JP4977646B2 - Server apparatus and communication control method - Google Patents

Description

  The present invention relates to a server apparatus and a communication control method for performing communication control on signals transmitted and received via a network.

  The discussion on the next generation network (NGN) has become popular. NGN is a basic network that provides telephone services, services that combine fixed communication and mobile communication, and new information communication services that will be developed in the future.

  The NGN here is a packet-based network and has a structure in which a packet transfer function for transferring a packet and a service control function for controlling a service are separated. The packet transfer function is realized by a subscriber service edge or a relay border gateway device as a transfer device. The service control function controls the start and end of a session using a Session Initiation Protocol (SIP), and these controls are performed by a two-level controller of a subscriber session control server and a relay session control server. Realized.

  Hereinafter, the subscriber service edge (Subscriber Service Edge) is denoted as SSE, and the relay border gateway equipment (Intermediate Border gateway Equipment) is denoted as IBE. Further, the subscriber session control server (Subscriber Session Control server) is expressed as SSC, and the relay session control server (Intermediate Session Control server) is expressed as ISC. SSE, IBE, SSC and ISC are names used in NGN. In general, SSE is called a subscriber router, IBE is called a relay router, SSC is called a subscriber SIP server, and ISC is called a relay SIP server.

  In order to realize a network that provides the various information communication services described above, increasing safety is one of the important issues. In order to increase safety, the terminal of a user who is considered not to use normally is restricted so that the network cannot be used temporarily, so that the user who uses it normally will not be disturbed. It is necessary to. Regulating the use of a network to a terminal of a user who is not normally used is called “lockout”.

  An example of a lockout control technique for restricting communication to terminals of users who are not normally used among users who are subscribers of the information communication service will be described (see Patent Document 1). The SIP server measures the total number of INVITE signals received per unit time, and when the measured total number of INVITE signals exceeds a threshold, the number of INVITE signals for each source address is measured. If the number of source addresses whose measured number of INVITE signals exceeds a specific value is greater than a certain number, it is determined that the DDoS (Distributed Denial of Service attack) attack has occurred, and the number of INVITE signals exceeds a specific value. Restrict outgoing calls to source addresses. Thereby, DDoS can be prevented and traffic applied to the SIP server can be suppressed.

In addition, as another lockout control technique, a DDoS attack is detected by counting the number of terminal registration signals or / and session establishment request signals for a predetermined monitoring period for each IP (Internet Protocol) address for the session control device, There is a thing which locks out (refer patent document 2). Thereby, DDoS can be prevented and traffic applied to the SIP server can be suppressed.
JP 2007-060379 A JP 2004-320636 A

  In the method disclosed in Patent Document 1, since transmission restriction is applied to a device having a source address, when a plurality of terminal devices are connected under the device having the same source address, the device is normally used. This also suppresses the traffic of other terminal devices.

  Also, in the method disclosed in Patent Document 2, as in the case of Patent Document 1, when a plurality of terminal devices are connected under the device having the same source address, other terminal devices that are normally used The traffic of will be suppressed together.

  These lockout control techniques have a problem that lockout control cannot be performed for each terminal device when a plurality of terminal devices are connected under the device of one source address.

  The present invention has been made to solve the above-described problems of the technology, and a server device capable of locking out a plurality of terminal devices under the control of one gateway device for each terminal device. It is another object of the present invention to provide a communication control method.

A server device of the present invention for achieving the above object is a server device connected to a plurality of gateway devices via a network,
The plurality of pieces of connection information including information on a set of source address information for identifying the gateway device on the network and information on terminal identifiers that differ between the terminal devices for the plurality of terminal devices connected to the gateway device. A storage unit stored corresponding to the gateway device of
Upon receiving the connection request signal from one of the terminals of the plurality of terminal devices via the gateway device, it reads a set of information consisting of a source address and a terminal identifier indicating the source from the header of the connection request signal , it is determined whether or not the connection request signal is a communication restriction object, when the connection request signal is a communication restriction object retrieves the connection information including a set of information read by the storage unit, the When recognizing that there is connection information including information on a set, the terminal device that has transmitted the connection request signal that is subject to communication restriction is specified, and the terminal device specified by the terminal identifier of the information on the set is identified. A control unit that executes communication restriction by a terminal identifier or a source address ;
It is the structure which has.

