, and confirming the attack source and the attack target based on the information of the source IP address, the destination IP address, the Port number, and the Protocol number of the discarded IP packet;
Confirming the attack packet reception status of the attack target confirmed by the confirming step;
Determining whether or not the attack is ongoing based on the attack packet reception status confirmed by the confirming step and all packets addressed to the attack target from the attack source are attack packets;
Based on the determination result of the determining step, when the attack is ongoing and all the packets addressed to the attack target from the attack source are attack packets, the attack target address from the corresponding originating IP address Re-setting the threshold to suppress all packets;
A defense method against an application-type denial-of-service attack characterized by executing   2. The defense against an application-type denial-of-service attack according to claim 1, wherein the step of confirming the attack packet reception status includes a step of estimating the attack packet reception status of the attack target with reference to a record by the step of recording the reception time. Method.   When the attack is ongoing based on the determination result of the determining step and all the packets addressed to the attack target from the attack source are attack packets, a step of notifying the attack source of a warning The defense method against an application type | mold denial-of-service attack of Claim 1 to perform. Counting the number of discarded IP packets based on the new threshold set by the step of resetting the threshold;
2. The application according to claim 1, wherein when the counting result of the counting step becomes less than a threshold value before the new threshold value, the step of replacing the new threshold value with a threshold value before the new threshold value is executed. Protection against type-of-service denial of service attacks. In an edge router that accommodates the user terminal that is provided in a network system that includes a core network and a server that processes a signal transmitted from the user terminal,
A unit time sufficient to permit transmission of a legitimate IP packet for each combination of a source IP address, a destination IP address, a destination Port number, and a Protocol number for each user terminal and each destination server The threshold of the number of IP packets transmitted per unit is preset,
Means for identifying an originating IP address, a destination IP address, a Port number, and a Protocol number for an IP packet transmitted from the user terminal to the server;
Based on the identification result by the identifying means, whether or not the IP packet matches the combination of the destination IP address, the Port number, and the Protocol number for which the threshold of the number of IP packet transmissions is set for each originating IP address Means for determining whether or not
When it is determined by the determining means that the IP packet is an IP packet that matches a combination of a destination IP address, a protocol number, and a port number for which a threshold is set for each originating IP address, the edge router Means for recording the time when the IP packet was received and counting the number of the IP packet;
The number of IP packets counted by the counting means is compared with the threshold condition set for each originating IP address. When the number of received IP packets per unit time exceeds the threshold, the threshold is exceeded. And a means for discarding the received IP packets of minutes ,
Means for recording the IP packet received from the user terminal for which the threshold condition is set, the source IP address, the destination IP address, the Port number, the Protocol number, and the reception time of the IP packet, which are information of the IP packet When,
Means for recording an IP packet information that has been discarded based on the threshold setting condition, a source IP address, a destination IP address, a Port number, a Protocol number, and a discard time of the IP packet, which are information of the IP packet;
Means for referring to the record by the means for recording the discard time and confirming the attack source and the attack target based on information of the source IP address, destination IP address, Port number, Protocol number of the discarded IP packet;
Means for confirming the attack packet reception status of the attack target confirmed by the confirmation means;
Means for determining whether the attack is ongoing based on the attack packet reception status confirmed by the means for confirming and all packets addressed to the attack target from the attack source are attack packets;
Based on the determination result of the determining means, if the attack is ongoing and all the packets addressed to the attack target from the attack source are attack packets, the attack target address from the corresponding originating IP address Means for resetting the threshold so as to suppress all packets;
Edge router, comprising the.   6. The edge router according to claim 5, wherein the means for confirming the attack packet reception status includes means for estimating the attack packet reception status of the attack target with reference to a record by the means for recording the reception time.   Based on the determination result of the determining means, when the attack is ongoing and all packets addressed to the attack target from the attack source are attack packets, means for notifying the attack source of warning The edge router according to claim 5 provided. Means for counting the number of discarded IP packets based on the new threshold set by the means for resetting the threshold;
The edge according to claim 5, further comprising: means for replacing the new threshold value with a threshold value before the new threshold value when the counting result of the means for counting becomes less than the reset threshold value before the new threshold value. Router. By installing on an information processing device,
In a program for realizing a function corresponding to an edge router that accommodates the user terminal and is provided in a network system including a core network and a server that processes a signal transmitted from the user terminal,
A unit time sufficient to permit transmission of a legitimate IP packet for each combination of a source IP address, a destination IP address, a destination Port number, and a Protocol number for each user terminal and each destination server The threshold of the number of IP packets transmitted per unit is preset,
A function for identifying a source IP address, a destination IP address, a port number, and a protocol number for an IP packet transmitted from the user terminal to the server;
Based on the identification result by the identification function, whether or not the IP packet matches the combination of the destination IP address, the Port number, and the Protocol number for which the threshold of the number of IP packet transmissions is set for each originating IP address A function to determine whether
When it is determined by the determination function that the IP packet is an IP packet that matches a combination of a destination IP address, a protocol number, and a port number for which a threshold is set for each originating IP address, the edge router A function of recording the time when the IP packet is received and counting the number of the IP packet;
The number of IP packets counted by this counting function is compared with the threshold condition set for each originating IP address. When the number of received IP packets per unit time exceeds the threshold, the threshold is exceeded. A function of discarding received IP packets of minutes ,
A function for recording the IP packet received from the user terminal for which the threshold condition is set, the source IP address, the destination IP address, the Port number, the Protocol number, and the reception time of the IP packet, which are information of the IP packet When,
A function of recording an IP packet information that has been discarded based on the threshold setting condition, a source IP address, a destination IP address, a Port number, a Protocol number, and a discard time of the IP packet,
A function of referring to the recording by the step of recording the discard time and confirming the attack source and the attack target based on information of the source IP address, the destination IP address, the Port number, and the Protocol number of the discarded IP packet;
A function of confirming the attack packet reception status of the attack target confirmed by the function of confirming;
A function for determining whether the attack is ongoing based on the attack packet reception status confirmed by the function to confirm and whether all the packets addressed to the attack target from the attack source are attack packets;
If the attack is ongoing based on the determination result and the packets addressed to the attack target from the attack source are all attack packets, the attack target address from the corresponding originating IP address A program for realizing a function corresponding to an edge router having a function of resetting the threshold value so as to suppress all packets .   10. The program according to claim 9, wherein, as a function of confirming the attack packet reception status, the function of estimating the attack packet reception status of the attack target is realized by referring to a record by the function of recording the reception time.   A function of notifying the attack source of a warning when the attack is ongoing based on the determination result of the function to be determined and all the packets addressed to the attack target from the attack source are attack packets; The program according to claim 9 to be realized. A function of counting the number of discarded IP packets based on a new threshold set by the function of resetting the threshold;
10. The program according to claim 9, wherein when the counting result of the counting function becomes less than a threshold value before the new threshold value, the function of replacing the new threshold value with a threshold value before the new threshold value is realized. . The information processing apparatus readable recording medium having a program recorded thereon according to any one of claims 9 to 12.

Images