WO2008069043A1 - Système de communication et dispositif de gestion d'adresses, et procédé et programme de gestion d'adresses utilisés par ceux-ci - Google Patents

Système de communication et dispositif de gestion d'adresses, et procédé et programme de gestion d'adresses utilisés par ceux-ci Download PDF

Info

Publication number
WO2008069043A1
WO2008069043A1 PCT/JP2007/072804 JP2007072804W WO2008069043A1 WO 2008069043 A1 WO2008069043 A1 WO 2008069043A1 JP 2007072804 W JP2007072804 W JP 2007072804W WO 2008069043 A1 WO2008069043 A1 WO 2008069043A1
Authority
WO
WIPO (PCT)
Prior art keywords
identification information
traceable
address management
server
client device
Prior art date
Application number
PCT/JP2007/072804
Other languages
English (en)
Japanese (ja)
Inventor
Shigeyoshi Shima
Original Assignee
Nec Corporation
Kitamura, Hiroshi
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nec Corporation, Kitamura, Hiroshi filed Critical Nec Corporation
Publication of WO2008069043A1 publication Critical patent/WO2008069043A1/fr

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441Countermeasures against malicious traffic
    • H04L63/1458Denial of Service

Definitions

  • the present invention relates to a communication system, an address management device, an address management method used for them, and an address management program. Note that this application claims priority based on Japanese Application No. 2006-331401, and the disclosure of Japanese Application No. 2006-331401 is incorporated herein by reference.
  • an object of the present invention is to solve the above-described problems and to prevent an attack performed on a server from a malicious user terminal or an untrusted client, and a communication system and address management It is an object of the present invention to provide an apparatus, an address management method used therefor, and a program thereof.
  • a communication system includes a client device and a client. And an address management device that generates identification information for identifying the server device in response to detection of a sign that an access request from the client device to the server device is generated.
  • the address management device pays out by setting the valid period available to the client device as identification information.
  • the client device makes an access request to the server using the issued identification information.
  • An address management device manages identification information used when a client device accesses a server device.
  • the address management device includes an identification information generation unit and an identification information payout unit.
  • the identification information generation unit generates identification information that identifies the server device in response to detection of an indication that an access request from the client device to the server device is generated.
  • the identification information payout unit sets the valid period in which the client device can be used for the identification information and pays it out.
  • An address management method is a method for managing identification information used for a client device to access a server device.
  • the address management method includes a step of generating identification information for identifying a server device in response to detection of an indication that an access request from the client device to the server device is generated, and a valid period in which the client device can use the identification information. And a step of paying out identification information having a valid period set.
  • the address management method according to the fourth exemplary aspect of the present invention is realized by a program executed by a computer.
  • the identification information for specifying the server has a valid period of use, so it is possible to perform DoS attacks and unauthorized access attacks from malicious user terminals and untrusted clients. It becomes possible to make it difficult to receive.
  • FIG. 1 is a block diagram showing a configuration of a communication system according to a first embodiment of the present invention.
  • FIG. 2 is a configuration example of a traceable ID management server according to the present invention. It is a block diagram showing FIG. 3 is a diagram showing a state transition of a traceable ID generated by a traceable ID generation unit according to the present invention.
  • FIG. 4A is a diagram showing an outline of a timer in the traceable ID management unit according to the present invention.
  • FIG. 4B is a diagram showing an outline of a timer in the traceable ID management unit according to the present invention.
  • FIG. 5 is a sequence chart showing the operation of the communication system according to the first exemplary embodiment of the present invention.
  • FIG. 6 is a flowchart showing the operation of the traceable ID management server according to the present invention.
