JP6679521B2 - Communication system and DDoS cooperation coping method - Google Patents

Description

  The present invention relates to a network technology that realizes sharing of DDoS (Distributed Denial of Service attack) attack information among multiple organizations and cooperating countermeasures.

  In recent years, DDoS attacks have become large in scale, and due to the exhaustion of network bandwidth of upstream ISPs (Internet Service Providers) and the resource limit of defense functions (for example, the mitigation device shown in Non-Patent Document 1), the target organization alone There are cases where it is difficult to deal with. Against such a DDoS attack, the resources of defense functions of multiple ASs (Autonomous System) are shared across the Internet, and each AS is targeted while the load is distributed so that the resource load is not concentrated on a specific defense function. A technique has been proposed in which the amount of attack that can be dealt with on the entire Internet is improved by sharing the attack and dealing with it (Non-Patent Document 2).

Arbor Networks, "DDOS PROTECTION BY ARBOR NETWORKS APS," http://www.arbornetworks.com/ddos-protection-products/arbor-aps Maeda, Hiroaki et al., "A Study on AS Cooperative Handling Method for Large-Scale DDoS Attacks," IEICE Tech., Vol. 116, no. 251, IN2016-58, pp. 55-60, October 2016 . Takanori Mizuguchi et al., "Traffic analysis system SAMURAI and service development," NTT Technical Journal, 2008.7, http://www.ntt.co.jp/journal/0807/files/jn200807016.pdf

  In the existing technology (Non-Patent Document 2), a target-addressed attack that is not handled by the upstream AS flows into the downstream AS, but the remaining capacity of the network band between ASs (link band between ASs) is considered. Instead, the amount of attack to be dealt with by each AS is calculated so that the usage rate of the defense function of each AS is leveled, so the amount of attack exceeding the remaining capacity flows into the downstream AS, and the link bandwidth between ASs becomes congested. However, it may affect other communication services that use this link (degraded quality or unavailability of service).

  In view of the above-mentioned problems, an object of the present invention is to provide a DDoS attack cooperation countermeasure technique between a plurality of ASs capable of simultaneously avoiding congestion of the link bandwidth between ASs and leveling the resource usage rate of the defense function of each AS. It is to be.

In order to solve the above problems, one aspect of the present invention is a communication system having a plurality of autonomous systems (AS), each autonomous system having a DDoS cooperation coping device and a mitigation device, and detected in a target AS. In order to deal with the DDoS attack in a coordinated manner, the response amount sent from the DDoS cooperation response device of the target AS is the minimum response amount, the total value of the communication amount addressed to the target AS flowing through the own AS, and the target AS being addressed. A readjustment request including the attack amount and the available resource amount of the mitigation device is transmitted from the AS closest to the attacking AS to the downstream AS, and the DDoS attack cooperation countermeasure device of the AS that received the readjustment request is the readjustment. Based on the request and the information of the own AS, the resource utilization rate is determined by solving the optimization problem for leveling the resources of each AS used for the cooperative handling, and the minimum handling amount of each AS is the neighboring AS. Available bandwidth of links between Is determined based on the amount, the resource utilization of resources used for the cooperation deal relates to a communication system that will be determined by solving an optimization problem including a minimum deal amount the determined as a constraint condition.

  According to the present invention, it is possible to provide a technique for coping with a DDoS attack cooperation between a plurality of ASs, which is capable of simultaneously avoiding the congestion of the link bandwidth between ASs and leveling the resource usage rate of the defense function of each AS.

FIG. 1 is a configuration diagram of a network according to an embodiment of the present invention. FIG. 2 is a configuration diagram of an AS having a DDoS cooperation coping device according to an embodiment of the present invention. FIG. 3 is a block diagram showing the configuration of the DDoS cooperation coping device according to the embodiment of the present invention. FIG. 4 is a simplified processing flowchart of the DDoS cooperation coping apparatus for each AS in the embodiment of the present invention. FIG. 5 is a diagram showing an example of a target IP address information table in the embodiment of the present invention. FIG. 6 is a diagram showing an example of the attack information table according to the embodiment of the present invention. FIG. 7 is a diagram showing an example of the adjacent AS information table according to the embodiment of the present invention. FIG. 8 is a diagram showing an example of a mitigation device information table according to the embodiment of the present invention. FIG. 9 is a diagram showing an example of an inter-AS link information table in the embodiment of the present invention. FIG. 10 is a sequence diagram showing an example of a cooperation handling procedure using the mitigation device according to the embodiment of the present invention. FIG. 11 is a sequence diagram showing an example of a cooperation handling procedure using the mitigation device according to the embodiment of the present invention. FIG. 12 is a sequence diagram showing an example of the cooperation handling procedure using the mitigation device according to the embodiment of the present invention.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  In the following embodiments, sharing of DDoS attack information between autonomous systems (hereinafter referred to as AS: Autonomous System) and adjustment of how much the defense function resources of each AS are allocated to attacks targeting each AS Discloses a DDoS cooperation handling device that plays a role of Further, as the architecture between the DDoS cooperation coping devices, for example, by applying a distributed architecture that directly communicates only with the DDoS cooperation coping device of the neighboring AS, such as the architecture of Non-Patent Document 2, scalability is improved and local By repeating such adjustments, uniform resource allocation can be realized throughout the Internet.

  When an attack is detected in the target AS (target AS), first, the target AS starts coordinating measures with other ASs, and measures including the target IP address in the upstream AS direction via the DDoS coordinating device. By propagating the request and receiving the request, the AS that is close to the attack source as long as the resources of the defense function allow To deal with attacks in. Next, in order to equalize the resource usage rate of the defense function of each AS, a readjustment request is propagated from the most upstream AS toward the downstream AS, and the AS that received the readjustment request and its adjacent AS By adjusting the optimization problem for leveling the resource usage of the defense function, the target communication volume handled by each AS is adjusted. At this time, based on the available bandwidth of the inter-AS link and the traffic to the target that flows into the local AS, the traffic to the target that must be handled by the local AS in order to avoid inter-AS link congestion ( The minimum value of the amount) is calculated and used as a constraint condition of the above-mentioned optimization problem, so that the congestion of the inter-AS link band is avoided and the resource utilization rate of the protection device of each AS is leveled at the same time. The distributed architecture repeatedly adjusts the local resource allocation in the downstream AS and upstream AS directions to avoid congestion of AS links across the entire Internet, while leveling the resource usage of defense functions. To achieve uniform resource allocation.

  First, a network (Internet) according to an embodiment of the present invention will be described with reference to FIG. FIG. 1 shows a block diagram of a network according to an embodiment of the present invention. It is assumed that a plurality of organizational networks (AS) that constitute a network (corresponding to the Internet) have the DDoS cooperation coping apparatus of the present invention. In addition, as an example, assuming that the system in AS1 (ISP network, etc.) becomes the target (target system) of the DDoS attack from the terminal of the attacker existing in another AS, Necessary for sharing DDoS attack information and parameter adjustment when coordinating countermeasures (a parameter is the amount of resource of defense function of each AS to be dealt with against an attack against a certain target), etc. A method of sharing information and adjusting coping parameters with other AS using the information will be described.

  As shown in FIG. 1, an arbitrary number of ASs (AS1 to AS5, etc.) are included in the network, and by interconnecting these ASs, the network topology of the network imitating the Internet is configured.

  As will be described later, the DDoS cooperation coping device 100 exchanges DDoS attack information and the like between each AS, adjusts the parameter for coping with the DDoS attack based on the exchanged information, and Request to deal with DDoS attack. Further, the parameter for dealing with the DDoS attack is, for example, when dealing with the attack for the target shared by AS1, AS2 and AS3, how many Gbps each target AS draws the communication volume for the target to the mitigation device 50. It is an amount that indicates how to deal with, and an amount that indicates how many Gbps each target AS reduces the communication addressed to the target when filtering (filtering threshold). These coping parameters are adjusted by calculating based on information such as the amount of communication addressed to the target flowing through each AS, the capacity (resource amount) of the mitigation device 50 held by each AS, and the available bandwidth amount of the inter-AS link. . Here, a more detailed description including a flow of information acquisition and a calculation formula when adjusting the communication amount to be handled by retracting to the mitigation device 50 will be described in more detail below.

  When any system in AS1 is suffering from a DDoS attack, AS1 sends its own AS number or the IP address of the target system (target system is the target system) to the DDoS cooperation coping device 100 of the adjacent AS (AS2 and AS3). If there is more than one, send DDoS attack information including information such as IP address list) and request for response to the attack. In addition, the DDoS cooperation coping device 100 of the adjacent AS acquires information on whether target-targeted communication is flowing from within its own network to the message source AS (AS1) based on the information received from the DDoS cooperation coping device 100 of AS1. , The communication to the target is dealt with, and the acquired information and the handling status are responded to the source AS (AS1) of the message. In addition, if the message addressed to the target AS is flowing from within its own network, the DDoS attack information will be sent to other adjacent ASs (AS4 in the case of AS2) except the message source (AS1). Send a request to deal with the attack. By repeating this in the upstream AS direction, the DDoS attack information and response request are propagated to the AS near the attack source. Here, it is assumed that each AS previously holds information such as the IP address of the DDoS cooperation coping device 100 of the adjacent AS necessary for communication with the DDoS cooperation coping device 100 of the adjacent AS. The timing at which the target AS starts the cooperation countermeasure (transmits attack information, countermeasure request, etc. from the target AS to other AS) is arbitrary. For example, when an attack targeting a system in the own AS is detected, cooperative action is started.When an attack is detected, first, only the defense function in the own AS acts to deal with the defense in the own AS. It is also envisaged to start the coping process when the functional resources and network bandwidth are tight, or to carry out the coping process at regular time intervals after detecting an attack.

