JP4284248B2 - Application service rejection attack prevention method, system, and program - Google Patents

Description

  The present invention relates to a security improvement technique in an IP (Internet protocol) network, and more particularly, to a protection method and system against a DoS attack or a DDoS attack on the Internet.

  On the Internet, attacks that try to send a large amount of abnormal data or packets to a specific site and thereby stop the service at that site have often been carried out. Such an attack is called a DoS (Denial of Service) attack, but as a more sophisticated attack, a DoS attack may be launched against the same site simultaneously from different locations. Such an attack from a plurality of places is called a DDoS (Distributed Denial of Service) attack. Hereinafter, a denial of service (DoS) attack and a distributed denial of service (DDoS) attack will be collectively referred to as a DoS / DDoS attack.

  By the way, various protocols used for communication on a network are handled by being layered into seven layers (hierarchies) by the OSI reference model. Correspondingly, packets used for DoS / DDoS attacks are also classified according to which layer the service is to be stopped. Recently, the processing of layer 5 (session layer) and higher in the OSI reference model, such as a SIP (Session Initiation Protocol) server used for relaying IP telephones and an SMTP (Simple Mail Transfer Protocol) server used for relaying e-mails. DoS / DDoS attacks are being performed on various end nodes.

  Conventionally, in order to protect these servers from DoS / DDoS attacks on end nodes (ie, servers) or end node groups that perform layer 5 or higher processing such as SIP servers and SMTP servers, (1) Detect and eliminate detected traffic, or (2) Information on layer 5 and above by installing a firewall device or IDS (Intrusion Detection System) in front of the machine where the protected server is built Measures such as detecting attacks by analyzing and eliminating detected traffic are taken.

  When an attack is detected and the corresponding traffic is eliminated, the exclusion setting is canceled when the attack traffic ends. However, since it is difficult to automatically detect the end of the attack traffic, In many cases, exclusion setting at the time of attack detection is automatically performed, but cancellation processing at the end of the attack is manually performed.

  Patent Document 1 (Japanese Unexamined Patent Application Publication No. 2003-283571, “Method and apparatus for preventing denial of service attack and its computer program”) discards an attack packet at a router close to an attacker in a network when a server is attacked. In order to do so, it has been proposed to install a dedicated device called a shield at each site in the network, to sequentially propagate the attack information between these dedicated devices, and to eliminate the attack traffic upstream. However, with this technique, attack information propagates between dedicated devices, but attack information is not propagated between nodes such as servers connected to the network.

Patent Document 2 (Japanese Patent Application Laid-Open No. 2002-158660, “Unauthorized Access Protection System”) discloses a network from an attack by disposing a dedicated blocking device in a network and operating the blocking device when an attack is detected in the network. We are proposing to protect you. However, the technique described in Patent Document 2 targets an attack of layer 4 or lower as a defense target.
JP 2003-283571 A Japanese Patent Laid-Open No. 2002-158660

  However, the above-described conventional defense method has the following problems especially when defense against an attack on layer 5 is performed.

  When defending an attack on the server machine itself, not only does the defense process itself require a heavy processing load, but also the attack traffic is concentrated on the line connected to the server machine. Service may be hindered. On the other hand, when a firewall device or IDS is installed in front of the server, in order to detect an attack of layer 5 or higher, the firewall device or IDS itself is a DoS / DDoS attack after performing processing of layer 5 or higher. Therefore, it is difficult to detect attacks of layer 5 and higher, and firewall devices and IDS itself may become a bottleneck in performance. In addition, the throughput is further limited, and the price of the apparatus itself is likely to be high.

  Therefore, an object of the present invention is an application that can effectively prevent a DoS / DDoS attack that transmits a packet to a server corresponding to a service of layer 5 or higher in the OSI reference model without causing a decrease in throughput or the like. It is an object to provide a denial-of-service attack prevention method and system.

  In the conventional denial of service prevention method described above, based on layer 5 or higher information, DoS / DDoS attack detection processing that is performed on layer 5 or higher processing of various end nodes (servers) is performed. However, since the process of detecting information of packet layer 5 or higher is a process that requires a large load, it causes a reduction in traffic throughput of the entire system and a high cost of the system. Therefore, in the present invention, the DoS / DDoS attack detection process for the process of layer 5 and higher is performed based on the traffic information based only on the information of layer 4 and lower.