  • FIG. 7 is a block diagram showing a configuration of a communication system according to a second exemplary embodiment of the present invention.
  • FIG. 8 is a sequence chart showing the operation of the communication system according to the second exemplary embodiment of the present invention.
  • FIG. 1 is a block diagram showing a configuration of a communication system according to a first exemplary embodiment of the present invention.
  • the communication system according to the first embodiment of the present invention is configured by arranging a DNS (Domain Name System) server 3 between sites 100 and 200.
  • a security gateway (Security GateWay) (A) 11 and a server (A) 14 are installed at the site 100, and a security gateway (B) 21 and a client (B) 22 are installed at the site 200. ing.
  • DNS Domain Name System
  • the security gateway (A) 11 includes a security gateway 12 and a traceable ID (IDentifier) management server 13. Traceable The ID management server 13 receives a notification of an access request from the client (B) 22 to the server (A) 14 from the security gateway 12 and communicates with the server (A) 14 for each client (B) 22 A traceable ID (Traceable Private ID) to be assigned to is generated, and the traceable ID is returned to the client (B) 22. In this case, the valid period information (aging information) set in advance is included in the traceable ID. Is granted.
  • the traceable ID management server 13 pays out the generated traceable ID to the server (A) 14 and the client HB) 22. At this time, a traceable ID is set in the security gateway 12. The security gateway 12 receives an access request from the client (B) 22 using the set traceable ID.
  • the traceable ID management server 13 When the traceable ID management server 13 receives a disconnection notification from the client (B) 22 via the security gateway 12, the traceable ID assigned to each client (B) 22 is discarded. Alternatively, the traceable ID management server 13 discards the traceable ID assigned to each client (B) 22 when the period indicated by the valid period information (aging information) given in advance to the traceable ID elapses. At this time, the traceable ID management server 13 notifies the security gateway 12 and the server (A) 14 that the traceable ID has been discarded. Thereafter, when the client HB) 22 makes an access request using the discarded traceable ID, the security gateway 12 notifies that the traceable ID is invalid.
  • FIG. 2 is a block diagram showing a configuration example of the traceable ID management server 13 of FIG.
  • the traceable ID management server 13 includes a CPU (central processing unit) 131, a memory 132, a traceable ID management table 133, and a communication control unit 134.
  • the CPU 131 has functions of a traceable ID generation unit 131a and a traceable ID payout unit 131b.
  • the traceable ID generation unit 131a and the traceable ID payout unit 131b are realized by the CPU 131 executing a program stored in the memory 132.
  • the traceable ID generation unit 131a When the traceable ID generation unit 131a receives a predictive notification indicating the possibility of an access request from the client (B) 22 to the sano (A) 14, it refers to the traceable ID management table 133. Select one of the IDs that can be tracked. Alternatively, the traceable ID generation unit 131a generates a new traceable ID upon receiving the predictive notification. The traceable ID generation unit 131a passes the selected or generated traceable ID to the traceable ID issuing unit 131b and the traceable ID management unit 131c.
  • the traceable ID management unit 131c associates the traceable ID passed from the traceable ID generation unit 131a with the client (B) 22 that has predicted the access request, into a traceable ID management table. Record. At this time, the trackable ID management unit 131c selects or generates the tracked The valid period information (aging information) set in advance is assigned to the possible ID and recorded in the traceable ID management table 133.
  • the traceable ID issuing unit 13 lb sends the traceable ID passed from the traceable ID generating unit 131 a to the client (B) 22 (DNS server 3) and the server (A) 14 via the communication control unit 134. Pay out.
  • the traceable ID management table 133 indicates that the requester of access to the server (A) 14 [in the above case, the client (B) 22] and the traceable ID (issued to the requester [client (B) 22]) ( For example, “ & ”) and validity period information (aging information) (for example, “b”) are stored in association with each other.
  • the traceable ID is an ID assigned to each communication partner with the server (A) 14 (source of access to the server (A) 14) [for example, IP (Internet Protocol) that is generated and disappears according to the state Address].
  • the traceable ID is an ID that can be used by the user terminal or client that is the request source only during the period indicated by the valid period information (aging information).