  The mitigation device 50 may be, for example, the device described in Non-Patent Document 1, and handles the communication addressed to the target based on the received DDoS attack information and the like. Note that as techniques for dealing with DDoS attacks, in addition to the mitigation device 50, filtering of attack communication using ACL (Access Control List) by a transfer device such as a router, bandwidth limitation of communication targeted for attack (rate limit) Etc.) are also envisioned, and the present invention can be combined with these coping techniques. In the operation procedure in the present embodiment described later, a specific operation procedure in the case of cooperating with the mitigation device 50 will be described.

  Next, with reference to FIG. 2, a configuration of an AS having a DDoS cooperation coping device according to an embodiment of the present invention will be described. The present embodiment will be described below focusing on AS1, but it will be easily understood by those skilled in the art that the present embodiment is applicable to other ASs.

  As shown in FIG. 2, the AS includes a mitigation device 50, a DDoS cooperation coping device 100, a traffic information collection / DDoS attack detection device 200, a network control device 300, and a packet transfer device 400.

  The traffic information collection / DDoS attack detection device 200 periodically collects flow information (communication amount for each flow including a set of transmission / reception IP address / transmission / reception port number / protocol number) from the packet transfer device 400 such as a router. , Detect the occurrence of DDoS attack to a specific destination by analyzing the collected flow information. Further, at an arbitrary timing such as when an attack is detected, the attack detection message including the IP address of the target system is transmitted to the DDoS cooperation coping apparatus 100 of the own AS. Multiple target IP addresses included in the attack detection message may be notified if there are multiple target systems or if the target system has multiple IP addresses. The traffic information collection / DDoS attack detection device 200 may be realized by, for example, SAMURAI described in Non-Patent Document 3. Furthermore, the traffic information collection / DDoS attack detection device 200 determines the amount of communication to the target IP address, the maximum resource amount of the mitigation device 50, the available resources of the mitigation device 50 when a DDoS attack occurs or at any timing. It has a function of measuring the amount, the amount of available bandwidth of a link with an adjacent AS (link between ASs), storing it in an arbitrary table, and notifying the DDoS cooperation coping device 100 of its own AS.

  The mitigation device 50 is a device specialized in dealing with a DDoS attack, like the device described in Non-Patent Document 1, and distinguishes attack communication from normal communication from communication to a certain destination, and only attacks communication. It is possible to take measures such as shutting off. As described above, other means for dealing with DDoS attacks can be assumed, but in the present embodiment, as an example of means for dealing with DDoS attacks, the case where the AS has the mitigation device 50 is described.

  The network control device 300 has a function of controlling the packet transfer device 400 such as a router. The network control device 300 may be, for example, an SDN (Software-Defined Networking) controller. Further, the network control device 300 communicates with the DDoS cooperation coping device 100, and transfers packets based on the information notified from the DDoS cooperation coping device 100 (target IP address list, coping method, coping parameter, etc.). By controlling the device 400, the mitigation device 50 performs control such as bypassing the communication addressed to the target, setting of filtering in each packet transfer device 400, and control for terminating the traffic control that is being applied. Described below is a specific example in which the mitigation device 50 is used to deal with the problem. The network control device 300 uses BGP (Border Gateway Protocol) or OpenFlow to transfer the packet addressed to the target held by each packet transfer device 400. By temporarily rewriting the related routing information (changing the transfer destination to the IP address of the mitigation device 50), only the packet addressed to the target can be diverted to the mitigation device 50 to be inspected and dealt with.

  The DDoS cooperation coping device 100 communicates with the network control device 300, DDoS attack information including a list of target IP addresses, a DDoS attack coping method (for example, using the mitigation device 50), and a communication amount to be coping (mitigation device 50). Communication amount to the target). Further, the DDoS cooperation coping device 100 communicates with the traffic information collection / DDoS attack detection device 200, and communicates with the target IP address, the maximum resource amount of the mitigation device 50, the available resource amount, and the use of the inter-AS link. Get available bandwidth etc. When the attack detection message is received, the DDoS cooperation coping device 100 stores the target IP address included in the attack detection message in the target IP address table described later. Furthermore, the DDoS cooperation coping device 100 communicates with the DDoS cooperation coping device 100 of another AS, and performs DDoS attack information (a number (eg AS number) that can identify the target AS, a list of target IP addresses, etc.) and cooperation measures. Necessary information (value obtained by summing the communication volume to the target IP address flowing through each AS in units of destination AS, the available resource volume of the mitigation device 50, the communication volume to the target addressed by the mitigation device 50 of each AS, the inter-AS link The communication parameters such as communication volume to the target (minimum value of the communication volume) that must be handled by the AS in order to avoid congestion are exchanged. Here, the DDoS attack information is not limited to the above-mentioned information, and the attack type, the IP address information of the attack source, and the packet after the inspection by the mitigation device 50 are the It may include tunnel information for transferring to the AS.

  The DDoS cooperation coping device 100 may be typically realized by a server, and is composed of, for example, a drive device, an auxiliary storage device, a memory device, a processor, an interface device, and a communication device interconnected via a bus. . Various computer programs including programs that realize various functions and processes described later in the DDoS cooperation coping apparatus 100 are recorded by a recording medium such as a CD-ROM (Compact Disk-Read Only Memory), a DVD (Digital Versatile Disk), and a flash memory. May be provided. When the recording medium storing the program is set in the drive device, the program is installed from the recording medium to the auxiliary storage device via the drive device. However, the program is not necessarily installed on the recording medium, and may be downloaded from any external device via a network or the like. The auxiliary storage device stores the installed program and also stores necessary files and data. The memory device reads out a program or data from the auxiliary storage device and stores the program or data when an instruction to activate the program is given. The processor executes various functions and processes of the DDoS cooperation coping apparatus, which will be described later, according to various data such as a program stored in the memory device and parameters required to execute the program. The interface device is used as a communication interface for connecting to a network or an external device. The communication device executes various communication processes for communicating with a network such as the Internet.

  However, the DDoS cooperation handling device 100 is not limited to the above-described hardware configuration, and may be realized by any other appropriate hardware configuration. The configuration shown in the present embodiment is an example, and the traffic information collection / DDoS attack detection device 200 and the network control device 300 may be incorporated in the DDoS cooperation coping device 100, for example.

  Next, with reference to FIG. 3, the DDoS cooperation coping device in one embodiment of the present invention will be described in detail. FIG. 3 is a block diagram showing the configuration of the DDoS cooperation coping device according to the embodiment of the present invention.

  As shown in FIG. 3, the DDoS cooperation handling device 100 includes a processing unit 110, a storage unit 120, and a communication unit 130.

  As described in detail below, the processing unit 110 detects a target IP address of a DDoS attack and sends a coping request for cooperating with the DDoS attack to the AS of the transmission source of the communication addressed to the target IP address. . The handling request is further repeatedly propagated from the source AS to the attack source AS of the DDoS attack. In addition, the minimum handling amount of each AS is determined based on the available bandwidth amount of the link between adjacent ASs, and the resource usage rate of the resources used for cooperative handling includes the determined available bandwidth amount as a constraint condition. By solving the optimization problem, each AS from the relevant AS to the attacking AS is leveled.

  Specifically, the processing unit 110 includes a message reception unit 111, an attack detection message processing unit 112, a coping request message processing unit 113, a coping response message processing unit 114, and a readjustment request message processing unit 115, which will be described in detail below. A countermeasure end request message processing unit 116, a parameter adjusting unit 117, an attack countermeasure setting unit 118, and a countermeasure end judging unit 119.

  The storage unit 120 stores information regarding DDoS attacks of its own AS and cooperative AS, and specifically, target IP address information table, attack information table, cooperation destination AS information table, mitigation device information table, and inter-AS link information table. Have.

  The communication unit 130 communicates with the DDoS cooperation coping device 100 of another AS, the traffic information collection / DDoS attack detection device 200 of its own AS, and the network control device 300 of its own AS. Further, when directly acquiring or controlling information from the packet transfer device 400 or the mitigation device 50, the communication unit 130 also communicates with these devices.

  The message reception unit 111 has a function of waiting for various messages from the traffic information collection / DDoS attack detection device 200 and the other DDoS cooperation coping device 100, and distributing them to the corresponding message processing units according to the type of the received message. As shown in FIG. 4, in step S101, the message accepting unit 111 stores the received message in a queue and transfers it to the corresponding message processing unit using, for example, the FIFO method. There are five types of messages: attack detection message, countermeasure request message, countermeasure response message, readjustment request message, and countermeasure end request message. Details of the contents of each message will be described later.