  Specifically, a firewall device is installed in front of various end nodes or end node groups that perform layer 5 or higher processing such as a SIP server or SMTP server, and DoS / DDoS for layer 5 or higher processing is performed in this firewall device. Detect and respond to attacks. Preferably, the firewall apparatus is installed in-line on the exit line from the edge node that bundles the lines to these end nodes. In this case, since the firewall apparatus needs to have high throughput because it is installed on a line in which lines to various end nodes are bundled, if high throughput can be realized, the DoS / Since it can cope with a DDoS attack, low cost can be expected.

In order to enable high-speed processing, the firewall apparatus does not detect any information on the layer 5 or higher of the packet, but detects and copes with an attack only by information on the layer 4 or lower. This achieves high throughput for the firewall device. Such a firewall device is based on field information of layer 4 and below from the ingress side (the side where packets for the protected end node are input from the network) to the egress side (the side connected to the protected end node). A static packet filtering unit (first functional unit) that performs filtering on the first node and a TCP (transmission) that temporarily terminates TCP processing on behalf of the end node, performs three-way handshake processing, and then forwards traffic to the end node. control protocol) Intercept section (second functional section) and traffic that is forwarded to the end node by the TCP intercept section and that uses the end node address as the destination address are monitored for each source address. Based on the following information: An L4 unspecified detection unit (third function unit) that detects a DoS attack and requests countermeasures, and an L4ACL / rate limit that sets filtering or a rate limit for a flow specified by a request from the L4 unspecified detection unit A dynamic setting unit (fourth functional unit) is connected in series. Here, for example, when the traffic volume exceeds a certain threshold, the L4 unspecified detection unit instructs the L4 ACL / rate limiting dynamic setting unit to perform filtering or rate limiting of the flow as a request for countermeasures against the attack. Perform processing such as.

  In other words, the firewall device processes the packets input from the ingress side step by step based on the information contained in the packets below the layer 4 to narrow down the packets below the layer 4 transferring the information above the layer 5 In the final stage, the amount of traffic of the packet is measured, and if it exceeds the specified value, the attack packet is discarded by determining that it is a DoS / DDoS attack. In this way, by performing the processing below layer 4 step by step, it is possible to protect end nodes such as servers from DoS / DDoS attacks targeting layer 5 or higher, without performing processing of layer 5 or higher that requires a load. be able to.

  Specifically, in the L4 unspecified detection unit that is the third functional unit, traffic is detected based on information below layer 4, and based on the detected information, the L4 ACL / rate limiting that is the fourth functional unit The dynamic setting unit deals with attack traffic. The L4ACL / rate limiting dynamic setting unit that deals with the attack is provided behind the L4 unspecified detection unit that performs the detection because the functional unit that performs the countermeasure is located in front of the functional unit that performs the detection (the ingress side). ), The traffic after the response flows into the function unit that performs the detection, making it difficult to detect the end of the attack, and thus the cancellation processing of the response processing becomes difficult.

In the L4 unspecified detection unit, it is necessary to clearly distinguish layer 5 attack traffic (or layer 6, 7 attack traffic) and legitimate traffic. the following process does not include the extra traffic, such as attack traffic and target it is necessary. Therefore, in the static packet filtering unit, which is the first functional unit, and the TCP intercept unit, which is the second functional unit, the L4 non-specific detection unit, which is the third functional unit, is unnecessary for performing the detection process. Eliminates traffic.

The application service rejection attack prevention method of the present invention is an application service rejection for protecting an end node installed in an IP network from a DoS attack on TCP or a DDoS attack targeting a process of layer 5 or higher of the end node. The attack prevention method is a first process in which a firewall device installed in an exit line to an end node of an edge node that accommodates an end node performs filtering based on field information of layer 4 or lower; After the processing, the TCP processing is temporarily terminated on behalf of the end node, the second processing for transferring traffic to the end node after performing the three-way handshake processing, and the second processing is transferred to the end node. a traffic destination address the address of the end node For each source address, detects the attack based on information below layer 4 and requests countermeasures, and traffic for the flow specified by the request from the third process. And a fourth process for performing restriction (filtering, rate restriction, etc.).