  • the traceable ID management unit 131c transitions to a state in which the availability of a traceable ID is determined using an upper limit timer (Upper Limit Timer) or an LPA timer (Last Packet Accepted Timer).
  • an upper limit timer Upper Limit Timer
  • an LPA timer Last Packet Accepted Timer
  • FIG. 3 is a diagram showing a state transition of the traceable ID generated by the traceable ID generation unit 131a of FIG. 4A and 4B are diagrams showing an outline of each timer shown in FIG.
  • Figure 4A shows the validity period when the upper limit timer times out.
  • Figure 4B shows the validity period when the LPA timer times out.
  • the state of the traceable ID is the new session acceptance (NSA: New Session
  • the transition is in the order of Accepted state A1, New Session Forbidden (NSF) state A2, and Un-reach notification (URN) state A3.
  • NSF New Session Forbidden
  • UPN Un-reach notification
  • New Session Acceptance (NSA) state A1 is a state where a traceable ID is available.
  • the FPA (First Packet Accepted) flag (Flag) used as this state value is used for the condition of “ban or end session at the time of state transition”.
  • the new session prohibited (NSF) state A 2 is a state in which a traceable ID can be used only for an existing session (Old Session). In other words, a traceable ID can be used for an existing session (Old Session), and a traceable ID cannot be used for a new session (New Session).
  • the traceable ID is aged by the LPA timer.
  • Non-delivery notification (URN) state A3 is a state in which the traceable ID cannot be used.
  • the client (B) 22 is notified that the packet does not reach the traceable ID.
  • the state transition of the traceable ID shown in FIG. 3 is applicable to any protocol such as TCP (Transmission Control Protocol), UDP (User Datagram Protocol), and ICMP (Internet Control Mess age Protocol).
  • TCP Transmission Control Protocol
  • UDP User Datagram Protocol
  • ICMP Internet Control Mess age Protocol
  • the NSA State Timer (New Session Accepted State Timer) measures the usage time of the assigned trackable ID.
  • NSF NSF
  • End 0
  • the upper limit timer is a timer for forcibly making the traceable ID unavailable.
  • the upper limit timer starts at the transition of the available state, and when it expires at the time-out (Expired), the state of the traceable ID transitions to the non-delivery notification (URN) state A3. Move.
  • the LP A timer (Last Packet Accepted Timer) is a timer for monitoring communication keep-alive.
  • the timer value of the LPA timer is variable depending on the learning type.
  • the LPA timer starts timing (Start) when transitioning from the new session acceptance (NSA) state A1, and when it expires (Expired), the state of the traceable ID transitions to the non-delivery notification (URN) state A 3 Set to Packet Accepted: Refresh (initial value).
  • the URN state timer (Un- Reach Notification State Timer) starts tracking at the transition from the new session prohibition (NSF) state A2 and starts when it expires (Expired). Annihilate.
  • the traceable ID generated (or selected) by the traceable ID generation unit 131a expires during use, there is a problem in service. In particular, it is not good that the valid period of the traceable ID generated by the traceable ID generation unit 131a expires during file download. For this reason, it is desirable to set the valid period of the traceable ID to a long time. However, if the period in which the traceable ID can be used is set to a long period according to the validity period, it is a security problem and should be revoked as soon as possible after the use is completed.
  • the revocation form such as revocation for each transaction or revocation by the number of transactions may be set in the traceable ID.
  • a combination of the setting of the revocation form and the setting of the validity period is also possible.
  • an access request may be generated for the device to be searched [for example, server (A) 14].
  • a predictive notification is sent from the server 3 to the security gateway 12.
  • the predictive notification is notified from the security gateway 12 to the traceable ID management server 13, and the traceable ID generated by the traceable ID management server 13 is sent to the request source through the DNS server 3.
  • the traceable ID management server 13 receives a predictive notification from the DNS server 3.
  • the traceable ID management server 13 receives a predictive notification from the LDAP server 3.
  • client (B) 22 refers to presence information indicating the state of the communication partner (communication terminal corresponding to server (A) 14) (for example, during a meeting, away from the seat, etc.), When predicting access to an elephant. In this case, the traceable ID management server 13 receives a predictive notification from the communication partner.