A communication control method for achieving the above object is a communication control method by a server device connected to a plurality of gateway devices via a network,
Connection information including information on a set of source address information for identifying the gateway device on the network and terminal identifier information different between the terminal devices for the plurality of terminal devices connected to the gateway device; Store in advance in the storage unit corresponding to the plurality of gateway devices,
Upon receiving the connection request signal from one of the terminals of the plurality of terminal devices via the gateway device, it reads a set of information consisting of a source address and a terminal identifier indicating the source from the header of the connection request signal , Determine whether the connection request signal is subject to communication regulation ,
Wherein when the connection request signal is a communication restriction object retrieves the connection information including a set of information read by the storage unit,
As a result of the search, when recognizing that there is connection information including the read set information, the terminal device of the transmission source that has transmitted the connection request signal to be subject to communication regulation is specified, and the terminal identifier of the set information is The communication restriction is executed on the identified terminal device by the terminal identifier or the source address .

  ADVANTAGE OF THE INVENTION According to this invention, communication regulation can be performed for every terminal device about the some terminal device under the control of one gateway apparatus.

  The configuration of the communication system in the present embodiment will be described.

  FIG. 1 is a block diagram illustrating a configuration example of a communication system according to the present embodiment.

  The communication system according to the present embodiment includes an NGN 1 and a home gateway (Home Gateway, hereinafter referred to as HGW) 4. The HGW 4 is connected to the NGN 1, the terminal device 5a, and the terminal device 5b. Hereinafter, when one of the terminal device 5a and the terminal device 5b is not designated, the terminal device 5 is described.

  The HGW 4 is a gateway device that interfaces with the home network and NGN 1. A global IP address is assigned to the HGW 4. This address becomes a source address when signals are transmitted / received to / from the outside of the home. In this embodiment, in order to simplify the description, one HGW 4 is used and two terminal devices are connected to the HGW 4. However, there may be a plurality of HGWs 4 and the number of terminal devices connected to the HGW 4. Is not limited to two.

  The terminal device 5 is a terminal device operated by a user. The terminal device 5 has a function of transmitting and receiving voice data in packets, similar to an IP telephone.

  NGN 1 is a network having a packet transfer layer 2 and a service control layer 3. The packet transfer layer 2 is a collection of devices having a packet transfer function, including the SSE 21 and the IBE 22. The service control layer 3 is a collection of devices having a function of controlling various services including the SSC 31 and the ISC 32. In this embodiment, SSE 21 and IBE 22 are provided in the packet transfer layer 2, and SSC 31 and ISC 32 are provided in the service control layer 3.

  The SSE 21 is a transfer device that transmits and receives packets to and from the HGW 4. The IBE 22 is a transfer device that transmits and receives packets to and from another network (not shown) that is not NGN1. The ISC 32 is a server having a relay session control function and a connection control function with another network. The SSC 31 is a server having a subscriber system session control function.

  Next, the configuration of the SSC 31 shown in FIG. 1 will be described in detail. FIG. 2 is a block diagram showing a configuration example of the SSC shown in FIG. It should be noted that parts related to the features of the present invention will be described, and the configuration related to the normal session control function is shown in the drawing and detailed description thereof will be omitted.

  The SSC 31 includes a restriction unit 311 that determines whether or not a connection request signal received from the outside is subject to communication restriction. The restriction unit 311 includes a control unit 3111, an extraction unit 3112, an execution unit 3113, a notification unit 3114, and a user terminal database (hereinafter referred to as user terminal DB) 3115. The SIP signal of the INVITE message is a kind of connection request signal.