  The attack detection message processing unit 112 performs processing on the attack detection message from the traffic information collection / DDoS attack detection device 200. When the attack detection message is received (S110), the attack detection message processing unit 112 adds the target IP address included in the attack detection message to the target IP address information table of its own AS as shown in FIG. 5 (S111). ). Here, the target IP address information table is a table for managing the IP address of the system targeted by the own AS, and may have a table format as shown in FIG. In the example shown in FIG. 5, the target IP address information table is composed of information (“target AS number”) that can uniquely identify the AS that is the victim of the attack and the target IP address. The information of the target IP address in this table is notified and accumulated from the traffic information collection / DDoS attack detection device 200 each time an attack addressed to a new IP address is detected, or at an arbitrary timing such as every fixed time.

  Further, if there is no record of the attack targeting the own AS in the attack information table as shown in FIG. 6, the attack detection message processing unit 112 newly creates the record. Further, the attack detection message processing unit 112 acquires the communication amount addressed to each IP address included in the target IP address information table via the traffic information collection / DDoS attack detection device 200, and the attack information as shown in FIG. The sum of the communication volume addressed to the IP address (“total value of attack traffic volume for each target AS”) is stored in the table. Here, the attack information table is a table for managing an attack being handled by each AS, and may have a table format as shown in FIG. In the example shown in FIG. 6, the attack information table is information that can uniquely identify the AS that is the victim of the attack (“target AS number”), and the ID of the AS that is the direct source of the response request message described below. (“Requester (downstream) AS number”), “Target IP address”, own AS (AS3) for the attack, and cooperating AS (AS4, AS5 in the case of AS3 in the AS1 address attack countermeasure of this embodiment) It is composed of status information. In the attack information table, a record is prepared with the "target AS number" as the main key, and information on other AS exists for the number of cooperation destination AS. In addition, the response status information includes the ID of the AS that is implementing the response (“AS number”), the response method that is being implemented (“action method”), the “total value of attack traffic for each target AS”, and the response. Communication volume (“communication volume being handled”), minimum value of communication volume to target AS that must be handled by the AS to avoid inter-AS link congestion (“lowest handling volume”) , A state related to coping ("state"), a flag indicating whether the target AS is the most upstream AS for coping with communication ("most upstream AS flag"), and the like. In particular, as the handling status information, for example, when the handling method is a rate limit or the like, a threshold or the like indicating how much the limit is applied may be registered, and the handling status information is not limited to the above information. In addition, even if it is an attack to the same target AS, if you want to divide the control in detail according to the protocol used for the attack, it is assumed that you will prepare a record with "target AS + attack protocol etc." as the main key. The information for managing a certain attack is not limited to the illustrated information.

  In this process and similar processes thereafter, when the communication amount is specified and specified for each destination IP address, the load on the traffic information collection / DDoS attack detection device 200 becomes large, and it takes time to acquire it. there's a possibility that. Therefore, for example, refer to the information of the flow at the level assumed to be acquired by the ISP from normal times (only the information of the top few flows with the most traffic is stored) and refer to the target received in it. If there is traffic volume information addressed to an IP address included in the list of IP addresses, it is assumed that only that information is used. The attack detection message processing unit 112 carries out the following two processes.

  First, the attack detection message processing unit 112 sets, via the attack handling setting unit 118, communication to addresses included in the list of target IP addresses to the mitigation device 50 in its own AS to deal with it ( S112).

  Secondly, the attack detection message processing unit 112 refers to its own adjacent AS information table as shown in FIG. 7, and asks the DDoS cooperation coping device 100 of each adjacent AS to target AS number (own AS number). ), Target IP address list (all the contents of Fig. 5, or only the addition if it has been transmitted in the past to reduce the data size), requesting AS number (own AS number), flag (Flag = 1) A coping request message including the message is transmitted (S113). Here, the flag is a value used for branching the process on the receiving side, but the method for branching the process on the receiving side is not limited to this. If the attack response is not being performed (if it is not registered in the attack information table) or if a certain amount of time has passed since the attack was addressed to the target AS in the past, the processing of Flag = 1 is performed on the receiving side. Methods such as implementation may be considered. Similarly, the method of implementing other message processing branches described below is not limited to the above method (processing branch by flag).

  In addition, before the above-described second processing, the attack detection message processing unit 112 compares the total value of the attack volume to the target with a preset threshold value, and if the threshold value is less than the threshold value, executes the second processing. Instead, it is also assumed that the attack will be dealt with only by the own AS. Here, the adjacent AS information table is a table for managing information of the adjacent AS that is a direct communication destination in each AS, and may have a table format as shown in FIG. 7. In the example shown in FIG. 7, the “adjacent AS number”, the “IP address of the DDoS cooperation coping device”, and the “available resource amount of the mitigation device” are used. Depending on the communication mode, registration of other information such as the MAC address and port number of the DDoS cooperation coping device 100 is also envisioned. The method of acquiring the "IP address of the DDoS cooperation coping device" is arbitrary, but for example, when introducing this system to each AS, it is assumed that it will be shared among the system operators and stored in this table. Further, the “available resource amount of the mitigation apparatus” is updated based on the information notified from the DDoS cooperation coping apparatus 100 of another AS in the procedure of coping with the attack.

  The coping request message processing unit 113 processes the coping request message from another DDoS cooperation coping apparatus 100 (S120). First, the processing when the handling request message is received and the message includes Flag = 1 will be described. When the message includes Flag = 1, the handling request message processing unit 113 acquires the communication volume addressed to the IP address included in the received target IP address list via the traffic information collection / DDoS attack detection device 200. In addition, the coping request message processing unit 113 determines whether the communication addressed to the target is flowing from its own AS to the source AS of the coping request message by using the BGP route information and the like (S121). As a result of the determination, if the communication addressed to the target is flowing, the handling request message processing unit 113 determines the target AS number included in the handling request message, the target IP address list, and the AS number of the sender of the message (this AS is a downstream AS. Then, a value obtained by adding up the communication volumes addressed to the IP addresses in the acquired list in units of target ASs (total value of attack communication volumes in units of target ASs) is registered in its own attack information table (S122). In addition, as a result of the above determination, when not flowing, the coping request message processing unit 113 registers the target communication amount as 0, and the target AS number, its own AS number, and a flag (Flag = 1) in the requesting AS. , A handling response message including a handling status (Status = not handling) is sent) S126). As a result of the determination, when the communication addressed to the target is flowing, the handling request message processing unit 113 further executes the following three processes.

  First, the coping request message processing unit 113, via the attack coping setting unit 118, draws in the communication addressed to the addresses included in the list of target IP addresses up to the resource upper limit of the mitigation device 50 in its own AS and coping with it. Set (if the communication volume to the target is larger than the available resource amount of the mitigation device 50, set the coping amount so as to pull up to the available resource amount; otherwise, set the pulling amount without specifying the coping amount ) (S123). Here, the resource upper limit value of the mitigation device 50 refers to the value that is periodically collected by the traffic information collection / DDoS attack detection device 200 and registered in the mitigation device information table as shown in FIG. It is assumed that the collection / DDoS attack detection device 200 is instructed to acquire information and the latest information is acquired. Here, the mitigation device information table is a table for managing the information of the mitigation device 50 in each AS, and may have a table format as shown in FIG. In the embodiment shown in FIG. 8, the mitigation device information table is composed of information such as “maximum resource amount” and “available resource amount” which is a value obtained by subtracting the resource amount being used for attack countermeasures from the maximum resource amount. To be done. These pieces of information are collected and updated from the mitigation device 50 or the like via the traffic information collection / DDoS attack detection device 200 regularly or at any timing. Further, the maximum resource amount may be registered by an operator or the like when introducing the mitigation device 50. Here, when a plurality of mitigation devices 50 exist in one AS, it is assumed that the total value is registered, but it may be managed in units of mitigation devices.

  Secondly, the handling request message processing unit 113 handles the request source AS of the handling request message, including the target AS number, own AS number, flag (Flag = 1), and handling status (Status = under handling). A response message is transmitted (S124).

  Thirdly, the handling request message processing unit 113 sends the target AS number included in the received message to the DDoS cooperation handling apparatus 100 of the neighboring AS (excluding the requesting AS) included in the neighboring AS information table of the own AS. , A list of target IP addresses, and its own AS number and a flag (Flag = 1) are sent (S125). Note that the third process is, when the total value of the attack traffic volume of the target AS units is calculated, determines whether the value is equal to or more than a preset threshold value. It is also assumed that the measures in step 2 above are unnecessary and not implemented.