  • the traceable ID management server 13 receives a predictive notification from a device that can detect the reference of the contact network.
  • a website (Web site) consists of multiple servers [there is a hyper link], and if that site (one of the multiple servers) is accessed, When predicting that the server will also have access. In this case, normally, since the hyperlink is described in FQDN (Fully-Qualified Domain Name), access to obtain information from the DNS server occurs.
  • the traceable ID management server 13 receives a predictive notification from the DNS server 3.
  • the life pattern is fixed (for example, if you turn on your personal computer in the morning, the website you want to go to first is decided), and when you start its first action, When it is predicted that there is access to a website etc. to go to.
  • the traceable ID management server 13 receives a predictive notification from a device (for example, the client (B) 22 itself) that is predicted to be accessed.
  • the traceable ID management server 13 receives a predictive notification from a device (for example, the client (B) 22 itself) that is predicted to be accessed.
  • FIG. 5 is a sequence chart showing the operation of the communication system according to the first exemplary embodiment of the present invention. The operation of the communication system according to the first embodiment of the present invention will be described with reference to FIGS. 5 and 6, the processing operation of the traceable ID management server 13 is realized by the CPU 131 executing the program in the memory 132.
  • Client (B) 22 starts communication (step al), and server (A) 14 address (NID In order to search for IP), “node representative ID [NID—FQDN (Fully-Qualified Domain Name)]” is output to the DNS server 3 (steps a2 and a3).
  • DNS server 3 resolves the address of the node representative ID based on the “node representative ID (NID—FQDN)”! /, (Step a4), and provides a warning (accessibility) notification to the security gateway (A) It is sent to 11 security gateways 12 (step a5).
  • the security gateway 12 sends a predictive notification from the DNS server 3 to the traceable ID management server 13 (step a6).
  • the traceable ID generation unit 131a refers to the traceable ID management table 133 and selects one of the available traceable IDs. Alternatively, the traceable ID generation unit 131a generates a new traceable ID (NID—IP).
  • the traceable ID generation unit 131a passes the selected or generated traceable ID to the traceable ID issuing unit 13 lb and the traceable ID management unit 13 lc (step a7).
  • the traceable ID management unit 131c associates the traceable ID selected or generated by the traceable ID generation unit 131a with the client (B) 22 who made the access request and the valid period in the traceable ID table. Record.
  • the traceable ID issuing unit 13 lb issues the traceable ID (NID—IP) generated by the traceable ID generating unit 131a to the DNS server 3 and Sano (A) 14 via the communication control unit 134. (Steps a8, a9, alO).
  • the server (A) 14 sets the traceable ID (NID—IP) issued from the traceable ID issuing unit 131b in its own device, and thereafter enables reception with the traceable ID (step al l).
  • the DNS server 3 uses the traceable ID (NID-IP) issued from the traceable ID issuing unit 131b as the address resolution result, and the security gateway (B) 21
  • the client (B) 22 Upon receiving the traceable ID (NID—IP) from the DNS server 3, the client (B) 22 connects to the server (A) 14 using the traceable ID (NID—IP) as the destination address (step al3, al4, al 7). At this time, the security gateway 12 of the security gateway (A) 11 verifies the access to the server (A) 14 by the traceable ID (NID-IP) (step al6) D After this, the client (B) 22 can trace The target communication is started using the ID (NID—IP) (step al 5), the server (A) 14 is accessed and data is acquired and displayed (steps a20 and a21).
  • the security gateway 12 verifies the access to the server (A) 14, the first packet is observed in the case of UDP / I CMP, and "syn" is sent in the case of TCP. This can be traced to the ID management server 13 (step a 18).
  • the traceable ID management server 13 receives the notification from the security gateway 12, the traceable ID management server 13 performs an aging process for the traceable ID related to the notification (step a19).
  • FIG. 6 is a flowchart showing the operation of the aging process in the traceable management server 13. With reference to FIG. 6, the operation of the aging process in step al9 will be described.
