WO2006075378A1 - Network management program, server control program, network management device, server, and network management method - Google Patents


Info

Publication number
WO2006075378A1
Authority
WO
WIPO (PCT)
Prior art keywords
attack
server
network management
client
access control
Prior art date
Application number
PCT/JP2005/000335
Other languages
French (fr)
Japanese (ja)
Inventor
Nobuhiro Kawamura
Hiroshi Nishida
Takashi Imai
Daiji Ito
Yoshiyuki Iijima
Original Assignee
Fujitsu Limited
Priority date
Filing date
Publication date
Application filed by Fujitsu Limited
Priority to PCT/JP2005/000335
Publication of WO2006075378A1

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/14  Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1441  Countermeasures against malicious traffic
    • H04L 63/1458  Denial of Service

Definitions

  • Network management program, server control program, network management apparatus, server, network management method
  • The present invention relates to a network management program, a server control program, a network management device, a server, and a network management method that perform access control against a DoS attack on a server.
  • In recent years, there has been an increasing demand for client/server systems in which many users enjoy services such as file distribution and information disclosure.
  • The user accesses the server from a client via a wide area communication network such as the Internet or a mobile phone network.
  • As an example of a client/server system, an IP telephone service is implemented in which call control is performed by a user accessing a VoIP (Voice over Internet Protocol) server.
  • FIG. 9 is a block diagram showing an example of the configuration of a conventional IP telephone system.
  • This IP telephone system consists of a client 1, an IP (Internet Protocol) network 2, a FW (firewall) 3, an SCS (SIP control server: Session Initiation Protocol control server) 111, an IMS (instant message server) 112, and a Web server 113.
  • The SCS 111, IMS 112, and Web server 113 work together to provide the IP telephone service.
  • The client 1 normally accesses each server via the IP network 2 and the FW 3 for processing related to IP telephony, such as placing a call.
  • The SCS 111 provides call processing including SIP protocol control, routing, and management of the location information of accommodated subscribers.
  • The IMS 112 provides presence/messaging service call control, subscriber data management, and, as a Web-IF (Web interface), management of favorites lists and user information.
  • The Web server 113 provides a front end for password changes, nickname changes, and stock communication.
  • As a related art, Patent Document 1 shown below is known. This line connection permission device registers in advance whether a partner computer may connect, and uses that registered information to decide whether to permit the connection.
  • Patent Document 1: Japanese Patent Laid-Open No. 1-293040 (Page 2, Figure 1)
  • The server has a DoS attack detection function, and when it judges that a DoS attack is occurring, it restricts access from the transmitting client.
  • FIG. 10 is a sequence diagram showing an example of the operation of the conventional IP telephone system during a DoS attack. Even if the server monitors for attacks, detects an attack, and applies a restriction, it automatically releases the restriction when no attack is received for a predetermined time. Therefore, when attacks are repeated, the operations of restriction and release are repeated, and this operation alone increases the load on the server.
  • DoS attacks in the IP telephone system include DoS attacks by legitimate SIP signals, DoS attacks by illegal SIP signals, DoS attacks by one-ring (wan-giri) calls, and DoS attacks on the Web server.
  • A one-ring DoS attack is one in which the operation of cancelling a call immediately after placing it is repeated in large numbers. For example, when a cancel operation is repeated 17 times or more in 180 seconds, the server judges that a DoS attack is occurring.
  • The present invention has been made to solve the problems described above, and its purpose is to provide a network management program, a server control program, a network management device, a server, and a network management method for performing appropriate access control in accordance with the situation of DoS attacks on the server.
  • The present invention is a network management program for causing a computer to execute a network management method in a system including a client and a server. When there is a DoS attack from the client on the server, the program causes the computer to execute: an attack notification receiving step for receiving from the server an attack notification including information for identifying the client that performed the DoS attack; an access control determination step for determining, based on the attack notification received in the attack notification receiving step, access control that restricts or releases the restriction of access to the server from the client that performed the DoS attack; and an access control instruction step for instructing the access control to the outside based on the determination of the access control determination step.
  • Further, the access control determination step displays a screen for performing the access control operation to a maintenance person, and determines the access control based on the operation of the maintenance person.
  • Further, the access control step changes the access list of a firewall or router connected between the client and the server.
  • Further, the access control step deletes the user information of the user of the client that performed the DoS attack, or suspends that user's login to the server.
  • Further, the access control step causes a firewall or router connected between the client and the server to perform a routing setting that replaces access to the server from the client that performed the DoS attack with access to a pseudo server.
  • Further, the pseudo server delays communication with the client.
  • Further, when a plurality of linked servers exist, the access control determination step also restricts a client that is subject to restriction for one of those servers from accessing the other linked servers.
  • Further, the access control determination step counts the number of attack notifications within a predetermined period and determines the access control based on that number.
  • Further, the attack notification includes a priority for the access control, and the access control is determined based on the number of attack notifications within the predetermined period and the priority.
  • Further, the access control determination step decides to release the restriction when no attack notification for a client under restriction is received during a predetermined restriction release time.
  • Further, the access control determination step determines the restriction release time based on the number of times the restricted client has been restricted in the past.
  • Further, the attack notification is transmitted using any one of SNMP-Trap, Syslog, and Telnet.
  • Further, the information for identifying the client is information that identifies a network device, such as an IP address.
  • Further, the information for identifying the client is information that identifies a user, such as a login ID.
  • The present invention also provides a server control program for causing a computer to execute a server control method in a system including a client and a server. The program causes the computer to execute an attack detection step for detecting a DoS attack from the client, and an attack notification transmission step for transmitting to the outside, based on the detection in the attack detection step, an attack notification including information for identifying the client that performed the DoS attack.
  • The present invention is also a network management apparatus for managing a system including a client and a server, comprising: an attack notification receiving unit that, when a DoS attack is made from the client on the server, receives from the server an attack notification including information for identifying the client that performed the DoS attack; an access control determination unit that determines, based on the attack notification received by the attack notification receiving unit, access control that restricts or releases the restriction of access to the server from the client that performed the DoS attack; and an access control instruction unit that instructs the access control to the outside based on the determination of the access control determination unit.
  • The present invention is also a server that provides a service to a client, comprising an attack detection unit that detects a DoS attack from the client, and an attack notification transmission unit that transmits to the outside, based on the detection by the attack detection unit, an attack notification including information for identifying the client that performed the DoS attack.
  • The present invention is also a network management method in a system including a client and a server, comprising: an attack notification receiving step for receiving from the server, when a DoS attack is made from the client on the server, an attack notification including information for identifying the client that performed the DoS attack; an access control determination step for determining, based on the attack notification received in the attack notification receiving step, access control that restricts or releases the restriction of access to the server from the client that performed the DoS attack; and an access control instruction step for instructing the access control to the outside based on the determination of the access control determination step.
  • The present invention is also a server control method in a system including a client and a server, comprising an attack detection step for detecting a DoS attack from the client, and an attack notification transmission step for transmitting to the outside, based on the detection in the attack detection step, an attack notification including information for identifying the client that performed the DoS attack.
  • FIG. 1 is a block diagram showing an example of the configuration of an IP telephone system according to the present invention.
  • FIG. 2 is a block diagram showing an example of the configuration of a server according to the present invention.
  • FIG. 3 is a block diagram showing an example of a configuration of a network management device according to the present invention.
  • FIG. 4 is a sequence diagram showing an example of an operation during a DoS attack in the IP telephone system according to the present invention.
  • FIG. 5 is a flowchart showing an example of the operation of the network monitoring apparatus according to the present invention.
  • FIG. 6 is a screen showing an example of an attack monitoring screen according to the present invention.
  • FIG. 7 is a flowchart showing an example of an operation when access control is automatically performed in the network management device according to the present invention.
  • FIG. 8 is a block diagram showing an example of a configuration when a pseudo server is used in the IP telephone system according to the present invention.
  • FIG. 9 is a block diagram showing an example of the configuration of a conventional IP telephone system.
  • FIG. 10 is a sequence diagram showing an example of an operation during a DoS attack in a conventional IP telephone system.
  • An IP telephone system will be described as an example of the client/server system according to the present invention.
  • FIG. 1 is a block diagram showing an example of the configuration of the IP telephone system according to the present invention.
  • In FIG. 1, the same reference numerals as in FIG. 9 denote the same or corresponding parts, and their description is omitted here.
  • Compared with FIG. 9, the IP telephone system of FIG. 1 has a new network management device 10.
  • The IP telephone system of FIG. 1 also includes an SCS 11 instead of the SCS 111, an IMS 12 instead of the IMS 112, and a Web server 13 instead of the Web server 113.
  • The FW 3 may be a router.
  • FIG. 2 is a block diagram showing an example of the configuration of the server according to the present invention.
  • The server represents any one of the SCS 11, IMS 12, and Web server 13.
  • This server includes a service processing unit 21, an attack detection unit 22, and an attack notification transmission unit 23.
  • FIG. 3 is a block diagram showing an example of the configuration of the network management apparatus according to the present invention.
  • The network management device 10 includes an attack notification receiving unit 31, an access control determination unit 32, a maintenance input/output unit 33, and an access control instruction unit 41.
  • FIG. 4 is a sequence diagram showing an example of the operation of the IP telephone system according to the present invention during a DoS attack.
  • FIG. 5 is a flowchart showing an example of the operation of the network management device according to the present invention.
  • The attack detection unit 22 of the server monitors for DoS attacks from the client 1 (T11) (T31).
  • The setting items of the attack detection unit 22 include, for example, a flag indicating whether the server's restriction on a DoS attack may be released, the time after which the server's restriction on a DoS attack is released, the DoS attack monitoring targets, a flag indicating whether to monitor each type of DoS attack, the time over which consecutive DoS attacks are monitored, and the frequency threshold for detecting a DoS attack.
  • When a DoS attack is detected, the attack notification transmission unit 23 transmits an attack notification carrying information on the DoS attack to the network management device 10 (T12) (T32).
  • The attack notification includes information such as the client IP address, user ID, and DoS attack type.
  • The SCS 11 and the IMS 12 transmit the attack notification to the network management device 10 using SNMP-Trap or Telnet.
  • The Web server 13 transmits the attack notification to the network management device 10 using Syslog or Telnet.
  • The attack notification receiving unit 31 determines whether an attack notification has been received (S11). If none has been received (S11, N), the process returns to step S11 and waits. When an attack notification is received (S11, Y), the access control determination unit 32 stores the content of the attack notification as an attack history (S12) (T21) (T41) and determines whether the client is subject to restriction (S13). A restricted client is one whose access to the corresponding server is restricted, either by blocking it or by reducing the amount of access permitted. Here, the access control determination unit 32 uses the attack history to count the number of attack notifications within a predetermined period for each server and each client, and determines from this count whether the client is subject to restriction and which type of control to apply.
  • The FW 3 restricts access from the restricted client to the server by changing its access list in accordance with the restriction instruction received from the network management device 10 (T51). Further, the server changes the user information of, or stops the login of, the user of the restricted client in accordance with the restriction instruction received from the network management device 10 (T52).
  • FIG. 6 is a screen showing an example of the attack monitoring screen according to the present invention.
  • This attack monitoring screen includes items such as a filter setting button, subscriber IP address, first reception date and time, latest reception date and time, access count, status, restriction/restriction release date and time, and a delete button. These items are displayed for each client reported by an attack notification.
  • The filter setting button is a restriction button when the corresponding client is not under restriction; when it is pressed, a restriction filter is set. When the corresponding client is under restriction, it becomes a release button; when it is pressed, the restriction filter is released.
  • The subscriber IP address is the IP address of the corresponding client.
  • The first reception date/time is the date/time when an attack notification for the corresponding client was first received, and the latest reception date/time is the date/time when one was last received.
  • The access count is the number of accesses from the corresponding client. The status normally indicates either monitoring or restriction.
  • The restriction/restriction release date and time is the date and time when the restriction was last released if the client is not under restriction, and the date and time when the restriction started if it is under restriction.
  • When the delete button is pressed, the corresponding client is removed from the list. Clients may be sorted in the order in which their attack notifications were received. Clients for which an attack notification has been received more than a predetermined number of times may be highlighted.
  • For a client under restriction, the maintenance input/output unit 33 displays a release button on the attack monitoring screen described above and waits for the maintenance person to perform a release operation.
  • The access control instruction unit 41 instructs the FW and the server to release the restriction according to the operation of the maintenance person.
  • The attack notification sent from the server to the network management device 10 may further include a restriction priority.
  • The restriction priority is information indicating how necessary it is to deal with the reported DoS attack.
  • The maintenance input/output unit 33 ranks each entry on the attack monitoring screen as emergency, warning, caution, information, and so on, based on the restriction priority, the number of attack notifications received within a predetermined period, the number of affected users, and the like. Displaying this ranking makes it easy for the maintenance person to judge whether immediate handling is required or whether continued monitoring is acceptable.
  • By sorting and displaying clients in the order in which they need to be handled, or by highlighting clients that require urgent action even when the list is sorted by another item, the urgency of the response can be conveyed to the maintenance person early.
  • The access control determination unit 32 may determine the time until the restriction is released and notify the maintenance person of this restriction release time.
  • This restriction release time is determined according to the maliciousness of the DoS attack, such as the frequency of DoS attacks (obtainable from the dates and times at which attack notifications were received) and the number of times the restricted client has been restricted in the past.
  • A release priority indicating whether or not the restriction may be released may also be displayed on the attack monitoring screen.
  • The release priority is determined according to the maliciousness of the DoS attack. Displaying it prevents the operator from performing an erroneous release operation.
  • The maintenance person performs the restriction operation or the restriction release operation based on the attack monitoring screen.
  • The network management device 10 may also issue the restriction instruction or the restriction release instruction automatically, without requiring the maintenance person. The operation of the network management device in this case will be described.
  • FIG. 7 is a flowchart showing an example of the operation when access control is performed automatically in the network management apparatus according to the present invention.
  • Processes S11 to S13 are the same as in the flowchart of FIG. 5.
  • When the client is subject to restriction, the access control instruction unit 41 instructs the FW and the server to restrict that client (S31).
  • Next, the access control determination unit 32 determines the restriction release time by the method described above (S41) and determines whether the restriction release time has elapsed (S42). If it has not elapsed (S42, N), the process returns to step S42 and waits.
  • If the restriction release time has elapsed, the access control determination unit 32 determines whether an attack notification was received during the restriction release time (S43). If one was received (S43, Y), this flow ends. If none was received (S43, N), the access control instruction unit 41 issues a restriction release instruction (S44), and this flow ends. The network management device 10 repeats this flow.
  • In this way, the network management device 10 can perform restriction and restriction release automatically, without requiring the operation of a maintenance person.
  • In the description above, the network management device 10 performs access control only for the server that was the target of the DoS attack.
  • However, a DoS attack may be made on a plurality of servers. Therefore, if the network management device 10 holds a list of the plurality of linked servers and a client is subject to restriction for one of them, it may decide to restrict that client on all of the linked servers.
  • In this case, the attack history for a given client is collected for all linked servers, and the number of attack notifications for that client is summed over all linked servers.
  • In this way, the network management device 10 can restrict efficiently when a plurality of servers provide a service in cooperation.
  • The IP telephone system according to this embodiment may further include a pseudo server.
  • FIG. 8 is a block diagram showing an example of the configuration when a pseudo server is used in the IP telephone system according to the present invention.
  • In FIG. 8, the same reference numerals as in FIG. 1 denote the same or corresponding parts, and their description is omitted here.
  • Compared with FIG. 1, the IP telephone system of FIG. 8 has a new pseudo server 14.
  • The operation when the IP telephone system according to this embodiment includes a pseudo server will be described. In the restriction instruction issued by the access control instruction unit 41, the routing table of the FW 3 or router is changed so that access from the restricted client to the SCS 11, IMS 12, or Web server 13 (or to any of them) is replaced by access to the pseudo server 14. Furthermore, the pseudo server 14 intentionally delays its communication with the client. Providing the pseudo server 14 in this way shields the servers from the attack and lowers the frequency of the DoS attack without the attacking client noticing.
  • The client 1 may be, for example, a workstation, a personal computer, a PDA (Personal Digital Assistant), a mobile phone, or the like.
  • A program for causing the computer constituting the network management device to execute the above steps can be provided as a network management program.
  • The program described above can be executed by the computer constituting the network management device by storing it on a computer-readable recording medium.
  • Computer-readable recording media include portable storage media such as a CD-ROM, a flexible disk, a DVD disk, a magneto-optical disk, and an IC card; a database holding the computer program; other computers and their databases; and transmission media on a line.
  • The access control determination unit or access control determination step corresponds to the access control determination unit 32 and the maintenance input/output unit 33 of the embodiment.
  • As described above, system congestion can be avoided by having the network management device perform access control using the FW and router based on the attack notification from the server that received the DoS attack.
  • Because the server identifies the client and the network management device controls access for that client, pinpoint access control is possible. Since the server transmits the attack notification using general-purpose communication means, the present invention can be applied easily regardless of the model, vendor, and specifications of the server. Further, performing access control according to the history, frequency, and priority of DoS attacks enables effective access control matched to the situation. When access control is performed for a client that has made a DoS attack on one server, controlling access to the plurality of linked servers in cooperation minimizes the impact on those servers. In addition, because the network management device performs access control automatically, maintenance operations can be omitted.
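The following is an added example, not code from the patent or from Fujitsu, that models the access control determination unit 32 and the instructions it hands to the access control instruction unit 41: notifications are stored as an attack history, counted within a predetermined period and weighted by the restriction priority, a restriction is applied to every linked server at once, the release time grows with the number of past restrictions, and the restriction is released only when no notification arrived during the release time (the claims above and the FIG. 7 flow). The window of 60 s, the threshold of 3, the base release time of 300 s, the linear growth of the release time, the server names and the `(action, target, client_ip)` instruction tuples are all assumptions chosen for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackNotification:
    """One attack notification as a server would send it (client IP, user ID, type)."""
    time: float        # receive time in seconds
    server: str        # notifying server, e.g. "SCS11" (constructed name)
    client_ip: str
    user_id: str
    attack_type: str   # e.g. "ONE_RING"
    priority: int = 1  # restriction priority; 1 = ordinary (assumed scale)


@dataclass
class ClientState:
    restricted: bool = False
    restrict_count: int = 0            # how often this client was restricted before
    restricted_at: float = 0.0
    release_time: float = 0.0          # quiet seconds required before release
    attacked_during_release: bool = False


class AccessControlDeterminer:
    """Model of determination unit 32; parameters are constructed, not the patent's."""

    def __init__(self, linked_servers, window=60.0, threshold=3, base_release=300.0):
        self.linked_servers = frozenset(linked_servers)
        self.window = window              # predetermined period for counting
        self.threshold = threshold        # weighted count that triggers restriction
        self.base_release = base_release  # release time for a first restriction
        self.history = []                 # attack history (S12)
        self.clients = defaultdict(ClientState)
        self.instructions = []            # (action, target, client_ip) handed to unit 41

    def weighted_count(self, client_ip, now):
        """Notifications for this client within the window, summed over all linked
        servers and weighted by the restriction priority carried in each one."""
        return sum(n.priority for n in self.history
                   if n.client_ip == client_ip
                   and n.server in self.linked_servers
                   and now - n.time <= self.window)

    def _instruct(self, action, client_ip):
        # One instruction to the firewall plus one per linked server (pinpoint control).
        self.instructions.append((action, "FW3", client_ip))
        for server in sorted(self.linked_servers):
            self.instructions.append((action, server, client_ip))

    def on_notification(self, n):
        """S11-S13 and S31: store, count, and restrict once the threshold is reached.
        Returns True when this notification caused a new restriction."""
        self.history.append(n)
        state = self.clients[n.client_ip]
        if state.restricted:
            state.attacked_during_release = True   # remembered for S43
            return False
        if self.weighted_count(n.client_ip, n.time) < self.threshold:
            return False
        state.restricted = True
        state.restrict_count += 1
        state.restricted_at = n.time
        # S41: the release time grows with the number of past restrictions.
        state.release_time = self.base_release * state.restrict_count
        state.attacked_during_release = False
        self._instruct("RESTRICT", n.client_ip)
        return True

    def tick(self, now):
        """S42-S44: release clients whose release time has elapsed without a new
        notification. Returns the list of released client IPs."""
        released = []
        for ip, state in self.clients.items():
            if not state.restricted or now - state.restricted_at < state.release_time:
                continue
            if state.attacked_during_release:
                # Attacked while restricted: keep the restriction and restart the timer.
                state.restricted_at = now
                state.attacked_during_release = False
                continue
            state.restricted = False
            self._instruct("RELEASE", ip)
            released.append(ip)
        return released

    def is_restricted(self, client_ip):
        return self.clients[client_ip].restricted
```

A real deployment would replace `_instruct` with the firewall access-list change and the server-side login suspension the text describes, and would age the attack history so the list does not grow without bound; the summed, priority-weighted count across linked servers is what lets a client hammering several cooperating servers in turn cross the threshold even though no single server saw enough notifications on its own.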

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)

Abstract

A network management program causes a computer to execute a network management method in a system having a client (1) and a server. The program causes the computer to execute: an attack report reception step for receiving an attack report including information for identifying a client which has executed a DoS attack when one is caused from the client (1) to the server; an access control judgment step for judging access control to limit or release limit of access from the client which has executed the DoS attack to the server according to the attack report received in the attack report reception step; and an access control instruction step for executing an instruction of access control to outside according to the judgment in the access control judgment step.

Description

Specification
Network management program, server control program, network management apparatus, server, network management method
Technical field
[0001] The present invention relates to a network management program, a server control program, a network management device, a server, and a network management method that perform access control against a DoS attack on a server.
Background art
[0002] In recent years, there has been an increasing demand for client/server systems in which many users enjoy services such as file distribution and information disclosure. Here, the user accesses the server from a client via a wide area communication network such as the Internet or a mobile phone network. As an example of a client/server system, an IP telephone service is implemented in which call control is performed by a user accessing a VoIP (Voice over Internet Protocol) server.
[0003] The configuration of a conventional IP telephone system will be described. FIG. 9 is a block diagram showing an example of the configuration of a conventional IP telephone system. This IP telephone system consists of a client 1, an IP (Internet Protocol) network 2, a FW (firewall) 3, an SCS (SIP control server: Session Initiation Protocol control server) 111, an IMS (instant message server) 112, and a Web server 113. The SCS 111, IMS 112, and Web server 113 work together to provide the IP telephone service.
[0004] The client 1 normally accesses each server via the IP network 2 and the FW 3 for processing related to IP telephony, such as placing a call. The SCS 111 provides call processing including SIP protocol control, routing, and management of the location information of accommodated subscribers. The IMS 112 provides presence/messaging service call control, subscriber data management, and, as a Web-IF (Web interface), management of favorites lists and user information. The Web server 113 provides a front end for password changes, nickname changes, and stock communication.
[0005] As a related art related to the present invention, for example, Patent Document 1 shown below is known. This line connection permission device registers in advance whether a partner computer may connect, and uses that registered information to decide whether to permit the connection.
Patent Document 1: Japanese Patent Laid-Open No. 1-293040 (Page 2, Figure 1)
Disclosure of the invention
Problems to be solved by the invention
[0006] し力しながら、上述したようなサービスにおいては、利用者は増加傾向にあると共に 、特定のサーバに多数のクライアントが不定期にアクセスすることにより、一時的なァ クセス集中等が発生する。また、 IP電話サービスにおいては、サービス提供者による サーノリセット等を契機として、一時的に大量の制御メッセージ送受信が発生する。 また、利用者が不正アクセスを行った場合にも、同様の状況が発生する。このような アクセス集中の結果、中継ネットワークやサーバの負荷が増大し、サービス品質ゃレ スポンスの悪化、サービス停止等が発生する。  [0006] However, in the services described above, the number of users is increasing, and temporary access concentration occurs when a large number of clients access a specific server irregularly. . In IP phone service, a large amount of control messages are temporarily transmitted and received in response to a sano reset by the service provider. A similar situation occurs when a user performs unauthorized access. As a result of such concentration of access, the load on the relay network and server increases, resulting in service quality degradation, service interruption, and so on.
[0007] Further, in the conventional IP telephone system described above, assume that a DoS (Denial of Service) attack is made from the client 1 on each of the servers SCS 111, IMS 112, and Web server 113. Data formats that do not match the passthrough conditions that can be configured in advance on the FW 3 can be blocked by the FW 3, but DoS attacks using legitimate data formats, as seen in recent years, pass through the FW 3 and reach the servers.
[0008] Furthermore, the server has a DoS attack detection function, and when it judges that a DoS attack is in progress it restricts access from the source client. FIG. 10 is a sequence diagram showing an example of operation during a DoS attack in the conventional IP telephone system. Even when the server monitors for attacks, detects one, and imposes a restriction, it automatically releases that restriction once no attack has been received for a predetermined time. When attacks are repeated, therefore, the restrict and release operations are repeated, and this alone raises the load on the server.
[0009] DoS attacks on an IP telephone system include DoS attacks using legitimate SIP signalling, DoS attacks using malformed SIP signalling, one-ring ("wangiri") DoS attacks, and DoS attacks on the Web server. A wangiri DoS attack is one in which the sequence of originating a call and immediately sending a Cancel is repeated many times; for example, when the Cancel operation is repeated 17 or more times within 180 seconds, the server judges it to be a DoS attack. [0010] The present invention has been made to solve the problems described above, and its object is to provide a network management program, a server control program, a network management device, a server, and a network management method for performing access control appropriate to the state of a DoS attack on a server.
Means for Solving the Problems
[0011] To solve the problems described above, the present invention is a network management program that causes a computer to execute a network management method in a system comprising a client and a server, the program causing the computer to execute: an attack notification receiving step of receiving from the server, when a DoS attack is made from the client on the server, an attack notification including information identifying the client that performed the DoS attack; an access control determination step of determining, based on the attack notification received in the attack notification receiving step, access control that restricts, or releases the restriction of, access from the client that performed the DoS attack to the server; and an access control instruction step of issuing an instruction for the access control to the outside based on the determination of the access control determination step.
[0012] In the network management program according to the present invention, the access control determination step displays to a maintenance operator a screen for operating the access control, and determines the access control based on the maintenance operator's operation.
[0013] In the network management program according to the present invention, the access control step causes a firewall or router connected between the client and the server to change its access list.
[0014] In the network management program according to the present invention, the access control step causes the server to delete the user information of, or stop the login of, the user of the client that performed the DoS attack.
[0015] In the network management program according to the present invention, the access control step causes a firewall or router connected between the client and the server to apply a routing setting that replaces access from the client that performed the DoS attack to the server with access from that client to an external pseudo server. [0016] In the network management program according to the present invention, the pseudo server delays communication with the client.
[0017] In the network management program according to the present invention, when a plurality of cooperating servers exist, the access control determination step also makes a client that has become subject to restriction for one server subject to restriction for the other cooperating servers.
[0018] In the network management program according to the present invention, the access control determination step counts the number of attack notifications within a predetermined period and determines the access control based on that number.
[0019] In the network management program according to the present invention, the attack notification includes a priority for the access control, and the access control is determined based on both the number of attack notifications within the predetermined period and the priority.
[0020] In the network management program according to the present invention, the access control determination step determines that the restriction is to be released when no attack notification for a client under restriction has been received during a predetermined restriction release time.
[0021] In the network management program according to the present invention, the access control determination step determines the restriction release time based on the number of times the client subject to restriction has been restricted in the past.
[0022] In the network management program according to the present invention, the attack notification is transmitted using any of SNMP Trap, Syslog, and Telnet.
[0023] In the network management program according to the present invention, the information identifying the client is information that identifies a network device, such as an IP address.
[0024] In the network management program according to the present invention, the information identifying the client is information that identifies a user, such as a login ID. [0025] The present invention is also a server control program that causes a computer to execute a server control method in a system comprising a client and a server, the program causing the computer to execute: an attack detection step of detecting a DoS attack from the client; and an attack notification transmission step of transmitting to the outside, based on the detection in the attack detection step, an attack notification including information identifying the client that performed the DoS attack.
[0026] The present invention is also a network management device that manages a system comprising a client and a server, the device comprising: an attack notification receiving unit that receives from the server, when a DoS attack is made from the client on the server, an attack notification including information identifying the client that performed the DoS attack; an access control determination unit that determines, based on the attack notification received by the attack notification receiving unit, access control that restricts, or releases the restriction of, access from the client that performed the DoS attack to the server; and an access control instruction unit that issues an instruction for the access control to the outside based on the determination of the access control determination unit.
[0027] The present invention is also a server that provides a service to a client, the server comprising: an attack detection unit that detects a DoS attack from the client; and an attack notification transmission unit that transmits to the outside, based on the detection by the attack detection unit, an attack notification including information identifying the client that performed the DoS attack.
[0028] The present invention is also a network management method in a system comprising a client and a server, the method comprising: an attack notification receiving step of receiving from the server, when a DoS attack is made from the client on the server, an attack notification including information identifying the client that performed the DoS attack; an access control determination step of determining, based on the attack notification received in the attack notification receiving step, access control that restricts, or releases the restriction of, access from the client that performed the DoS attack to the server; and an access control instruction step of issuing an instruction for the access control to the outside based on the determination of the access control determination step.
[0029] The present invention is also a server control method in a system comprising a client and a server, the method comprising: an attack detection step of detecting a DoS attack from the client; and an attack notification transmission step of transmitting to the outside, based on the detection in the attack detection step, an attack notification including information identifying the client that performed the DoS attack.
Brief Description of the Drawings
[0030] FIG. 1 is a block diagram showing an example of the configuration of an IP telephone system according to the present invention.
FIG. 2 is a block diagram showing an example of the configuration of a server according to the present invention.
FIG. 3 is a block diagram showing an example of the configuration of a network management device according to the present invention.
FIG. 4 is a sequence diagram showing an example of operation during a DoS attack in the IP telephone system according to the present invention.
FIG. 5 is a flowchart showing an example of the operation of the network monitoring device according to the present invention.
FIG. 6 is a screen showing an example of the attack monitoring screen according to the present invention.
FIG. 7 is a flowchart showing an example of the operation of the network management device according to the present invention when access control is performed automatically.
FIG. 8 is a block diagram showing an example of the configuration of the IP telephone system according to the present invention when a pseudo server is used.
FIG. 9 is a block diagram showing an example of the configuration of a conventional IP telephone system.
FIG. 10 is a sequence diagram showing an example of operation during a DoS attack in a conventional IP telephone system.
Best Mode for Carrying Out the Invention
[0031] Embodiments of the present invention are described below with reference to the drawings.
[0032] As in the background art, an IP telephone system is described as an example of a client/server system according to the present invention.
[0033] First, the configuration of the IP telephone system according to the present invention is described.
[0034] FIG. 1 is a block diagram showing an example of the configuration of the IP telephone system according to the present invention. In FIG. 1, the same reference numerals as in FIG. 9 denote the same or corresponding elements as in FIG. 9, and their description is omitted here. Compared with FIG. 9, the IP telephone system of FIG. 1 newly comprises a network management device 10. Also compared with FIG. 9, the IP telephone system of FIG. 1 comprises an SCS 11 in place of the SCS 111, an IMS 12 in place of the IMS 112, and a Web server 13 in place of the Web server 113. Here, the FW 3 may be a router. [0035] FIG. 2 is a block diagram showing an example of the configuration of a server according to the present invention. The server is any one of the SCS 11, the IMS 12, and the Web server 13. This server comprises a service processing unit 21, an attack detection unit 22, and an attack notification transmission unit 23. FIG. 3 is a block diagram showing an example of the configuration of the network management device according to the present invention. The network management device 10 comprises an attack notification receiving unit 31, an access control determination unit 32, a maintenance input/output unit 33, and an access control instruction unit 41.
[0036] Next, the operation of the IP telephone system according to the present invention during a DoS attack is described.
[0037] FIG. 4 is a sequence diagram showing an example of operation during a DoS attack in the IP telephone system according to the present invention, and FIG. 5 is a flowchart showing an example of the operation of the network monitoring device according to the present invention. First, the attack detection unit 22 of the server monitors for DoS attacks from the client 1 (T11) (T31). The setting items of the attack detection unit 22 include, for example: a flag indicating whether the server's own restriction against a DoS attack is released on a timer; the time until that restriction is released by the timer; the targets monitored for DoS attacks; a flag for each type of DoS attack indicating whether that type is monitored; the time window over which consecutive DoS attacks are monitored; and the frequency threshold at which a DoS attack is detected.
[0038] When the client 1 makes a DoS attack on the server and the attack detection unit 22 judges it to be a DoS attack, the attack notification transmission unit 23 transmits to the network management device 10 an attack notification carrying information about the DoS attack (T12) (T32). The attack notification includes information such as the client IP address, the user ID, and the DoS attack type. Here, the SCS 11 and the IMS 12 transmit the attack notification to the network management device 10 using SNMP Trap or Telnet, and the Web server 13 transmits it using Syslog or Telnet.
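The following Python block is an added illustration, not code from this patent or from Fujitsu, of the server-side detection and notification described in [0009], [0037] and [0038]: a sliding-window counter per client IP and attack type, configurable per type with a monitor flag, a window and a frequency threshold, that emits an attack notification carrying client IP, user ID and attack type. The 17-Cancels-in-180-seconds wangiri rule is the one stated in [0009]; the attack-type labels, the second and third rules, the sample traces and the syslog line layout are assumptions made for this example (the patent specifies the transports, not the message format).

```python
# Added example, not code from the patent.  Models the attack detection unit 22
# and attack notification transmission unit 23 of FIG. 2 with the per-type
# monitoring flag, window and frequency threshold of [0037] and the notification
# content of [0038].  The 17 CANCELs / 180 s wangiri rule is from [0009]; the
# event names, the other rules and the syslog line layout are assumptions.
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class DetectionRule:
    attack_type: str        # label of the monitored DoS attack type (assumed names)
    window_seconds: int     # period over which consecutive events are counted
    threshold: int          # event count within the window judged to be a DoS attack
    enabled: bool = True    # per-type monitor flag


@dataclass(frozen=True)
class AttackNotification:
    client_ip: str
    user_id: str
    attack_type: str
    count: int
    detected_at: int

    def to_syslog(self) -> str:
        """Syslog-style rendering; the patent fixes the transport, not the layout."""
        return (f"DOS_ATTACK type={self.attack_type} client={self.client_ip} "
                f"user={self.user_id} count={self.count} t={self.detected_at}")


class AttackDetector:
    """Sliding-window counter per (client IP, attack type)."""

    def __init__(self, rules):
        self.rules = {r.attack_type: r for r in rules}
        self._events = defaultdict(deque)   # (client_ip, attack_type) -> timestamps

    def observe(self, ts, client_ip, user_id, attack_type):
        """Record one event; return an AttackNotification when its rule fires."""
        rule = self.rules.get(attack_type)
        if rule is None or not rule.enabled:
            return None
        q = self._events[(client_ip, attack_type)]
        q.append(ts)
        # Keep only events inside the closed window [ts - window, ts].
        while q and q[0] < ts - rule.window_seconds:
            q.popleft()
        if len(q) < rule.threshold:
            return None
        count = len(q)
        q.clear()   # fresh window, so a sustained attack yields repeated notifications
        return AttackNotification(client_ip, user_id, attack_type, count, ts)


RULES = [
    DetectionRule("WANGIRI", window_seconds=180, threshold=17),        # [0009]
    DetectionRule("INVALID_SIP", window_seconds=60, threshold=50),     # assumed
    DetectionRule("WEB_FLOOD", window_seconds=10, threshold=200, enabled=False),
]


def run_sample():
    """Constructed SIP CANCEL traces: one attacker, one legitimate but busy user."""
    det = AttackDetector(RULES)
    notifications = []
    # Legitimate user: 17 CANCELs, but 12 s apart, so never 17 within 180 s.
    for k in range(17):
        n = det.observe(12 * k, "192.0.2.20", "u020", "WANGIRI")
        if n:
            notifications.append(n)
    # Attacker: CANCELs 5 s apart; the rule fires at the 17th (t = 1080).
    for k in range(20):
        n = det.observe(1000 + 5 * k, "192.0.2.10", "u010", "WANGIRI")
        if n:
            notifications.append(n)
    # A type whose monitor flag is off produces nothing.
    assert det.observe(2000, "192.0.2.10", "u010", "WEB_FLOOD") is None
    return notifications
```

Calling `run_sample()` returns one notification, for 192.0.2.10 with count 17 at t=1080; the legitimate client never trips the rule because its 17 Cancels span 192 seconds. The window is closed at both ends, so an event exactly 180 seconds after the first still counts, which is the boundary a practitioner should settle explicitly when porting such a rule.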
[0039] In the network management device 10, the attack notification receiving unit 31 determines whether an attack notification has been received (S11). If none has been received (S11, N), processing returns to S11 and waits. When an attack notification is received (S11, Y), the access control determination unit 32 stores its content as attack history (S12) (T21) (T41) and determines whether the corresponding client is subject to restriction (S13). A client subject to restriction is one whose access to the corresponding server is restricted, either by blocking it or by reducing the permitted amount. Here, the access control determination unit 32 uses the attack history to count the attack notifications received within a predetermined period for each server and each client, and from that count determines whether the client is subject to restriction and which type of access control to apply.
[0040] If the client is not subject to restriction (S13, N) (T22), this flow ends. If it is subject to restriction (S13, Y) (T42), the maintenance input/output unit 33 displays the attack monitoring screen and shows the restriction target to the maintenance operator (S21) (T43). Next, the maintenance input/output unit 33 determines whether the maintenance operator has performed a restriction operation (S22). If no restriction operation was performed (S22, N), this flow ends. If a restriction operation was performed (S22, Y), the access control instruction unit 41 issues a restriction instruction to the FW and the server (S23) (T44), and this flow ends. The network management device 10 then repeats this flow.
[0041] The FW 3 restricts access from the restricted client to the server by changing its access list in accordance with the restriction instruction received from the network management device 10 (T51). The server, in accordance with the restriction instruction received from the network management device 10, changes the user information of, or stops the login of, the user of the restricted client (T52).
[0042] Next, the attack monitoring screen is described.
[0043] FIG. 6 is a screen showing an example of the attack monitoring screen according to the present invention. The attack monitoring screen has as its items a filter setting button, subscriber IP address, first reception date/time, latest reception date/time, access count, status, restriction/release date/time, and a delete button. These items are displayed for each client reported by an attack notification.
[0044] The filter setting button is a restrict button while the corresponding client is not under restriction, and when pressed it sets a filter that restricts that client; while the client is under restriction it is a release button, and when pressed it removes the restricting filter. The subscriber IP address shows the IP address of the corresponding client. The first reception date/time is when the first attack notification for the corresponding client was received, and the latest reception date/time is when the most recent one was received. The access count shows the number of accesses from the corresponding client. The status shows one of normal, monitoring, or restricted. The restriction/release date/time shows when the restriction was last released if the client is not under restriction, or when the restriction began if it is. The delete button, when pressed, removes the corresponding client from the list. Clients may also be sorted in the order in which their attack notifications were received, and clients for which a predetermined number or more of attack notifications have been received may be highlighted.
[0045] Next, the operation of releasing a restriction while it is in effect is described.
[0046] While a restriction is in effect, the maintenance input/output unit 33 displays the release button for the restricted client on the attack monitoring screen described above and waits for a release operation by the maintenance operator. When the maintenance operator performs a release operation at the maintenance input/output unit 33, the access control instruction unit 41 issues a release instruction to the FW and the server in accordance with that operation.
[0047] The attack notification transmitted from the server to the network management device 10 may also include a restriction priority. The restriction priority is information indicating how urgently the reported DoS attack needs to be dealt with. When the maintenance input/output unit 33 displays on the attack monitoring screen a rank such as emergency, alarm, caution, or information, derived from the restriction priority, the number of attack notifications received within a predetermined period, the number of affected users, and so on, the maintenance operator can easily judge whether an immediate response is needed or continued monitoring is sufficient. By sorting and displaying clients in the order in which they need to be handled, or by highlighting clients that need urgent handling even when the list is sorted by another item, the urgency of the response can be communicated to the maintenance operator early.
[0048] In the present embodiment, the release instruction is issued when the maintenance operator presses the release button during restriction. Alternatively, when the restriction is imposed, the access control determination unit 32 may determine the time until release and notify the maintenance operator of this restriction release time. The restriction release time is determined according to how malicious the DoS attack is, for example from the attack frequency derived from the reception dates and times of the attack notifications and from the number of times the restricted client has been restricted in the past. A release priority indicating whether release is advisable may also be displayed on the attack monitoring screen; it is likewise determined according to the maliciousness of the DoS attack. Displaying this release priority helps prevent the maintenance operator from releasing a restriction by mistake.
[0049] In the present embodiment, the maintenance operator performs the restriction and release operations based on the attack monitoring screen. Alternatively, the network management device 10 may issue the restriction and release instructions automatically, without any operator action. The operation of the network management device in that case is described below.
[0050] FIG. 7 is a flowchart showing an example of the operation of the network management device according to the present invention when access control is performed automatically. Steps S11 to S13 are the same as in FIG. 5. When there is a restriction target (S13, Y), the access control instruction unit 41 issues a restriction instruction for that target to the FW and the server (S31). Next, the access control determination unit 32 determines the restriction release time by the method described above (S41) and checks whether it has elapsed (S42). If it has not elapsed (S42, N), processing returns to S42 and waits. When it has elapsed (S42, Y), the access control determination unit 32 determines whether an attack notification for the restricted client was received during the restriction release time (S43). If one was received (S43, Y), this flow ends with the restriction still in place. If none was received (S43, N), the access control instruction unit 41 issues a release instruction (S44), and this flow ends. The network management device 10 then repeats this flow.
[0051] By operating in this way, the network management device 10 can impose and release restrictions automatically, without any operator action.
[0052] In the present embodiment, the network management device 10 applies access control only to the server on which the DoS attack was made. When a plurality of servers cooperate to provide a service, however, a DoS attack may be made on several of them. The network management device 10 may therefore hold a list of the cooperating servers and, when a client becomes subject to restriction for one of them, judge that client subject to restriction for all of the cooperating servers.
[0053] In this case, the attack history of a given client is consolidated across all cooperating servers, and the number of attack notifications for that client is likewise summed across all cooperating servers. By operating in this way, the network management device 10 can restrict efficiently when a plurality of servers cooperate to provide a service. [0054] The IP telephone system according to the present embodiment may further comprise a pseudo server. FIG. 8 is a block diagram showing an example of the configuration of the IP telephone system according to the present invention when a pseudo server is used. The same reference numerals as in FIG. 1 denote the same or corresponding elements as in FIG. 1, and their description is omitted here. Compared with FIG. 1, the IP telephone system of FIG. 8 newly comprises a pseudo server 14.
[0055] Next, the operation of the IP telephone system according to the present embodiment when it includes a pseudo server will be described. When the access control instruction unit 41 issues a restriction instruction, it performs a routing setting that changes the routing table of the FW 3 or a router so that access to any of the SCS 11, the IMS 12 and the Web server 13 is replaced by access to the pseudo server 14. The pseudo server 14 further delays its communication with the client intentionally. Providing the pseudo server 14 in this way prevents the attack on the server and reduces the frequency of DoS attacks without the attacking client becoming aware of it.
[0056] The client 1 according to the present invention may be, for example, a workstation, a personal computer, a PDA (Personal Digital Assistant) or a mobile telephone.
[0057] Furthermore, a program that causes the computer constituting the network management device to execute the steps described above can be provided as a network management program. By storing this program on a computer-readable recording medium, the computer constituting the network management device can be made to execute it. Computer-readable recording media here include portable storage media such as CD-ROMs, flexible disks, DVD disks, magneto-optical disks and IC cards, databases holding computer programs, other computers and their databases, and also transmission media on a communication line.
[0058] The access control determination unit or the access control determination step corresponds to the access control determination unit 32 and the maintenance input/output unit 33 of the embodiment.
Industrial applicability
[0059] As described above, system congestion can be avoided by having the network management device perform access control through the FW or a router on the basis of an attack notification from a server that has suffered a DoS attack. Since the server identifies the client and the network management device applies access control to that client, pinpoint access control becomes possible. Because the server sends the attack notification using general-purpose communication means, the present invention can be applied easily regardless of the model, vendor or server specification. Performing access control according to the history, frequency and priority of DoS attacks allows effective access control suited to the situation. When access control is applied to a client that has launched a DoS attack on one server, applying it to the cooperating servers as well keeps the impact on those servers to a minimum. Finally, because the network management device applies access control automatically, the operator's intervention can be dispensed with.

Claims
[1] A network management program that causes a computer to execute a network management method in a system comprising a client and a server, the program causing the computer to execute:
an attack notification receiving step of receiving, from the server, an attack notification containing information identifying the client that carried out a DoS attack, when a DoS attack from the client on the server has occurred;
an access control determination step of determining, on the basis of the attack notification received in the attack notification receiving step, access control that restricts, or releases the restriction on, access to the server from the client that carried out the DoS attack; and
an access control instruction step of issuing an instruction for the access control to the outside on the basis of the determination of the access control determination step.
[2] The network management program according to claim 1, wherein the access control determination step displays to a maintenance operator a screen for operating the access control and determines the access control on the basis of the operator's operation.
[3] The network management program according to claim 1, wherein the access control step causes a firewall or router connected between the client and the server to change its access list.
[4] The network management program according to claim 1, wherein the access control step causes the server to delete the user information of, or suspend the login of, the user of the client that carried out the DoS attack.
[5] The network management program according to claim 1, wherein the access control step causes a firewall or router connected between the client and the server to perform a routing setting that replaces access from the client that carried out the DoS attack to the server with access from that client to an external pseudo server.
[6] The network management program according to claim 5, wherein the pseudo server delays its communication with the client.
[7] The network management program according to claim 1, wherein, when a plurality of cooperating servers exist, the access control determination step treats a client that has become subject to the restriction for one server as subject to the restriction for the other cooperating servers as well.
[8] The network management program according to claim 1, wherein the access control determination step counts the number of attack notifications within a predetermined period and determines the access control on the basis of the number of attack notifications within the predetermined period.
[9] The network management program according to claim 1, wherein the attack notification contains a priority of the access control, and the access control is determined on the basis of the number of attack notifications within the predetermined period and the priority.
[10] The network management program according to claim 1, wherein the access control determination step determines to release the restriction when no attack notification concerning a restricted client has been received for a predetermined restriction release time.
[11] The network management program according to claim 10, wherein the access control determination step determines the restriction release time on the basis of the number of times the restricted client has been restricted in the past.
[12] The network management program according to claim 1, wherein the attack notification is transmitted using one of SNMP-Trap, Syslog and Telnet.
[13] The network management program according to claim 1, wherein the information identifying the client is information identifying a network device, such as an IP address.
[14] The network management program according to claim 1, wherein the information identifying the client is information identifying a user, such as a login ID.
[15] A server control program that causes a computer to execute a server control method in a system comprising a client and a server, the program causing the computer to execute:
an attack detection step of detecting a DoS attack from the client; and
an attack notification transmitting step of transmitting to the outside, on the basis of the detection by the attack detection step, an attack notification containing information identifying the client that carried out the DoS attack.
[16] A network management device that manages a system comprising a client and a server, the device comprising:
an attack notification receiving unit that receives, from the server, an attack notification containing information identifying the client that carried out a DoS attack, when a DoS attack from the client on the server has occurred;
an access control determination unit that determines, on the basis of the attack notification received by the attack notification receiving unit, access control that restricts, or releases the restriction on, access to the server from the client that carried out the DoS attack; and
an access control instruction unit that issues an instruction for the access control to the outside on the basis of the determination of the access control determination unit.
[17] A server that provides a service to a client, the server comprising:
an attack detection unit that detects a DoS attack from the client; and
an attack notification transmitting unit that transmits to the outside, on the basis of the detection by the attack detection unit, an attack notification containing information identifying the client that carried out the DoS attack.
[18] A network management method in a system comprising a client and a server, the method comprising:
an attack notification receiving step of receiving, from the server, an attack notification containing information identifying the client that carried out a DoS attack, when a DoS attack from the client on the server has occurred;
an access control determination step of determining, on the basis of the attack notification received in the attack notification receiving step, access control that restricts, or releases the restriction on, access to the server from the client that carried out the DoS attack; and
an access control instruction step of issuing an instruction for the access control to the outside on the basis of the determination of the access control determination step.
A server control method in a system comprising a client and a server, the method comprising:
an attack detection step of detecting a DoS attack from the client; and
an attack notification transmitting step of transmitting to the outside, on the basis of the detection by the attack detection step, an attack notification containing information identifying the client that carried out the DoS attack.
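The judgement logic of paragraphs [0052]-[0053] and claims 8-11 (notification count within a predetermined period, priority, aggregation across cooperating servers, and a release time that grows with past restrictions), as an added Python example that is not the patent's or Fujitsu's own code; the syslog line layout, the server names, the thresholds and the release-time formula are assumptions made here, and the notifications are constructed.

```python
# Added example, not Fujitsu's code: line format, names, thresholds, formula are assumed.
import re
from collections import defaultdict
from datetime import datetime, timezone
LINKED_GROUPS = [{"scs11", "ims12", "web13"}]   # cooperating servers ([0052]), constructed
WINDOW = 60                                      # predetermined period of claim 8 (s), assumed
THRESHOLD_BY_PRIO = {1: 5, 2: 3, 3: 1}           # notices per WINDOW to regulate (claim 9), assumed
BASE_RELEASE = 300                               # base restriction release time, claim 10 (s)
NOTICE_RE = re.compile(r"^<\d+>(?P<ts>\S+) (?P<server>\S+) dosdet: ATTACK "
                       r"client=(?P<client>\S+) prio=(?P<prio>[123])$")
def parse_notice(line):
    """Parse one constructed syslog attack notification (claim 12); None if malformed."""
    m = NOTICE_RE.match(line.strip())
    if not m: return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts.timestamp(), "server": m["server"],
            "client": m["client"], "prio": int(m["prio"])}

def linked_servers(server):
    """Every server cooperating with `server`, itself included ([0052])."""
    for group in LINKED_GROUPS:
        if server in group:
            return set(group)
    return {server}

class AccessControlJudge:
    def __init__(self):
        self.history = defaultdict(list)           # client -> [(ts, server)], all servers
        self.regulated = {}                        # client -> current restriction state
        self.past_restrictions = defaultdict(int)  # completed restrictions (claim 11)

    def on_notice(self, n):
        """Claims 8-9 with [0053]: sum notices from all linked servers inside WINDOW."""
        client, ts, group = n["client"], n["ts"], linked_servers(n["server"])
        self.history[client].append((ts, n["server"]))
        if client in self.regulated:       # still attacking: restart the quiet timer
            self.regulated[client]["last_seen"] = ts
            return None
        recent = [s for t, s in self.history[client] if ts - t <= WINDOW and s in group]
        if len(recent) < THRESHOLD_BY_PRIO[n["prio"]]:
            return None
        release_after = BASE_RELEASE * (1 + self.past_restrictions[client])  # claim 11
        self.regulated[client] = {"servers": group, "last_seen": ts,
                                  "release_after": release_after}
        return ("regulate", client, sorted(group), release_after)   # whole group ([0052])

    def on_timer(self, now):
        """Claim 10: release clients that stayed silent for their whole release time."""
        released = []
        for client, st in list(self.regulated.items()):
            if now - st["last_seen"] >= st["release_after"]:
                released.append(("release", client, sorted(st["servers"])))
                self.past_restrictions[client] += 1
                del self.regulated[client]
        return released

# Constructed notifications: one client hits all three linked servers within 26 s.
SAMPLE_LINES = [
    "<132>2005-01-14T09:00:05Z scs11 dosdet: ATTACK client=192.0.2.10 prio=2",
    "<132>2005-01-14T09:00:20Z ims12 dosdet: ATTACK client=192.0.2.10 prio=2",
    "<132>2005-01-14T09:00:31Z web13 dosdet: ATTACK client=192.0.2.10 prio=2",
    "<132>2005-01-14T09:01:00Z web13 dosdet: ATTACK client=198.51.100.7 prio=1",
]

def simulate(lines, quiet_seconds):
    """Feed the notices, then run the release timer `quiet_seconds` after the last."""
    judge, notices = AccessControlJudge(), [n for n in map(parse_notice, lines) if n]
    actions = [a for a in map(judge.on_notice, notices) if a]
    return actions + judge.on_timer(notices[-1]["ts"] + quiet_seconds)
```

With the sample, the third notice reaches the priority-2 threshold and the client is restricted on all three cooperating servers at once; a second restriction of the same client would carry a doubled release time.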
PCT/JP2005/000335 2005-01-14 2005-01-14 Network management program, server control program, network management device, server, and network management method WO2006075378A1 (en)
Publications (1)

Publication Number Publication Date
WO2006075378A1 true WO2006075378A1 (en) 2006-07-20