  Next, a process when the handling request message is received and the message includes Flag = 0 will be described. When the message includes Flag = 0, the coping request message processing unit 113 calculates the difference value of the coping amount for the communication to the target AS (the message for the communication to the target AS calculated by the latest adjustment by the source AS of the message). A value obtained by subtracting the communication volume addressed to the target AS being processed by the message reception AS used by the message transmission AS from the communication volume handled by the reception AS of the message, that is, an additional request was made from the previous adjustment. (Amount) is used to update the available resource amount (subtraction of the difference value) in the mitigation device information table and the communication amount (addition of the difference value) addressed to the target AS being handled by the own AS in the attack information table (S127). In addition, when the countermeasure request message processing unit 113 is not the most upstream AS for handling the target AS (when the most upstream AS flag of the information regarding the own AS in the attack information table is False), the countermeasure request message processing unit 113 communicates with the cooperation destination AS. Parameter adjustment processing is performed by the parameter adjustment unit 117, which will be described later (S128). Further, the coping request message processing unit 113 uses the “communication amount handled by each AS for the communication to the target AS” obtained as a result of the parameter adjustment process, and the value of the available resource amount of the mitigation device information table. (Subtraction of traffic volume handled by own AS), total value of attack traffic volume per target AS of information about own AS in attack information table (subtraction of traffic volume handled by other AS) and information of own AS and other AS Update the value of the traffic volume being dealt with (set the value of the traffic volume handled by each AS), and set the minimum value of the traffic volume related to the communication to the target AS to the updated attack traffic volume of the target AS unit. It is calculated and updated from the total value and the available bandwidth amount of the inter-AS link (S129). Further, for the DDoS cooperation coping device 100 of the transmission source AS (downstream AS) of the coping request message (Flag = 0), the coping request message processing unit 113 sets the target AS number (the same value as that included in the received message). Setting), its own AS number, total value of attack traffic in units of target AS, available resource amount of the mitigation device 50, traffic volume of target AS being handled, minimum value of traffic volume related to the target AS communication, flag A readjustment request message including (Flag = 0) is transmitted (S130). Furthermore, the handling request message processing unit 113 sets the target AS number (sets the same value as the target AS number of the received message), its own AS number, and the destination AS of the message for the DDoS collaboration handling device 100 of the destination AS. The target AS communication volume to be dealt with (value obtained as a result of adjustment) and the target AS communication volume to be dealt with at the message destination AS (value obtained as a result of adjustment) are being dealt with at the destination AS of the message used for adjustment A handling request message including a value obtained by subtracting the target AS addressed communication amount (the difference value of the handled amount for the target AS addressed) and a flag (Flag = 0) is transmitted (S131). In addition, the difference value of the handling amount for the communication to the target AS is used to correct the deviation of the information when the plurality of attacks targeting different ASs are dealt with in parallel.

  The coping response message processing unit 114 processes the coping response message from the other DDoS cooperation coping apparatus 100 (S140). The coping response message processing unit 114 receives the coping response message and, when Flag = 1 and Status = coping, looking at the target AS number included in the message, the cooperating AS of the corresponding row in the attack information table Then, the source AS number of the response message is registered (S141). In addition, the coping response message processing unit 114 determines whether or not a response to the coping request message (Flag = 1) has been obtained from all the neighboring ASs, and if the coping response from all the neighboring ASs is Status = non-coping, the next processing is performed. Is carried out (S142).

  First, the coping response message processing unit 114 sets the most upstream AS flag of the information about its own AS in the attack information table to True. In addition, the coping response message processing unit 114 notifies the coping end determination unit 119 of the target AS number of the attack, and sets to monitor the end of the attack.

  Secondly, the coping response message processing unit 114 determines the total value of the attack communication amount of each target AS, the available resource amount of the mitigation device 50, the communication amount of the target AS being dealt with, and the link with the requesting AS. The available bandwidth amount is acquired, and the minimum value of the handling amount regarding the attack to the target AS is calculated (S143). Further, when the information in each table is not the latest, the coping response message processing unit 114 registers the information in the attack information table, the mitigation device information table, and the inter-AS link information table as shown in FIG. 9. Here, the inter-AS link information table is a table for managing link information between adjacent ASs in each AS, and may have a table format as shown in FIG. In the embodiment shown in FIG. 9, the inter-AS link information table is used for various communication services based on the “adjacent AS number”, “maximum bandwidth amount”, and maximum bandwidth amount for identifying which adjacent AS is the link. It is composed of information such as "usable bandwidth" which is a value obtained by subtracting the amount of communication bandwidth being used. These pieces of information are collected and updated from the packet transfer apparatus 400 via the traffic information collection / DDoS attack detection apparatus 200 regularly or at any timing. The maximum bandwidth amount may be registered by the operator or the like at the timing of laying a communication line or the like. Here, if there are multiple links with any adjacent AS in one AS, it is assumed that the total value will be registered for each adjacent AS, but it may be managed for each link. .

  Third, the coping response message processing unit 114 sets the coping request source (downstream) AS to the target AS number (sets the same value as that included in the received message), its own AS number, and the attack traffic of each target AS. Of the mitigation device 50, the available resource amount of the mitigation device 50, the communication amount addressed to the target AS being handled, the minimum value of the handling amount related to the target AS addressed communication, and a readjustment request message including a flag (Flag = 1) is transmitted ( S144).

  The readjustment request message processing unit 115 processes the readjustment message from the other DDoS cooperation coping apparatus 100 (S150). When the readjustment message is received (Flag = 0 and Flag = 1 are common), the readjustment request message processing unit 115 looks at the target AS number included in the received message and checks the other AS in the corresponding row in the attack information table. The information (part corresponding to the message transmission source AS number) is updated with the received information (S151). Specifically, the readjustment request message processing unit 115 updates the total value of the attack traffic in units of target ASs, the communication traffic addressed to the target AS under handling, and the minimum value of the traffic. In addition, the available resource amount of the mitigation device 50 (value of the message source AS) of the cooperation destination AS information table (Table 3) is updated.

  When Flag = 1 of the received readjustment request message and the readjustment request message has been received from all the cooperation destination ASs, the readjustment request message processing unit 115 calculates the total value of the attack traffic amount of the target AS unit, the mitigation device 50 The amount of available resources and the amount of communication to the target AS being handled are acquired, and when the information in each table is not the latest, those information are registered in the attack information table and the mitigation device information table. After that, the readjustment request message processing unit 115 uses the acquired information about the own AS and the information about the received cooperation destination AS to perform a parameter adjustment process by the parameter adjustment unit 117 described later with the cooperation destination AS. To do. The process after the parameter adjustment is almost the same as the process after the adjustment when the handling request (Flag = 0) is received, but only the flag when the readjustment request is transmitted to the downstream AS is Flag = 1.

  When Flag = 0 of the received readjustment request message and the readjustment process associated with the readjustment message received once or more in the past, the readjustment request message processing unit 115 will be described later with the cooperation destination AS. Parameter adjustment processing is performed by the parameter adjustment unit. The process after the parameter adjustment is the same as the process after the adjustment when the handling request (Flag = 0) is received, and the flag when transmitting the readjustment request to the downstream AS is Flag = 0.

  The coping end request message processing unit 116 processes the coping end request message from the coping end determination unit 119 and the other DDoS cooperation coping device 100 (S170). The coping termination request message processing unit 116, based on the target AS number included in the coping termination request message, addresses the information about its own AS in the attack information table that is regularly updated by the traffic information collection / DDoS attack detection device 200 to that AS. The total value of the communication volume of the attack is compared with the preset threshold value (S171). As a result, when it is below the threshold, the countermeasure end request message processing unit 116 ends the attack countermeasure for the target AS in its own AS via the attack countermeasure setting unit 118. In addition, the coping termination request message processing unit 116 notifies the coping termination determination unit 119 of the target AS number, and ends monitoring of the attack (S172). Furthermore, the coping termination request message processing unit 116 transmits a coping termination request message including the target AS number to the downstream AS (S173).

  The parameter adjustment unit 117 is called by another processing unit and stored in the attack information table, the cooperation AS information table, the mitigation device information table and / or the inter-AS link information table (targets of the own AS and the cooperation AS). Based on the total value of attack traffic in AS units, traffic volume being dealt with, minimum deal value, available resource amount of mitigation device 50, available bandwidth of inter-AS link) On the other hand, it has a function to calculate the amount of communication to be dealt between the own AS and the cooperation destination AS. Here, by grouping attacks in units of target ASs and adjusting the amount of communication handled by each AS, the number of necessary adjustments can be reduced compared to the case of adjusting each target IP address one by one. In the embodiment described later, when each AS uses the mitigation device 50 to deal with it, under the constraint condition that the inter-AS link is not congested, the usage rate of the mitigation device 50 of each AS is A method of adjusting the communication volume handled by each AS so that it is as uniform as possible is explained. However, the method of expressing the optimization problem that simultaneously realizes the avoidance of the inter-AS link congestion and the resource load distribution of the mitigation device 50 of each AS is not limited to the one described below.

  The attack countermeasure setting unit 118 is called by another processing unit, and by referring to the target IP address information table and / or the attack information table, a list of target IP addresses, a countermeasure method, and target AS addressed communication to be handled by the own AS. It has a function of acquiring the amount and notifying the network control device 300 of this information. As described above, the network control device 300 sends the communication to the target AS (of which, the communication to the IP address included in the list of target IP addresses) to the notified migration amount mitigation device 50 based on the received information. Retract and take action (or release the control being applied). The attack countermeasure setting unit 118 may be called by any other processing unit at any timing. For example, it is assumed that the attack handling setting unit 118 is called at the timing of receiving various messages or the timing at which the message processing unit completes the parameter adjustment processing. In the present embodiment, mainly when the attack detection message, the countermeasure request message, and the readjustment request message are received and when the parameter adjustment processing by the message processing unit is completed, the attack countermeasure setting unit 118 is called to take countermeasures with the latest information. Although the case where it is applied is described, in order to reduce the load on the system, the timing at which the communication volume handled by each AS has converged to some extent (for example, a certain time has elapsed since the last message related to the attack was received). Later), it is expected that the latest information will be reflected in the measures.