  The user terminal DB 3115 is a storage unit for registering connection information, which is information described by associating the global IP address of the HGW 4 with the identifiers of terminal devices under the HGW 4. Below, the identifier of a terminal device is called terminal ID. When there are a plurality of terminal devices connected to one HGW 4, the terminal IDs are different among the terminal devices. The terminal ID is a telephone number of the terminal, a URL (Uniform Resource Locators), a private IP address, or the like. The type of terminal ID registered together with the global IP address of HGW 4 is not limited to one, and may be plural. When there are a plurality of HGWs 4, connection information is registered in the user terminal DB 3115 for each HGW 4.

  The control unit 3111 controls the extraction unit 31112, the execution unit 3113, the notification unit 3114, and the user terminal DB 3115 in the regulation unit 311. The control unit 3111 is provided with a CPU (Central Processing Unit) (not shown) that executes predetermined processing according to a program, and a memory (not shown) for storing the program. The control unit 3111 starts control of communication restriction when restriction information that is information related to determination of a communication restriction target is input from the outside. Examples of a method for determining a communication restriction target are disclosed in Patent Literature 1 and Patent Literature 2.

  It should be noted that once restriction information is input from the outside, it may be once incorporated into the program, and control of communication restriction may be started upon input of control start from the maintenance person. Further, the regulation information may be input by a maintenance person or may be received from another device in the NGN 1.

  In this embodiment, there are two types of operation modes for communication regulation control. That is, a mode for performing lockout control for each terminal device and a mode for performing lockout control in units of source addresses. Hereinafter, a mode in which lockout control is performed for each terminal device is referred to as a first mode, and a mode in which lockout control is performed in units of source addresses is referred to as a second mode.

Control unit 3111 receives the information of the communication regulated by the terminal from the extraction unit 3112, to execute the communication restriction on the execution unit 3113, and notifies the alarm to the maintenance personnel. At that time, the operation mode is the first mode, and notifies the information terminal of the communication regulated to the execution unit 3113. When the operation mode is the second mode, the source address registered together with the terminal ID is read with reference to the user terminal DB 3115 and notified to the execution unit 3113, and the connection information is referred to and the other than the communication regulation target The terminal ID of the terminal is transmitted to the notification unit 3114.

  In addition, when there is an input for instructing the change of the operation mode from the maintenance person, the control unit 3111 changes the operation mode being executed to another operation mode. Further, when an instruction to cancel the communication restriction is input from the maintenance person, the execution unit 3113 is instructed to release the communication restriction.

  The extraction unit 3112 reads the source address and terminal ID from the header from the SIP signal received from the outside, and identifies the transmission source. Based on the restriction information, it is determined whether or not the SIP signal specifying the transmission source is a target for communication restriction. If it is determined that the communication should be restricted, the terminal device that has transmitted the SIP signal that causes the communication restriction is specified. Specifically, the identification is performed as follows.

  The source address of the HGW 4 is described in the header of the SIP signal. Further, the SDP (Session Description Protocol) included in the header of the SIP signal describes the terminal ID of the terminal device 5 that has transmitted the SIP signal. When the extraction unit 3112 compares the connection information registered in the user terminal DB 3115 with information on a set of the global IP address and terminal ID described in the header of the SIP signal and finds connection information including the information on the set. The terminal having the terminal ID is specified as a terminal whose communication should be restricted.

  Here, the reason why the extraction unit 3112 searches the user terminal DB 3115 for connection information including a set of information including the source address of the HGW 4 and the terminal ID will be described. If the terminal ID is a telephone number that is different among the terminal devices regardless of which HGW 4 is connected, the extracting unit 3112 can identify the terminal device without referring to the user terminal DB 3115. However, if the terminal ID is a private IP address, there may be other terminals having the same private IP address under different HGW 4. For this reason, the extraction unit 3112 needs to refer to the user terminal DB 3115 to identify connection information including information on a combination of a source address and a terminal ID, and finally to identify a terminal that is subject to communication restriction.