  • the traceable ID management unit 131c When receiving the notification from the security gateway 12, the traceable ID management unit 131c detects the connection to the server (A) 14 by the client (B) 22 (step S1). At this time, the notification from the security gateway 12 preferably includes information that can identify the traceable ID associated with the client (B) 22. The traceable ID management unit 131 c refers to the notification from the security gateway 12 to identify the traceable ID used to connect to the server (A) 14 and sets the traceable ID for the traceable ID (step S2). . The traceable ID management unit 131c issues a request to delete the traceable ID to the server (A) 14 via the security gateway 12 when the period indicated by the valid period information (aging information) has elapsed (Step S3 Yes, S5, a22).
  • the traceable ID management unit 131c discards the traceable ID and the corresponding information from the traceable ID table.
  • the timing of discarding the traceable ID may be before issuing the request for deleting the traceable ID or after receiving a response to the request for deleting the traceable ID.
  • the traceable ID management unit 131c will secure a request to delete the traceable ID. It is issued to the server (A) 14 via the gateway 12 (steps S3No, S4, a22), and the traceable ID management unit 131c discards the traceable ID and the information associated therewith from the traceable ID table. To do.
  • the server (A) 14 and the security gateway 12 register the traceable ID registered in response to the traceable ID deletion request issued from the traceable ID management server 13. (Steps a23 and a24) 0 This makes it impossible for client (B) 22 to access server (A) 14 using the traceable ID obtained from DNS server 3. .
  • the traceable ID management unit 131c may issue a traceable ID deletion request to the DNS server 3 in step S5. In this case, the DNS server 3 discards the traceable ID assignment setting.
  • steps a4 to all is preferably processing in Admin Do main that cannot be seen by the client (B) 22! /.
  • a traceable ID is generated each time a possibility (predictor) of access from the user terminal or client (B) 22 to the server (A) 14 occurs.
  • (A) 14 and client (B) 22 are paid out.
  • the traceable ID for accessing the server (A) 14 is obtained by the Sano (A) 14 or security gateway. 12 or DNS server 3 is discarded. This makes it difficult for malicious user terminals and untrusted clients to receive attacks such as DoS attacks and unauthorized access.
  • the traceable ID generated each time a possibility of access (predictor) occurs is held in correspondence with the sender (requester), so that the sender is specified only by the destination address. be able to.
  • FIG. 7 is a block diagram showing a configuration of a communication system according to the second exemplary embodiment of the present invention.
  • the communication system according to the second embodiment of the present invention has the same configuration as that of the first embodiment of the present invention shown in FIG. 1 except that a DNS server 23 is added in the site 201.
  • the same components are denoted by the same reference numerals.
  • the operation of the same component is the same as that of the first embodiment of the present invention.
  • the configuration of the traceable ID management server 13 is the same as that of the traceable ID management server 13 according to the first embodiment of the present invention shown in FIG.
  • FIG. 8 is a sequence chart showing the operation of the communication system according to the second exemplary embodiment of the present invention. The operation of the communication system according to the second embodiment of the present invention will be described with reference to FIG. 2 and FIGS.
  • the processing operation of the traceable ID management server 13 is realized by the CPU 131 executing the program in the memory 132.
  • Client (B) 22 starts communication (step bl) and outputs “node representative ID (NID FQDN)” to DNS server 23 to search for the address (NID—IP) of server (A) 14 Do (Step b2, b3).
  • the DNS server 23 passes the “node representative ID (NID—FQDN)” to the DNS server 3 (step b4).
  • the DNS server 3 performs address resolution of the node representative ID based on the “node representative ID (NID—FQDN)” (step b5), and sends a predictive (accessibility) notification to the security gateway (A ) Send to 11 security gateways 12 (step b6).
  • the security gateway 12 sends a predictive notification from the DNS server 3 to the traceable ID management server 13 (step b7).
  • the traceable ID generation unit 131a refers to the traceable ID management table 133 and selects one of the available traceable IDs. Alternatively, the traceable ID generation unit 131a generates a new traceable ID (NID—IP). To do.
  • the traceable ID generation unit 131a passes the selected or generated traceable ID to the traceable ID issuing unit 13 lb and the traceable ID management unit 131c (step b8).
  • the traceable ID management unit 131c associates the traceable ID selected or generated by the traceable ID generation unit 131a with the client (B) 22 who made the access request and the valid period in the traceable ID table. Record.