  The coping termination determination unit 119 is called by another processing unit, and is the total value of the attack traffic amount of each target AS of the information about the own AS in the attack information table that is regularly updated by the traffic information collection / DDoS attack detection device 200. And a preset threshold value are periodically compared, and when the value is below the threshold value, a response end request message including the target AS number is sent to the message accepting unit 111 of the DDoS cooperation handling apparatus 100 of the own AS. Send. Here, as a method of determining the handling completion, in addition to the periodical comparison using the above threshold, the handling request message or the like is attached with a lifetime indicating the expiration date of the handling and transmitted, and the lifetime is set to 0. In such a case, the coping termination determination unit 119 can also assume a method of transmitting a coping termination request message to its own message receiving unit 111 to perform coping termination processing. In particular, when managing the countermeasure end by lifetime, it is assumed that the countermeasure end message is not sent and received between ASs, and the countermeasure end for each specific AS attack is completed within each AS. .

  Next, with reference to FIGS. 10 to 12, when the AS has the mitigation device and the operation procedure between the DDoS cooperation coping devices according to the embodiment of the present invention, the coordinating process is performed between a plurality of ASs. An example of the handling logic in the case will be described. 10 to 12 are sequence diagrams showing an operation procedure between the DDoS attack information sharing devices according to the embodiment of the present invention. In this coping logic, even if a plurality of locations are attacked at the same time, it is not impossible to deal with it, the usage rate of the mitigation device 50 of each AS is made as uniform as possible, and the congestion of the inter-AS link is avoided. As described above, the measures are taken while adjusting the communication amount processed by each mitigation device 50.

  Here, it is assumed that the downstream AS is capable of distinguishing between the packets that have been inspected and the packets that have not been inspected by the mitigation device 50 of the upstream AS. The designated communication amount is drawn into the mitigation device 50 to deal with it. As a method of distinguishing the inspected packet from the uninspected packet, for example, by using OpenFlow or the like, the destination IP address of the target destination packet inspected by the mitigation device 50 in the upstream AS, Rewrite to an arbitrary IP address that is not normally used in the damaged AS and return it to the original IP address after reaching the damaged AS, or use tunneling technology such as GRE (Generic Routing Encapsulation) A method of encapsulating and transferring to any router of AS, etc. is conceivable, but it is not limited to these methods. (Either method, if it is already checked by mitigation device 50 of upstream AS, AS Then, since it looks like a packet having a destination IP address different from the target, it is possible to avoid double pulling into the mitigation device 50). In this case, between the DDoS cooperation coping device 100 of the damaged AS and the DDoS cooperation coping device 100 of the AS performing the coping, the IP address information used for rewriting and the IP addresses of the nodes that are the start and end points of the tunnel can be added. It is necessary to share, and it is conceivable to include it in a handling request message or a readjustment request message and share it.

  In the following, an operation procedure when the coordinating action between ASs is automatically performed by using the detection of an attack on the target system 1 and the target system 2 by the DDoS attack detection device 100 of AS1 as a trigger will be described. Here, the DDoS cooperation coping function of each AS always waits for a message from the traffic information collection / DDoS attack detection device 200 or the DDoS cooperation coping function of another AS, and when the message is received, the process for the message is performed. carry out. Also, when another message is received during the processing of a certain message, the received message is accumulated in a queue and the processing is performed one by one from the oldest message. In addition, although the following example describes the case where one AS (AS1) is targeted, even when a plurality of ASs are simultaneously attacked, each attack can be dealt with in parallel. it can. Further, the DDoS cooperation coping function operates asynchronously when sending a message to another DDoS cooperation coping function (that is, other processing is executed without waiting for a response to the sent message).

As shown in FIG. 10, in step S201, the traffic information collection / DDoS attack detection device 200 of AS1 detects the occurrence of an attack, and the DDoS cooperation coping device 100 of AS1 notifies the target system 1 and the IP of the target system 2 to each other. Send an attack detection message containing the address.
[Attack detection message processing (AS1)]
In step S202, the DDoS cooperation coping device 100 of AS1 adds the target IP address included in the attack detection message to the target IP address information table of its own AS, and registers the attack record in the attack information table.

  In step S203, the DDoS cooperation coping device 100 of AS1 notifies the network control device 300 of the target IP address list, and applies the coping process using the mitigation device 50 in its own AS (targets that have not been examined upstream. Settings are made so that all addressed communication is pulled into the mitigation device 50 for handling.

In step S204, the DDoS cooperation coping device 100 of AS1 refers to the adjacent AS information table, and the target AS number (AS1) and the target IP address list (for the DDoS cooperation coping device 100 of the adjacent AS (AS2, AS3)). 5), its own AS number (AS1), and a handling request message including Flag = 1.
[Handling action request message (AS2)]
In step S205, the DDoS cooperation coping device 100 of AS2 acquires the IP traffic addressed to the IP address included in the coping request message from AS1, and determines whether the communication is flowing from the own AS to AS1.

  In step S206, since the communication is flowing from AS2 to AS1, the DDoS cooperation coping device 100 of AS2 receives the target AS number (AS1), the list of target IP addresses, and the AS number of the sender of the message (AS1 ) Is registered in its own attack information table. At this time, the source AS of the handling request is registered as a downstream AS.

  In step S207, the DDoS cooperation coping device 100 of AS2 notifies the network control device 300 of the target IP address list, and applies the coping process using the mitigation device 50 in AS2 (to the target that has not been inspected upstream). The communication is set so as to be pulled in to the mitigation device 50 as long as the resources permit.

  In step S208, the DDoS cooperation coping device 100 of AS2 transmits a coping response message including a target AS number (AS1), its own AS number (AS2), Flag = 1, and Status = under handling to AS1.

In step S209, the DDoS cooperation coping device 100 of AS2 excludes the transmission source AS (AS1) of the coping request to the adjacent AS (AS4), the target AS number (AS1), the received target IP address list, and its own AS number ( AS2), and sends a handling request message containing Flag = 1.
[Handling response message processing (AS1)]
In step S210, the DDoS cooperation coping device 100 of AS1 registers the received information of AS2 in the item of cooperation destination AS in the row of the target AS number AS1 of the attack information table.
[Handling action request message (AS4)]
In step S211, the DDoS cooperation coping device 100 of AS4 acquires the IP traffic addressed to the IP address included in the coping request from AS2, and determines whether the communication is flowing from the own AS in the AS2 direction.

Since it has not flown, in step S212, the DDoS cooperation coping device 100 of AS4 transmits a coping response message including target AS number (AS1), own AS number (AS44), Flag = 1, and Status = not coping to AS2. .
[Handling response message processing (AS2)]
In step S213, the DDoS cooperation coping device 100 of AS2 has already received coping responses from all the neighboring ASs that have transmitted the coping request (Flag = 1) and all Status = coping is impossible, so the target AS in the attack information table Sets the most upstream AS flag in the row for AS1 to True.

  In step S214, the DDoS cooperation coping device 100 of AS2, the total value of the communication amount addressed to the IP addresses included in the target IP address list flowing in its own AS, the available resource amount of the mitigation device 50, the target addressed communication currently being addressed. Amount and / or the available bandwidth amount of the link between ASs (link between AS2 and AS1) is acquired from each table, and the minimum value of the target communication volume handled by the own AS is calculated. If the information in each table is not the latest, the DDoS cooperation coping device 100 of AS2 acquires the information via the traffic information collection / DDoS attack detection device 200, and the attack information table, the mitigation device information table, and / or the inter-AS link information. Update table values. In addition, the minimum value of the communication volume for the target addressed by the own AS may be calculated using the following formula, for example.

ステップＳ２１５において、AS2のDDoS連携対処装置１００は、AS1に標的AS番号（AS1）、自身のAS番号（AS2）、自AS（AS2）を流れる標的宛通信量の合計値、mitigation装置５０の利用可能リソース量、現在対処中の標的宛通信量、AS間リンクの利用可能帯域量、自AS（AS2）で対処する標的宛通信量の最低値、Flag=1を含む再調整要求メッセージを送信する。
［再調整要求メッセージ処理（AS1）］
ステップＳ２１６において、AS1のDDoS連携対処装置１００は、AS2から受信した情報を攻撃情報テーブル及び／又は隣接AS情報テーブルに格納する。
［対処要求メッセージ処理（AS3）］
ステップＳ２１７において、AS3のDDoS連携対処装置１００は、AS1からの対処要求メッセージに含まれるIPアドレス宛通信量を取得し、当該通信が自ASからAS1方向に流れているかを判定する。

In step S215, the DDoS cooperation coping device 100 of AS2 uses the target AS number (AS1) in AS1, the own AS number (AS2), the total value of the communication volume addressed to the target flowing through its own AS (AS2), and the use of the mitigation device 50. Send a readjustment request message that includes the available resource amount, the target communication amount currently being handled, the available bandwidth amount of the inter-AS link, the minimum target communication amount handled by the own AS (AS2), and Flag = 1 .
[Re-adjustment request message processing (AS1)]
In step S216, the DDoS cooperation coping device 100 of AS1 stores the information received from AS2 in the attack information table and / or the adjacent AS information table.
[Handling action request message (AS3)]
In step S217, the DDoS cooperation coping device 100 of AS3 acquires the IP traffic addressed to the IP address included in the coping request message from AS1 and determines whether the communication is flowing from the own AS to the AS1 direction.

