WO2004051946A1 - Source address spoofed packet detection device, source address spoofed packet detection method, and source address spoofed packet detection program - Google Patents
- Publication number
- WO2004051946A1 (PCT/JP2002/012583, JP0212583W)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- address
- source
- packet
- spoofing
- ttl value
- Prior art date
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/20—Hop count for routing purposes, e.g. TTL
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Definitions
- Source address spoofed packet detection device, source address spoofed packet detection method, and source address spoofed packet detection program
- the present invention relates to a source address spoofed packet detection device, a source address spoofed packet detection method, and a source address spoofed packet detection program that detect unauthorized intrusions or attacks due to spoofing of the source address in a firewall (FW), a router having a filtering function, an intrusion detection system (IDS), etc.
- FIG. 16 is a diagram showing an example of the operation of the FW.
- the inside of a LAN (Local Area Network) where the host 102 and the host 103 exist, and the outside of the LAN where the host 101 exists are connected via the FW100.
- the IP address of the host 101 is A
- the IP address of the host 102 is B
- the IP address of the host 103 is C.
- the host 102 and the host 103 have a trust relationship, and mutually use authentication of only the source IP address.
- rsh (remote shell)
- a UNIX-based OS establishes a trust relationship by writing a specific host name or source IP address in the rhosts file. Access is then possible without a password.
- the packet transmitted from the host 101 is regarded as a packet transmitted from the host 102 and can access the host 103 through the FW 100, so that the host 103 can be used illegally.
- Filtering by the FW is one of the means to prevent unauthorized intrusion of source address spoofed packets. Specifically, the FW determines whether the source IP address of a packet going from the outside of the LAN to the inside is the IP address of a host inside the LAN, and if it is, the packet is discarded. However, such filtering by the FW can detect a packet spoofing the IP address of a host existing inside the LAN, but cannot detect a packet spoofing the source IP address of a host existing outside the LAN.
- FIG. 17 is a diagram showing an example of the operation of the FW having the filtering passage list.
- the host 102, which has a trust relationship with the host 103, exists outside the LAN, and the inside of the LAN where the host 103 exists and the outside of the LAN where the host 101 and the host 102 exist are connected via the FW 110.
- B is set as the source IP address of the packets to be passed.
- the FW 110 passes the packet having the source IP address B from the host 102 according to the filtering pass list, but discards packets with the source IP address A from the host 101.
- the source IP address in the IP header of the packet to be transmitted is impersonated to the IP address B of the host 102 in the configuration of FIG. 17 in the configuration of FIG.
- the present invention has been made in order to solve such a problem. It is an object of the present invention to provide a source IP address spoofed packet detection device, a source IP address spoofed packet detection method, and a source IP address spoofed packet detection program capable of protecting the inside of the LAN from intrusion or attack by source IP address spoofing, by detecting a packet spoofing the source IP address of a host outside the LAN.
- Disclosure of the invention
- the present invention relates to a source address spoofed packet detection device for detecting a packet in which a source address is spoofed.
- the source address spoofed packet detection device comprises: a packet control unit that controls input/output of packets and acquires the source address and the lifetime of an input packet; a reference lifetime storage unit that stores a reference lifetime indicating a range of normal lifetimes in association with a source address; and an address spoofing determination unit that compares the lifetime of the input packet with the reference lifetime corresponding to the source address of the input packet, and determines whether or not the source address of the input packet is spoofed based on a result of the comparison.
- a lifetime storage unit that stores the source address of the input packet and the lifetime in association with each other, and a reference lifetime calculation unit that calculates a reference lifetime for each source address based on the stored lifetimes.
- the reference lifetime for each source address can be calculated by using the lifetime collected for each source address.
- the packet control unit passes the input packet when the address spoofing determination unit determines that the source address is not spoofed, and discards the input packet when the address spoofing determination unit determines that the source address is spoofed.
- the device further comprises a connection disconnecting unit that disconnects the connection between the source address and the destination address of the input packet when the address spoofing determination unit determines that the source address is spoofed.
- an alert information notification unit that transmits alert information to a previously designated address is further provided.
- when a source address spoofed packet is detected, alert information about the packet is notified to the administrator, so that the administrator can grasp and deal with the unauthorized intrusion or attack due to source address spoofing.
- the source address spoofed packet detection device further includes a log storage unit that stores alert information as a log when the address spoofing determination unit determines that the source address is forged.
- alert information regarding the packet is stored as a log, thereby keeping a record of unauthorized intrusion or attack due to spoofing of the source address, which can be used as evidence of intrusions or attacks.
- the source address is a source IP address
- the lifetime is a TTL value
- the reference lifetime is a reference TTL value indicating a range of a normal TTL value
- the reference lifetime storage unit is a reference TTL value storage unit that stores a reference TTL value.
- a packet in which the source IP address is spoofed can be detected by comparing the pre-stored reference TTL value of each source IP address with the TTL value of the input packet.
- a TTL value storage unit that stores the source IP address of the input packet in association with a TTL value, and a reference TTL value calculation unit that calculates a reference TTL value for each source IP address based on the TTL values stored for each source IP address by the TTL value storage unit.
- the reference TTL value calculation unit calculates a median value from the TTL values stored for each source IP address by the TTL value storage unit, and sets a predetermined range including the median value as the reference TTL value corresponding to the source IP address.
- the reference TTL value calculation unit calculates an average value from the TTL values stored for each source IP address by the TTL value storage unit, and sets a predetermined range including the average value as the reference TTL value corresponding to the source IP address.
- the reference TTL value for each source IP address can be calculated by using the TTL value collected for each source IP address.
- the packet control unit passes the input packet when the address spoofing determination unit determines that the source IP address is not spoofed, and discards the input packet when the address spoofing determination unit determines that the source IP address is spoofed.
- when a source IP address spoofed packet is detected, the packet is discarded, so that the inside of the LAN can be protected in real time from unauthorized intrusion or attack due to source IP address spoofing.
- a connection disconnecting unit that disconnects the connection between the source IP address and the destination IP address of the input packet when the address spoofing determination unit determines that the source IP address is forged.
- the connection disconnecting unit disconnects the connection by transmitting a reset packet to the source IP address and the destination IP address.
- when the source address spoofed packet detection device determines that the source IP address is forged, an alert information notification unit that transmits alert information to a pre-designated address is provided.
- the alert information includes a source IP address, a destination IP address, a TTL value, and a reference TTL value of the input packet.
- alert information regarding the packet is notified to the administrator, so that the administrator can grasp the unauthorized intrusion or attack due to the source IP address spoofing and take action.
- the alert information can further include the date and time.
- the source address spoofed packet detection device further includes a log storage unit that stores alert information as a log when the address spoofing determination unit determines that the source IP address is forged. Further, in the source address spoofed packet detection device according to the present invention, the alert information includes a source IP address, a destination IP address, a TTL value, and a reference TTL value of the input packet. According to such a configuration, when a source IP address spoofed packet is detected,
- the present invention also relates to a source address spoofed packet detection method for detecting a packet in which a source IP address is forged, comprising the steps of: controlling input/output of packets and acquiring the source IP address and the TTL value of an input packet; storing the source IP address of the input packet in association with the TTL value; calculating a reference TTL value for each source IP address based on the TTL values stored for each source IP address; and comparing the TTL value of the input packet with the reference TTL value corresponding to the source IP address of the input packet and determining, based on the result of the comparison, whether or not the source IP address in the input packet is forged.
- a packet in which the source IP address is forged can be detected by comparing the reference TTL value for each source IP address, calculated using the TTL values collected for each source IP address, with the TTL value of the input packet.
- the method further comprises the step of passing the input packet when it is determined that the source IP address is not forged, and discarding the input packet when it is determined that the source IP address is forged.
- the method further comprises the step of disconnecting the connection between the source IP address and the destination IP address in the input packet when it is determined that the source IP address is forged.
- the source address spoofed packet detection method further comprises a step of transmitting alert information to a pre-designated address when it is determined that the source IP address is forged.
- the source address spoofed packet detection method further comprises a step of storing alert information as a log when it is determined that the source IP address is forged.
- the alert information about the packet is stored as a log, thereby
- the present invention also relates to a source address spoofed packet detection program stored in a computer-readable medium for causing a computer to detect a packet in which a source IP address is forged.
- a step of comparing the TTL value of the input packet with a reference TTL value corresponding to the source IP address of the input packet, and judging, based on a result of the comparison, whether or not the source IP address in the input packet is spoofed.
- a packet in which the source IP address is forged can be detected.
- the program further comprises a step of passing the input packet when it is determined that the source IP address is not forged, and discarding the input packet when it is determined that the source IP address is forged.
- the program further comprises the step of disconnecting the connection between the source IP address and the destination IP address in the input packet when it is determined that the source IP address is forged.
- the source address spoofed packet detection program further comprises a step of transmitting alert information to a predetermined address when it is determined that the source IP address is forged. According to such a configuration, when a source IP address spoofed packet is detected, alert information on the packet is notified to the administrator, so that the administrator can grasp and deal with the unauthorized intrusion or attack due to the source IP address forgery.
- the source address spoofed packet detection program further comprises a step of storing alert information as a log when it is determined that the source IP address is forged.
- FIG. 1 is a diagram showing the structure of a packet.
- FIG. 2 is a diagram showing a configuration of an IP header.
- FIG. 3 is a block diagram showing an example of a function of the source IP address spoofed packet detection device according to the first embodiment.
- FIG. 4 is a flowchart showing an example of processing of the source IP address spoofed packet detection device according to the first embodiment.
- FIG. 5 is a diagram showing an example of a reference TTL value table.
- FIG. 6 is a diagram showing an example of a TTL value table.
- FIG. 7 is a block diagram illustrating an example of an operation of the FW including the source address spoofed packet detection device according to the first embodiment.
- FIG. 8 is a block diagram showing an example of a function of a source IP address spoofed packet detection device according to Embodiment 2.
- FIG. 9 is a diagram showing a configuration of a TCP header.
- FIG. 10 is a flowchart showing an example of processing of the source IP address spoofed packet detection device according to the second embodiment.
- FIG. 11 is a block diagram showing an example of a function of the source IP address spoofed packet detection device according to the third embodiment.
- FIG. 12 is a flowchart showing an example of processing of the source IP address spoofed packet detection device according to the third embodiment.
- FIG. 13 is a diagram showing an example of a log.
- FIG. 14 is a block diagram showing an example of a function of the source IP address spoofed packet detection device according to the fourth embodiment.
- FIG. 15 is a flowchart showing an example of processing of the source IP address spoofed packet detection device according to the fourth embodiment.
- FIG. 16 is a diagram showing an example of the operation of the FW.
- FIG. 17 is a diagram showing an example of the operation of the FW having the filtering passage list.
- a packet is composed of an Ethernet header, an IP header, a TCP/UDP (User Datagram Protocol) header, and data.
- the IP header consists of Ver. (Version), HLen (Header Length), TOS (Type of Service), total data length, identifier, flag, fragment offset, TTL (Time To Live) value, protocol, checksum, source IP address, and destination IP address.
- the TTL value in the IP header is a time-to-live field in the IP header, and describes the limit value of the number of routers through which a packet can pass.
- the TTL value is given an initial value, and is decremented by 1 each time it passes through a router. When the value reaches 0, the packet is discarded and an ICMP type 11 error (time exceeded) packet is returned.
- the TTL value of a packet spoofing the source IP address often differs from the TTL value of a normal packet.
- the reason is that the initial value of the TTL value often differs for each host, and the number of hops between the source host and the FW is often different.
- the present invention utilizes this property to detect a source IP address spoofed packet by comparing the TTL value of a passing packet with a reference TTL value.
- the reference TTL value is obtained based on the history of the TTL value corresponding to a certain source IP address, and indicates a normal TTL value range.
- FIG. 3 is a block diagram showing an example of a function of the source IP address spoofed packet detection device according to the first embodiment.
- the functions of the source IP address spoofed packet detection device include a packet control unit 1, an address spoofing determination unit 2, a TTL value storage unit 3, a reference TTL value calculation unit 4, and a reference TTL value storage unit 5.
- FIG. 4 is a flowchart showing an example of processing of the source IP address spoofed packet detection device according to the first embodiment.
- the packet control unit 1 receives an input packet from a network, acquires a source IP address and a TTL value from the IP header of the input packet, and outputs the acquired source IP address and TTL value to the address spoofing determination unit 2 (S1).
- the address spoofing determination unit 2 determines whether or not the reference TTL value corresponding to the source IP address of the input packet is set in the reference TTL value table (S2).
- the reference TTL value table will be described.
- the reference TTL value table is stored in the reference TTL value storage unit 5.
- FIG. 5 is a diagram showing an example of a reference TTL value table. As shown in FIG. 5, the reference TTL value table stores a reference TTL value representing a normal TTL value range for each source IP address in association with the source IP address.
- the processing shifts to S4.
- the address spoofing determination unit 2 obtains the reference TTL value corresponding to the source IP address from the reference TTL value table, and determines whether or not the TTL value of the input packet is within the range of the reference TTL value (S3). If the TTL value of the input packet is not within the range of the reference TTL value (S3, N), the address spoofing determination unit 2 notifies the packet control unit 1 that the input packet is a source IP address spoofed packet.
- the packet control unit 1, having received the notification that the input packet is a source IP address spoofed packet, discards the input packet (S7), and ends this flow.
- the address spoofing determination unit 2 notifies the packet control unit 1 that the source IP address of the input packet is normal.
- the TTL value of the input packet is stored in the TTL value table (S4).
- FIG. 6 is a diagram showing an example of a TTL value table. As shown in FIG. 6, the TTL value table stores TTL values collected for each source IP address in association with the source IP address.
- the reference TTL value calculation unit 4 calculates the reference TTL value by including the newly stored TTL value in the TTL value table, and stores the result in the reference TTL value table (S5).
- the reference TTL value is calculated, for example, as a median value or an average value of the TTL values for each source IP address in the TTL value table.
- the reference TTL value may have a range, for example, the median value ±1 or the average value ±1.
- the reference TTL value may be stored in the reference TTL value table in advance, and the TTL value storage unit 3 and the reference TTL value calculation unit 4 may be omitted.
- the packet control unit 1, having received the notification that the source IP address is normal, transmits the input packet to the network (S6), and ends this flow.
- FIG. 7 is a block diagram showing an example of the operation of the FW provided with the source address spoofed packet detection device according to the first embodiment.
- the host 102 that has a trust relationship with the host 103 exists outside the LAN, and the inside of the LAN where the host 103 exists and the outside of the LAN where the host 101 and the host 102 exist are connected via the FW 120.
- the IP address of the host 101 is A
- the IP address of the host 102 is B
- the IP address of the host 103 is C.
- the FW 120 holds a filtering pass list and includes a source address spoofed packet detection device 130 according to the present embodiment. B is set in the filtering pass list as the source IP address of the packets to be passed.
- the source address spoofed packet detection device 130 has the TTL value of the input packet and the reference TTL value 251 ± 1 corresponding to the source IP address of the input packet.
- the packet transmitted from the host 102 has the source IP address B and its TTL value 251 is within the range of the reference TTL value 251 ± 1, so the packet transmitted from the host 102 is regarded as a normal packet and passed.
- the packet sent from the host 101 has the source IP address B, but since its TTL value 123 is not within the range of the reference TTL value 251 ± 1, the packet sent from the host 101 is regarded as a source IP address spoofed packet and discarded.
- FIG. 8 is a block diagram showing an example of a function of the source IP address spoofed packet detecting device according to the second embodiment.
- the same reference numerals as those in FIG. 3 denote the same or corresponding components as those shown in FIG. 3, and a description thereof will be omitted.
- the function of the source IP address spoofed packet detection device according to the present embodiment differs from the configuration shown in FIG. in that an alert information notification unit 21 is provided.
- a packet control unit 1A is provided instead of the packet control unit 1 in the configuration shown in FIG. 3, and an address spoofing determination unit 2A is provided instead of the address spoofing determination unit 2.
- the packet control unit 1A receives the input packet from the network, obtains the source IP address and TTL value of the input packet and outputs them to the address spoofing determination unit 2A, obtains the connection information of the input packet and outputs it to the alert information notification unit 21, and transmits the input packet to the network.
- the connection information includes a source IP address and a destination IP address obtained from the IP header, and a source port number and a destination port number obtained from the TCP header.
- the TCP header consists of a source port number, destination port number, sequence number, ACK (Acknowledge) number, offset, reservation, flag, window size, checksum, and urgent pointer.
- FIG. 10 is a flowchart showing an example of processing of a source IP address spoofed packet detection device according to Embodiment 2. In FIG. 10, the same reference numerals as those in FIG. 4 denote the same processes as in FIG. 4, and a description thereof will be omitted.
- the address spoofing determination unit 2A notifies the alert information notification unit 21 that the input packet is a source IP address spoofed packet. At this time, the address spoofing determination unit 2A passes the TTL value of the input packet and the reference TTL value to the alert information notification unit 21.
- the alert information notification unit 21, having been notified that the input packet is a source IP address spoofed packet, first creates alert information (S21).
- the alert information includes, for example, date and time, connection information of an input packet, a TTL value, and a reference TTL value.
- the alert information notifying unit 21 sends the alert information as an email to the email address of the administrator specified in advance (S22), and ends this flow.
- FIG. 11 is a block diagram showing an example of a function of the source IP address spoofed packet detection device according to the third embodiment.
- the same reference numerals as those in FIG. 8 denote the same or corresponding objects as those shown in FIG. 8, and a description thereof will be omitted.
- the function of the source IP address spoofed packet detection device according to the present embodiment is such that a log storage unit 31 is provided instead of the alert information notification unit 21 shown in FIG.
- FIG. 12 is a flowchart showing an example of processing of the source IP address spoofed packet detection device according to the third embodiment. In FIG. 12, the same reference numerals as those in FIG. 4 denote the same processes as those shown in FIG. 4, and a description thereof will be omitted.
- the address spoofing determination unit 2A notifies the log storage unit 31 that the input packet is a source IP address spoofed packet. At this time, the address spoofing determination unit 2A passes the TTL value of the input packet and the reference TTL value to the log storage unit 31.
- FIG. 13 is a diagram showing an example of a log. As shown in FIG. 13, the log records the date and time when the source IP address spoofed packet passed, the reference TTL value, the TTL value, and the connection information of the source IP address spoofed packet. As described above, in the present embodiment, when a source IP address spoofed packet is detected, alert information about the packet is created and stored as a log, so that a record of unauthorized intrusions and attacks due to spoofing of the source IP address is kept and the log can be used as evidence of unauthorized intrusions and attacks.
- Embodiment 4.
- FIG. 14 is a block diagram showing an example of a function of the source IP address spoofed packet detection device according to the fourth embodiment.
- the same reference numerals as those in FIG. 3 denote the same or corresponding objects as those shown in FIG. 3, and a description thereof will be omitted.
- the function of the source IP address spoofed packet detection device according to the present embodiment includes a connection disconnecting unit 41 in addition to the configuration shown in FIG.
- a packet control unit 1B is provided instead of the packet control unit 1 in the configuration shown in FIG. 3, and an address spoofing determination unit 2B is provided instead of the address spoofing determination unit 2.
- the packet control unit 1B receives the input packet from the network, obtains the source IP address and TTL value of the input packet and outputs them to the address spoofing determination unit 2B, and outputs the input packet to the connection disconnecting unit 41. Also, when receiving a notification that the input packet is a source IP address spoofed packet, the packet control unit 1B discards the input packet.
- FIG. 15 is a flowchart showing an example of processing of the source IP address spoofed packet detection device according to the fourth embodiment.
- the same reference numerals as those in FIG. 4 denote the same processes as in FIG. 4, and a description thereof will be omitted.
- the address spoofing determination unit 2B notifies the connection disconnecting unit 41 and the packet control unit 1B that the input packet is a source IP address spoofed packet.
- upon receiving the notification that the input packet is a source IP address spoofed packet, the connection disconnecting unit 41 first refers to the input packet and creates reset packets for the source IP address and the destination IP address (S41). The reset packet is a packet for forcibly terminating a connection in TCP, specifically a packet in which the RST flag bit is set in the TCP header flags. Next, the connection disconnecting unit 41 transmits a reset packet to the source IP address and the destination IP address (S42), and ends this flow.
- when a source IP address spoofed packet is detected, the packet is discarded, a reset packet is generated, and the reset packet is transmitted to the source IP address and the destination IP address, thereby disconnecting the TCP connection.
- by implementing the functions of the source IP address spoofed packet detection device described in the first to fourth embodiments as a program, they can be implemented as part of the functions of a FW, router, or IDS, and can cooperate with other functions to increase the detection rate of attacks and intrusions.
- a TTL value is collected for each source IP address of a passing packet, a reference TTL value is generated, and a reference value of the passing packet is generated.
- spoofing of the source IP address is detected, and if it is detected, an alert is raised or the packet is discarded, thereby protecting the inside of the LAN from unauthorized intrusion and attacks by source IP address spoofing.
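The flow of FIG. 4 (S1 to S7) run with the FIG. 7 values (reference TTL 251 ± 1, spoofed packet arriving with TTL 123), as an added example that is not code from the patent. The class and function names, the `min_samples` parameter, and the documentation addresses standing in for hosts B and C are assumptions of this sketch.

```python
import socket
import struct
from datetime import datetime, timezone
from statistics import median


def parse_ipv4(header: bytes):
    """S1: extract (source IP, destination IP, TTL) from a raw IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return (socket.inet_ntoa(header[12:16]),
            socket.inet_ntoa(header[16:20]),
            header[8])


class TtlSpoofDetector:
    """Per-source TTL baseline following steps S1-S7 of the first embodiment."""

    def __init__(self, tolerance=1, min_samples=1):
        self.tolerance = tolerance   # the "±1" range around the median
        # min_samples is an assumption of this sketch; the described flow
        # sets a reference from the first packet (same as min_samples=1).
        self.min_samples = min_samples
        self.ttl_table = {}          # source IP -> observed TTLs (FIG. 6)
        self.reference = {}          # source IP -> (low, high)   (FIG. 5)
        self.alerts = []             # alert information kept as a log

    def process(self, header: bytes) -> str:
        src, dst, ttl = parse_ipv4(header)                        # S1
        ref = self.reference.get(src)                             # S2
        if ref is not None and not (ref[0] <= ttl <= ref[1]):     # S3
            self.alerts.append({
                "time": datetime.now(timezone.utc).isoformat(),
                "src": src, "dst": dst, "ttl": ttl, "reference": ref,
            })
            return "discard"                                      # S7
        samples = self.ttl_table.setdefault(src, [])
        samples.append(ttl)                                       # S4
        if len(samples) >= self.min_samples:                      # S5
            mid = median(samples)
            self.reference[src] = (mid - self.tolerance,
                                   mid + self.tolerance)
        return "pass"                                             # S6


def make_header(src: str, dst: str, ttl: int) -> bytes:
    """Build a constructed 20-byte IPv4 header (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


HOST_B = "192.0.2.10"     # constructed address for trusted host 102 (B)
HOST_C = "198.51.100.5"   # constructed address for internal host 103 (C)


def run_demo():
    """Three genuine packets, one spoofed as B, then one more genuine."""
    detector = TtlSpoofDetector(tolerance=1, min_samples=3)
    ttls = [251, 251, 251, 123, 250]   # 123 is the packet from host 101
    verdicts = [detector.process(make_header(HOST_B, HOST_C, t))
                for t in ttls]
    return verdicts, detector


if __name__ == "__main__":
    verdicts, detector = run_demo()
    print(verdicts)
    print(detector.alerts)
```

Because S4 and S5 run on every passed packet, the first packets seen for a source define its baseline; `min_samples` delays enforcement until that many samples exist.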
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Description
Claims
Priority Applications (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
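PCT/JP2002/012583 WO2004051946A1 (ja) | 2002-12-02 | 2002-12-02 | Source address spoofing packet detecting apparatus, source address spoofing packet detecting method, and source address spoofing packet detecting program |
JP2004556791A JP4014599B2 (ja) | 2002-12-02 | 2002-12-02 | Source address spoofing packet detecting apparatus, source address spoofing packet detecting method, and source address spoofing packet detecting program |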
AU2002349678A AU2002349678A1 (en) | 2002-12-02 | 2002-12-02 | Source address spoofing packet detecting apparatus, source address spoofing packet detecting method, and source address spoofing packet detecting program |
US11/094,247 US20050180421A1 (en) | 2002-12-02 | 2005-03-31 | Source address-fabricated packet detection unit, source address-fabricated packet detection method, and source address-fabricated packet detection program |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2002/012583 WO2004051946A1 (ja) | 2002-12-02 | 2002-12-02 | Source address spoofing packet detecting apparatus, source address spoofing packet detecting method, and source address spoofing packet detecting program |
Related Child Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US11/094,247 Continuation US20050180421A1 (en) | 2002-12-02 | 2005-03-31 | Source address-fabricated packet detection unit, source address-fabricated packet detection method, and source address-fabricated packet detection program |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2004051946A1 (ja) | 2004-06-17 |
Family
ID=32448986
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/JP2002/012583 WO2004051946A1 (ja) | 2002-12-02 | 2002-12-02 | Source address spoofing packet detecting apparatus, source address spoofing packet detecting method, and source address spoofing packet detecting program |
Country Status (3)
Country | Link |
---|---|
JP (1) | JP4014599B2 (ja) |
AU (1) | AU2002349678A1 (ja) |
WO (1) | WO2004051946A1 (ja) |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2007074734A (ja) * | 2005-09-08 | 2007-03-22 | Internatl Business Mach Corp <Ibm> | System, method, and program for identifying the source of malicious network messages |
JP2007143020A (ja) * | 2005-11-22 | 2007-06-07 | Nippon Telegr & Teleph Corp <Ntt> | Relay device and program for relay device |
JP2008028740A (ja) * | 2006-07-21 | 2008-02-07 | Secure Ware:Kk | Communication control device, communication control method, and computer program |
JP2009200801A (ja) * | 2008-02-21 | 2009-09-03 | Oki Electric Ind Co Ltd | Packet relay device |
JP2016051935A (ja) * | 2014-08-29 | 2016-04-11 | セコム株式会社 | Communication device and communication server |
JP2018148506A (ja) * | 2017-03-09 | 2018-09-20 | 三菱電機株式会社 | Packet switching device |
WO2019021995A1 (ja) * | 2017-07-26 | 2019-01-31 | パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ | Communication device, communication method, and communication system |
US10999323B2 (en) * | 2017-09-22 | 2021-05-04 | Nec Corporation | Network gateway spoofing detection and mitigation |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JPH10271154A (ja) * | 1997-03-21 | 1998-10-09 | Nec Eng Ltd | Method and system for preventing unauthorized access |
JP2002176454A (ja) * | 2000-12-05 | 2002-06-21 | Nec Corp | Packet transfer control device, packet transfer control method, and packet transfer control system |
2002
- 2002-12-02 JP JP2004556791A patent/JP4014599B2/ja not_active Expired - Fee Related
- 2002-12-02 AU AU2002349678A patent/AU2002349678A1/en not_active Abandoned
- 2002-12-02 WO PCT/JP2002/012583 patent/WO2004051946A1/ja active Application Filing
Non-Patent Citations (1)
Title |
---|
KIYOYUKI KAWASHIMA ET AL: "Network Profiling ni Yoru Ijo Kenshutsu Shuho no Teian", INFORMATION PROCESSING SOCIETY OF JAPAN DAI 63 KAI (HEISEI 13 NEN KOKI) ZENKOKU TAIKAI, 26 September 2001 (2001-09-26), pages 3-487 - 3-488, XP002979139 * |
Cited By (18)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2007074734A (ja) * | 2005-09-08 | 2007-03-22 | Internatl Business Mach Corp <Ibm> | System, method, and program for identifying the source of malicious network messages |
US9455995B2 (en) | 2005-09-08 | 2016-09-27 | International Business Machines Corporation | Identifying source of malicious network messages |
US9191396B2 (en) | 2005-09-08 | 2015-11-17 | International Business Machines Corporation | Identifying source of malicious network messages |
JP4551316B2 (ja) * | 2005-11-22 | 2010-09-29 | 日本電信電話株式会社 | Relay device and program for relay device |
JP2007143020A (ja) * | 2005-11-22 | 2007-06-07 | Nippon Telegr & Teleph Corp <Ntt> | Relay device and program for relay device |
JP2008028740A (ja) * | 2006-07-21 | 2008-02-07 | Secure Ware:Kk | Communication control device, communication control method, and computer program |
JP2009200801A (ja) * | 2008-02-21 | 2009-09-03 | Oki Electric Ind Co Ltd | Packet relay device |
JP4692557B2 (ja) * | 2008-02-21 | 2011-06-01 | 沖電気工業株式会社 | Packet relay device |
JP2016051935A (ja) * | 2014-08-29 | 2016-04-11 | セコム株式会社 | Communication device and communication server |
JP2018148506A (ja) * | 2017-03-09 | 2018-09-20 | 三菱電機株式会社 | Packet switching device |
WO2019021995A1 (ja) * | 2017-07-26 | 2019-01-31 | パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ | Communication device, communication method, and communication system |
WO2019021402A1 (ja) * | 2017-07-26 | 2019-01-31 | パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ | Communication device, communication method, and communication system |
US20190239221A1 (en) * | 2017-07-26 | 2019-08-01 | Panasonic Intellectual Property Corporation Of America | Communication device, communication method, and communication system |
JPWO2019021995A1 (ja) * | 2017-07-26 | 2020-05-28 | パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ Panasonic Intellectual Property Corporation of America | Communication device, communication method, and communication system |
US10904883B2 (en) * | 2017-07-26 | 2021-01-26 | Panasonic Intellectual Property Corporation Of America | Communication device, communication method, and communication system |
JP7017520B2 (ja) | 2017-07-26 | 2022-02-08 | パナソニック インテレクチュアル プロパティ コーポレーション オブ アメリカ | Communication device, communication method, and communication system |
US11553484B2 (en) | 2017-07-26 | 2023-01-10 | Panasonic Intellectual Property Corporation Of America | Communication device, communication method, and communication system |
US10999323B2 (en) * | 2017-09-22 | 2021-05-04 | Nec Corporation | Network gateway spoofing detection and mitigation |
Also Published As
Publication number | Publication date |
---|---|
AU2002349678A1 (en) | 2004-06-23 |
JPWO2004051946A1 (ja) | 2006-04-06 |
JP4014599B2 (ja) | 2007-11-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7970894B1 (en) | Method and system for monitoring of wireless devices in local area computer networks | |
JP5524737B2 (ja) | Method and apparatus for detecting spoofed network information | |
US7007302B1 (en) | Efficient management and blocking of malicious code and hacking attempts in a network environment | |
US9003527B2 (en) | Automated method and system for monitoring local area computer networks for unauthorized wireless access | |
JP4545647B2 (ja) | Attack detection and defense system | |
EP1817685B1 (en) | Intrusion detection in a data center environment | |
US20070033645A1 (en) | DNS based enforcement for confinement and detection of network malicious activities | |
US7596097B1 (en) | Methods and apparatus to prevent network mapping | |
US20050180421A1 (en) | Source address-fabricated packet detection unit, source address-fabricated packet detection method, and source address-fabricated packet detection program | |
EP1722535A2 (en) | Method and apparatus for identifying and disabling worms in communication networks | |
US7475420B1 (en) | Detecting network proxies through observation of symmetric relationships | |
US20030226032A1 (en) | Secret hashing for TCP SYN/FIN correspondence | |
WO2006046345A1 (ja) | Denial-of-service attack detection system and denial-of-service attack detection method | |
US7596808B1 (en) | Zero hop algorithm for network threat identification and mitigation | |
US20170019426A1 (en) | Method for attribution security system | |
WO2006040892A1 (ja) | Denial-of-service attack defense method, denial-of-service attack defense system, denial-of-service attack defense device, relay device, denial-of-service attack defense program, and program for relay device | |
JP2004140524A (ja) | DoS attack detection method, DoS attack detection device, and program | |
Saad et al. | A study on detecting ICMPv6 flooding attack based on IDS | |
CN109327465B (zh) | Method for securely defending against network hijacking | |
WO2004051946A1 (ja) | Source address spoofing packet detecting apparatus, source address spoofing packet detecting method, and source address spoofing packet detecting program | |
EP2007066A9 (en) | A policy enforcement point and a linkage method and system for intrude detection system | |
JP5153779B2 (ja) | Method and apparatus for overriding denunciations of unwanted traffic in one or more packet networks | |
JP5551061B2 (ja) | Information processing device, address duplication handling method, and address duplication handling program | |
Wang et al. | DoS attacks and countermeasures on network devices | |
CN113206852B (zh) | Security protection method, apparatus, device, and storage medium |
Legal Events
Code | Title | Description |
---|---|---|
AK | Designated states | Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SC SD SE SG SK SL TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
AL | Designated countries for regional patents | Kind code of ref document: A1 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR IE IT LU MC NL PT SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
WWE | Wipo information: entry into national phase | Ref document number: 2004556791 Country of ref document: JP |
WWE | Wipo information: entry into national phase | Ref document number: 11094247 Country of ref document: US |
122 | Ep: pct application non-entry in european phase | |