  According to the present invention, it is possible to realize high throughput by performing all the processing for detecting a DoS / DDoS attack on processing of layer 5 or higher by detecting only information on layer 4 or lower of the packet, In addition, it is possible to perform such processing in the network. Further, in the case of a DoS / DDoS attack, not only the end node but also the network can be protected from packet concentration.

  Since the application service rejection attack protection method of the present invention can be executed by a fire device alone, it is only necessary to insert one such firewall device into an existing network, which is excellent in terms of cost and the like. Yes. In addition, since the attack traffic after setting the countermeasure processing can be detected, the release trigger can be detected with high accuracy, and the method is excellent in serviceability and maintainability.

  Next, a preferred embodiment of the present invention will be described with reference to the drawings.

  FIG. 1 is a diagram showing an example of a network configuration to which an application service denial attack protection method of the present invention is applied. Here, as an example of an end node, a case will be described in which one SIP server and one SMTP server are each protected from a DoS / DDoS attack on TCP (transmission control protocol).

  An ISP (Internet Service Provider) core network 10 is provided, and edge routers 1 and 2 are provided at edges of the core network 10, respectively. The edge router 1 accommodates the SIP server 4 and the SMTP server 5 to be protected, and the exit line to the server 4, 5 side of the edge router 1 is connected via the exit interface 8 of the edge router 1. The firewall device 3 is inserted and connected inline. The SIP server 4 is a control server that controls the SIP (Session Initiation Protocol) protocol within the ISP. Similarly, the SMTP server 5 uses the SMTP (Simple Mail Transfer Protocol) and POP3 (Post Office Protocol 3) protocols within the ISP. It is a control server to control. User terminals 6 and 7 accommodated in the SIP server 4 and the SMTP server 5 are connected to the edge router 2.

  FIG. 2 is a block diagram showing the configuration of the firewall device 3. The firewall device 3 performs filtering from the ingress side (side connected to the edge router 1) to the egress side (side connected to the SIP server 4 and SMTP server 5 to be protected) based on field information of layer 4 and below. The static packet filtering unit 11 to perform, the TCP processing on behalf of each of the servers 4 and 5, the TCP intercept unit 12 that transfers traffic to the server after performing the three-way handshake processing, and the servers 4 and 4. L4 non-specific detection unit 13 that monitors traffic with destination address 5 for each source address, detects a DoS / DDoS attack based on information below layer 4 and requests countermeasures, and L4 non-specific detection Filtering or rate limiting for the flow specified by the request from the section 13 And L4ACL / rate limiting dynamic setting unit 14 for setting has a structure connected in series via the bus firewall device 3. For example, when the traffic volume exceeds a certain threshold value, the L4 non-specific detection unit 13 instructs the L4 ACL / rate limiting dynamic setting unit 14 to perform filtering or rate limit of the flow as the above-described request. Process.

  Specifically, the static packet filtering unit 11 performs traffic filtering based on the IP header and TCP header information of the packet input from the ingress side. For example, out of UDP (User Datagram Protocol) packets, ICMP (Internet Control Message Protocol) packets, and TCP packets, packets that do not have a reserved port number of the protocol to be processed by the servers 4 and 5 to be protected are discarded. Is done. The port number through which the packet is passed is set by a maintenance person (an administrator of the firewall device). Thereby, attack traffic such as UDP flood (flood) and ICMP scan can be eliminated. This is a function generally provided in a conventional firewall apparatus that protects against a DoS / DDoS attack at a low layer. Since IP is a layer 3 protocol and TCP is a layer 4 protocol, the static packet filtering unit 11 performs filtering based on field information of layer 4 and below.

  The TCP intercept unit 12 detects TCP in a stateful manner and not only discards attack packets based on TCP such as TCP-SYN flood (flood) and TCP port scan, but also checks the normality of the TCP sequence. Then forward the packet. Since the normality of the TCP sequence is confirmed, the packet for which the source address is spoofed is also discarded here, and the spoofed address packet is also protected here. Since TCP is a layer 4 protocol, the TCP intercept unit 12 performs processing at layer 4 based on information below layer 4.