  In step S218, since the communication is flowing from AS3 to AS1, the DDoS cooperation coping device 100 of AS3 receives the target AS number (AS1), the list of target IP addresses, and the AS number (AS1 of the message sender). ) Is registered in its own attack information table. At this time, the source AS of the handling request is registered as a downstream AS.

  In step S219, the DDoS cooperation coping device 100 of AS3 notifies the network control device 300 of the target IP address list, and applies the coping process using the mitigation device 50 in AS3 (to the target that has not been inspected upstream). The communication is set so as to be pulled in to the mitigation device 50 as long as the resources permit.

  In step S220, the DDoS cooperation coping device 100 of AS3 transmits a coping response message including a target AS number (AS1), its own AS number (AS3), Flag = 1, and Status = under handling to AS1.

In step S221, the DDoS cooperation coping device 100 of AS3 excludes the transmission source AS (AS1) of the coping request to the adjacent AS (AS4, AS5), the target AS number (AS1), the received target IP address list, and its own AS. Send a response request message that includes the number (AS3) and Flag = 1.
[Handling action request message (AS4)]
In step S222, the DDoS cooperation coping device 100 of AS4 acquires the IP traffic addressed to the IP address included in the coping request message from AS3, and determines whether the communication is flowing from the own AS toward AS3.

  In step S223, since the communication is flowing from AS4 to AS3, the DDoS cooperation coping device 100 of AS4 receives the target AS number (AS1), the list of target IP addresses, and the AS number (AS3 of the message sender). ) Is registered in its own attack information table. At this time, the DDoS cooperation coping apparatus 100 of AS4 registers the transmission source AS of the coping request as a downstream AS.

  In step S224, the DDoS cooperation coping device 100 of AS4 notifies the network control device 300 of the target IP address list, and applies the coping process using the mitigation device 50 in AS4 (addressing targets that have not been examined upstream). The communication is set so as to be pulled in to the mitigation device 50 as long as the resources permit.

  In step S225, the DDoS cooperation coping device 100 of AS4 transmits a coping response message including the target AS number (AS1), its own AS number (AS4), Flag = 1, and Status = under handling to AS3.

  In step S226, the DDoS cooperation coping device 100 of AS4 excludes the transmission source AS (AS3) of the coping request to the adjacent AS (AS2, AS5), the target AS number (AS1), the received target IP address list, and its own AS. Send a response request message that includes the number (AS4) and Flag = 1.

After that, the DDoS cooperation coping device 100 of AS4 receives a response including Status = unsolvable from AS2 and AS5, and proceeds to step S234.
[Handling response message processing (AS3)]
In step S227, the DDoS cooperation coping device 100 of AS3 registers the received information of AS4 in the item of cooperation destination AS in the row of the target AS number AS1 of the attack information table.
[Handling request message (AS5)]
In step S228, the DDoS cooperation coping device 100 of AS5 acquires the IP traffic addressed to the IP address included in the coping request message from AS3, and determines whether the communication is flowing from the own AS toward AS3.

  In step S229, since the communication is flowing from AS5 to AS3, the DDoS cooperation coping device 100 of AS5 receives the target AS number (AS1), the list of target IP addresses, and the AS number (AS3 of the sender of the message). ) Is registered in its own attack information table. At this time, the source AS of the handling request is registered as a downstream AS.

  In step S230, the DDoS cooperation coping device 100 of AS5 notifies the network control device 300 of the target IP address list and applies the coping process using the mitigation device 50 in AS5 (to the target that has not been inspected upstream). The communication is set so as to be pulled in to the mitigation device 50 as long as the resources permit.

  In step S231, the DDoS cooperation coping device 100 of AS5 transmits a coping response message including a target AS number (AS1), its own AS number (AS5), Flag = 1, and Status = under handling to AS3.

  In step S232, the DDoS cooperation coping device 100 of AS5 excludes the transmission source AS (AS3) of the coping request to the adjacent AS (AS4), the target AS number (AS1), the received target IP address list, and its own AS number ( AS5), and sends a handling request message containing Flag = 1.

After that, the DDoS cooperation coping device 100 of AS5 receives a response including Status = not coping from AS4, and proceeds to step S238.
[Handling response message processing (AS3)]
In step S233, the DDoS cooperation coping device 100 of AS3 registers the received information of AS5 in the item of cooperation destination AS in the row of the target AS number AS1 of the attack information table.

By the procedure up to this point, the countermeasure using the resources of the mitigation device 50 of the AS closest to the attack source to the maximum extent (the countermeasure to minimize the bandwidth consumed by the attack communication on the entire Internet) is completed. In the following procedure, adjustment for leveling the resource usage rate of the mitigation device 50 of each AS within a range in which the inter-AS link is not congested will be described.
[Handling response message processing (AS4)]
In step S234, the DDoS cooperation coping apparatus 100 of AS4 has already received coping responses from all the neighboring ASs that have transmitted the coping request (Flag = 1), and all Status = non coping, so the target AS in the attack information table Sets the most upstream AS flag in the row for AS1 to True.

  In step S235, the DDoS cooperation coping device 100 of the AS4, the total value of the communication amount of the IP addresses included in the target IP address list flowing in the self AS, the available resource amount of the mitigation device 50, the target addressed communication currently being handled. Volume, the available bandwidth of the inter-AS link (the link between AS4 and AS3) is acquired from each table, and the minimum value of the target-destined communication volume handled by the own AS is calculated. If the information in each table is not the latest, the DDoS cooperation coping device 100 of AS4 acquires the information via the traffic information collection / DDoS attack detection device 200, and the attack information table, the mitigation device information table, and / or the inter-AS link information. Update table values. The minimum value of the target-target communication traffic handled by the own AS may be calculated using, for example, the above-described formula for calculating the minimum target-target communication traffic to be handled.

In step S236, the DDoS cooperation coping apparatus 100 of AS4 uses the target AS number (AS1) to AS3, the own AS number (AS4), the total value of the communication volume for the target flowing through its own AS (AS4), and the use of the mitigation apparatus 50. Send a readjustment request message that includes the available resource amount, the target communication amount currently being handled, the available bandwidth amount of the inter-AS link, the target target communication amount handled by the own AS (AS4), and Flag = 1 .
[Re-adjustment request message processing (AS3)]
In step S237, the DDoS cooperation coping device 100 of AS3 stores the information received from AS4 in the attack information table and / or the adjacent AS information table.
[Handling response message processing (AS5)]
In step S238, the DDoS cooperation coping device 100 of AS5 has already received coping responses from all the neighboring ASs that have transmitted the coping request (Flag = 1), and since all Status = non coping, the target AS in the attack information table Sets the most upstream AS flag in the row for AS1 to True.

  In step S239, the DDoS cooperation coping device 100 of the AS5, the total value of the communication amount addressed to the IP addresses included in the target IP address list flowing in the self AS, the available resource amount of the mitigation device 50, the target addressed communication currently being addressed. Volume, the available bandwidth of the inter-AS link (the link between AS5-AS3) is acquired from each table, and the minimum value of the target-target communication traffic handled by the own AS is calculated. If the information in each table is not the latest, the DDoS cooperation coping device 100 of AS5 acquires the information via the traffic information collection / DDoS attack detection device 200, and the attack information table, the mitigation device information table, and / or the inter-AS link information. Update table values. The minimum value of the target-target communication traffic handled by the own AS may be calculated using, for example, the above-described formula for calculating the minimum target-target communication traffic to be handled.

In step S240, the DDoS cooperation coping device 100 of AS5 uses the target AS number (AS1) in AS3, its own AS number (AS5), the total value of the communication volume addressed to the target flowing through its own AS (AS5), and the use of the mitigation device 50. Send a readjustment request message including available resource amount, target communication amount currently being handled, available bandwidth amount of inter-AS link, target target communication amount handled by own AS (AS5), Flag = 1 .
[Re-adjustment request message processing (AS3)]
In step S241, the DDoS cooperation coping device 100 of AS3 stores the information received from AS5 in the attack information table and / or the adjacent AS information table.

  In step S242, since the DDoS cooperation coping device 100 of AS3 has received the readjustment request (Flag = 1) from all the cooperation destination ASs, the total value of the communication amount addressed to the IP addresses included in the target IP address list flowing in the own AS. , The available resource amount of the mitigation device 50 and the target communication amount currently being dealt with are acquired from each table. If the information in each table is not the latest, the DDoS cooperation coping device 100 of AS3 acquires the information via the traffic information collection / DDoS attack detection device 200 and updates the values of the attack information table and / or the mitigation device information table. .