  • the trackable ID issuing unit 13 lb issues the trackable ID (NID—IP) generated by the trackable ID generating unit 131 a to the DNS server 3 and Sano (A) 14 via the communication control unit 134.
  • Step ⁇ )! ⁇ ;! Server (A) 14 sets the traceable ID (NID—IP) issued from the traceable ID issuing unit 131b in its own device, and thereafter enables reception with the traceable ID (NID—IP) ( Step bl2).
  • the DNS server 3 uses the traceable ID (NID-IP) issued from the traceable ID issuing unit 13 lb as the address resolution result, and the client (B) 22 via the DNS server 23 and the security gateway (B) 21. (Steps ⁇ 3 and ⁇ 4).
  • the client (B) 22 Upon receipt of the traceable ID (NID-IP) from the DNS server 3, the client (B) 22 connects to the server (A) 14 using the traceable ID (NID_IP) as the destination address (step S1). (Bl5, bl6, bl9).
  • the security gateway 12 of the security gateway (A) 11 verifies the access to the server (A) 14 with a traceable ID (NID-IP) (step bl8).
  • the client (B) 22 starts the desired communication using the traceable ID (NID—IP) (step bl 7), and accesses the server (A) 14 to acquire and display the data. (Step b22, b23).
  • the security gateway 12 verifies the access to the server (A) 14, the first packet is observed in the case of UDP / I CMP, and "syn" is sent in the case of TCP. This can be traced to the ID management server 13 (step b20).
  • the traceable ID management server 13 receives the notification from the security gateway 12, the traceable ID management server 13 performs an aging process for the traceable ID related to the notification (step b21).
  • step b21 The aging process in step b21 is the same as the aging process shown in FIG.
  • the traceable ID management unit 131c When receiving the notification from the security gateway 12, the traceable ID management unit 131c detects the connection to the server (A) 14 by the client (B) 22 (step S1). At this time, the notification from the security gateway 12 preferably includes information that can identify the traceable ID associated with the client (B) 22. The traceable ID management unit 131 c refers to the notification from the security gateway 12 to identify the traceable ID used to connect to the server (A) 14 and sets the traceable ID for the traceable ID (step S2). . The traceable ID management unit 131c issues a request to delete the traceable ID to the server (A) 14 via the security gateway 12 when the period indicated by the valid period information (aging information) has elapsed (Step S3 Yes, S5, b24).
  • the traceable ID management unit 131c discards the traceable ID and the corresponding information from the traceable ID table.
  • the timing of discarding the traceable ID may be before issuing the request for deleting the traceable ID or after receiving a response to the request for deleting the traceable ID.
  • the traceable ID management unit 131c will secure a request to delete the traceable ID. It is issued to the server (A) 14 via the gateway 12 (steps S3No, S4, b24), and the traceable ID management unit 131c discards the traceable ID and the information associated therewith from the traceable ID table. To do.
  • the server (A) 14 and the security gateway 12 register the traceable ID registered in response to the traceable ID deletion request issued from the traceable ID management server 13. Is discarded (step b25, b26). As a result, client (B) 22 cannot access server (A) 14 using the traceable ID obtained from DNS server 3. .
  • the traceable ID management unit 131c may also issue a traceable ID deletion request to the DNS server 3 or the DNS server 23. In this case, the DNS server 3 or the DNS server 23 discards the traceable ID assignment setting.
  • processing in the above steps b5 to bl2 is preferably processing in Admin Do main that cannot be seen by the client (B) 22! /.
  • the present invention is applicable to NGN (Next Generation Network) and IPv6 (Internwt Protocol version 6) networks.
  • the communication system is a communication system in which address information used when a client device accesses a server device is managed by an address management device.
  • the address management device detects a sign indicating a possibility that an access request from the client device to the server device is generated, and generates a server device identification information used in the access request when the sign is detected With.
  • the address management device includes holding means and control means! /.
  • the holding unit holds the server device identification information generated by the generation unit, the corresponding client device information, and the validity period information of the identification information in association with each other.
  • the control means discards the identification information of the server device corresponding to the access and the information corresponding thereto from the holding means when detecting the expiration of the identification information based on the validity period information.