  The L4 non-specific detection unit 13 detects a DoS / DDoS attack based on information below layer 4, and performs filtering or rate (transfer rate) restriction on the detected DoS / DDoS attack flow. / Instructs the rate limit dynamic setting unit 14. Here, attack detection by the L4 unspecified detection unit 13 and setting instructions to the L4 ACL / rate limiting dynamic setting unit 14 are collectively referred to as a detection / setting cooperation function. The L4 unspecified detection unit 13 detects, for example, traffic from each user terminal (or other node) to a preset end node (server) for each source address, and the amount of traffic exceeds a threshold value. When it is detected, it is determined as a DoS / DDoS attack and a DoS / DDoS attack is detected.

  The L4 ACL / rate limiting dynamic setting unit 14 performs filtering or rate limiting in accordance with a command from the L4 non-specific detection unit 13, and as a result, performs filtering or rate limiting based on the value of the field below layer 4. The filtering or rate limit setting in the static packet filtering unit 11 is performed by the maintainer. The filtering or rate limiting setting in the L4ACL / rate limiting dynamic setting unit 14 is basically performed by the L4 non-specific detection unit. Only 13 are doing. In other words, except for an exceptional case where it must be forcibly set in an emergency, the maintainer does not perform filtering or rate limit setting for the L4ACL / rate limit dynamic setting unit 14.

  Further, the firewall device 3 includes values and parameters used when processing is performed by each functional unit (static packet filtering unit 11, TCP intercept unit 12, L4 unspecified detection unit 13 and L4ACL / rate limiting dynamic setting unit 14). A setting unit 15 for setting the values, an input device 16 such as a keyboard and a mouse for inputting those values and parameters by the maintenance person, and a display device for displaying a screen for setting those values and parameters to the maintenance person 17. However, the value setting for the L4ACL / rate limiting dynamic setting unit 14 is performed only in exceptional cases as described above.

  Next, prior to the description of the operation of the present embodiment, the configuration of the IP header and the TCP header and the processing in SIP and SMTP will be described.

  FIG. 3 shows the fields of the IP header and the TCP header. The configurations of the IP header and the TCP header shown here are well known to those skilled in the art.

  FIG. 4 is a sequence diagram showing processing in SIP (see RFC3261), which is a TCP protocol used for relaying IP telephones. The figure shows processing when a call is made from a calling user terminal to a called user terminal. First, when an INVITE message is sent from the calling user terminal to the SIP server (step 401), the SIP server sends an INVITE message to the called user terminal (step 402). A Trying message is sent to the calling user terminal (step 403). The called user terminal sends a Trying message to the SIP server (step 404), and then sends a Ringing message corresponding to the ringing tone (step 405). In response, the SIP server sends a Ringing message to the calling user terminal (step 406). When the user terminal on the called side is ready for the incoming call, it sends an OK message to the SIP server (step 407). In response, the SIP server sends the OK server to the user terminal on the calling side (step 408). . Upon receiving the OK message, the calling terminal sends an ACK (acknowledgment) message to the SIP server (step 409), and the SIP server sends the ACK message to the called user terminal (step 410).

  With the above processing, since a connection path between the calling and called user terminals is established, communication between the calling and called user terminals starts (step 411). When the communication is completed, a BYE message that conveys the end of the call is sent from the calling user terminal to the SIP server (step 412), and the SIP server sends the BYE message to the called user terminal (step 413). In response, the called user sends an OK message to the SIP server (step 414), and the SIP server sends an OK message to the calling user terminal (step 415). Thus, a series of call processing ends.

  FIG. 5 is a sequence diagram showing processing in POP3 (see RFC 1939 et al.), Which is a TCP protocol used for relaying electronic mail.

  If an e-mail message for the user is already stored in the SMTP server and a USER message is sent from the user terminal to the SMTP server (step 501), the SMTP server returns a + OK response to the user terminal (step 502). The user authentication exchange is performed between the user terminal and the SMTP server (step 503), and after authentication, the message information in the server is confirmed (step 504). Subsequently, the user terminal downloads a message from the SMTP server (step 505), and after the download, a message deletion request is made from the user terminal to the SMTP server (step 506). Finally, a completion notification is transmitted from the user terminal to the SMTP server (step 507), and the communication disconnection processing is performed between the user terminal and the SMTP server (step 508).