Execution unit 3113 in the case of the first mode, when receiving the information of the control unit 3111 whether we end end ID, discard the SIP signal its terminal ID is written in the SDP header, the second mode In this case, when the information of the source address is received from the control unit 3111, the SIP signal in which the source address is written in the header is discarded. When receiving an instruction from the control unit 3111 to cancel the communication restriction, the SIP signal subject to communication restriction is no longer discarded.

  When the notification unit 3114 receives the terminal ID information from the control unit 3111, the notification unit 3114 transmits a message indicating that communication is restricted to the terminal ID.

  Next, the operation of the communication system of this embodiment will be described.

  3 and 4 are sequence diagrams showing the operation procedure of the communication system of this embodiment. FIG. 3 shows a case where the operation mode is the first mode, and FIG. 4 shows a case where the operation mode is the second mode. Here, it is assumed that the terminal device 5a transmits a SIP signal that causes communication restriction. The illustration of the SSE 21 in FIGS. 3 and 4 is omitted.

  First, the case where the operation mode is the first mode will be described with reference to FIG.

  When the user operates the terminal device 5b to make a call to a terminal device (not shown) connected to another network, the terminal device 5b uses the SDP in which its terminal ID is described as information indicating the transmission source in the header. The SIP signal of the included INVITE message is transmitted to the HGW 4 (step A1). The HGW 4 writes its own IP address as information indicating the transmission source in the header of the SIP signal received from the terminal device 5b and transmits it to the SSC 31 via the SSE 21 (step A2).

  On the other hand, when the user of the terminal device 5a operates the terminal device 5a in an abnormal usage manner, the terminal device 5a transmits a SIP signal that causes communication restriction to the HGW 4 (step A3). At that time, the terminal device 5a inserts the SDP describing its own terminal ID as information indicating the transmission source into the header of the SIP signal. The HGW 4 writes its own IP address as information indicating the transmission source in the header of the SIP signal received from the terminal device 5a, and transmits it to the SSC 31 via the SSE 21 (step A4).

  When the restriction unit 311 of the SSC 31 receives a plurality of SIP signals from the SSE 21 (step A5), it reads out the source address described in the header of each SIP signal and the terminal ID described in the SDP. The SIP signals are classified according to the set of information consisting of the read source address and terminal ID, and it is determined whether there is a SIP signal that causes communication restriction based on the restriction information. When there is a SIP signal that causes communication restriction, the connection information including a set of information indicating the source of the SIP signal is searched in the user terminal DB 3115.

  Subsequently, when the restricting unit 311 finds connection information including the set information in the user terminal DB 3115, the restricting unit 311 sets the terminal device 5a specified by the terminal ID of the set information as a communication restriction target (step A6). And communication regulation is performed with respect to the specified terminal device 5a (step A7). The communication restriction here is to discard the SIP signal received from the terminal device 5a without transferring it to the destination. Since the processing is not directly performed on the terminal device 5a, FIG. 3 shows that communication restriction on the terminal device 5a is indicated by a broken line.

  Next, a case where the operation mode is the second mode will be described with reference to FIG. Steps B1 to B6 are the same as steps A1 to A6 described with reference to FIG.

  When the restriction unit 311 of the SSC 31 specifies the terminal device 5a subject to communication restriction in step B6, the restriction unit 311 executes communication restriction on the HGW 4 that is a higher-level device of the specified terminal device 5a (step B7). The communication restriction is to discard the SIP signal received from the HGW 4 without transferring it to the destination. For the same reason as in FIG. 3, in FIG. 4, communication restriction for the HGW 4 is indicated by a broken line.

  Subsequently, the regulation unit 311 refers to the connection information of the user terminal DB 3115 and checks the terminal device connected to the HGW 4. In this embodiment, since the terminal devices 5a and 5b are connected to the HGW 4, the restriction unit 311 sends a message indicating that communication is restricted to the terminal devices 5b other than the terminal device 5a subject to communication restriction. Transmit (step B8).