  • control means should discard the identification information corresponding to the access and the information corresponding thereto from the holding means when the access of the client apparatus to the server apparatus is completed. Is preferred.
  • the identification information of the server device is an IP (Internet Protocol) address that is generated / deleted according to at least the state! /.
  • IP Internet Protocol
  • the address management device manages identification information used when a client device accesses a server device.
  • An address management method is an address management method used in a communication system in which identification information used when a client device accesses a server device is managed by the address management device.
  • the address management device executes processing for detecting a sign indicating the possibility of an access request from the client device to the server device, and is used in the access request when the sign is detected. And generating processing for generating identification information of the server device to be executed.
  • the address management device associates the identification information of the server device generated by the generation processing, the information of the client device corresponding thereto, and the validity period information of the identification information with each other in the holding means. Executing a process to be held, and a control process to discard the identification information of the server apparatus corresponding to the access and the information corresponding to the access from the holding means when the expiration of the identification information is detected based on the validity period information. Preferably performing.
  • the address management device discards the identification information corresponding to the access and the information corresponding to the access from the holding means at the end of the access to the server device of the client device in the control process. It is preferable to provide.
  • the program according to the fourth aspect of the present invention is a program executed by an address management device that manages identification information used when a client device accesses a server device.
  • the program detects, in the central processing unit of the address management device, a sign that indicates a possibility that an access request for the server device is generated from the client device, and uses the access request when the sign is detected.
  • the address management device is caused to execute generation processing for generating identification information of the server device.
  • a traceable ID (IDentifier) management server may generate a request for access to a user terminal or a client server. Is detected, a traceable ID (Traceable Private ID) assigned to each user terminal or client is generated by communicating with the server, and the traceable ID is returned to the user terminal or client.
  • the detected sign is, for example, the occurrence of a DNS query for a client to access a DNS (Domain Name System) and obtain server identification information.
  • the traceable ID management server when the traceable ID management server receives a disconnection notification from the user terminal or the client, the traceable ID is discarded.
  • the traceable ID management server discards the traceable ID when the period indicated by the valid period information (aging information) assigned in advance to the traceable ID assigned to each user terminal or client elapses. After that, when the user terminal or client makes an access request using the discarded traceable ID, the user is notified that the traceable ID is invalid.
  • a traceable ID is generated every time an access request is received from a user terminal or a client, and when the access is completed or a predetermined period has elapsed, Discard the traceable ID. This makes it difficult for a malicious user terminal or an untrusted client to receive attacks such as DoS attacks and unauthorized access. Further, in the communication system of the present invention, by using the traceable ID, it is possible to specify the transmission source only by the destination address.
  • the traceable ID is an ID assigned to each partner such as a user terminal or a client.
  • the traceable ID can be obtained from the mediation server via a secure route. Furthermore, since the traceable ID is set to be valid only during the session, it is possible to authenticate who the connection is from.
  • the present invention can be made less susceptible to attacks such as DoS attacks and unauthorized access from malicious user terminals and untrusted clients.
  • the effect that it can defend is acquired.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Computer And Data Communications (AREA)
  • Telephonic Communication Services (AREA)