  In this way, processing for taking in an e-mail message from the SMTP server to the user terminal is performed.

  Next, the operation of the application service rejection attack protection method of this embodiment will be described. Here, in the network configuration shown in FIG. 1, it is assumed that the user terminal 6 is a user terminal that emits DoS / DDoS attack traffic, and the user terminal 7 is a legitimate user terminal. It is assumed that the SIP server 4 operates as a server for SIP, which is a protocol on TCP, and the SMTP server 5 operates as a server for POP3, which is a protocol on TCP. Hereinafter, the traffic from the user terminals 6 and 7 to the SIP server 4 or the SMTP server 5 is referred to as “upstream traffic”, and the traffic in the direction opposite to the “upstream traffic” is referred to as “downstream traffic”.

  Here, the user terminal 6 sends a large number of messages for layer 5 or higher processing to the servers 4 and 5, overloads the servers 4 and 5 and the network up to that, and uses the user terminal 7. To prevent legitimate users from receiving services.

  In the present embodiment, as shown in FIG. 1, a firewall device 3 is installed in-line to the exit interface 8 of the edge router 1, and a DoS / DDoS attack is detected and dealt with here.

  In the static packet filtering unit 11 of the firewall apparatus 3, first, the setting unit 15 performs the following on the upstream traffic: “IP header, source address = SIP server address, protocol field = 6 (TCP), TCP header, Destination port = 5060 (SIP protocol well-known port) and “IP header, source address = SMTP server address, protocol field = 6 (TCP), TCP header, destination port = 110 (well-known port of POP3 protocol) "is set so that it can pass only. Thereby, attack packets such as UDP flood (flood) and ICMP flood can be discarded.

  A specific processing sequence in the TCP intercept unit 12 is shown in FIG. The TCP intercept unit 12 performs a three-way handshake process between the user terminal and the end node. When a TCP-SYN packet from the user terminal is detected (step 601), the TCP intercept unit 12 can transfer it immediately. Instead, it temporarily holds and returns a TCP-SYN + ACK packet to the user terminal as a proxy for the end node (server) (step 602). When the user terminal spoofs the transmission source address and transmits a TCP-SYN packet, the TCP-SYN + ACK packet does not reach the user terminal.

  When the user terminal receives the TCP-SYN + ACK packet, the user terminal should transmit the TCP-ACK packet to the firewall device (step 603). However, when the TCP-SYN flood attack is performed, the user terminal does not return the TCP-ACK packet. . Therefore, when the TCP-ACK packet is returned from the user terminal, the TCP intercept unit 12 does not immediately transfer the TCP-ACK packet to the end node. Transfer to the end node (step 604). Thereafter, when the TCP-SYN + ACK packet is returned from the end node (step 605), the TCP-SYN + ACK packet is not transferred to the user terminal, but the retained TCP-ACK packet is transferred to the end node (step). 606). Thereafter, when a connection is established, the user terminal transmits TCP data (step 607), but the firewall device 3 transfers the TCP data as it is to the end node (step 608).

  In this way, the TCP intercept unit 12 monitors the state of the TCP session and discards packets that do not match the sequence from the user terminal. As a result, a packet in which the source address from the user is spoofed can be discarded, and an illegal TCP packet can also be discarded. Therefore, most DoS / DDoS attack packets using TCP packets can be discarded at the stage of the TCP intercept unit 12.

  FIG. 7 is a flowchart showing processing in the L4 non-specific detection unit 13. The L4 non-specific detection unit 13 includes a setting table for registering the source address when filtering or rate limiting is instructed to the L4 ACL / rate limiting dynamic setting unit 14 regarding traffic of a certain source address. The L4 unspecified detection unit 13 detects the traffic from the user terminal to the preset end node for each upstream source traffic for each source address, and for each source address for the end node targeted for attack. A value obtained by dividing the traffic volume per unit time T set in advance by the unit time is defined as C (step 701). Next, it is determined whether or not the detected source address is registered in the setting table (step 702). Here, if the source address is not registered in the setting table, it is determined whether or not the value C exceeds a preset threshold A (step 703). When C exceeds the threshold value A, the L4 unspecified detection unit 13 filters the packet having the source address or applies a rate limit with a predetermined threshold value D so that the firewall apparatus 3 is instructed to the L4ACL / rate limiting dynamic setting unit 14 via the bus (step 704), and the source address is registered in the setting table (step 705). Thereafter, for processing of the next packet. Then, the process returns to step 701. If C does not exceed the threshold value A in step 703, the process returns to step 701 as it is.