  According to the present embodiment, since the terminal device that is subject to communication restriction is specified based on the information of the source address and the terminal identifier, the terminal device is used for a plurality of terminal devices under the gateway device of one source address. It becomes possible to perform lockout control every time.

  In addition, when lockout control is performed on the gateway device of the source address, it is possible to notify the terminal device that is not transmitting the SIP signal that causes lockout that the communication device is in a communication restriction state. become.

  In addition, if a plurality of types of terminal IDs are registered in the connection information for one terminal device, the terminal can be specified regardless of which terminal ID is written in the SDP of the SIP signal.

  In the above-described embodiment, the SSE 21, IBE 22, SSC 31, ISC 32, and HGW 4 are each one for ease of explanation, but a plurality of devices may be provided. One device may have the functions of other devices. For example, instead of providing SSE 21 and SSC 31 separately, an apparatus in which SSE 21 and SSC 31 are integrated may be provided.

  In addition, each of the notification unit 3114, the execution unit 3113, and the extraction unit 3112 may be configured by a dedicated circuit, or may be configured by the CPU executing a program, like the control unit 3111. Furthermore, the notification unit 3114, the execution unit 3113, the extraction unit 3112, and the control unit 3111 in the regulation unit 311 may be a control unit that combines these functions into one.

It is a block diagram which shows the example of 1 structure of the communication system of this embodiment. It is a block diagram which shows the example of 1 structure of SSC shown in FIG. It is a sequence diagram which shows the operation | movement procedure of the communication system of this embodiment. It is a sequence diagram which shows another operation | movement procedure of the communication system of this embodiment.

Explanation of symbols

1 NGN
4 HGW
31 SSC
311 Regulatory Department

Claims (4)

A server device connected to a plurality of gateway devices via a network,
The plurality of pieces of connection information including information on a set of source address information for identifying the gateway device on the network and information on terminal identifiers that differ between the terminal devices for the plurality of terminal devices connected to the gateway device. A storage unit stored corresponding to the gateway device of
Upon receiving the connection request signal from one of the terminals of the plurality of terminal devices via the gateway device, it reads a set of information consisting of a source address and a terminal identifier indicating the source from the header of the connection request signal , it is determined whether or not the connection request signal is a communication restriction object, when the connection request signal is a communication restriction object retrieves the connection information including a set of information read by the storage unit, the When recognizing that there is connection information including information on a set, the terminal device that has transmitted the connection request signal that is subject to communication restriction is specified, and the terminal device specified by the terminal identifier of the information on the set is identified. A control unit that executes communication restriction by a terminal identifier or a source address ;
A server device.   The server device according to claim 1, wherein the communication restriction is to discard the connection request signal received from the identified terminal device without transferring the connection request signal. A communication control method by a server device connected to a plurality of gateway devices via a network,
Connection information including information on a set of source address information for identifying the gateway device on the network and terminal identifier information different between the terminal devices for the plurality of terminal devices connected to the gateway device; Store in advance in the storage unit corresponding to the plurality of gateway devices,
Upon receiving the connection request signal from one of the terminals of the plurality of terminal devices via the gateway device, it reads a set of information consisting of a source address and a terminal identifier indicating the source from the header of the connection request signal , Determine whether the connection request signal is subject to communication regulation ,
Wherein when the connection request signal is a communication restriction object retrieves the connection information including a set of information read by the storage unit,
As a result of the search, when recognizing that there is connection information including the read set information, the terminal device of the transmission source that has transmitted the connection request signal to be subject to communication regulation is specified, and the terminal identifier of the set information is A communication control method for performing communication restriction on a specified terminal device using a terminal identifier or a source address .   The communication control method according to claim 3, wherein the communication restriction is to discard the connection request signal received from the identified terminal device without transferring the connection request signal.

Images