  In step S243, the DDoS cooperation coping device 100 of AS3 solves the following optimization problem, so that the resource usage rate of the mitigation device 50 of each AS (AS3, AS4, AS5) is equalized Calculate the combination of. In generalized terms, the optimization problem can be:

AS3、AS4、AS5で調整する場合には、以下の最適化問題を解くことになる。

When adjusting with AS3, AS4, and AS5, the following optimization problem will be solved.

ステップＳ２４４において、AS3のDDoS連携対処装置１００は、パラメータ調整の結果得られた、「その標的AS宛通信に対して各ASで対処する通信量（x_AS）を用いて、mitigation装置情報テーブルの利用可能リソース量の値（自ASで対処する通信量分減算）、攻撃情報テーブルの自ASに関する情報の標的AS単位の攻撃通信量の合計値（他ASで対処する通信量分減算）と自ASと他ASの情報内の対処中の通信量の値（それぞれのASで対処する通信量の値を設定）を更新する。また、AS3のDDoS連携対処装置１００は、自ASで対処する標的宛通信量の最低値を、更新した標的AS単位の攻撃通信量の合計値とAS間リンクの利用可能帯域量から算出して更新する。

In step S244, the DDoS cooperation coping device 100 of AS3 obtains the result of the parameter adjustment, “using the communication amount (x _AS ) to be dealt with by each AS for the communication to the target AS, in the mitigation device information table”. Value of available resource amount (subtraction of communication amount handled by own AS), total value of attack communication amount of target AS unit of information about own AS in attack information table (subtraction of communication amount handled by other AS) and self The value of the communication volume being dealt with in the information of the AS and other AS (set the value of the communication volume dealt with by each AS) is updated, and the DDoS cooperation coping device 100 of AS3 is the target dealt with by its own AS. The minimum value of the traffic to be addressed is calculated and updated from the total value of the updated attack traffic for each target AS and the available bandwidth of the inter-AS link.

At this time, the DDoS cooperation coping device 100 of AS3 notifies the network control device 300 of the target IP address and the communication volume (x _AS1 ) addressed to the target AS to be dealt with by its own AS, so as to deal with the attack with the latest information. Apply. The network control device 300 pulls in the communication addressed to the target IP address described in the attack information table for x _{AS3 to} the mitigation device 50 to handle it.

In step S245, the DDoS cooperation coping device 100 of AS3 sends the target AS number (AS1), its own AS number (AS3), and the destination AS of the message to the DDoS cooperation coping device 100 of the cooperation destination AS (AS4, AS5). In the target AS addressed communication amount (x _AS obtained as a result of adjustment), the difference value of the handling amount for the target AS addressed (x _AS -X _AS ), and a handling request message including Flag = 0 is transmitted.

In step S246, the DDoS cooperation coping device 100 of AS3 has the target AS number (AS1), the AS number of its own (AS3), and the total value of the communication volume addressed to the target flowing through its own AS (AS3) to the downstream AS (AS1), Readjustment including the available resource amount of the mitigation device 50, the target communication amount currently being handled, the available bandwidth amount of the inter-AS link, the minimum target communication amount handled by the own AS (AS3), and Flag = 1 Send a request message.
[Handling action request message (AS4)]
In step S247, the DDoS cooperation coping device 100 of AS4 uses the difference value of the coping amount for the target AS-addressed communication included in the received message, using the available resource amount (difference value subtraction) of the mitigation device information table, the attack information. Update the communication volume (adding the difference value) addressed to the target AS that is being handled by the own AS in the table.

In step S248, the DDoS cooperation coping device 100 of AS4 takes in the communication for the target IP address to the requesting mitigation device 50 via the network control device 300 to deal with it.
[Handling request message (AS5)]
In step S249, the DDoS cooperation coping device 100 of AS5 uses the difference value of the coping amount for the communication to the target AS, which is included in the received message, by using the available resource amount (difference value subtraction) of the mitigation device information table, the attack information. Update the communication volume (adding the difference value) addressed to the target AS that is being handled by the own AS in the table.

In step S250, the DDoS cooperation coping device 100 of AS5 draws in communication for the target IP address to the requesting mitigation device 50 via the network control device 300 to deal with it.
[Re-adjustment request message processing (AS1)]
In step S251, the DDoS cooperation coping device 100 of AS1 stores the information received from AS3 in the attack information table and / or the adjacent AS information table.

  In step S252, the DDoS cooperation coping device 100 of AS1 receives the readjustment request (Flag = 1) from all the cooperation destination ASs (AS2, AS3), and therefore, the destination IP address included in the target IP address list flowing in the own AS is addressed. The total value of the communication amount, the available resource amount of the mitigation device 50, and the target addressed communication amount currently being dealt with are acquired from each table. If the information in each table is not the latest, the DDoS cooperation coping device 100 of AS1 acquires the information via the traffic information collection / DDoS attack detection device 200 and updates the values of the attack information table and / or the mitigation device information table. .

  In step S253, the DDoS cooperation coping device 100 of AS1 solves the above-described optimization problem, so that the resource usage rate of the mitigation device 50 of each AS (AS1, AS2, AS3) is leveled, and the value of the coping amount is set. Calculate the combination of.

In step S254, the DDoS cooperation coping device 100 of AS1 obtains the result of the parameter adjustment, “using the communication volume (x _AS ) that each AS deals with for the communication to the target AS, in the mitigation device information table. Value of available resource amount (subtraction of communication amount handled by own AS), total value of attack communication amount of target AS unit of information about own AS in attack information table (subtraction of communication amount handled by other AS) and self Update the value of the traffic volume being handled in the information of AS and other AS (set the value of the traffic volume handled by each AS), and update the minimum value of the target traffic volume handled by own AS Calculated from the total value of the attack traffic volume of each target AS and the available bandwidth of the inter-AS link, and update it.

In step S255, the DDoS cooperation coping device 100 of AS1 sends the target AS number (AS1), its own AS number (AS1), and the destination AS of the message to the DDoS cooperation coping device 100 of the cooperation destination AS (AS2, AS3). In the target AS addressed communication amount (x _AS obtained as a result of adjustment), the difference value of the handling amount for the target AS addressed (x _AS -X _AS ), and a handling request message including Flag = 0 is transmitted.
[Handling action request message (AS2)]
In step S256, the DDoS cooperation coping device 100 of AS2 uses the difference value of the coping amount for the communication to the target AS, which is included in the received message, by using the available resource amount (difference value subtraction) of the mitigation device information table, the attack information. Update the communication volume (adding the difference value) addressed to the target AS that is being handled by the own AS in the table.

In step S257, the DDoS cooperation coping device 100 of AS2 takes in the communication for the target IP address to the requesting mitigation device 50 via the network control device 300 to deal with it.
[Handling action request message (AS3)]
In step S258, the DDoS cooperation coping device 100 of AS3 uses the difference value of the coping amount for the target AS-addressed communication included in the received message, using the available resource amount (difference value subtraction) of the mitigation device information table, the attack information. Update the communication volume (adding the difference value) addressed to the target AS that is being handled by the own AS in the table.

  In step S259, the DDoS cooperation coping device 100 of AS3 draws in communication for the target IP address to the requesting mitigation device 50 via the network control device 300 to deal with it.

  In step S260, the DDoS cooperation coping device 100 of AS3 solves the above-described optimization problem by using the updated information, so that the resource usage rate of the mitigation device 50 of each AS (AS3, AS4, AS5) is leveled. The combination of the values of the coping amount that will be changed is calculated.

In step S261, the DDoS cooperation coping device 100 of AS3 uses the “communication amount (x _AS ), which is dealt with by each AS for the communication to the target AS” obtained as a result of the parameter adjustment, to the mitigation device information table. Of the available resource amount of the target AS (subtracting the communication amount handled by the own AS), the total value of the attack communication amount of the target AS unit of the information about the own AS in the attack information table (subtracting the communication amount handled by other AS), and Update the value of the traffic volume being handled in the information of the own AS and other AS (set the value of the traffic volume handled by each AS). Further, the DDoS cooperation coping device 100 of AS3 calculates the minimum value of the target communication traffic to be dealt with by its own AS from the updated total value of the attack traffic of each target AS and the available bandwidth of the inter-AS link. Update.

At this time, the DDoS cooperation coping device 100 of AS3 notifies the network control device 300 of the target IP address and the communication volume (x _AS1 ) addressed to the target AS to be dealt with by its own AS, so as to deal with the attack with the latest information. You may apply. The network control device 300 pulls in the communication addressed to the target IP address described in the attack information table for x _{AS3 to} the mitigation device 50 to handle it.

In step S262, the DDoS cooperation coping device 100 of AS3 sends the target AS number (AS1), its own AS number (AS3), and the destination AS of the message to the DDoS cooperation coping device 100 of the cooperation destination AS (AS4, AS5). In the target AS addressed communication amount (x _AS obtained as a result of adjustment), the difference value of the handling amount for the target AS addressed (x _AS -X _AS ), and a handling request message including Flag = 0 is transmitted.