  In step 702, if the source address is registered in the setting table, it is determined whether C is below a preset threshold B (step 706). If not lower, the process returns to step 701. If lower, the L4 unspecified detecting unit 13 instructs the L4ACL / rate limiting dynamic setting unit 14 to set the source address (filtering or rate). (Restriction) is released (Step 707), the source address is deleted from the setting table (Step 708), and the process returns to Step 701. Similarly, in step 702, when the packet having the source address registered in the setting table is not detected within the unit time T, the L4 non-specific detection unit 13 proceeds to step 707, The L4ACL / rate limiting dynamic setting unit 14 is instructed to cancel the contents set in the source address.

  In the above processing, the end node transmission destination address, unit time T, and threshold values A, B, and D in step 701 are all set for each transmission destination address (each end node) by the maintainer. Is.

  FIG. 8 shows an example of the maintenance person setting screen 21 displayed on the display device 16 when the maintenance person uses the setting unit 15 to make settings for the L4 non-specific detection unit 13. In the example shown in FIG. 8, the SIP server address, the traffic detection unit time T = 1000 msec as the IP address designated by the target end node, and 10 threshold values A are detected for 10 SIP protocol INVITE messages per second. Assuming that it is determined as an attack, the traffic amount for 10 INVITE messages (including traffic for lower layer sequences such as TCP) and the threshold value B are set to about 80% of the threshold value A. Traffic volume for 8 messages, filtering selected as processing for handling at the time of detection ”and“ IP address of target end node specified as SMTP server address, traffic detection unit time T = 1000 msec, threshold A POP3 protocol U per second Assuming that an attack is detected when 10 ER messages are detected, the traffic amount for 10 USER messages (including traffic for lower layer sequences such as TCP) and the threshold B are threshold A The amount of traffic corresponding to eight USER messages is set to about 80% of the message, and “filtering is selected as a handling process at the time of detection” is set in advance. By performing such a setting, when an attack to the SIP server or the SMTP server occurs, it can be automatically defended against and can be automatically released when the attack ends.

  The L4 ACL / rate limiting dynamic setting unit 14 performs filtering (specifically, filtering based on a source address) or rate limiting for the DoS / DDoS attack flow discovered by the L4 unspecified detection unit 13 for upstream traffic. When selecting the rate limit, the rate limit is performed based on the threshold value D specified in advance as described above. Furthermore, when the L4 unspecified detection unit 13 detects the end of the DoS / DDoS attack, the L4 ACL / rate limiting dynamic setting unit 14 cancels the setting of filtering or rate limiting based on the detection.

According this way the present embodiment, by passing traffic to the end node from the user terminal to Faiau O Lumpur apparatus 3 constructed as described above, be detection and prevention of DoS / DDoS attacks with high precision it can.

  The firewall device described above can also be realized by causing a computer program such as a server computer to read a computer program for realizing it and executing the program. Such a program is read into a computer by a recording medium such as a CD-ROM or via a network. Such a computer generally includes a CPU (Central Processing Unit), a hard disk device for storing programs and data, a main memory, an input device such as a keyboard and a mouse, a display device such as a CRT, a CD- It comprises a reading device that reads a recording medium such as a ROM, and an interface for connecting to a network. In this computer, a program for realizing the firewall device is read from a recording medium or downloaded through a network and stored in the hard disk device, and the CPU executes the program stored in the hard disk device to function as the firewall device. Will do.

It is a figure which shows an example of the structure of the network to which the application service rejection attack protection method of this invention is applied. It is a block diagram which shows the structure of a firewall apparatus. It is a figure explaining each field in an IP header and a TCP header. It is a sequence diagram which shows a SIP protocol. It is a sequence diagram which shows a SMTP protocol. It is a sequence diagram which shows an example of the process in a TCP intercept part. It is a flowchart which shows the process in a L4 non-specific detection part. It is a figure which shows an example of the maintenance person setting screen for setting the value used with a L4 non-specific detection part and a L4ACL / rate restriction dynamic setting part.