Abstract

Système de communication capable de prévenir efficacement une attaque telle une attaque DoS ou un accès abusif depuis un terminal utilisateur malveillant ou un client peu fiable, et de protéger un serveur d'une attaque. Dès réception d'une notification prédictive indiquant la possibilité d'accès du client au serveur depuis un serveur DNS (3), un serveur de gestion d'ID traçables, affecté à chaque client, ajoute des informations de période de validité aux ID traçables générées, et les renvoie au serveur DNS. Le serveur DNS (3) transmet ces ID traçables au client en tant que résultat de la solution de gestion d'adresses. De plus, le serveur de gestion d'ID traçables rejette l'ID traçable affectée à chaque client, après écoulement de la période indiquée par les informations de période de validité ajoutées aux ID traçables.
PCT/JP2007/072804 2006-12-08 2007-11-27 Système de communication et dispositif de gestion d'adresses, et procédé et programme de gestion d'adresses utilisés par ceux-ci WO2008069043A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
JP2006-331401 2006-12-08
JP2006331401A JP2010068014A (ja) 2006-12-08 2006-12-08 通信システム、アドレス管理装置及びそれらに用いるアドレス管理方法並びにそのプログラム

Publications (1)

Publication Number Publication Date
WO2008069043A1 true WO2008069043A1 (fr) 2008-06-12

Family

ID=39491946

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2007/072804 WO2008069043A1 (fr) 2006-12-08 2007-11-27 Système de communication et dispositif de gestion d'adresses, et procédé et programme de gestion d'adresses utilisés par ceux-ci

Country Status (2)

Country Link
JP (1) JP2010068014A (fr)
WO (1) WO2008069043A1 (fr)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003242282A (ja) * 2002-02-19 2003-08-29 Ntt Comware Corp コンテンツ配信システムとコンテンツ配信方法、及びこの方法をコンピュータに実行させるプログラムとこの方法を記録した記録媒体
JP2004297550A (ja) * 2003-03-27 2004-10-21 Seiko Instruments Inc コンテンツ管理システム及びコンテンツ配信システム
JP2005197804A (ja) * 2003-12-26 2005-07-21 Victor Co Of Japan Ltd ストリーミング配信サーバ

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2003242282A (ja) * 2002-02-19 2003-08-29 Ntt Comware Corp コンテンツ配信システムとコンテンツ配信方法、及びこの方法をコンピュータに実行させるプログラムとこの方法を記録した記録媒体
JP2004297550A (ja) * 2003-03-27 2004-10-21 Seiko Instruments Inc コンテンツ管理システム及びコンテンツ配信システム
JP2005197804A (ja) * 2003-12-26 2005-07-21 Victor Co Of Japan Ltd ストリーミング配信サーバ

Also Published As

Publication number Publication date
JP2010068014A (ja) 2010-03-25

Similar Documents

Publication Publication Date Title
US8738902B2 (en) Implicit SSL certificate management without server name indication (SNI)
US7415536B2 (en) Address query response method, program, and apparatus, and address notification method, program, and apparatus
US7792994B1 (en) Correlating network DNS data to filter content
EP2924941B1 (fr) Procédé et dispositif de prévention d'un accès illégal à un service
US8336087B2 (en) Robust digest authentication method
US8645503B1 (en) Accelerated data uploading
US20100281146A1 (en) Dynamic domain name service system and automatic registration method
JP4758362B2 (ja) 中継装置、プログラム及び中継方法
WO2014000303A1 (fr) Procédé permettant de recevoir un message et dispositif et système d'inspection de paquet en profondeur
WO2010003317A1 (fr) Dispositif, procédé et système pour empêcher la falsification d'une page web
US8191131B2 (en) Obscuring authentication data of remote user
EP3306900B1 (fr) Acheminement dns pour sécurité de réseau améliorée
WO2007093100A1 (fr) Procédé de liaison de l'adresse du terminal utilisateur dans l'équipement d'accès
US8555347B2 (en) Dynamic host configuration protocol (DHCP) authentication using challenge handshake authentication protocol (CHAP) challenge
US20090245265A1 (en) Communication gateway device and relay method of the same
Rafiee et al. Winsend: Windows secure neighbor discovery
JP4643596B2 (ja) 端末装置を認証する装置、方法、プログラム、端末装置、および端末装置の通信を中継する装置
JP2009272659A (ja) 通信制御装置、通信制御方法および通信システム
JP2004535096A (ja) 外部からのアクセスを規制するための方法およびシステム
JP2004078280A (ja) リモートアクセス仲介システム及び方法
WO2022135132A1 (fr) Procédé et appareil de traitement de service, dispositif électronique et support de stockage
EP3989509A1 (fr) Procédé de réalisation d'architecture collaborative dynamique, système, dispositif terminal et support de stockage
WO2008069043A1 (fr) Système de communication et dispositif de gestion d'adresses, et procédé et programme de gestion d'adresses utilisés par ceux-ci
Cisco Release Notes for the Cisco Secure PIX Firewall Version 5.2(9)
US9143520B2 (en) Method and apparatus for computer network security

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07832529

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07832529

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: JP