In step S263, the DDoS cooperation coping device 100 of AS3 has the target AS number (AS1), the AS number of its own (AS3), and the total value of the communication volume addressed to the target flowing through its own AS (AS3) to the downstream AS (AS1), Readjustment including mitigation device 50 available resource amount, target target communication amount currently being handled, inter-AS link available bandwidth amount, minimum target target communication amount handled by own AS (AS3), Flag = 0 Send a request message.
[Handling action request message (AS4)]
In step S264, the DDoS cooperation coping device 100 of AS4 uses the difference value of the coping amount for the communication to the target AS, which is included in the received message, by using the available resource amount (difference value subtraction) of the mitigation device information table, the attack information. Update the communication volume (adding the difference value) addressed to the target AS that is being handled by the own AS in the table.

In step S265, the DDoS cooperation coping device 100 of AS4 takes in the communication for the target IP address to the requested mitigation device 50 via the network control device 300 to deal with it.
[Handling request message (AS5)]
In step S266, the DDoS cooperation coping device 100 of AS5 uses the difference value of the coping amount for the target AS-addressed communication included in the received message, using the available resource amount (difference value subtraction) of the mitigation device information table, the attack information. Update the communication volume (adding the difference value) addressed to the target AS that is being handled by the own AS in the table.

In step S267, the DDoS cooperation coping device 100 of AS5 takes in the target IP address communication to the requesting mitigation device 50 via the network control device 300 for coping.
[Re-adjustment request message processing (AS1)]
In step S268, the DDoS cooperation coping device 100 of AS1 executes the readjustment request message (Flag = 0) process. After that, until the convergence condition described below is satisfied, the process associated with the reception of the message in each AS and the message transmission to other AS are repeatedly performed, thereby preventing the inter-AS link congestion as a whole of the Internet, and mitigation device 50 of each AS. The attack to the target AS can be shared and dealt with so that the resource usage rate of each is leveled.

  As a convergence condition for preventing infinite parameter adjustment, for example, in each AS, the difference between the value of F and the value of G calculated with the input value at the time of performing adjustment for a certain target addressed communication ( preF-preG) and the difference between the F and G values (F-G) obtained as a result of the adjustment, and if there is no improvement over a preset threshold value, that parameter adjustment is not performed. It is assumed that the message processing will be terminated. The convergence condition is arbitrary and is not limited to this method.

  Further, in order to follow changes in the amount of attack and the like, the DDoS cooperation coping device 100 of the target AS is triggered by the reception of the attack detection message, the transmission of the first coping request message (Flag = 1), etc. By retransmitting the countermeasure request (Flag = 1) to the cooperation destination AS each time, the contents of the cooperation countermeasure against the target AS attack currently being dealt with are updated using the latest communication volume information etc. It is also possible to do.

  In the above-described embodiment, the DDoS cooperation coping device 100 is introduced, which is responsible for sharing the DDoS attack information and adjusting how much the resource of the defense function of each AS is assigned to each attack. As an architecture between the DDoS cooperation coping devices 100, a distributed architecture in which each AS directly communicates with each other is limited to the neighborhood. In this architecture, a method of starting cooperation from a target AS and then preferentially coping with an AS close to the attack source (coping with priority on bandwidth) is applied. Next, in order to equalize the resource usage rate, readjustment is performed from the most upstream AS, and from the link bandwidth information with the downstream AS, at least the own AS must take action to avoid congestion. The amount that must be calculated is calculated and used as a constraint in the optimization problem. As a result, when coping with DDoS attacks on the entire Internet, it is possible to avoid congestion of the link band between ASs and level the resource usage rate of the protection device of each AS at the same time. According to the above-described embodiment, even when applied to the entire Internet, it is possible to share the DDoS attack information with high scalability and cooperate with it. Also, when coordinating against DDoS attacks by sharing defense device resources across the Internet, avoiding congestion of inter-AS link bandwidths, while suppressing the impact on other communication services, the protection device of each AS By balancing the resource usage of the Internet, more DDoS attacks can be dealt with on the Internet as a whole.

  Although the examples of the present invention have been described above in detail, the present invention is not limited to the above-described specific embodiments, and various modifications can be made within the scope of the gist of the present invention described in the claims. -Can be changed.

10 network 50 mitigation device 100 DDoS cooperation coping device 110 processing unit 120 storage unit 130 communication unit 200 traffic information collection / DDoS attack detection device 300 network control device 400 packet transfer device

Claims (6)

A communication system having a plurality of autonomous systems (AS), comprising:
Each autonomous system has a DDoS cooperation handling device and a mitigation device,
In order to cooperate with the DDoS attack detected in the target AS, in response to the countermeasure request sent from the DDoS cooperation countermeasure device of the target AS, the minimum countermeasure amount, the total value of the communication amount addressed to the target AS flowing through the own AS, the countermeasure A readjustment request including the attack volume to the target AS and the available resource volume of the mitigation device is sent from the AS closest to the attacking AS to the downstream AS,
Receiving the readjustment request, the DDoS attack cooperation countermeasure device of the AS, based on the information of the readjustment request and the own AS, solve the optimization problem for leveling the resources of each AS used for the cooperation countermeasure. by determining the resource utilization,
The minimum handling amount of each AS is determined based on the available bandwidth of the link between adjacent ASs,
The cooperative resource usage of resources used for addressing a communication system that will be determined by solving an optimization problem including a minimum deal amount the determined as a constraint condition. A communication system having a plurality of autonomous systems (AS), comprising:
Each autonomous system has a DDoS cooperation handling device and a mitigation device,
In order to cooperate with the DDoS attack detected in the target AS, in response to the countermeasure request sent from the DDoS cooperation countermeasure device of the target AS, the minimum countermeasure amount, the total value of the communication amount addressed to the target AS flowing through the own AS, the countermeasure A readjustment request including the attack volume to the target AS and the available resource volume of the mitigation device is sent from the AS closest to the attacking AS to the downstream AS,
Receiving the readjustment request, the DDoS attack cooperation countermeasure device of the AS, based on the information of the readjustment request and the own AS, solve the optimization problem for leveling the resources of each AS used for the cooperation countermeasure. Determines resource usage by
The minimum coping amount determines the coping usage amount used for coping with the DDoS attack among the available bandwidth of the link between adjacent ASs, and a list of target IP addresses for each AS to which the target IP address of the DDoS attack belongs. A communication system that is determined to be greater than or equal to the difference between the total value of the inflow traffic to the IP address included in the above and the coping usage volume . DDoS cooperation handling device of the target AS, when receiving the attack notification message indicating the target IP address, stores the target IP address in the list of target IP addresses for each AS to which the target IP address belongs, the target IP address of Determine the total traffic of the IP addresses included in the list, and deal with the mitigation device provided in the AS based on the determined traffic, or deal with the cooperation AS of the sender of the DDoS attack The communication system according to claim 1 , wherein the communication system determines whether to send a request. Resource utilization is the leveling is determined as the difference between the maximum value and the minimum value of the ratio of target AS addressed traffic to deal with the AS for the available resource amount of mitigation devices of the AS is minimized The communication system according to claim 1, wherein A method for coping with DDoS cooperation in a communication system having a plurality of autonomous systems (AS),
Each autonomous system has a DDoS cooperation handling device and a mitigation device,
The method is
Detecting DDoS attacks,
In order to coordinately deal with the DDoS attack, a step of transmitting a countermeasure request from the DDoS collaboration countermeasure device of the target AS,
A re-adjustment request that includes the minimum handling amount, the total amount of communication to the target AS flowing through the own AS, the amount of attack to the target AS being handled, and the amount of available resources of the mitigation device The step of sending to
The DDoS attack cooperation countermeasure device of the AS that has received the readjustment request, based on the information of the readjustment request and own AS, solve the optimization problem for leveling the resources of each AS used for the cooperation countermeasure Determining the resource utilization by
Have a,
The minimum handling amount of each AS is determined based on the available bandwidth of the link between adjacent ASs,
The cooperative resource usage of resources used for addressing, the method that will be determined by solving an optimization problem including a minimum deal amount the determined as a constraint condition. A method for coping with DDoS cooperation in a communication system having a plurality of autonomous systems (AS),
  Each autonomous system has a DDoS cooperation handling device and a mitigation device,
The method is
  Detecting DDoS attacks,
  In order to coordinately deal with the DDoS attack, a step of transmitting a countermeasure request from the DDoS collaboration countermeasure device of the target AS,
  A readjustment request including the minimum handling amount, the total amount of communication to the target AS flowing through the own AS, the amount of attack to the target AS being handled, and the amount of resources available to the mitigation device is used as a downstream AS from the AS closest to the attacking AS. The step of sending to
  Receiving the readjustment request, the DDoS attack cooperation countermeasure device of the AS, based on the information of the readjustment request and the own AS, solve the optimization problem for leveling the resources of each AS used for the cooperation countermeasure. Determining the resource utilization by
Have
  The minimum coping amount determines the coping usage amount used for coping with the DDoS attack among the available bandwidth of the link between adjacent ASs, and a list of target IP addresses for each AS to which the target IP address of the DDoS attack belongs. The method is determined so as to be equal to or more than the difference between the total value of the communication traffic flowing into the IP address included in the above and the coping usage volume.

Images