Explanation of symbols

DESCRIPTION OF SYMBOLS 1, 2 Edge router 3 Firewall apparatus 4 SIP server 5 SMTP server 6,7 User terminal 8 Egress interface 10 Core network 11 Static packet filtering part 12 TCP intercept part 13 L4 non-specific detection part 14 L4ACL / rate restriction dynamic setting part 15 setting Part 16 Input device 17 Display device 21 Maintenance person setting screen

Claims (11)

An application service denial-of-service attack defense method for protecting an end node installed in an IP network from a DoS attack or a DDoS attack on TCP targeting a process of layer 5 or higher of the end node,
A firewall apparatus installed in an exit line to the end node of the edge node accommodating the end node performs filtering based on field information of layer 4 or lower, and after the first process, A TCP process is temporarily terminated on behalf of the end node, a three-way handshake process is performed, and then a second process for transferring traffic to the end node and a transfer to the end node by the second process A third process of monitoring traffic for each source address, the traffic having the address of the end node as a destination address, detecting an attack based on information of layer 4 and below, and requesting a countermeasure; A fourth process for restricting traffic to the flow designated by the request from the process;
An application denial-of-service attack defense method is executed.   The said 3rd process detects that there exists the said attack, when the traffic amount for every said transmission origin address exceeds a fixed threshold value as the information below the said layer 4, The said attack is detected. Application service denial attack protection method.   The application service denial-of-service attack prevention method according to claim 2, wherein when the amount of traffic from the source address related to the attack falls below a return threshold, the traffic restriction is released.   The application service denial attack protection method according to any one of claims 1 to 3, wherein the traffic restriction is filtering or rate restriction of a corresponding flow. An application denial-of-service attack defense system for protecting an end node installed in an IP network from a DoS attack on TCP or a DDoS attack targeting a process of layer 5 or higher of the end node,
A firewall device installed in an exit line to the end node of the edge node that accommodates the end node;
The firewall device is
A static packet filtering unit that is provided at the ingress end of the firewall device and performs filtering based on field information of layer 4 and below;
A TCP intercept unit that temporarily terminates TCP processing on behalf of the end node for traffic that has passed through the static packet filtering unit, performs a 3-way-handshake process, and then forwards the traffic to the end node;
The traffic intercepted by the TCP intercept unit to the end node and having the end node address as the destination address is monitored for each source address, and a DoS / DDoS attack is performed based on the information of the layer 4 and below. An L4 unspecified detection unit that detects and requests countermeasures;
An L4ACL / rate limiting dynamic setting unit that limits traffic to a flow designated by a request from the L4 unspecified detection unit;
An application service denial-of-service attack defense system.   The L4 non-specific detection unit detects that there is the attack when the traffic amount for each source address exceeds a certain threshold as the information of the layer 4 or lower. Application service denial attack protection system.   The L4 unspecified detecting unit requests the L4 ACL / rate limiting dynamic setting unit to release the traffic limitation when the traffic volume from the source address related to the attack falls below a return threshold. The application service denial-of-service attack defense system according to claim 6.   The application service denial attack protection system according to claim 7, further comprising a setting unit configured to set the constant threshold and the return threshold.   The application service denial attack protection system according to any one of claims 5 to 8, wherein the traffic restriction is filtering or rate restriction of a corresponding flow.   In the firewall device, the static packet filtering unit, the TCP intercept unit, the L4 unspecified detection unit, and the L4 ACL / rate limiting dynamic setting unit are serially arranged in this order from the ingress side to the egress side of the firewall device. The application service denial-of-service attack defense system according to any one of claims 5 to 8, provided in the system. To a computer constituting a firewall device installed in an exit line to an end node of an edge node that accommodates an end node installed in an IP network,
A first process for performing filtering based on field information of layer 4 and below;
After the first process, a second process for temporarily terminating the TCP process on behalf of the end node, performing a three-way handshake process, and then forwarding traffic to the end node;
The traffic that is transferred to the end node by the second process and that has the end node address as the destination address is monitored for each source address, and an attack is detected based on information of layer 4 and below. The third process to request
A fourth process for restricting traffic to the flow designated by the request from the third process;
A program that executes

Images