WO2016175131A1 - Connection control device, connection control method and connection control program - Google Patents
- Publication number
- WO2016175131A1 (PCT/JP2016/062676)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- connection
- tcp
- packet
- abnormal
- server
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1441—Countermeasures against malicious traffic
- H04L63/1458—Denial of Service
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1425—Traffic logging, e.g. anomaly detection
- H04L2463/00—Additional details relating to network architectures or network communication protocols for network security covered by H04L63/00
- H04L2463/142—Denial of service attacks against network infrastructure
- H04L12/00—Data switching networks
- H04L12/66—Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
- H04L47/00—Traffic control in data switching networks
- H04L47/10—Flow control; Congestion control
- H04L47/24—Traffic characterised by specific attributes, e.g. priority or QoS
- H04L47/2483—Traffic characterised by specific attributes, e.g. priority or QoS involving identification of individual flows
Definitions
- the present invention relates to a connection control device, a connection control method, and a connection control program.
- an object of the present invention is to prevent a connection occupation attack without affecting normal traffic.
- the connection control device includes: a connection number calculation unit that calculates, for each server, the number of TCP connections established between the server and clients on the network; a determination unit that determines whether or not the number of TCP connections for each server is equal to or greater than a predetermined threshold value; and an abnormal connection detection unit that detects, for a server determined by the determination unit to have a number of TCP connections equal to or greater than the threshold value, an abnormal connection that performs a denial of service attack on that server.
- the connection control method of the present invention is a connection control method executed by a connection control device, and includes: a connection number calculation step of calculating, for each server, the number of TCP connections established between the server and clients on the network; a determination step of determining whether or not the number of TCP connections for each server is equal to or greater than a predetermined threshold; and an abnormal connection detection step of detecting, for a server determined in the determination step to have a number of TCP connections equal to or greater than the threshold, an abnormal connection that performs a denial of service attack on that server.
- FIG. 1 is a diagram illustrating an example of a configuration of a network including a connection control device according to the first embodiment.
- FIG. 2 is a diagram illustrating an example of the configuration of the connection control apparatus according to the first embodiment.
- FIG. 3 is a diagram illustrating an example of packet header information according to the first embodiment.
- FIG. 4 is a diagram illustrating an example of a TCP connection according to the first embodiment.
- FIG. 5 is a diagram illustrating an example of a destination and the number of connections according to the first embodiment.
- FIG. 6 is a diagram illustrating an example of a transmission source and the number of connections according to the first embodiment.
- FIG. 7 is a diagram illustrating an example of the ratio of the actual throughput to the theoretical throughput according to the first embodiment.
- FIG. 8 is a flowchart illustrating an example of processing of the connection control device according to the first embodiment.
- FIG. 9 is a flowchart illustrating an example of the detection process of the connection control device according to the first embodiment.
- FIG. 10 is a flowchart illustrating an example of the detection process of the connection control device according to the first embodiment.
- FIG. 11 is a flowchart illustrating an example of detection processing of the connection control device according to the first embodiment.
- FIG. 12 is a flowchart illustrating an example of detection processing of the connection control device according to the first embodiment.
- FIG. 13 is a flowchart illustrating an example of detection processing of the connection control device according to the first embodiment.
- FIG. 14 is a diagram illustrating an example of a computer in which a connection control apparatus is realized by executing a program.
- a connection control apparatus and a connection control method according to the present application will be described in detail with reference to the drawings. Note that the connection control device and the connection control method according to the present application are not limited by this embodiment.
- FIG. 1 is a diagram illustrating an example of a configuration of a network including a connection control device according to the first embodiment.
- the network includes, for example, a connection control device 1, a server 2, a server 3, a switch 4, a client 5, and a client 6.
- the clients 5 and 6 can establish a TCP connection with the servers 2 and 3 to transmit and receive packets. For example, a packet issued from the client 5 to the server 2 flows to the server 2 via the switch 4 and the connection control device 1. A packet issued from the server 2 to the client 5 flows to the client 5 via the connection control device 1 and the switch 4.
- in FIG. 1 the connection control device 1 is deployed inline, but it may instead be installed on a mirror port.
- the connection control device 1 includes an interface 10, a packet information analysis unit 20, and a packet control unit 30.
- the packet information analysis unit 20 performs packet analysis and the like.
- the packet control unit 30 controls transmission / reception of packets.
- the interface 10 is connected to the switch 4 and the server 2 and transmits and receives packets under the control of the packet control unit 30 and the like.
- FIG. 2 is a diagram illustrating an example of the configuration of the connection control apparatus according to the first embodiment.
- the connection control device 1 includes the interface 10, the packet information analysis unit 20, and the packet control unit 30.
- the packet information analysis unit 20 and the packet control unit 30 will be described in detail.
- the packet information analysis unit 20 includes a connection number calculation unit 21, a determination unit 22, an abnormal connection detection unit 23, and a score calculation unit 24.
- the connection number calculation unit 21 calculates the number of TCP connections established between the server and the client on the network for each server.
- the determination unit 22 determines whether or not the number of TCP connections for each server is equal to or greater than a predetermined threshold.
- the abnormal connection detection unit 23 detects an abnormal connection that performs a denial of service attack on the server that is determined by the determination unit 22 that the number of TCP connections is equal to or greater than a predetermined threshold.
- the connection number calculation unit 21 has a TCP header analysis function 211 and a connection number calculation function 212 for each server. Thereby, the connection number calculation unit 21 totals the number of TCP connections for each destination IP address included in the header information of the packet of the TCP connection.
- the TCP header analysis function 211 extracts header information such as a destination IP address, a source port number, and a destination port number from a TCP header and an IP header included in a packet received by the interface 10.
- the connection number calculation function 212 for each server calculates the number of unique connections for each server from the information extracted by the TCP header analysis function 211.
- the TCP header analysis function 211 extracts header information of each packet from a TCP header and an IP header included in the packet.
- FIG. 3 is a diagram illustrating an example of packet header information according to the first embodiment.
- the extracted header information items include a source IP address, a destination IP address, a source port number, and a destination port number, as shown in FIG. 3.
- FIG. 3 is a simplified example for explanation; the number of packets from which the TCP header analysis function 211 actually extracts header information is not limited to what is shown in FIG. 3.
- the row numbered 1 indicates that the source IP address of a packet is “10.0.1.1”, the destination IP address is “10.0.0.1”, the source port number is “51001”, and the destination port number is “21”.
- the row numbered 6 indicates that the source IP address of a packet is “10.0.1.2”, the destination IP address is “10.0.0.1”, the source port number is “51001”, and the destination port number is “80”. Comparing row 1 with row 6 shows that the packets belong to different TCP connections, because their source IP addresses and destination port numbers differ.
- the connection count calculation function 212 for each server aggregates the header information of the packets extracted by the TCP header analysis function 211 for each connection, as shown in FIG. 4.
- FIG. 4 is a diagram illustrating an example of a TCP connection according to the first embodiment.
- the packets of numbers 7 to 16 in FIG. 3 are packets of one TCP connection because the source IP address, the destination IP address, the source port number, and the destination port number are the same.
- the packet numbered 1 and the packet numbered 2 have the same source IP address, destination IP address, and destination port number, but different source port numbers, which shows that they belong to different TCP connections.
- the connection number calculation function 212 for each server calculates the number of unique connections for each server by counting the number of connections for each server that is a packet transmission destination, that is, for each destination IP address.
- FIG. 5 is a diagram illustrating an example of a destination and the number of connections according to the first embodiment. In this case, the number of unique connections of the server whose destination IP address is “10.0.0.1” is 6, and the number of unique connections of the server whose destination IP address is “10.0.0.2” is 2.
- the determination unit 22 determines, from the number of unique connections for each server calculated by the connection number calculation unit 21, whether or not to perform abnormal connection detection and packet control for each server. For example, the determination unit 22 may decide to perform abnormal connection detection and packet control for a server whose number of connections is equal to or greater than a predetermined threshold. In this case, when the threshold is set to 5, it can be determined that abnormal connection detection and packet control are performed for the server whose destination IP address in FIG. 5 is “10.0.0.1”, and are not performed for the server whose destination IP address is “10.0.0.2”.
- in the above, packets having a client as the transmission source and a server as the destination have been described.
- however, packets having a server as the transmission source and a client as the destination may be used instead, or both kinds of packets may be used. If both are used, a packet addressed from a client to a server and a packet addressed from that server to the client whose IP addresses and port numbers are the same with source and destination reversed can be regarded as belonging to the same TCP connection.
- alternatively, information that can be acquired from the server, such as the output of a command that obtains the server's process state or connection statistics, can also be used.
- the abnormal connection detection unit 23 includes a packet reception time analysis function 231, a transmission source IP address totaling function 232, a throughput analysis function 233, a packet size analysis function 234, a TCP window size analysis function 235, a TCP connection normal analysis function 236, and a protocol violation determination function 237. The abnormal connection detection unit 23 detects an abnormal connection that performs a connection occupation attack using any one of these functions or a combination of several of them.
- the packet reception time analysis function 231 acquires the time at which the interface 10 received a packet.
- the source IP address totaling function 232 counts the number of packets for each source IP address based on the packet source IP address.
- the throughput analysis function 233 calculates a theoretical throughput and an actual throughput.
- the packet size analysis function 234 acquires the size of the packet.
- the TCP window size analysis function 235 acquires the window size of the TCP connection.
- the TCP connection normal analysis function 236 determines whether or not the TCP connection is in a Half Close state, that is, a state in which a signal for terminating the connection is sent from the server but a signal for terminating the connection is not returned to the server.
- the protocol violation determining function 237 determines whether or not the TCP connection is a protocol violation.
- the abnormal connection detection unit 23 may adopt any one of the following methods, or may combine a plurality of methods. Further, the method for detecting an abnormal connection is not limited to the following method, and any known method can be used.
- Method 1: In method 1, when the number of TCP connections counted for each source IP address included in the header information of the TCP connection packets is equal to or greater than a predetermined threshold, the abnormal connection detection unit 23 detects those TCP connections as abnormal connections. First, the packet reception time analysis function 231 acquires the time at which each packet was received by the interface 10. Next, the per-source IP address totaling function 232 counts the number of connections for each source IP address that has transmitted a packet whose reception time, as acquired by the packet reception time analysis function 231, is earlier than a predetermined time, and sorts the source IP addresses by number of connections.
- FIG. 6 shows an example in which aggregation is performed based on FIG.
- FIG. 6 is a diagram illustrating an example of a transmission source and the number of connections according to the first embodiment.
- FIG. 6 shows that the number of connections whose source IP address is “10.0.1.1” is 5, and the number of connections whose source IP address is “10.0.1.2” is 3.
- the score calculation unit 24 calculates and assigns an abnormality score to each source IP address based on the number of connections or the rank of the number of connections. For example, when the number of connections is equal to or greater than a predetermined threshold, the score calculation unit 24 gives an abnormality score.
- the number of connections is set to be small in FIG. 6, but there are cases where tens to hundreds of TCP connections are established from a client that actually performs a connection occupation attack. On the other hand, the number of connections from normal clients is often about several at most.
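The per-server counting of FIG. 3 to FIG. 5, the threshold decision of the determination unit 22, and the per-source counting and ranking of method 1 (FIG. 6, steps S201 to S203), written out as an added Python example; it is not code from the patent. The header records, the set of protected server addresses (`SERVERS`), the thresholds, the bidirectional normalisation in `connection_key`, and the scoring rule in `method1_scores` are all constructed assumptions.

```python
"""Per-server connection counting (FIG. 3 to FIG. 5), the threshold decision of the
determination unit, and method 1's per-source count and ranking (FIG. 6).
Added example; it is not the patent's own code."""
from collections import Counter

# Constructed header records in the shape of FIG. 3:
# (source IP, destination IP, source port, destination port, reception time in ms).
# They yield 6 unique connections to 10.0.0.1 and 2 to 10.0.0.2 (as in FIG. 5), of
# which 10.0.1.1 holds 5 and 10.0.1.2 holds 3 (as in FIG. 6).
PACKETS = [
    ("10.0.1.1", "10.0.0.1", 51001, 21, 0),
    ("10.0.1.1", "10.0.0.1", 51002, 21, 1),
    ("10.0.1.1", "10.0.0.1", 51003, 80, 2),
    ("10.0.1.1", "10.0.0.1", 51004, 80, 3),
    ("10.0.1.1", "10.0.0.2", 51005, 80, 4),
    ("10.0.1.2", "10.0.0.1", 51001, 80, 5),
    ("10.0.1.2", "10.0.0.1", 51002, 80, 6),
    ("10.0.1.2", "10.0.0.2", 52002, 80, 7),
    # further packets of the first connection (like numbers 7 to 16 in FIG. 3)
    ("10.0.1.1", "10.0.0.1", 51001, 21, 8),
    ("10.0.1.1", "10.0.0.1", 51001, 21, 9),
    # the server's reply on that connection: source and destination swapped
    ("10.0.0.1", "10.0.1.1", 21, 51001, 10),
]

# Assumption: the addresses of the protected servers are known to the device.
SERVERS = {"10.0.0.1", "10.0.0.2"}


def connection_key(pkt):
    """Normalise a header record to (client IP, server IP, client port, server port),
    so that a server-to-client packet maps to the same connection as the
    client-to-server packet with source and destination reversed."""
    src, dst, sport, dport, _ = pkt
    if src in SERVERS and dst not in SERVERS:
        return (dst, src, dport, sport)
    return (src, dst, sport, dport)


def unique_connections(packets, received_before_ms=None):
    """Distinct TCP connections (FIG. 4), optionally limited to packets received
    before a cut-off so that only connections of some age are counted."""
    if received_before_ms is not None:
        packets = [p for p in packets if p[4] < received_before_ms]
    return {connection_key(p) for p in packets}


def connections_per_server(packets):
    """Connection number calculation function 212: unique connections per destination
    (server) IP address, as in FIG. 5."""
    return dict(Counter(key[1] for key in unique_connections(packets)))


def servers_to_inspect(packets, threshold=5):
    """Determination unit 22: servers whose connection count is >= threshold are the
    only ones for which abnormal connection detection and packet control run."""
    return sorted(s for s, n in connections_per_server(packets).items() if n >= threshold)


def connections_per_source(packets, server=None, received_before_ms=None):
    """Method 1 (source IP address totaling function 232): connections per source IP,
    optionally restricted to one server, sorted by count in descending order (FIG. 6)."""
    keys = unique_connections(packets, received_before_ms)
    counts = Counter(k[0] for k in keys if server is None or k[1] == server)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def method1_scores(packets, server=None, threshold=4):
    """Score calculation unit 24 for method 1: each source IP whose connection count
    reaches the threshold receives an abnormality score (here the count itself, an
    assumption; the description only says a score is assigned)."""
    return {src: n for src, n in connections_per_source(packets, server) if n >= threshold}
```

With the constructed records, `connections_per_server` gives `{"10.0.0.1": 6, "10.0.0.2": 2}` and a threshold of 5 selects only `10.0.0.1`, matching the FIG. 5 discussion; `connections_per_source` reproduces the 5 and 3 of FIG. 6. Counting unique 4-tuples rather than packets is what keeps the retransmissions and the server's reply from inflating the totals.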
- Method 2: In method 2, the abnormal connection detection unit 23 detects a TCP connection as an abnormal connection when the ratio of the actual throughput, calculated from the packet sizes of the packets transmitted and received on the TCP connection, to the theoretical throughput, calculated from the TCP window size and the round trip time of the TCP connection, is equal to or less than a predetermined threshold.
- the packet reception time analysis function 231 acquires the time when a packet is received by the interface 10.
- the TCP window size analysis function 235 acquires the TCP window size of the packet.
- the throughput analysis function 233 obtains the round trip time from the reception time of the packet, and calculates the theoretical throughput by Expression (1).
- the packet size analysis function 234 acquires the packet size. Further, the throughput analysis function 233 calculates the actual throughput, for example, by determining the packet size transmitted / received per unit time. Further, the throughput analysis function 233 calculates the ratio of the actual throughput to the theoretical throughput. Thereafter, the score calculation unit 24 assigns an abnormality score to the client corresponding to the source IP address of the TCP connection whose ratio of the actual throughput to the theoretical throughput is equal to or less than a predetermined threshold.
- FIG. 7 is a diagram illustrating an example of the ratio of the actual throughput to the theoretical throughput according to the first embodiment.
- each of the rows numbered 1 to 4 shows, for a TCP connection with a distinct combination of source IP address, destination IP address, source port number, and destination port number, the TCP window size, the round trip time, the theoretical throughput, the actual throughput, and the ratio of the actual throughput to the theoretical throughput.
- for example, the TCP connection indicated by number 1 in FIG. 7 has a source IP address “10.0.1.1”, a destination IP address “10.0.0.1”, a source port number “51001”, and a destination port number “21”. Its TCP window size is 64 KB and its round trip time is 0.01 seconds. Since the theoretical throughput of the TCP connection indicated by number 1 is 51200 kbps and the actual throughput is 41259 kbps, the ratio of the actual throughput to the theoretical throughput is 0.81.
- the TCP connection indicated by number 3 in FIG. 7 has a source IP address “10.0.1.2”, a destination IP address “10.0.0.2”, a source port number “52002”, and a destination port number “80”.
- the TCP window size is 64 KB, and the round trip time is 0.005 seconds. Since the theoretical throughput of the TCP connection indicated by number 3 is 102400 kbps and the actual throughput is 1055 kbps, the ratio of the actual throughput to the theoretical throughput is 0.01.
- when the threshold for the score calculation unit 24 to give an abnormality score is set to 0.1, since the ratio of the actual throughput to the theoretical throughput of the TCP connections indicated by numbers 3 and 4 in FIG. 7 is 0.1 or less, an abnormality score is assigned to their source IP addresses.
- the score calculation unit 24 may calculate and assign a score according to the duration of the TCP connection, instead of always assigning an abnormality score to the transmission source IP address when the value is below the threshold.
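Method 2 (and the flow of FIG. 10, steps S301 to S306) as an added Python example; this is not the patent's code. Expression (1) is not reproduced on this page, so the theoretical throughput is assumed here to be TCP window size divided by round trip time, with 1 KB taken as 1000 bytes; that assumption is what reproduces the 51200 kbps and 102400 kbps of FIG. 7. The actual-throughput calculation, the packet samples, and the duration-weighted score are constructed.

```python
"""Method 2: ratio of actual to theoretical throughput per TCP connection.
Added example, not the patent's code. Theoretical throughput is assumed to be
window size / round trip time (Expression (1) is not on the page); with
1 KB = 1000 bytes this reproduces FIG. 7's 51200 kbps and 102400 kbps."""

BYTES_PER_KB = 1000  # assumption: FIG. 7's 64 KB gives 51200 kbps only with 1 KB = 1000 bytes


def theoretical_throughput_kbps(window_kb, rtt_ms):
    """Window / RTT. Bits per millisecond equal kbit/s, so integer ms inputs keep this exact."""
    return window_kb * BYTES_PER_KB * 8 / rtt_ms


def actual_throughput_kbps(samples):
    """samples: list of (reception time in ms, packet size in bytes) for one connection.
    Bytes per unit time over the observed span, as the throughput analysis function does
    from the packet size analysis function's sizes."""
    if len(samples) < 2:
        return 0.0
    times = [t for t, _ in samples]
    duration_ms = max(times) - min(times)
    if duration_ms <= 0:
        return 0.0
    total_bits = 8 * sum(size for _, size in samples)
    return total_bits / duration_ms


def throughput_ratio(window_kb, rtt_ms, samples):
    """Ratio of actual to theoretical throughput (the quantity compared with the threshold)."""
    return actual_throughput_kbps(samples) / theoretical_throughput_kbps(window_kb, rtt_ms)


def abnormality_score(ratio, duration_ms, threshold=0.1):
    """Score calculation unit 24, duration-weighted variant (assumption): 0 above the
    threshold, otherwise one point per full second the low-throughput connection has
    persisted, with a minimum of 1."""
    if ratio > threshold:
        return 0
    return max(1, duration_ms // 1000)


# Constructed observations for two connections (not the rows of FIG. 7).
NORMAL = {"src": "10.0.1.1", "window_kb": 64, "rtt_ms": 10,
          "samples": [(i, 1460) for i in range(11)]}      # 11 full segments in 10 ms
SLOW = {"src": "10.0.1.2", "window_kb": 64, "rtt_ms": 5,
        "samples": [(i * 2000, 1) for i in range(6)]}     # one byte every 2 s for 10 s


def evaluate(conn, threshold=0.1):
    """Return (ratio rounded to two places, abnormality score) for one connection record."""
    ratio = throughput_ratio(conn["window_kb"], conn["rtt_ms"], conn["samples"])
    duration_ms = conn["samples"][-1][0] - conn["samples"][0][0]
    return round(ratio, 2), abnormality_score(ratio, duration_ms, threshold)
```

`evaluate(NORMAL)` yields a ratio of 0.25 and no score, while `evaluate(SLOW)` yields a ratio of 0.0 and a score of 10 for ten seconds of near-idle occupancy. Note that the ratio is only meaningful once a connection has carried traffic for a while; a brand-new connection has a near-zero actual throughput for innocent reasons, which is why the duration term matters.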
- Method 3: In method 3, the abnormal connection detection unit 23 detects a TCP connection as an abnormal connection when the TCP connection has been closed by the server but not by the client. Specifically, the TCP connection normal analysis function 236 determines that a TCP connection is in the Half Close state when the server has transmitted a TCP packet with the FIN flag set as a signal for terminating the connection, but no TCP packet with the FIN and ACK flags set has been received from the client for a certain period of time or longer, so that only the server side is trying to close the TCP connection. The score calculation unit 24 then assigns an abnormality score to the transmission source IP address of the TCP connection determined to be in the Half Close state.
- Method 4: In method 4, the abnormal connection detection unit 23 detects a TCP connection as an abnormal connection when the TCP window size of the TCP connection is smaller than a predetermined threshold, or when the ratio of the packet size of the TCP connection's packets to the TCP window size is equal to or smaller than a predetermined threshold. Specifically, when the TCP window size obtained by the TCP window size analysis function 235 is smaller than a predetermined size, or when the actual packet size obtained by the packet size analysis function 234 deviates from the TCP window size, the score calculation unit 24 gives an abnormality score to the source IP address of the TCP connection.
- Method 5: In method 5, the abnormal connection detection unit 23 detects a TCP connection as an abnormal connection when a packet that constitutes a protocol violation is transmitted or received on the TCP connection. Specifically, the protocol violation determination function 237 identifies and extracts TCP connections with a protocol violation, such as an incomplete HTTP GET header. The score calculation unit 24 then gives an abnormality score to the source IP address of each extracted TCP connection.
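Methods 3, 4 and 5 (and the corresponding flows of FIGS. 11 to 13, steps S401 to S602) applied per connection, as an added Python example that is not the patent's code. The packet model, the protected server address, the waiting periods, the window and segment-ratio thresholds, and the one-point-per-method scoring are all assumptions; the packet events are constructed so that one client trips all three checks, one trips only the segment-ratio check, and one trips none.

```python
"""Methods 3 to 5 (Half Close, small TCP window or tiny segments, protocol
violation such as an unfinished HTTP request header) evaluated per TCP
connection over constructed packet events. Added example; not the patent's code."""
from collections import Counter
from dataclasses import dataclass

SERVER = "10.0.0.1"          # assumption: the protected server's address is known
WAIT_MS = 30_000             # assumed "certain period of time" for methods 3 to 5
MIN_WINDOW_BYTES = 1024      # assumed TCP window threshold for method 4
MIN_SEGMENT_RATIO = 0.01     # assumed packet size / window threshold for method 4
HTTP_METHODS = (b"GET", b"POST", b"HEAD")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    t_ms: int                    # reception time (packet reception time analysis function 231)
    flags: frozenset = frozenset()
    window: int = 65535          # advertised TCP window in bytes (function 235)
    payload: bytes = b""         # packet size is taken as len(payload) (function 234)


def connection_key(p):
    """(client IP, client port) identifies the connection in either direction."""
    return (p.dst, p.dport) if p.src == SERVER else (p.src, p.sport)


def group(packets):
    """Packets per connection, in reception order."""
    conns = {}
    for p in sorted(packets, key=lambda p: p.t_ms):
        conns.setdefault(connection_key(p), []).append(p)
    return conns


def method3_half_close(pkts, now_ms, wait_ms=WAIT_MS):
    """Server sent FIN, client has not answered with FIN+ACK for wait_ms (steps S401 to S403)."""
    server_fin = [p.t_ms for p in pkts if p.src == SERVER and "FIN" in p.flags]
    client_fin_ack = any(p.src != SERVER and {"FIN", "ACK"} <= p.flags for p in pkts)
    return bool(server_fin) and not client_fin_ack and now_ms - min(server_fin) >= wait_ms


def method4_small_window(pkts, now_ms, min_age_ms=WAIT_MS):
    """Client window below the threshold, or the largest data segment tiny relative to
    it (steps S501 to S503). Only connections older than min_age_ms are judged, since
    a fresh request naturally consists of small segments."""
    client = [p for p in pkts if p.src != SERVER]
    if not client or now_ms - pkts[0].t_ms < min_age_ms:
        return False
    window = min(p.window for p in client)
    if window < MIN_WINDOW_BYTES:
        return True
    biggest = max(len(p.payload) for p in pkts)
    return biggest / window <= MIN_SEGMENT_RATIO


def method5_incomplete_http(pkts, now_ms, wait_ms=WAIT_MS):
    """An HTTP request whose header block has not been terminated by an empty line for
    wait_ms after the client's last data (steps S601 and S602)."""
    data = [p for p in pkts if p.src != SERVER and p.payload]
    if not data:
        return False
    request = b"".join(p.payload for p in data)
    if request.split(b" ", 1)[0] not in HTTP_METHODS:
        return False
    return b"\r\n\r\n" not in request and now_ms - data[-1].t_ms >= wait_ms


def abnormality_scores(packets, now_ms):
    """Score calculation unit 24: one point per method that fires, summed per client IP."""
    scores = Counter()
    for (client_ip, _), pkts in group(packets).items():
        hits = (method3_half_close(pkts, now_ms),
                method4_small_window(pkts, now_ms),
                method5_incomplete_http(pkts, now_ms))
        scores[client_ip] += sum(hits)
    return {ip: s for ip, s in scores.items() if s}


FIN_ACK = frozenset({"FIN", "ACK"})
NOW_MS = 60_000
# Constructed events for three clients of the same server.
EVENTS = [
    # 10.0.1.1: complete request, full-size response, orderly close on both sides
    Packet("10.0.1.1", SERVER, 51001, 80, 0, payload=b"GET / HTTP/1.1\r\nHost: 10.0.0.1\r\n\r\n"),
    Packet(SERVER, "10.0.1.1", 80, 51001, 5, payload=b"HTTP/1.1 200 OK\r\n" + b"x" * 1443),
    Packet(SERVER, "10.0.1.1", 80, 51001, 10, flags=FIN_ACK),
    Packet("10.0.1.1", SERVER, 51001, 80, 12, flags=FIN_ACK),
    # 10.0.1.2: header never finished, 512-byte window, server's FIN never answered
    Packet("10.0.1.2", SERVER, 52002, 80, 0, window=512,
           payload=b"GET / HTTP/1.1\r\nHost: 10.0.0.1\r\n"),
    Packet(SERVER, "10.0.1.2", 80, 52002, 1000, flags=FIN_ACK),
    # 10.0.1.3: complete request and a normal window, but only 1-byte segments ever follow
    Packet("10.0.1.3", SERVER, 53003, 80, 0, payload=b"GET / HTTP/1.1\r\nHost: 10.0.0.1\r\n\r\n"),
    Packet("10.0.1.3", SERVER, 53003, 80, 20_000, payload=b"x"),
    Packet("10.0.1.3", SERVER, 53003, 80, 40_000, payload=b"x"),
]
```

`abnormality_scores(EVENTS, NOW_MS)` returns `{"10.0.1.2": 3, "10.0.1.3": 1}`; the orderly client scores nothing. The age gate in `method4_small_window` is the practitioner's caveat here: judged at face value, every connection that has only just sent its request line has a tiny segment-to-window ratio, so the ratio test is only applied once the connection has lived long enough to be an occupancy concern.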
- the packet control unit 30 performs control to prevent an attack by the client corresponding to the source IP address of a TCP connection to which an abnormality score has been given by the above methods, or of a TCP connection whose abnormality score is equal to or higher than a predetermined value.
- the packet control unit 30 controls transmission / reception of packets between the server and the client that has established the abnormal connection detected by the abnormal connection detection unit 23. Specifically, the packet control unit 30 transmits a packet for resetting the TCP connection to the client of the abnormal connection. In addition, the packet control unit 30 sets a filter that discards packets of abnormal connections. Also, the abnormal connection packet is redirected to a server prepared in advance.
- the packet control unit 30 has a reset packet transmission function 31, a filter function 32, and a redirect function 33.
- the packet control unit 30 performs control by any one of the functions or a combination of a plurality of functions.
- the reset packet transmission function 31 responds to the IP address of the client to be controlled as a proxy instead of the server, transmits a TCP flag packet in which RST is set, and resets the TCP connection.
- the filter function 32 records the IP address of the client to be controlled by the IP address recording function 321, and sets a filter for discarding packets having the recorded IP address as the transmission source in the interface 10. For example, when the number of packets per unit time becomes equal to or smaller than a certain value for a certain time, the canceling function 322 cancels the filter.
- the redirect function 33 records the IP address of the client to be controlled by the IP address recording function 331, and automatically redirects a packet having the recorded IP address as a transmission source to a server at another site prepared in advance.
- the cancellation function 332 may likewise exclude packets from the recorded IP address from the control target.
- the reset packet transmission function 31 may stop transmitting reset packets, the cancellation function 322 may cancel the filter, and the cancellation function 332 may cancel the redirect. Further, the packet information analysis unit 20 may store a sequence number for each TCP connection so that, when the control by the packet control unit 30 is released, transmission and reception of packets on that connection can continue.
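The filter function 32 with its IP address recording function 321 and cancelling function 322, as an added Python example that is not the patent's code: packets from a recorded source are discarded, and the filter is lifted once the source's packet rate has stayed at or below a limit for a set time. The rate limit, the quiet period, the one-second measurement window and the timeline in `demo` are constructed assumptions; reset and redirect control are not modelled.

```python
"""Filter function 32 (IP address recording function 321 + cancelling function 322):
drop packets from a recorded source IP until its rate has stayed at or below a limit
for a set time. Added example with assumed parameters; not the patent's code."""
from collections import deque


class SourceFilter:
    def __init__(self, max_rate_per_s=1, quiet_ms=10_000):
        self.max_rate = max_rate_per_s    # "certain value" for packets per unit time
        self.quiet_ms = quiet_ms          # "certain time" the rate must stay low
        self.recent = {}                  # ip -> times (ms) of packets in the last second
        self.quiet_since = {}             # ip -> start of the current low-rate period

    def block(self, ip, now_ms):
        """IP address recording function 321: start discarding packets from ip."""
        self.recent[ip] = deque()
        self.quiet_since[ip] = now_ms

    def blocked(self):
        return sorted(self.recent)

    def rate(self, ip, now_ms):
        """Packets per second from ip, measured over the last 1000 ms."""
        q = self.recent[ip]
        while q and now_ms - q[0] >= 1000:
            q.popleft()
        return len(q)

    def _low_rate_long_enough(self, ip, now_ms):
        if self.rate(ip, now_ms) > self.max_rate:
            self.quiet_since[ip] = None       # rate too high: the quiet period restarts
            return False
        if self.quiet_since[ip] is None:
            self.quiet_since[ip] = now_ms
        return now_ms - self.quiet_since[ip] >= self.quiet_ms

    def _cancel(self, ip):
        """Cancelling function 322: remove the filter for ip."""
        del self.recent[ip]
        del self.quiet_since[ip]

    def handle(self, ip, now_ms):
        """Decide 'pass' or 'drop' for one packet from ip received at now_ms."""
        if ip not in self.recent:
            return "pass"
        self.recent[ip].append(now_ms)
        if self._low_rate_long_enough(ip, now_ms):
            self._cancel(ip)   # this packet is still dropped; later ones pass
        return "drop"

    def expire(self, now_ms):
        """Periodic check so that a source which went completely silent is also released."""
        for ip in list(self.recent):
            if self._low_rate_long_enough(ip, now_ms):
                self._cancel(ip)
        return self.blocked()


def demo():
    """Constructed timeline: a burst from a recorded source, then it goes quiet."""
    f = SourceFilter(max_rate_per_s=1, quiet_ms=10_000)
    f.block("10.0.1.2", 0)
    decisions = [f.handle("10.0.1.2", t) for t in (100, 200, 300, 5_000, 12_000)]
    decisions.append(f.handle("10.0.1.1", 300))    # never recorded: passes
    still_blocked = f.expire(16_000)                # low rate since 5 s, 11 s of quiet
    decisions.append(f.handle("10.0.1.2", 16_500))  # filter cancelled: passes
    return decisions, still_blocked
```

`demo()` returns five drops, a pass for the unrecorded client, and finally a pass for the released source, with an empty blocked list after `expire`. The burst at 100 to 300 ms resets the quiet period, so the 10 s countdown only starts from the packet at 5 s; without the periodic `expire` call a source that simply stopped sending would never be released, because release is otherwise evaluated only when one of its packets arrives.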
- FIG. 8 is a flowchart illustrating an example of processing of the connection control device according to the first embodiment.
- the interface 10 receives a packet (step S101).
- the connection number calculation unit 21 of the packet information analysis unit 20 extracts packet header information (step S102).
- the connection number calculation unit 21 calculates the number of unique connections for each server, for example, by counting the number of connections for each destination IP address (step S103).
- the determination unit 22 determines, for each server, whether or not the number of unique connections for each server calculated by the connection number calculation unit 21 is equal to or greater than a threshold value (step S104). If the number of connections is not greater than or equal to the threshold (No in step S104), the connection control device 1 does not perform the subsequent processing and ends the processing. On the other hand, when the number of connections is greater than or equal to the threshold (step S104, Yes), the abnormal connection detection unit 23 of the packet information analysis unit 20 detects an abnormal connection (step S105). Then, the packet control unit 30 controls the packet with respect to the detected abnormal connection transmission source (step S106).
- step S105 in which the abnormal connection detection unit 23 of the packet information analysis unit 20 detects an abnormal connection is the same as the above-described methods 1 to 5.
- FIGS. 9 to 13 are flowcharts illustrating examples of detection processing of the connection control device according to the first embodiment.
- Method 1: In method 1, first, as shown in FIG. 9, the source IP address totaling function 232 counts the number of connections for each source IP address and sorts the source IP addresses by number of connections (step S201). At this time, the abnormal connection detection unit 23 may restrict itself to packets whose reception time, acquired by the packet reception time analysis function 231, is earlier than a predetermined time. The score calculation unit 24 then gives an abnormality score (step S203) to each source IP address whose sorted rank is higher than a predetermined rank (Yes in step S202), for example. If the sorted rank is not higher than the predetermined rank (No in step S202), the score calculation unit 24 does not give an abnormality score.
- Method 2: In method 2, first, as shown in FIG. 10, the throughput analysis function 233 calculates the round trip time from the reception times acquired by the packet reception time analysis function 231 (step S301). Next, the TCP window size analysis function 235 acquires the TCP window size (step S302). Then, the throughput analysis function 233 calculates the theoretical throughput from the round trip time and the TCP window size (step S303). Further, the throughput analysis function 233 calculates the actual throughput from the packet sizes acquired by the packet size analysis function 234 (step S304).
- then, when the ratio of the actual throughput to the theoretical throughput is equal to or less than a predetermined threshold (Yes in step S305), the score calculation unit 24 assigns an abnormality score to the transmission source IP address (step S306). When the ratio is not equal to or less than the predetermined threshold (No in step S305), the score calculation unit 24 does not assign an abnormality score.
- Method 3: In method 3, first, as shown in FIG. 11, the TCP connection normal analysis function 236 determines whether or not a TCP packet with the FIN flag set has been transmitted from the server (step S401). If it has (Yes in step S401) and no packet has been received in reply for a certain period of time (Yes in step S402), the score calculation unit 24 gives an abnormality score to that transmission source IP address (step S403). When no TCP packet with the FIN flag set has been transmitted from the server (No in step S401), or when a packet has already been received or the certain period of time has not yet elapsed (No in step S402), the score calculation unit 24 does not give an abnormality score.
- Method 4: In method 4, first, the TCP window size analysis function 235 acquires the TCP window size (step S501). When the acquired TCP window size is equal to or smaller than the threshold (Yes in step S502), for example, the score calculation unit 24 gives an abnormality score to the transmission source IP address (step S503). If the acquired TCP window size is not equal to or smaller than the threshold (No in step S502), the score calculation unit 24 does not give an abnormality score.
- Method 5: In method 5, first, the protocol violation determination function 237 determines whether or not there is a protocol violation (step S601). If it determines that there is a protocol violation (Yes in step S601), the score calculation unit 24 gives an abnormality score to the transmission source IP address (step S602). If it determines that there is no protocol violation (No in step S601), the score calculation unit 24 does not assign an abnormality score.
- the connection control device 1 calculates, by means of the connection number calculation unit 21, the number of TCP connections established between the server and clients for each server. The connection control device 1 then determines, by means of the determination unit 22, whether or not the number of TCP connections for each server is equal to or greater than a predetermined threshold value. Furthermore, the connection control device 1 detects, by means of the abnormal connection detection unit 23, an abnormal connection that performs a denial-of-service attack on a server that the determination unit 22 has determined to have a number of TCP connections equal to or greater than the predetermined threshold. After that, the packet control unit 30 controls packet transmission and reception between the server and the client of the abnormal connection.
- while the number of TCP connections to a server is below the threshold, a connection occupation attack is not established, so there is no need to detect abnormal connections and control packets, and performing abnormal connection detection and packet control in that situation can affect normal traffic.
- since the connection control apparatus 1 detects abnormal connections and controls packets only when necessary, by means of the connection number calculation unit 21 and the determination unit 22, it can prevent connection occupation attacks without affecting normal traffic.
- the connection number calculation unit 21 counts the number of TCP connections for each destination IP address included in the header information of the TCP connection packets. Thereby, the connection number calculation unit 21 can obtain the necessary information even when information such as the number of connections cannot be obtained directly from the server.
- the abnormal connection detection unit 23 detects the TCP connection as an abnormal connection when the number of TCP connections aggregated for each source IP address included in the header information of the packet of the TCP connection is equal to or greater than a predetermined threshold. . Thus, it is possible to detect a client that has established many TCP connections in order to occupy the allowable number of TCP connections.
- the abnormal connection detection unit 23 determines that the ratio of the actual throughput calculated from the packet size of the packet transmitted / received in the TCP connection to the theoretical throughput calculated from the TCP window size and the round trip time of the TCP connection is predetermined.
- This makes it possible to detect a connection that has been communicating over a long period at an abnormally low throughput.
- The abnormal connection detection unit 23 detects a TCP connection as an abnormal connection when the connection has been closed by the server but not by the client. This prevents a connection in the Half Close state, which is no longer in use, from occupying one of the allowable TCP connections.
- The abnormal connection detection unit 23 detects a TCP connection as an abnormal connection when its TCP window size is smaller than a predetermined threshold, or when the ratio of the packet size of the connection's packets to the TCP window size is equal to or less than a predetermined threshold. This makes it possible to detect and prevent an attack that occupies a connection by deliberately stretching packet transmission and reception over a long period.
- The abnormal connection detection unit 23 detects a TCP connection as an abnormal connection when packets that violate the protocol are sent or received on the connection. This makes it possible to detect and prevent an attack that, by continuously sending incomplete HTTP headers to the server, keeps the server waiting, consumes its processes, and makes further connections impossible.
- the packet control unit 30 controls packet transmission / reception by transmitting a packet for resetting the TCP connection to a client having an abnormal connection. As a result, it is possible to reset the connection with the attacking client without affecting the client performing normal communication.
- the packet control unit 30 controls transmission / reception of packets by setting a filter that discards packets of abnormal connections. Thereby, it is possible to block communication with an attacking client without affecting a client performing normal communication.
- The packet control unit 30 controls packet transmission and reception by redirecting the packets of an abnormal connection to a server prepared in advance. That separate server continues the communication and examines further whether the connection is really abnormal; if it determines that the connection is not abnormal, the connection can be handled as a normal one.
- In the embodiment described above, a control unit is included, and when the detection unit detects an abnormal connection, packet control is performed by the control unit. However, the present invention is not limited to this: the control unit may be omitted, and the result detected by the detection unit may instead be used to generate a blacklist.
- The abnormal connection detection unit 23 may also detect abnormal connections using a combination of several of Methods 1 to 5 described above. For example, it can combine Method 2 and Method 4.
- In that case, the abnormal connection detection unit 23 first performs the Method 4 checks: it determines whether the TCP window size of the TCP connection is smaller than a predetermined threshold, and whether the ratio of the packet size of the connection's packets to the TCP window size is equal to or less than a predetermined threshold.
- Only for a connection that Method 4 flags (window size below its threshold, or packet-size-to-window ratio at or below its threshold) does it then perform the Method 2 processing: it calculates the ratio of the connection's actual throughput to its theoretical throughput and detects the connection as abnormal when that ratio is equal to or less than a predetermined value.
- Because the throughput calculation runs only for connections that have already failed the cheaper window-size check, the amount of computation in the abnormal connection detection unit 23 is reduced.
- At the same time, requiring both conditions reduces the probability of false detection, in which a normal TCP connection is detected as abnormal, and so improves detection accuracy.
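The combined Method 4 then Method 2 check described above, as an added Python example written for this page (it is not code from the patent or its applicant). It assumes the per-connection statistics have already been gathered by the analysis functions, and, because equation (1) is not reproduced on this page, it assumes the usual bound of one receive window per round-trip time as the theoretical throughput. The thresholds and the sample connections (RFC 5737 documentation addresses) are constructed and illustrative.

```python
"""Combined Method 4 -> Method 2 detection over per-connection statistics.

Added example for this page, not the patent's own code. Equation (1) is not
reproduced on the page, so theoretical throughput is assumed to be the usual
bound of one receive window per round-trip time (window / RTT).
"""
from dataclasses import dataclass


@dataclass
class ConnStats:
    """What analysis functions 231-235 would have gathered for one connection."""
    src: str              # client (source) IP address
    window_bytes: int     # TCP receive window advertised by the client, after scaling
    rtt_s: float          # round-trip time estimated from packet receive times
    bytes_sent: int       # payload bytes carried on the connection so far
    duration_s: float     # wall-clock time over which bytes_sent was observed
    avg_pkt_bytes: float  # mean payload size of the client's packets


def theoretical_throughput(window_bytes: int, rtt_s: float) -> float:
    """Assumed form of equation (1): one full window per RTT, in bytes per second."""
    return window_bytes / rtt_s


def actual_throughput(bytes_sent: int, duration_s: float) -> float:
    return bytes_sent / duration_s


def method4_suspicious(c: ConnStats, min_window: int = 1024,
                       min_pkt_ratio: float = 0.005) -> bool:
    """Method 4: tiny receive window, or packets far smaller than the window allows.

    A normal bulk transfer with a 1460-byte MSS and a 64 KiB window has a
    packet/window ratio of about 0.02, so the ratio threshold sits well below that.
    """
    return (c.window_bytes < min_window
            or c.avg_pkt_bytes / c.window_bytes <= min_pkt_ratio)


def method2_ratio(c: ConnStats) -> float:
    """Method 2: fraction of the throughput the window and RTT allow that is used."""
    return actual_throughput(c.bytes_sent, c.duration_s) / theoretical_throughput(
        c.window_bytes, c.rtt_s)


def is_abnormal(c: ConnStats, ratio_threshold: float = 0.01) -> bool:
    """Method 4 first (cheap header fields); Method 2 only for connections it flags."""
    if not method4_suspicious(c):
        return False
    return method2_ratio(c) <= ratio_threshold


def abnormal_sources(conns) -> set:
    """Source IP addresses that would receive an abnormal score."""
    return {c.src for c in conns if is_abnormal(c)}


# Constructed sample (illustrative values, RFC 5737 documentation addresses).
SAMPLE = [
    # normal download: large window, full-size packets, window mostly used
    ConnStats("203.0.113.10", 65535, 0.05, 20_000_000, 20.0, 1400.0),
    # slow-header attacker: large window but a few bytes every few seconds
    ConnStats("198.51.100.7", 65535, 0.05, 320, 300.0, 16.0),
    # small-window attacker: 64-byte window, server drained at a trickle
    ConnStats("198.51.100.9", 64, 0.05, 500, 100.0, 4.0),
    # constrained but honest client: small window that it actually keeps full
    ConnStats("203.0.113.22", 900, 0.05, 18_000, 1.0, 900.0),
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(c.src, "method4", method4_suspicious(c),
              "ratio %.2e" % method2_ratio(c), "abnormal", is_abnormal(c))
```

The fourth sample connection is the case the page's accuracy claim rests on: Method 4 alone would flag its 900-byte window, but the client drains that window every round trip, so the Method 2 ratio is about 1.0 and the connection is left alone.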
- The control method that the packet control unit 30 uses to prevent an attack is not limited to filter setting and redirection; any method can be used.
- For example, the packet control unit 30 may issue a response request to the client of an abnormal connection by sending it an irregular packet, such as a SYN/ACK packet containing a cookie, a SYN/ACK packet containing an invalid ACK sequence number, an ACK packet, or an RST packet.
- The packet control unit 30 may also issue a response request to the client of an abnormal connection by means of an HTTP Cookie or JavaScript (registered trademark).
- The packet control unit 30 may also issue a response request to the client of an abnormal connection that requires moving the mouse or solving a CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart).
- From the response it is determined, for example, whether the client is a person or a device. If the client is determined to be normal, the release function 332 may remove the client from the control targets.
- each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated.
- The specific form of distribution or integration of each device is not limited to that shown in the figures; all or part of them may be functionally or physically distributed or integrated in arbitrary units according to various loads and usage conditions.
- All or any part of the processing functions performed in each device may be realized by a CPU (Central Processing Unit) and a program analyzed and executed by that CPU, or as hardware using wired logic.
- FIG. 14 is a diagram illustrating an example of a computer in which the connection control device 1 is realized by executing a program.
- the computer 1000 includes a memory 1010 and a CPU 1020, for example.
- the computer 1000 also includes a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.
- the memory 1010 includes a ROM (Read Only Memory) 1011 and a RAM (Random Access Memory) 1012.
- The ROM 1011 stores a boot program such as a BIOS (Basic Input Output System).
- the hard disk drive interface 1030 is connected to the hard disk drive 1090.
- the disk drive interface 1040 is connected to the disk drive 1100.
- a removable storage medium such as a magnetic disk or an optical disk is inserted into the disk drive 1100.
- the serial port interface 1050 is connected to a mouse 1110 and a keyboard 1120, for example.
- the video adapter 1060 is connected to the display 1130, for example.
- The hard disk drive 1090 stores, for example, an OS 1091, an application program 1092, a program module 1093, and program data 1094. That is, the program that defines each process of the connection control device 1 is implemented as a program module 1093 in which computer-executable code is written.
- The program module 1093 is stored, for example, in the hard disk drive 1090.
- A program module 1093 for executing processing equivalent to the functional configuration of the connection control device 1 is stored in the hard disk drive 1090.
- the hard disk drive 1090 may be replaced by an SSD (Solid State Drive).
- the setting data used in the processing of the above-described embodiment is stored as program data 1094 in, for example, the memory 1010 or the hard disk drive 1090. Then, the CPU 1020 reads the program module 1093 and the program data 1094 stored in the memory 1010 and the hard disk drive 1090 to the RAM 1012 and executes them as necessary.
- the program module 1093 and the program data 1094 are not limited to being stored in the hard disk drive 1090, but may be stored in, for example, a removable storage medium and read by the CPU 1020 via the disk drive 1100 or the like. Alternatively, the program module 1093 and the program data 1094 may be stored in another computer connected via a network (LAN (Local Area Network), WAN (Wide Area Network), etc.). The program module 1093 and the program data 1094 may be read by the CPU 1020 from another computer via the network interface 1070.
Description
In the following embodiment, the configuration and processing of a first embodiment are described, followed by the effects of the first embodiment.
First, the configuration of a network including the connection control device according to the first embodiment is described with reference to FIG. 1. FIG. 1 is a diagram showing an example of the configuration of a network including the connection control device according to the first embodiment.
In Method 1, the abnormal connection detection unit 23 detects a TCP connection as an abnormal connection when the number of TCP connections, aggregated for each source IP address contained in the header information of the connection's packets, is equal to or greater than a predetermined threshold. First, the packet reception time analysis function 231 obtains the time at which each packet was received at the interface 10. Next, the per-source-IP-address aggregation function 232 aggregates the connection count for each source IP address that sent a packet whose reception time, as obtained by the packet reception time analysis function 231, lies a fixed time or more in the past, and sorts the source IP addresses by connection count.
In Method 2, the abnormal connection detection unit 23 detects a TCP connection as an abnormal connection when the ratio of the actual throughput, calculated from the packet sizes of the packets sent and received on the connection, to the theoretical throughput, calculated from the connection's TCP window size and round-trip time, is equal to or less than a predetermined threshold. First, the packet reception time analysis function 231 obtains the time at which each packet was received at the interface 10. The TCP window size analysis function 235 then obtains the packet's TCP window size. The throughput analysis function 233 derives the round-trip time from the packet reception times and calculates the theoretical throughput using equation (1).
In Method 3, the abnormal connection detection unit 23 detects a TCP connection as an abnormal connection when the connection has been closed by the server but not by the client. Specifically, the TCP connection normality analysis function 236 determines that a TCP connection is in the Half Close state when the server has sent a packet with the FIN flag set as the signal to end the connection, but no packet with the FIN and ACK flags set has been received from the client for a fixed time or longer, so that only the server side is trying to close the connection. The score calculation unit 24 then assigns an abnormal score to the source IP address of the TCP connection judged to be in the Half Close state.
In Method 4, the abnormal connection detection unit 23 detects a TCP connection as an abnormal connection when the connection's TCP window size is smaller than a predetermined threshold, or when the ratio of the packet size of the connection's packets to the TCP window size is equal to or less than a predetermined threshold. Specifically, when the TCP window size obtained by the TCP window size analysis function 235 is smaller than a predetermined size, or when the actual packet size obtained by the packet size analysis function 234 diverges from the TCP window size, the score calculation unit 24 assigns an abnormal score to the source IP address of the TCP connection.
In Method 5, the abnormal connection detection unit 23 detects a TCP connection as an abnormal connection when packets that violate the protocol are sent or received on the connection. Specifically, the protocol violation determination function 237 identifies and extracts TCP connections that violate the protocol, such as those carrying an incomplete HTTP GET header. The score calculation unit 24 then assigns an abnormal score to the source IP address of each extracted TCP connection.
Next, the processing of the connection control device 1 is described with reference to FIG. 8 and the following figures. FIG. 8 is a flowchart showing an example of the processing of the connection control device according to the first embodiment. As shown in FIG. 8, the interface 10 first receives a packet (step S101). Next, the connection number calculation unit 21 of the packet information analysis unit 20 extracts the packet's header information (step S102). The connection number calculation unit 21 then calculates the number of unique connections per server, for example by aggregating the connection count for each destination IP address (step S103).
In Method 1, as shown in FIG. 9, the per-source-IP-address aggregation function 232 first aggregates the connection count for each source IP address and sorts the source IP addresses by connection count (step S201). At this point, the abnormal connection detection unit 23 may restrict the analysis to packets whose reception time, as obtained by the packet reception time analysis function 231, is earlier than a predetermined time. The score calculation unit 24 then assigns an abnormal score (step S203) to, for example, each source IP address whose sorted rank is above a predetermined rank (step S202, Yes). If the sorted rank is not above the predetermined rank (step S202, No), the score calculation unit 24 assigns no abnormal score.
In Method 2, as shown in FIG. 10, the throughput analysis function 233 first calculates the round-trip time from the reception times obtained by the packet reception time analysis function 231 (step S301). Next, the TCP window size analysis function 235 obtains the TCP window size (step S302). The throughput analysis function 233 then calculates the theoretical throughput from the round-trip time and the TCP window size (step S303), and calculates the actual throughput from the packet sizes obtained by the packet size analysis function 234 (step S304). If, for example, the ratio of the actual throughput to the theoretical throughput is equal to or less than a predetermined threshold (step S305, Yes), the score calculation unit 24 assigns an abnormal score to the source IP address (step S306). If the ratio is not equal to or less than the threshold (step S305, No), the score calculation unit 24 assigns no abnormal score.
In Method 3, as shown in FIG. 11, the TCP connection normality analysis function 236 first determines whether a packet with the FIN flag set has already been sent from the server (step S401). For a source IP address to which such a packet has been sent (step S401, Yes) and from which no packet has been received for a fixed time (step S402, Yes), the score calculation unit 24 assigns an abnormal score (step S403). If no packet with the FIN flag set has been sent from the server (step S401, No), or if a packet has already been received or the fixed time has not yet elapsed (step S402, No), the score calculation unit 24 assigns no abnormal score.
In Method 4, as shown in FIG. 12, the TCP window size analysis function 235 first obtains the TCP window size (step S501). If, for example, the obtained TCP window size is equal to or less than the threshold (step S502, Yes), the score calculation unit 24 assigns an abnormal score to the source IP address (step S503). If the obtained TCP window size is not equal to or less than the threshold (step S502, No), the score calculation unit 24 assigns no abnormal score.
In Method 5, the protocol violation determination function 237 first determines whether a protocol violation is present (step S601). If it determines that there is a protocol violation (step S601, Yes), the score calculation unit 24 assigns an abnormal score to the source IP address (step S602). If it determines that there is no protocol violation (step S601, No), the score calculation unit 24 assigns no abnormal score.
The connection control device 1 uses the connection number calculation unit 21 to calculate, for each server, the number of TCP connections established between that server and its clients. The determination unit 22 then determines whether the number of TCP connections for each server is equal to or greater than a predetermined threshold. For a server that the determination unit 22 finds to have a number of TCP connections at or above the threshold, the abnormal connection detection unit 23 detects the abnormal connections that mount a denial-of-service attack on that server. The packet control unit 30 then controls packet transmission and reception between the server and the client of each abnormal connection.
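The overall flow just described (count connections per server, gate detection on the determination unit's threshold, then score source addresses with Methods 1, 3 and 5), as an added Python example written for this page rather than taken from the patent. It tracks connection state from packet headers alone, so it needs no cooperation from the server; the server port, the timeouts, the rank cut-off, the one-point-per-flagged-connection scoring and the packet trace are all constructed, illustrative assumptions, since the page does not fix those values or say how scores are weighted.

```python
"""Per-server gating plus Methods 1, 3 and 5 over a constructed packet trace.
Added example for this page, not the patent's code. Ports, timeouts, rank cut-off,
one-point-per-flagged-connection scoring and the trace are illustrative assumptions."""
from collections import defaultdict, namedtuple
from dataclasses import dataclass
from typing import Optional

# One packet as seen at interface 10: flags is any subset of "S", "A", "F", "R".
Pkt = namedtuple("Pkt", "t src sport dst dport flags payload", defaults=(b"",))

@dataclass
class Conn:
    client: str
    server: str
    opened_at: float
    server_fin_at: Optional[float] = None   # server sent FIN (Method 3)
    client_fin_at: Optional[float] = None   # client answered with its own FIN
    request: bytes = b""                    # client->server bytes (Method 5)

class ConnectionControl:
    def __init__(self, server_ports=(80,), server_threshold=5, top_n=1,
                 min_age=10.0, half_close_timeout=30.0, header_timeout=30.0):
        self.ports, self.threshold, self.top_n = set(server_ports), server_threshold, top_n
        self.min_age, self.half_close_timeout = min_age, half_close_timeout
        self.header_timeout, self.conns = header_timeout, {}   # key: (client, cport, server, sport)

    def feed(self, p):
        """Track state from packet headers alone (no cooperation from the server)."""
        if p.dport in self.ports:          # client -> server
            key, from_client = (p.src, p.sport, p.dst, p.dport), True
        elif p.sport in self.ports:        # server -> client
            key, from_client = (p.dst, p.dport, p.src, p.sport), False
        else:
            return
        c = self.conns.get(key)
        if c is None:
            if from_client and "S" in p.flags and "A" not in p.flags:
                self.conns[key] = Conn(key[0], key[2], p.t)
        elif "R" in p.flags:
            del self.conns[key]
        else:
            if from_client:
                c.request += p.payload
                if "F" in p.flags:
                    c.client_fin_at = p.t
            elif "F" in p.flags:
                c.server_fin_at = p.t
            if c.server_fin_at is not None and c.client_fin_at is not None:
                del self.conns[key]        # closed on both sides: frees the slot

    def connections_per_server(self):
        counts = defaultdict(int)
        for c in self.conns.values():
            counts[c.server] += 1
        return dict(counts)

    def evaluate(self, now):
        """Abnormal score per source IP, computed only for servers at or over the threshold."""
        scores = defaultdict(int)
        for server, n in self.connections_per_server().items():
            if n < self.threshold:
                continue                   # no occupancy attack yet: leave traffic alone
            conns = [c for c in self.conns.values() if c.server == server]
            per_src = defaultdict(int)
            for c in conns:
                if now - c.opened_at >= self.min_age:
                    per_src[c.client] += 1
            ranked = sorted(per_src.items(), key=lambda kv: kv[1], reverse=True)
            for src, _ in ranked[:self.top_n]:
                scores[src] += 1           # Method 1: holds the most long-lived connections
            for c in conns:
                if (c.server_fin_at is not None and c.client_fin_at is None
                        and now - c.server_fin_at >= self.half_close_timeout):
                    scores[c.client] += 1  # Method 3: half-closed by the server only
                if (c.request and b"\r\n\r\n" not in c.request
                        and now - c.opened_at >= self.header_timeout):
                    scores[c.client] += 1  # Method 5: HTTP header never completed
        return dict(scores)

def build_trace():
    """Constructed trace: slow-header attacker (5 conns), one normal client, one half-closed."""
    S, A, get = "192.0.2.10", "198.51.100.7", b"GET / HTTP/1.1\r\nHost: x\r\n"
    pkts = []
    for i in range(5):                     # attacker never sends the blank line ending the header
        pkts += [Pkt(i, A, 40000 + i, S, 80, "S"), Pkt(i + 0.1, A, 40000 + i, S, 80, "A", get),
                 Pkt(i + 20.0, A, 40000 + i, S, 80, "A", b"X-a: b\r\n")]
    for t, c, port, answers in ((1.0, "203.0.113.10", 50000, True), (2.0, "203.0.113.55", 50100, False)):
        pkts += [Pkt(t, c, port, S, 80, "S"), Pkt(t + 0.1, c, port, S, 80, "A", get + b"\r\n"),
                 Pkt(t + 0.3, S, 80, c, port, "FA")]          # server closes its side
        if answers:                                           # normal client answers with FIN
            pkts.append(Pkt(t + 0.4, c, port, S, 80, "FA"))
    return sorted(pkts, key=lambda p: p.t)

def run(now=60.0, server_threshold=5):
    cc = ConnectionControl(server_threshold=server_threshold)
    for p in build_trace():
        cc.feed(p)
    return cc.connections_per_server(), cc.evaluate(now)
```

With the default threshold the server holds six open connections, so detection runs: the attacker scores once under Method 1 and once per connection under Method 5, the silent client scores once under Method 3, and the normal client, whose connection closed on both sides, no longer occupies a slot at all. Raising `server_threshold` above six reproduces the gating the page describes: nothing is scored, and normal traffic is never touched.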
The abnormal connection detection unit 23 may also detect abnormal connections using a combination of several of Methods 1 to 5 above. For example, the abnormal connection detection unit 23 can adopt a method that combines Method 2 and Method 4.
Each component of each illustrated device is functionally conceptual and need not be physically configured as illustrated. That is, the specific form of distribution or integration of each device is not limited to that shown in the figures; all or part of them may be functionally or physically distributed or integrated in arbitrary units according to various loads and usage conditions. Furthermore, all or any part of the processing functions performed in each device may be realized by a CPU (Central Processing Unit) and a program analyzed and executed by that CPU, or as hardware using wired logic.
FIG. 14 is a diagram showing an example of a computer that realizes the connection control device 1 by executing a program. The computer 1000 has, for example, a memory 1010 and a CPU 1020. The computer 1000 also has a hard disk drive interface 1030, a disk drive interface 1040, a serial port interface 1050, a video adapter 1060, and a network interface 1070. These units are connected by a bus 1080.
2, 3 Server
4 Switch
5, 6 Client
10 Interface
20 Packet information analysis unit
21 Connection number calculation unit
22 Determination unit
23 Abnormal connection detection unit
24 Score calculation unit
30 Packet control unit
31 Reset packet transmission function
32 Filter function
33 Redirect function
211 TCP header analysis function
212 Per-server connection number calculation function
231 Packet reception time analysis function
232 Per-source-IP-address aggregation function
233 Throughput analysis function
234 Packet size analysis function
235 TCP window size analysis function
236 TCP connection normality analysis function
237 Protocol violation determination function
321, 331 IP address recording function
322, 332 Release function
Claims (13)
1. A connection control device comprising: a connection number calculation unit that calculates, for each server, the number of TCP connections established between a server and clients on a network; a determination unit that determines whether the number of TCP connections for each server is equal to or greater than a predetermined threshold; and an abnormal connection detection unit that detects an abnormal connection that mounts a denial-of-service attack on a server for which the determination unit has determined that the number of TCP connections is equal to or greater than the threshold.
2. The connection control device according to claim 1, wherein the connection number calculation unit aggregates the number of TCP connections for each destination IP address contained in the header information of the packets of the TCP connections.
3. The connection control device according to claim 1, wherein the abnormal connection detection unit detects a TCP connection as the abnormal connection when the number of TCP connections aggregated for each source IP address contained in the header information of the packets of the TCP connections is equal to or greater than a predetermined threshold.
4. The connection control device according to claim 1, wherein the abnormal connection detection unit detects a TCP connection as the abnormal connection when the ratio of the actual throughput, calculated from the packet sizes of the packets sent and received on the TCP connection, to the theoretical throughput, calculated from the TCP window size and the round-trip time of the TCP connection, is equal to or less than a predetermined threshold.
5. The connection control device according to claim 1, wherein the abnormal connection detection unit detects a TCP connection as an abnormal connection when the TCP connection has been closed by the server and has not been closed by the client.
6. The connection control device according to claim 1, wherein the abnormal connection detection unit detects a TCP connection as an abnormal connection when the TCP window size of the TCP connection is smaller than a predetermined threshold, or when the ratio of the packet size of the packets of the TCP connection to the TCP window size is equal to or less than a predetermined threshold.
7. The connection control device according to claim 1, wherein the abnormal connection detection unit detects a TCP connection as an abnormal connection when packets that violate the protocol are sent or received on the TCP connection.
8. The connection control device according to claim 1, further comprising a packet control unit that controls the transmission and reception of packets between the server and a client that has established an abnormal connection detected by the abnormal connection detection unit.
9. The connection control device according to claim 8, wherein the packet control unit controls the transmission and reception of packets by sending a packet that resets the TCP connection to the client of the abnormal connection.
10. The connection control device according to claim 8, wherein the packet control unit controls the transmission and reception of packets by setting a filter that discards the packets of the abnormal connection.
11. The connection control device according to claim 8, wherein the packet control unit controls the transmission and reception of packets by redirecting the packets of the abnormal connection to a server prepared in advance.
12. A connection control method executed by a connection control device, comprising: a connection number calculation step of calculating, for each server, the number of TCP connections established between a server and clients on a network; a determination step of determining whether the number of TCP connections for each server is equal to or greater than a predetermined threshold; and an abnormal connection detection step of detecting an abnormal connection that mounts a denial-of-service attack on a server for which the determination step has determined that the number of TCP connections is equal to or greater than the threshold.
13. A connection control program for causing a computer to function as the connection control device according to any one of claims 1 to 11.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2017515523A JP6291135B2 (ja) | 2015-04-28 | 2016-04-21 | Connection control device, connection control method and connection control program |
US15/568,906 US10728281B2 (en) | 2015-04-28 | 2016-04-21 | Connection control apparatus, connection control method, and connection control program |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2015091695 | 2015-04-28 | ||
JP2015-091695 | 2015-04-28 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2016175131A1 true WO2016175131A1 (ja) | 2016-11-03 |
Family
ID=57198365
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2016/062676 WO2016175131A1 (ja) | 2015-04-28 | 2016-04-21 | Connection control device, connection control method and connection control program |
Country Status (3)
Country | Link |
---|---|
US (1) | US10728281B2 (ja) |
JP (1) | JP6291135B2 (ja) |
WO (1) | WO2016175131A1 (ja) |
Families Citing this family (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP6859776B2 (ja) * | 2017-03-16 | 2021-04-14 | NEC Corporation | Radio access network device |
US11184369B2 (en) * | 2017-11-13 | 2021-11-23 | Vectra Networks, Inc. | Malicious relay and jump-system detection using behavioral indicators of actors |
US10721162B2 (en) * | 2018-03-08 | 2020-07-21 | Andro Computational Solutions | Routing data through distributed communications network |
US10999304B2 (en) | 2018-04-11 | 2021-05-04 | Palo Alto Networks (Israel Analytics) Ltd. | Bind shell attack detection |
US11070569B2 (en) | 2019-01-30 | 2021-07-20 | Palo Alto Networks (Israel Analytics) Ltd. | Detecting outlier pairs of scanned ports |
US11184378B2 (en) | 2019-01-30 | 2021-11-23 | Palo Alto Networks (Israel Analytics) Ltd. | Scanner probe detection |
US11184377B2 (en) * | 2019-01-30 | 2021-11-23 | Palo Alto Networks (Israel Analytics) Ltd. | Malicious port scan detection using source profiles |
US11184376B2 (en) * | 2019-01-30 | 2021-11-23 | Palo Alto Networks (Israel Analytics) Ltd. | Port scan detection using destination profiles |
US11316872B2 (en) | 2019-01-30 | 2022-04-26 | Palo Alto Networks (Israel Analytics) Ltd. | Malicious port scan detection using port profiles |
JP7222260B2 (ja) * | 2019-02-07 | 2023-02-15 | Nippon Telegraph and Telephone Corporation | Test device |
US11509680B2 (en) | 2020-09-30 | 2022-11-22 | Palo Alto Networks (Israel Analytics) Ltd. | Classification of cyber-alerts into security incidents |
US11799880B2 (en) | 2022-01-10 | 2023-10-24 | Palo Alto Networks (Israel Analytics) Ltd. | Network adaptive alert prioritization system |
Citations (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2012234236A (ja) * | 2011-04-28 | 2012-11-29 | Hitachi Ltd | Load balancing system |
Family Cites Families (12)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2001091401A2 (en) * | 2000-05-19 | 2001-11-29 | Ztango, Inc. | A system for providing wireless application protocol-based services |
GB2395856A (en) * | 2002-11-26 | 2004-06-02 | King S College London | Method for reducing packet congestion at a network node |
US7463590B2 (en) * | 2003-07-25 | 2008-12-09 | Reflex Security, Inc. | System and method for threat detection and response |
JP2005184792A (ja) * | 2003-11-27 | 2005-07-07 | NEC Corp | Bandwidth control device, bandwidth control method and bandwidth control program |
US7607170B2 (en) * | 2004-12-22 | 2009-10-20 | Radware Ltd. | Stateful attack protection |
US8020207B2 (en) * | 2007-01-23 | 2011-09-13 | Alcatel Lucent | Containment mechanism for potentially contaminated end systems |
WO2008148099A1 (en) * | 2007-05-25 | 2008-12-04 | New Jersey Institute Of Technology | Method and system to mitigate low rate denial of service (dos) attacks |
US20100054123A1 (en) * | 2008-08-30 | 2010-03-04 | Liu Yong | Method and device for high utilization and efficient flow control over networks with long transmission latency |
US8897132B2 (en) * | 2010-03-31 | 2014-11-25 | Blue Coat Systems, Inc. | Enhanced random early discard for networked devices |
US9716659B2 (en) * | 2011-03-23 | 2017-07-25 | Hughes Network Systems, Llc | System and method for providing improved quality of service over broadband networks |
US9380534B2 (en) * | 2012-06-07 | 2016-06-28 | Google Inc. | System and method for selecting a power efficient network interface |
ES2628613T3 (es) * | 2012-09-17 | 2017-08-03 | Huawei Technologies Co., Ltd. | Attack protection method and device |
2016
- 2016-04-21 US US15/568,906 patent/US10728281B2/en active Active
- 2016-04-21 WO PCT/JP2016/062676 patent/WO2016175131A1/ja active Application Filing
- 2016-04-21 JP JP2017515523A patent/JP6291135B2/ja active Active
Non-Patent Citations (2)
Title |
---|
KUNIO NAKATOMI: "Tayoka suru Application o Kashika suru, IPCOM no Visualiser Kino", PFU TECHNICAL REVIEW, vol. 25, no. 1, 1 January 2014 (2014-01-01), pages 39 - 46 * |
YOSHIKAZU SHIBAIKE: "Nerawareta Genba Security o Kyoka seyo", NIKKEI SYSTEMS, 26 August 2012 (2012-08-26), pages 86 - 91 * |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11178107B2 (en) * | 2019-09-30 | 2021-11-16 | Michael Schloss | System and method for detecting surreptitious packet rerouting |
WO2021240586A1 (ja) * | 2020-05-25 | 2021-12-02 | Nippon Telegraph and Telephone Corporation | Connection count measurement device, connection state detection device, connection state detection method, and connection count measurement program |
JPWO2021240586A1 (ja) * | 2020-05-25 | 2021-12-02 | ||
JP7315099B2 (ja) | 2020-05-25 | 2023-07-26 | Nippon Telegraph and Telephone Corporation | Connection count measurement device, connection state detection device, connection state detection method, and connection count measurement program |
Also Published As
Publication number | Publication date |
---|---|
US20180103059A1 (en) | 2018-04-12 |
US10728281B2 (en) | 2020-07-28 |
JP6291135B2 (ja) | 2018-03-14 |
JPWO2016175131A1 (ja) | 2017-08-24 |
Similar Documents
Publication | Title |
---|---|
JP6291135B2 (ja) | Connection control device, connection control method and connection control program |
US11924170B2 (en) | Methods and systems for API deception environment and API traffic control and security |
US9900344B2 (en) | Identifying a potential DDOS attack using statistical analysis |
KR101061375B1 (ko) | URI type based DDoS attack detection and response apparatus |
US9124626B2 (en) | Firewall based botnet detection |
JP4083747B2 (ja) | System and method for detecting and tracking DoS attacks |
US10511625B2 (en) | Identifying a potential DDOS attack using statistical analysis |
US10693908B2 (en) | Apparatus and method for detecting distributed reflection denial of service attack |
CN114830112A (zh) | Detection and mitigation of DDoS attacks carried out over the QUIC communication protocol |
EP2659647A1 (en) | Method for detecting and mitigating denial of service attacks |
JP2007179131A (ja) | Event detection system, management terminal, program and event detection method |
US20200128039A1 (en) | Network session traffic behavior learning system |
JP6470201B2 (ja) | Attack detection device, attack detection system and attack detection method |
WO2020162181A1 (ja) | Test device |
RU2531878C1 (ru) | Method for detecting computer attacks in an information and telecommunication network |
Belej | Development of a Technique for Detecting "Distributed Denial-of-Service Attacks" in Security Systems of Wireless Sensor Network |
CN112491911B (zh) | DNS distributed denial-of-service defense method, apparatus, device and storage medium |
JP6497782B2 (ja) | Test device, test method and test program |
JP3984233B2 (ja) | Network attack detection method, network attack source identification method, network device, network attack detection program and network attack source identification program |
JP2007166154A (ja) | Attack detection device, attack detection method and attack detection program |
KR20120059914A (ko) | Evaluation method and evaluation apparatus for products for detecting distributed denial-of-service attacks |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 16786408 Country of ref document: EP Kind code of ref document: A1 |
|
ENP | Entry into the national phase |
Ref document number: 2017515523 Country of ref document: JP Kind code of ref document: A |
|
WWE | Wipo information: entry into national phase |
Ref document number: 15568906 Country of ref document: US |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 16786408 Country of ref document: EP Kind code of ref document: A1 |