WO2018212086A1 - Control device, relay device, communication system, and communication control method - Google Patents


Info

Publication number
WO2018212086A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
packet
relay device
network bandwidth
permission list
Application number
PCT/JP2018/018279
Other languages
French (fr)
Japanese (ja)
Inventor
秀章 榊原
公士 田淵
Original Assignee
日本電気株式会社
Application filed by 日本電気株式会社
Publication of WO2018212086A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00: Data switching networks
    • H04L 12/66: Arrangements for connecting between networks having differing types of switching systems, e.g. gateways

Definitions

  • the present invention relates to communication control in a communication network, and more particularly to a technique for preventing the occurrence of congestion due to an attack from the outside.
  • a communication system that centrally manages communication paths in a network constructed by relay devices connected to each other using a control device is widely used.
  • Such a communication system is configured based on an architecture represented by Open Flow.
  • In communication systems such as OpenFlow, user data and control data are handled separately.
  • When an attack is carried out by transmitting a large number of packets from an external terminal device, the network bandwidth is squeezed and a communication failure may occur.
  • An example of an attack performed from an external terminal device is a DDoS (Distributed Denial of Service) attack.
  • Patent Document 1 describes a technique for suppressing the influence of a large number of packets when a large amount of packets is received from the outside.
  • Patent Document 1 relates to a communication system including a communication device that operates by inquiring of a control server about processing contents to be applied to a received packet.
  • the control server of the communication system of Patent Document 1 has data of illegal packet definition patterns that can affect the communication system.
  • The control server of Patent Document 1 notifies the communication device of processing content instructing it to discard packets having the same characteristics.
  • Japanese Patent Laid-Open No. 2004-151867 states that the communication device can increase resistance to attacks by discarding illegal packets by such a method.
  • However, the technique of Patent Document 1 is insufficient in the following respects.
  • In Patent Document 1, a packet received by the communication device is compared with the illegal packet definition patterns to determine whether it is intended as an attack. Therefore, an attack using packets whose definition pattern is not stored in the control server cannot be dealt with. In such a case, the load on the network may increase and a communication failure may occur. The technique of Patent Document 1 is therefore not sufficient for suppressing the influence of a large number of packets and continuing communication.
  • An object of the present invention is to provide a control device that can suppress the influence of a large amount of packets sent and can continue communication in order to solve the above-described problems.
  • the control device of the present invention includes information generation means and control means.
  • The information generation means sets the processing content for the packet in the relay device based on information extracted from a packet that a relay device on the network forwards, and generates information on the terminal device that is the packet's transmission source as external terminal information.
  • The control means controls the transfer process in the relay device based on the set processing content. Further, when the network bandwidth required for transmission of packets of a preset packet type exceeds the reference, the information generation means generates, as permission list information, the external terminal information registered while the network bandwidth was below the reference. The control means then transmits the permission list information generated by the information generation means to the relay device.
  • the communication control method of the present invention sets the processing contents of the packet in the relay device based on the information extracted from the packet that the relay device on the network performs the transfer process.
  • the communication control method of the present invention generates information on a terminal device that is a packet transmission source as external terminal information.
  • the communication control method of the present invention controls the transfer process in the relay apparatus based on the set process content.
  • When the communication control method of the present invention detects that the network bandwidth required for transmission of packets of a preset packet type exceeds the reference, it generates the external terminal information from the period while the network bandwidth was below the reference as permission list information.
  • the communication control method of the present invention transmits the generated permission list information to the relay device.
  • FIG. 1 shows an outline of the configuration of the control device of this embodiment.
  • the control device of the present embodiment includes an information generation unit 1 and a control unit 2.
  • The information generation means 1 sets the processing content of the packet in the relay device based on information extracted from a packet that a relay device on the network forwards, and generates information on the terminal device that is the source of the packet as external terminal information.
  • the control means 2 controls the transfer process in the relay device based on the set process content.
  • When the network bandwidth required for transmission of packets of a preset packet type exceeds the reference, the information generation means 1 generates the external terminal information from the period while the network bandwidth was below the reference as permission list information.
  • the control unit 2 transmits the permission list information generated by the information generation unit 1 to the relay device.
  • The control device of the present embodiment generates, in the information generation means 1, information on the terminal device that is the transmission source of a packet processed by the relay device as external terminal information. Further, when the network bandwidth required for packet transmission exceeds the reference, the information generation means 1 generates the external terminal information from the period while the bandwidth was below the reference as permission list information, and the control means 2 transmits the permission list to the relay device. The relay device that has received the permission list can then process packets according to the permission list, which is derived from the external terminal information recorded while the network bandwidth used for packet transmission was below the reference.
  • Because the relay device can distinguish terminal devices that were added to the external terminal information after the network bandwidth used for packet transmission exceeded the reference, it can exclude from processing the packets coming from a terminal device that transmits a large number of packets. For this reason, even when a transmission source that sends a large number of packets appears, the transfer processing of packets transmitted from other terminal devices can continue. As a result, by using the control device of the present embodiment, the influence of a large number of packets can be suppressed and communication can continue.
  • FIG. 2 shows an outline of the configuration of the communication system of the present embodiment.
  • the communication system of the present embodiment includes a control device 10, a first relay device 20, and a second relay device 30.
  • the first relay device 20 is connected to the external terminal 60 via the external network device 40.
  • the second relay device 30 is connected to the external terminal 70 via the external network device 50.
  • the control device 10 analyzes the flow of a packet, and generates processing content indicating processing content when the first relay device 20 and the second relay device 30 process the packet.
  • FIG. 3 is a diagram illustrating a configuration of the control device 10 of the present embodiment.
  • the control apparatus 10 includes a network control unit 11, a flow information generation unit 12, and an information storage unit 13.
  • the network control unit 11 has a function of controlling communication in the communication network.
  • the network control unit 11 instructs the processing contents of the packets of the first relay device 20 and the second relay device 30.
  • The network control unit 11 controls the packet transfer process in the first relay device 20 and the second relay device 30 based on the processing content that the flow information generation unit 12 generates from information extracted from the packets sent by the first relay device 20 and the second relay device 30.
  • When the network control unit 11 receives a packet from the first relay device 20 or the second relay device 30, it passes the received packet to the flow information generation unit 12. In addition, the network control unit 11 returns the packet for which the flow information generation unit 12 has finished learning the connection status, together with information on the processing content of the packet, to the relay device that sent it.
  • Upon receiving a congestion notification from the first relay device 20 or the second relay device 30 indicating that congestion has occurred, the network control unit 11 generates, as permission list information, information on the transmission-source communication devices whose packets the relay device should continue to process.
  • the network control unit 11 generates permission list information based on information registered before receiving the congestion notification.
  • the network control unit 11 transmits the permission list information to the relay device that has transmitted the congestion notification.
  • the network control unit 11 of the present embodiment corresponds to the control unit 2 of the first embodiment.
  • The flow information generation unit 12 learns the connection status between the relay devices and other communication devices based on the packets sent from the first relay device 20 and the second relay device 30, and analyzes the packet flow.
  • the flow information generation unit 12 generates packet processing data in each relay apparatus based on the flow analysis result.
  • the processing content refers to data indicating a criterion for what kind of processing is performed when each relay device processes a packet.
  • the processing content data includes, for example, a packet type, transmission source and transmission destination identification information, a corresponding port number, and the like.
  • the network control unit 11 learns the information of the transmission source terminal device and the transfer destination communication device based on the information extracted from the packet header, and generates the data of the packet processing content.
  • the flow information generation unit 12 stores data on the processing contents of the generated packet in the information storage unit 13.
  • the flow information generation unit 12 stores information on the connection relationship between each relay device and the communication device in the information storage unit 13.
  • The flow information generation unit 12 associates the identification information of the communication device connected to the relay device, such as the data registration date and time, relay device identification information, port number, and IP address, and stores them in the information storage unit 13 as external terminal information.
  • The flow information generation unit 12 receives packets from the first relay device 20 and the second relay device 30 via the network control unit 11, and returns the packets for which information extraction has been completed to the relay device via the network control unit 11. The flow information generation unit 12 of this embodiment corresponds to the information generation means 1 of the first embodiment.
  • the network control unit 11 and the flow information generation unit 12 are configured by a semiconductor device, for example. Further, the processing in the network control unit 11 and the flow information generation unit 12 may be performed by executing a computer program on a CPU (Central Processing Unit).
  • the information storage unit 13 has a function of storing data indicating the processing content of the packet generated by the flow information generation unit 12.
  • The information storage unit 13 has a function of storing connection relationship information between each relay device and the communication devices as external terminal information. This information is stored as data in which the identification information of the communication device connected to the relay device, such as the data registration date and time, relay device identification information, port number, and IP address, is associated together.
  • the information storage unit 13 is configured by a storage device such as a semiconductor storage device or a hard disk drive, or a combination thereof.
  • FIG. 4 shows a configuration of the communication device 100 used as the first relay device 20 and the second relay device 30 of the present embodiment.
  • the communication apparatus 100 includes a transfer processing unit 101, a bandwidth monitoring unit 102, and a storage unit 103.
  • the transfer processing unit 101 processes the received packet based on the processing content stored in the storage unit 103 as a flow table.
  • the transfer processing unit 101 refers to the flow table in the storage unit 103 and transfers the received packet to a communication device corresponding to the destination of the packet.
  • When the transfer processing unit 101 receives a packet whose processing content is not stored in the storage unit 103, it transfers the received packet to the control device 10. The transfer processing unit 101 then processes the packet returned from the control device 10 based on the flow table that has been set.
  • the transfer processing unit 101 performs transfer processing only on packets received from communication devices registered in the permission list information when congestion occurs. In addition, the transfer processing unit 101 stops transfer processing of a packet received from a communication device that is not registered in the permission list information when congestion occurs and discards the packet.
  • the bandwidth monitoring unit 102 has a function of monitoring packet transfer processing in the transfer processing unit 101.
  • the bandwidth monitoring unit 102 compares the network bandwidth used for communication of the type of packet designated by the control device 10 with a reference value, and determines the communication state.
  • the bandwidth monitoring unit 102 determines that congestion has occurred when the bandwidth used for communication is greater than or equal to the reference. If the bandwidth monitoring unit 102 determines that congestion has occurred, the bandwidth monitoring unit 102 transmits to the control device 10 a congestion notification indicating that congestion has occurred, and information on the last date and time when the normal communication has been recorded.
  • the transfer processing unit 101 and the bandwidth monitoring unit 102 are configured by a semiconductor device, for example. Further, the processing in the transfer processing unit 101 and the bandwidth monitoring unit 102 may be performed by executing a computer program on a CPU (Central Processing Unit).
  • the storage unit 103 stores information necessary for the operation of the communication apparatus 100 and packet processing, such as a flow table indicating packet processing rules and permission list information.
  • the storage unit 103 is configured by a storage device such as a semiconductor storage device or a hard disk drive, or a combination thereof.
  • the external network device 40 and the external network device 50 are communication devices that perform transfer processing according to the destination of the packet on the communication network.
  • External terminal 60 and external terminal 70 are information processing devices connected to a communication network.
  • the external terminal 60 and the external terminal 70 transmit and receive packets to and from other terminal devices via the communication network.
  • the packet transmitted from the external terminal 60 to the external terminal 70 is sent to the first relay device 20 via the external network device 40.
  • the transfer processing unit 101 of the first relay device 20 refers to the flow table of the storage unit 103 and confirms whether information indicating the processing content is stored.
  • the transfer processing unit 101 transfers the received packet to the control device 10.
  • the transfer processing unit 101 performs transfer processing according to the destination of the packet based on the processing content.
  • When the network control unit 11 of the control device 10 receives the packet, it passes the received packet to the flow information generation unit 12.
  • The flow information generation unit 12 analyzes the flow of the packet based on information extracted from its header, and sets information indicating the processing content in the relay device. Further, based on the information extracted from the packet, the network control unit 11 associates the registration date and time, the identification information of the first relay device 20, the port number, and the identification information of the external network device 40 with one another and stores them in the information storage unit 13 as external terminal information.
  • When the flow information generation unit 12 has stored the information generated from the packet, the network control unit 11 returns the packet to the first relay device 20. In addition, the network control unit 11 sends information indicating the processing content of the packet to the first relay device 20.
  • the transfer processing unit 101 of the first relay device 20 updates the flow table of the storage unit 103.
  • the transfer processing unit 101 performs packet transfer processing based on the flow table.
  • the packet addressed to the external terminal 70 is transferred to the second relay device 30.
  • the packet transferred to the second relay device 30 is sent to the external terminal 70 via the external network device 50. Further, the second relay device 30 transfers the packet received from the external terminal 70 to the control device 10 and receives information indicating the processing content of the packet from the control device 10.
  • FIG. 5 schematically illustrates an example of a packet transmission path when a packet in which information on the processing contents of the packet is not stored in the storage unit 103 of the first relay device 20 is input to the first relay device 20.
  • FIG. 6 schematically illustrates an example of a packet transmission path when a packet is input to the first relay device 20 after information on the processing content of the packet has been stored in the storage unit 103 of the first relay device 20. In FIGS. 5 and 6, the packet flow is indicated by arrows. In FIGS. 5 and 6, the control device 10 manages a network consisting of the first relay device 20 and the second relay device 30. The first relay device 20 and the second relay device 30 are connected to the external network via port 3 and to the other relay device via port 1.
  • FIG. 7 is a diagram illustrating an operation flow of the relay device when performing bandwidth monitoring to eliminate congestion in the communication system of the present embodiment.
  • FIG. 8 shows the configuration of a communication network in which an external terminal performing an attack is an external attack terminal 80.
  • the control device 10 sets the bandwidth monitoring function in the first relay device 20 and the second relay device 30.
  • the network control unit 11 of the control device 10 transmits a setting value for performing bandwidth monitoring to the relay device that performs setting of the bandwidth monitoring function.
  • FIG. 9 shows an example of setting values when performing bandwidth monitoring.
  • The setting values for bandwidth monitoring consist of a packet type, a CIR (Committed Information Rate), and a PIR (Peak Information Rate), based on trTCM (RFC 2698: A Two Rate Three Color Marker).
  • a “TCP SYN” packet is designated as the packet type.
  • The CIR indicates the minimum communication speed guaranteed even when congestion occurs in the communication network.
  • The PIR indicates the maximum bandwidth that can be relayed.
  • the communication speed is set as a value indicated by a bit rate, for example.
  • When the bandwidth monitoring unit 102 of the first relay device 20 or the second relay device 30 receives the setting value information for bandwidth monitoring, it monitors packet processing in the transfer processing unit 101 based on the setting values.
  • the bandwidth monitoring unit 102 performs monitoring by measuring the bandwidth required for processing the packet set by the packet type.
  • the transfer processing unit 101 refers to the flow table of the storage unit 103 and processes the packet based on the processing content (step S1).
  • The bandwidth monitoring unit 102 checks the type of the packet being processed.
  • If the packet is not of the designated type, the bandwidth monitoring unit 102 continues to monitor the bandwidth without further processing (step S6).
  • If the network bandwidth required for the designated packet type is at or below the reference, the bandwidth monitoring unit 102 stores the current time as the last date and time when communication was normally performed (step S7).
  • Otherwise, the bandwidth monitoring unit 102 checks whether the network bandwidth is equal to or less than the PIR set value.
  • If it is, the bandwidth monitoring unit 102 continues to monitor the bandwidth without further processing (step S6).
  • If the network bandwidth exceeds the PIR set value, the bandwidth monitoring unit 102 sends a congestion notification to the control device 10 containing information indicating that congestion has occurred and the last date and time when communication was normally performed (step S5).
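The relay-side monitoring loop of FIG. 7 driven by the setting values of FIG. 9, as an added Python example that is not code from the patent. It assumes a per-second measurement of the designated packet type's bandwidth (a simplification of trTCM), treats a rate at or below the CIR as normal communication (the "first reference" of the claims) and a rate above the PIR as congestion; the relay identifier, class names, packet sizes and the trace itself are constructed sample values.

```python
"""Relay-side bandwidth monitoring loop of FIG. 7, driven by the setting values of FIG. 9.

Added example; not code from the patent. Assumptions: the rate of the designated
packet type is measured per one-second bucket (a simplification of trTCM), the
"last normal" time is updated whenever the rate is at or below the CIR, and a
congestion notification is raised when the rate exceeds the PIR.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class MonitorSetting:
    packet_type: str  # e.g. "TCP SYN", as in FIG. 9
    cir_bps: int      # Committed Information Rate in bits per second
    pir_bps: int      # Peak Information Rate in bits per second


@dataclass(frozen=True)
class CongestionNotification:
    relay_id: str
    observed_at: int                 # second in which the PIR was exceeded
    last_normal_time: Optional[int]  # last second at or below the CIR (None if never)


@dataclass
class BandwidthMonitor:
    relay_id: str
    setting: MonitorSetting
    last_normal_time: Optional[int] = None
    _bytes_per_second: Dict[int, int] = field(default_factory=lambda: defaultdict(int))

    def observe(self, ts: int, packet_type: str, size_bytes: int) -> None:
        """Step S2: only the designated packet type contributes to the measured bandwidth."""
        if packet_type == self.setting.packet_type:
            self._bytes_per_second[ts] += size_bytes

    def evaluate(self, ts: int) -> Optional[CongestionNotification]:
        """Steps S3 to S7 for the second `ts`."""
        bps = self._bytes_per_second.get(ts, 0) * 8
        if bps <= self.setting.cir_bps:
            self.last_normal_time = ts  # S7: communication is normal, remember the time
            return None
        if bps <= self.setting.pir_bps:
            return None                 # S6: between CIR and PIR, keep monitoring
        # S5: PIR exceeded -> congestion notification carrying the last normal time
        return CongestionNotification(self.relay_id, ts, self.last_normal_time)


Packet = Tuple[int, str, int]  # (timestamp in seconds, packet type, size in bytes)


def run_trace(monitor: BandwidthMonitor, trace: List[Packet]) -> List[CongestionNotification]:
    """Feed a packet trace through the monitor second by second."""
    notifications: List[CongestionNotification] = []
    for ts in sorted({t for t, _, _ in trace}):
        for t, ptype, size in trace:
            if t == ts:
                monitor.observe(t, ptype, size)
        notice = monitor.evaluate(ts)
        if notice is not None:
            notifications.append(notice)
    return notifications


def demo() -> List[CongestionNotification]:
    """Constructed trace: 60-byte TCP SYN packets plus unrelated TCP data traffic."""
    setting = MonitorSetting("TCP SYN", cir_bps=8_000, pir_bps=100_000)
    monitor = BandwidthMonitor("relay-20", setting)
    trace: List[Packet] = []
    trace += [(100, "TCP SYN", 60)] * 10       # 4,800 bps: normal
    trace += [(100, "TCP DATA", 1500)] * 100   # 1.2 Mbps of other traffic: not measured
    trace += [(101, "TCP SYN", 60)] * 15       # 7,200 bps: still at or below the CIR
    trace += [(102, "TCP SYN", 60)] * 150      # 72,000 bps: above CIR, below PIR
    trace += [(103, "TCP SYN", 60)] * 500      # 240,000 bps: above PIR -> congestion
    return run_trace(monitor, trace)


if __name__ == "__main__":
    for n in demo():
        print(f"{n.relay_id}: congestion at t={n.observed_at}, last normal t={n.last_normal_time}")
```

The notification carries t=101 as the last normal time, not t=102: the second between CIR and PIR neither updates the normal time nor triggers a notification, which is what lets the control device later cut the permission list at the last moment the SYN rate was known to be healthy.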
  • When a TCP SYN packet is transmitted from the external attack terminal 80 as part of a DDoS attack, the TCP SYN packet is sent to the first relay device 20 via the external network device 40.
  • the communication control unit 21 of the first relay device 20 transfers the received packet to the control device 10 when the packet from the external attack terminal 80 has not been received so far.
  • the flow information generation unit 12 of the control device 10 extracts information from the packet and stores it in the information storage unit 13.
  • the control device 10 returns the packet to the first relay device 20 together with information on the processing content of the packet.
  • the transfer processing unit 101 of the first relay device 20 that has received the returned packet transfers the received packet to the second relay device 30.
  • the second relay device 30 that has received the packet transfers the packet according to the destination of the packet.
  • the first relay device 20 processes the packet based on the processing content shown in the updated flow table.
  • The bandwidth monitoring unit 102 of the first relay device 20 determines that congestion has occurred, and sends to the control device 10 information indicating this together with information on the last date and time when communication was performed normally.
  • Upon receiving the information indicating that congestion has occurred, the network control unit 11 of the control device 10 refers to the external terminal information stored in the information storage unit 13 and extracts the external terminal information registered before the last date and time when communication was performed normally. From the extracted external terminal information, the network control unit 11 generates information on the external terminals that are permitted to connect as permission list information.
  • FIG. 10 shows an example of external terminal information before receiving a congestion notification.
  • FIG. 11 shows an example of permission list information generated based on external terminal information after receiving a congestion notification.
  • In FIG. 10, the entries up to No. 2 are the external terminal information registered before the last date and time, so the permission list information consists only of the information on the two external terminals registered during normal communication.
  • the network control unit 11 transmits the generated permission list information to the first relay device 20.
  • Upon receiving the permission list information, the transfer processing unit 101 of the first relay device 20 stores it in the storage unit 103. Once the permission list information is stored, the transfer processing unit 101 sets up filtering so that only packets received from external terminals included in the permission list information are processed. With the filtering set, the communication control unit 21 of the first relay device 20 processes only packets whose transmission source is an external terminal included in the permission list information and discards all other packets. Therefore, packets received from the external attack terminal 80 are discarded by the transfer processing unit 101 and are not transferred to other communication devices.
  • FIG. 12 shows a state where the packet transmitted by the external attack terminal 80 is discarded by the first relay device 20 and the packet transmitted by the external terminal 60 is normally transmitted. Since the first relay device 20 discards the packet and the network bandwidth is not tight, communication in the communication network can be continued.
  • information on the terminal device that is the transmission source of the packet processed by the relay device in the control device 10 and the registered date and time are recorded as external terminal information.
  • The network control unit 11 of the control device 10 extracts the external terminal information registered before the last date and time recorded when communication was performed normally, and generates the permission list information from it.
  • the relay device receives the permission list information from the control device 10, continues processing only the packets received from the terminal devices registered in the permission list information, and is sent from a terminal device not registered in the permission list information. The transfer process of the incoming packet is stopped and the packet is discarded.
  • By continuing to process only packets received from the terminal devices that were communicating when communication was normal, the relay device can continue processing packets sent from those terminal devices even if a large number of packets is received from a specific terminal device. Therefore, even when subjected to an attack such as a DDoS attack, the relay device can suppress the influence of the attack and continue the transfer process for packets received from other terminal devices. As described above, the communication system of the present embodiment can suppress the influence of a large number of packets and continue communication.
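The control device's permission list generation from the external terminal information (FIGS. 10 and 11) and the relay device's filtering by that list (FIG. 12), as an added Python example that is not code from the patent. The class and field names, the IP addresses, timestamps and the congestion notification are constructed; the admission rule assumed is that an entry is permitted when its registration date and time is strictly earlier than the last normal time reported by the relay device.

```python
"""Controller-side permission list generation (FIG. 10 / FIG. 11) and relay-side filtering (FIG. 12).

Added example; not code from the patent. The external terminal information records
and the congestion notification below are constructed sample data; the assumed rule
is that an entry is admitted to the permission list when its registration time is
earlier than the last normal time reported by the relay device.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class ExternalTerminalInfo:
    no: int
    registered_at: datetime  # date and time the entry was learned from a packet
    relay_id: str            # relay device that forwarded the packet to the controller
    port: int                # relay port on which the packet arrived
    ip: str                  # source address of the external terminal


@dataclass(frozen=True)
class CongestionNotification:
    relay_id: str
    last_normal_time: datetime  # sent by the relay's bandwidth monitoring unit


class ControlDevice:
    """Network control unit 11 and information storage unit 13, reduced to what this example needs."""

    def __init__(self) -> None:
        self.external_terminal_info: List[ExternalTerminalInfo] = []

    def register(self, registered_at: datetime, relay_id: str, port: int, ip: str) -> ExternalTerminalInfo:
        """Learn a new packet source (FIG. 5 path: the relay had no flow entry and asked the controller)."""
        entry = ExternalTerminalInfo(len(self.external_terminal_info) + 1, registered_at, relay_id, port, ip)
        self.external_terminal_info.append(entry)
        return entry

    def generate_permission_list(self, notice: CongestionNotification) -> List[ExternalTerminalInfo]:
        """Keep only terminals registered before the last normal time; later arrivals are excluded."""
        return [e for e in self.external_terminal_info if e.registered_at < notice.last_normal_time]


class RelayDevice:
    """Transfer processing unit 101 with the permission-list filter held in storage unit 103."""

    def __init__(self, relay_id: str) -> None:
        self.relay_id = relay_id
        self.permitted: Optional[Set[str]] = None  # None: no congestion, normal flow-table forwarding

    def apply_permission_list(self, entries: List[ExternalTerminalInfo]) -> None:
        self.permitted = {e.ip for e in entries}

    def forward(self, src_ip: str) -> str:
        """Return the action taken for a packet whose source is `src_ip`."""
        if self.permitted is None or src_ip in self.permitted:
            return "forward"
        return "discard"


def at(hhmmss: str) -> datetime:
    """Constructed timestamps on one day, written as HH:MM:SS."""
    return datetime(2018, 5, 1, *map(int, hhmmss.split(":")))


def demo() -> Dict[str, object]:
    ctrl = ControlDevice()
    relay = RelayDevice("relay-20")
    ctrl.register(at("10:00:00"), "relay-20", 3, "192.0.2.10")    # external terminal 60
    ctrl.register(at("10:05:00"), "relay-20", 3, "192.0.2.11")    # another terminal seen during normal traffic
    ctrl.register(at("10:20:30"), "relay-20", 3, "198.51.100.7")  # external attack terminal 80, learned during the flood

    # The relay last measured normal SYN bandwidth at 10:20:00 and then exceeded the PIR.
    notice = CongestionNotification("relay-20", at("10:20:00"))
    permission_list = ctrl.generate_permission_list(notice)
    relay.apply_permission_list(permission_list)

    actions = {ip: relay.forward(ip) for ip in ("192.0.2.10", "192.0.2.11", "198.51.100.7")}
    return {"permitted_nos": [e.no for e in permission_list], "actions": actions}


if __name__ == "__main__":
    print(demo())
```

A relay that has not received a permission list forwards according to its flow table as before; only after `apply_permission_list` does it drop sources that were first seen after the last normal time. Per Appendix 4 the same list could be pushed to a second relay by calling `apply_permission_list` on it with the same entries.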
  • In the present embodiment, the control device 10 performs communication control in a network composed of the first relay device 20 and the second relay device 30, but the number of relay devices controlled by the control device 10 may be three or more. Further, there may be a plurality of external network devices connected to a relay device and a plurality of terminal devices connected to an external network device.
  • In the present embodiment, the permission list information is sent to the relay device that issued the congestion notification, but it may also be sent to another relay device. For example, when the congestion notification is received from the first relay device 20, the generated permission list information may also be sent to the second relay device 30, thereby preventing an attack on the second relay device 30.
  • Stable communication can thus be continued even when there is a terminal device performing an attack.
  • (Appendix 1) A control device comprising: information generation means for setting the processing content of a packet in a relay device based on information extracted from a packet that a relay device on the network forwards, and for generating information on the terminal device that is the transmission source of the packet as external terminal information; and control means for controlling the transfer process in the relay device based on the set processing content, wherein, when the network bandwidth required for transmission of packets of a preset packet type exceeds a reference, the information generation means generates, as permission list information, the external terminal information from the period while the network bandwidth was equal to or less than the reference, and the control means transmits the permission list information generated by the information generation means to the relay device.
  • (Appendix 2) The control device according to appendix 1, wherein the information generation means generates the external terminal information by associating a first time, at which the information of the terminal device is registered, with identification information of the terminal device, and, when the network bandwidth exceeds the reference, generates the permission list information based on the information on the terminal devices whose first time is earlier than a second time sent from the relay device as the time when the network bandwidth was below the reference.
  • (Appendix 3) The control device according to appendix 1 or 2, wherein the control means further includes means for setting a condition under which the relay device monitors the network bandwidth.
  • (Appendix 4) The control device according to any one of appendices 1 to 3, wherein, when receiving a notification from the relay device indicating that the network bandwidth exceeds the reference, the control means generates second permission list information corresponding to another relay device and transmits the second permission list information to the other relay device.
  • (Appendix 5) A relay device comprising: transfer processing means for transferring a packet input from a terminal device via a network based on the processing content set by a control device; and bandwidth monitoring means having means for monitoring the network bandwidth required for transmission of packets of a preset packet type and means for updating, as a final time, the time at which the network bandwidth required for communication of the packets was at or below a reference, wherein, when the bandwidth monitoring means detects that the network bandwidth exceeds the reference, it sends to the control device, as a congestion notification, information indicating that the network bandwidth exceeds the reference together with information on the final time, and the transfer processing means receives from the control device, as a response to the congestion notification, permission list information set based on the information of the terminal devices that were the transmission sources of the packets transferred before the final time, and stops transfer processing of packets sent from devices other than the terminal devices included in the permission list information.
  • (Appendix 6) The relay device according to appendix 5, wherein the bandwidth monitoring means updates the final time when the network bandwidth required for transmission of the packets is at or below a first reference, and transmits the congestion notification when the network bandwidth required for transmission of the packets exceeds a second reference that is larger than the first reference.
  • (Appendix 7) The relay device according to appendix 5 or 6, wherein the transfer processing means filters the input packets based on the permission list information and discards packets transmitted from devices other than the terminal devices included in the permission list information.
  • (Appendix 8) A communication system comprising: the control device according to any one of appendices 1 to 4; and a first relay device and a second relay device, each being the relay device according to any one of appendices 5 to 7, wherein the first relay device transmits the congestion notification to the control device when it detects that the network bandwidth exceeds the reference, the control device generates the permission list information based on the final time included in the congestion notification, and the first relay device processes the input packets based on the permission list information sent from the control device as a response to the congestion notification.
  • a communication control method comprising: transmitting the generated permission list information to the relay device.
  • (Appendix 11) The communication control method according to appendix 9 or 10, wherein a condition under which the relay device monitors the network bandwidth is set.
  • (Appendix 15) The communication control method according to appendix 13 or 14, wherein the input packets are filtered based on the permission list information, and packets transmitted from devices other than the terminal devices included in the permission list information are discarded.

Abstract

[Problem] To provide a control device capable of controlling the impact of a large quantity of packets being sent, and carry out communication on an ongoing basis. [Solution] A control device is configured so as to have an information generation means 1 and a control means 2. The information generation means 1 sets, on the basis of information extracted from a packet to be forwarded by a relay device on a network, a process description for the packet at the relay device and generates information on a source terminal device for the packet as external terminal information. The control means 2 controls, on the basis of the set process description, the forwarding process at the relay device. In addition, when a network bandwidth required for forwarding packets of a pre-set packet type exceeds the standard, the information generation means 1 generates, as permission list information, external terminal information for the period during which the network bandwidth was below standard. The control means 2 also transmits the permission list information generated by the information generation means 1 to the relay device.

Description

Control device, relay device, communication system, and communication control method
The present invention relates to communication control in a communication network, and more particularly to a technique for preventing congestion caused by an attack from outside.
Communication systems in which a control device centrally manages the communication paths of a network built from interconnected relay devices are widely used. Such communication systems are built on an architecture typified by OpenFlow. In a communication system such as OpenFlow, user data and control data are controlled separately; however, when the system is attacked by a large number of packets sent from an external terminal device, the network bandwidth may be squeezed and communication may fail. An example of an attack carried out from an external terminal device is a DDoS (Distributed Denial of Service) attack.
To maintain the reliability of a communication system, communication must be kept going while limiting the pressure on the network bandwidth, even when a large volume of packets is received from outside. Techniques have therefore been developed to suppress the effect of packets sent in large volumes from outside. Patent Document 1, for example, discloses such a technique.
Patent Document 1 concerns a communication system including a communication device that operates by querying a control server for the processing content to apply to a received packet. The control server of Patent Document 1 holds definition patterns of illegal packets that could affect the communication system. When a packet forwarded from the communication device matches an illegal packet definition pattern, the control server notifies the communication device of processing content that discards packets with the same characteristics. Patent Document 1 states that the communication device can improve its resistance to attacks by discarding illegal packets in this way.
Patent Document 1: JP2013-70325A (Japanese Unexamined Patent Application Publication No. 2013-70325)
However, the technique of Patent Document 1 is insufficient in the following respect. In the communication system of Patent Document 1, a packet received by the communication device is compared with the illegal packet definition patterns to decide whether it is an attack packet. It therefore cannot respond to an attack using packets whose definition pattern is not stored in the control server. In such a case the network load rises and communication may fail. The technique of Patent Document 1 is thus not sufficient as a technique for suppressing the effect of packets sent in large volumes and keeping communication going.
To solve the above problem, an object of the present invention is to provide a control device that can suppress the effect of packets sent in large volumes and keep communication going.
To solve the above problem, the control device of the present invention includes information generation means and control means. The information generation means sets the processing content for a packet in a relay device based on information extracted from a packet on which the relay device on the network performs transfer processing, and generates information on the terminal device that is the transmission source of the packet as external terminal information. The control means controls the transfer processing in the relay device based on the set processing content. When the network bandwidth required for transmission of packets of a preset packet type exceeds a reference, the information generation means generates, as permission list information, the external terminal information from the period during which the network bandwidth was at or below the reference. The control means transmits the permission list information generated by the information generation means to the relay device.
The communication control method of the present invention sets the processing content for a packet in a relay device based on information extracted from a packet on which the relay device on the network performs transfer processing. It generates information on the terminal device that is the transmission source of the packet as external terminal information. It controls the transfer processing in the relay device based on the set processing content. When it detects that the network bandwidth required for transmission of packets of a preset packet type has exceeded a reference, it generates, as permission list information, the external terminal information from the period during which the network bandwidth was at or below the reference. It then transmits the generated permission list information to the relay device.
According to the present invention, the effect of packets sent in large volumes can be suppressed and communication can be kept going.
A diagram showing an outline of the configuration of the first embodiment of the present invention.
A diagram showing an outline of the configuration of the second embodiment of the present invention.
A diagram showing the configuration of the control device of the second embodiment of the present invention.
A diagram showing the configuration of the relay device of the second embodiment of the present invention.
A diagram schematically showing an example of a packet transmission path in the second embodiment of the present invention.
A diagram schematically showing an example of a packet transmission path in the second embodiment of the present invention.
A diagram showing the operation flow of the control device of the second embodiment of the present invention.
A diagram schematically showing an example of a packet transmission path in the second embodiment of the present invention.
A diagram showing an example of the bandwidth monitoring settings of the second embodiment of the present invention.
A diagram showing an example of the external terminal information of the second embodiment of the present invention.
A diagram showing an example of the permission list of the second embodiment of the present invention.
A diagram schematically showing an example of a packet transmission path in the second embodiment of the present invention.
(First embodiment)
A first embodiment of the present invention will be described in detail with reference to the drawings. FIG. 1 shows an outline of the configuration of the control device of this embodiment. The control device of this embodiment includes information generation means 1 and control means 2. The information generation means 1 sets the processing content for a packet in a relay device based on information extracted from a packet on which the relay device on the network performs transfer processing, and generates information on the terminal device that is the transmission source of the packet as external terminal information. The control means 2 controls the transfer processing in the relay device based on the set processing content. When the network bandwidth required for transmission of packets of a preset packet type exceeds a reference, the information generation means 1 generates, as permission list information, the external terminal information from the period during which the network bandwidth was at or below the reference. The control means 2 transmits the permission list information generated by the information generation means 1 to the relay device.
In the control device of this embodiment, the information generation means 1 generates information on the terminal devices that are the transmission sources of the packets processed by the relay device as external terminal information. When the network bandwidth required for packet transmission exceeds the reference, the information generation means 1 generates, as permission list information, the external terminal information from the period during which the bandwidth was at or below the reference, and the control means 2 transmits the permission list to the relay device. The relay device that receives the permission list can then process packets based on a permission list built from the external terminal information of the period in which the network bandwidth used for packet transmission was at or below the reference.
In other words, the relay device can distinguish the terminal devices that were added to the external terminal information after the network bandwidth used for packet transmission exceeded the reference, so it can exclude from processing the packets sent by a terminal device that is transmitting a large number of packets. Even when a source that sends a large number of packets appears, the relay device can therefore continue to transfer the packets sent from the other terminal devices. As a result, using the control device of this embodiment, the effect of packets sent in large volumes can be suppressed and communication can be kept going.
(Second embodiment)
A second embodiment of the present invention will be described in detail with reference to the drawings. FIG. 2 shows an outline of the configuration of the communication system of this embodiment.
The communication system of this embodiment includes a control device 10, a first relay device 20, and a second relay device 30. The first relay device 20 is connected to an external terminal 60 via an external network device 40. The second relay device 30 is connected to an external terminal 70 via an external network device 50. In the communication system of this embodiment, the control device 10 analyzes packet flows and generates processing content that specifies how the first relay device 20 and the second relay device 30 process packets.
The configuration of the control device 10 will be described. FIG. 3 shows the configuration of the control device 10 of this embodiment. The control device 10 of this embodiment includes a network control unit 11, a flow information generation unit 12, and an information storage unit 13.
The network control unit 11 has the function of controlling communication in the communication network.
The network control unit 11 instructs the first relay device 20 and the second relay device 30 on the processing content for packets. It controls the packet transfer processing in the first relay device 20 and the second relay device 30 based on the processing content that the flow information generation unit 12 generates from information extracted from the packets sent by the first relay device 20 and the second relay device 30.
When the network control unit 11 receives a packet from the first relay device 20 or the second relay device 30, it passes the received packet to the flow information generation unit 12. The network control unit 11 also returns to the originating relay device each packet for which the flow information generation unit 12 has finished learning the connection status, together with information on the processing content for that packet.
When the network control unit 11 receives a congestion notification from the first relay device 20 or the second relay device 30 indicating that congestion has occurred, it generates, as permission list information, the information on the source communication devices whose packets the relay device is to continue processing. The network control unit 11 generates the permission list information based on the information registered before the congestion notification was received. Once it has generated the permission list information, the network control unit 11 transmits it to the relay device that sent the congestion notification. The network control unit 11 of this embodiment corresponds to the control means 2 of the first embodiment.
The flow information generation unit 12 learns the connection status between the relay devices and other communication devices from the packets sent by the first relay device 20 and the second relay device 30, and analyzes the packet flows. Based on the result of the flow analysis, the flow information generation unit 12 generates data describing the processing content for packets at each relay device. The processing content is data stating the criteria by which each relay device is to handle a packet when processing it. The processing content data consists of, for example, the packet type, the identification information of the transmission source and destination, and the corresponding port numbers.
The network control unit 11 learns information on the transmission source terminal device and the transfer destination communication device from the information extracted from the packet header, and generates the packet processing content data. The flow information generation unit 12 stores the generated packet processing content data in the information storage unit 13.
The flow information generation unit 12 also stores information on the connection relationship between each relay device and the communication devices in the information storage unit 13. It associates the registration date and time of the data, the identification information of the relay device, and the identification information of the communication device connected to the relay device, such as its port number and IP address, with one another, and stores them in the information storage unit 13 as external terminal information.
The flow information generation unit 12 receives packets from the first relay device 20 and the second relay device 30 via the network control unit 11, and returns each packet from which information extraction has been completed to the originating relay device via the network control unit 11. The flow information generation unit 12 of this embodiment corresponds to the information generation means 1 of the first embodiment.
The network control unit 11 and the flow information generation unit 12 are implemented, for example, as semiconductor devices. Alternatively, the processing in the network control unit 11 and the flow information generation unit 12 may be performed by executing a computer program on a CPU (Central Processing Unit).
The information storage unit 13 has the function of storing the data indicating the packet processing content generated by the flow information generation unit 12. It also has the function of storing information on the connection relationship between each relay device and the communication devices as external terminal information. The connection relationship between each relay device and the communication devices is stored as data in which the registration date and time of the data, the identification information of the relay device, and the identification information of the communication device connected to the relay device, such as its port number and IP address, are associated with one another. The information storage unit 13 is composed of a storage device such as a semiconductor memory device or a hard disk drive, or a combination of these.
The configuration of the first relay device 20 and the second relay device 30 will be described. FIG. 4 shows the configuration of a communication device 100 used as the first relay device 20 and the second relay device 30 of this embodiment. The communication device 100 includes a transfer processing unit 101, a bandwidth monitoring unit 102, and a storage unit 103.
The transfer processing unit 101 processes received packets based on the processing content stored as a flow table in the storage unit 103. Referring to the flow table in the storage unit 103, the transfer processing unit 101 transfers each received packet to the communication device appropriate for the packet's destination.
When the transfer processing unit 101 receives a packet whose processing content is not stored in the storage unit 103, it transfers the received packet to the control device 10. The transfer processing unit 101 then processes the packet returned from the control device 10 according to the flow table that has been set.
When congestion occurs, the transfer processing unit 101 performs transfer processing only on packets received from the communication devices registered in the permission list information. It stops transfer processing of packets received from communication devices that are not registered in the permission list information and discards them.
The bandwidth monitoring unit 102 has the function of monitoring the packet transfer processing in the transfer processing unit 101. It compares the network bandwidth in use for communication of the packet type specified by the control device 10 with a reference value and judges the communication state. The bandwidth monitoring unit 102 judges that congestion has occurred when the bandwidth in use for communication is at or above the reference. When it judges that congestion has occurred, the bandwidth monitoring unit 102 sends the control device 10 a congestion notification indicating that congestion has occurred, together with the last date and time at which normal communication is recorded to have taken place.
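The mechanism described for the first embodiment (permission list built from external terminal information registered while bandwidth was normal) and for the relay device above (final time, congestion notification, filtering), as an added simulation that is not the patent's or the applicant's code. Class names, the two-threshold values, the integer time base and all addresses and bandwidth samples are constructed assumptions.

```python
# Added example: simulation of the permission-list mechanism from the description.
# Time is an integer second counter, bandwidth is in Mbit/s, all inputs are constructed.
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class CongestionNotification:
    """Sent by a relay device once the monitored bandwidth exceeds the reference."""
    relay_id: str
    final_time: int  # last instant at which bandwidth was still at or below the reference


class ControlDevice:
    """Control device side: learns external terminal information, builds permission lists."""

    def __init__(self) -> None:
        # External terminal information: (relay id, port, source address) -> first time seen.
        self.external_terminals: Dict[Tuple[str, int, str], int] = {}

    def learn(self, now: int, relay_id: str, port: int, src: str) -> None:
        """Register a packet source; the 'first time' is kept from the first sighting."""
        self.external_terminals.setdefault((relay_id, port, src), now)

    def permission_list(self, relay_id: str, final_time: int) -> Set[str]:
        """Sources whose first time is strictly earlier than the relay's final time.
        A source first seen after bandwidth left the normal range is excluded even
        though it was registered before the notification itself arrived."""
        return {src for (rid, _port, src), seen in self.external_terminals.items()
                if rid == relay_id and seen < final_time}


class BandwidthMonitor:
    """Bandwidth monitoring unit with the two-reference scheme of Appendix 6: final_time
    advances only while usage is at or below the lower reference, and the notification
    fires once usage exceeds the upper one, so a ramp-up in between does not refresh it."""

    def __init__(self, relay_id: str, low_ref: float, high_ref: float) -> None:
        assert low_ref < high_ref
        self.relay_id, self.low_ref, self.high_ref = relay_id, low_ref, high_ref
        self.final_time = 0  # assumption: bandwidth was normal at time 0
        self.congested = False

    def observe(self, now: int, mbps: float) -> Optional[CongestionNotification]:
        if mbps <= self.low_ref:
            self.final_time = now
            self.congested = False  # assumption: the episode ends once usage is normal again
            return None
        if mbps > self.high_ref and not self.congested:
            self.congested = True  # notify once per congestion episode
            return CongestionNotification(self.relay_id, self.final_time)
        return None


class RelayDevice:
    """Relay device side: forwards packets, filtering by the installed permission list."""

    def __init__(self, relay_id: str, low_ref: float, high_ref: float) -> None:
        self.relay_id = relay_id
        self.monitor = BandwidthMonitor(relay_id, low_ref, high_ref)
        self.permitted: Optional[Set[str]] = None  # None: no list installed, forward all

    def install_permission_list(self, permitted: Set[str]) -> None:
        self.permitted = set(permitted)

    def forward(self, src: str) -> bool:
        """True if the packet is forwarded, False if it is discarded (Appendix 7)."""
        return self.permitted is None or src in self.permitted


def simulate() -> Dict[str, object]:
    """Run the constructed scenario; return the final time, the list and the outcome."""
    ctrl = ControlDevice()
    relay = RelayDevice("relay-20", low_ref=40.0, high_ref=80.0)
    # Constructed events: 'learn' = new source seen by the controller for this relay,
    # 'bw' = bandwidth sample at the relay for the monitored packet type.
    events = [
        (0, "learn", (1, "10.0.0.1")), (0, "bw", 10.0),
        (5, "learn", (1, "10.0.0.2")), (5, "bw", 20.0),
        (10, "bw", 30.0),
        (12, "learn", (2, "198.51.100.7")), (12, "bw", 60.0),  # ramp-up, between references
        (14, "bw", 95.0),  # exceeds the upper reference: congestion notification
    ]
    notification = None
    for now, kind, payload in events:
        if kind == "learn":
            port, src = payload
            ctrl.learn(now, relay.relay_id, port, src)
        else:
            note = relay.monitor.observe(now, payload)
            if note is not None:
                notification = note
                relay.install_permission_list(ctrl.permission_list(note.relay_id, note.final_time))
    # Constructed traffic arriving after the list is installed.
    arrivals = ["10.0.0.1", "198.51.100.7", "10.0.0.2", "198.51.100.7", "10.0.0.1"]
    forwarded = [src for src in arrivals if relay.forward(src)]
    return {"final_time": notification.final_time if notification else None,
            "permitted": sorted(relay.permitted or ()),
            "forwarded": forwarded,
            "discarded": len(arrivals) - len(forwarded)}
```

The source first seen at time 12 is registered before the notification at time 14 but after the final time of 10, so it is left off the list, while the two earlier sources keep being forwarded.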
The transfer processing unit 101 and the bandwidth monitoring unit 102 are implemented, for example, as semiconductor devices. Alternatively, the processing in the transfer processing unit 101 and the bandwidth monitoring unit 102 may be performed by executing a computer program on a CPU (Central Processing Unit).
The storage unit 103 stores the information needed for the operation of the communication device 100 and for packet processing, such as the flow table indicating the packet processing rules and the permission list information. The storage unit 103 is composed of a storage device such as a semiconductor memory device or a hard disk drive, or a combination of these.
The external network device 40 and the external network device 50 are communication devices on the communication network that perform transfer processing according to the destination of packets.
The external terminal 60 and the external terminal 70 are information processing devices or the like connected to the communication network. They send packets to and receive packets from other terminal devices via the communication network.
The operation of the communication system of this embodiment will be described. First, the operation when normal communication is taking place in the communication system of this embodiment, without congestion or the like, will be described. The operation of the communication system during normal communication is described below using the example of a packet sent from the external terminal 60 to the external terminal 70.
A packet sent from the external terminal 60 to the external terminal 70 is delivered to the first relay device 20 via the external network device 40. When the packet arrives, the transfer processing unit 101 of the first relay device 20 refers to the flow table in the storage unit 103 and checks whether information indicating the processing content is stored.
When the flow table holds no processing content information, the transfer processing unit 101 transfers the received packet to the control device 10. When the flow table holds processing content information, the transfer processing unit 101 performs transfer processing according to the packet's destination based on that processing content.
When the network control unit 11 of the control device 10 receives the packet, it passes the received packet to the flow information generation unit 12. On receiving the packet, the flow information generation unit 12 analyzes the flow of the packet based on the information extracted from the packet header and sets information indicating the processing content in the relay device. In addition, based on the information extracted from the packet, the network control unit 11 associates the registration date and time, the identification information of the first relay device 20, the port number, and the identification information of the external network device 40 with one another and stores them in the information storage unit 13 as external terminal information.
When the flow information generation unit 12 has stored the information generated from the information extracted from the packet, the network control unit 11 returns the packet to the first relay device 20. The network control unit 11 also sends information indicating the processing content for the packet to the first relay device 20.
On receiving the packet and the processing content information from the control device 10, the transfer processing unit 101 of the first relay device 20 updates the flow table in the storage unit 103. After updating the flow table, the transfer processing unit 101 performs forwarding processing of the packet based on the flow table. The packet addressed to the external terminal 70 is forwarded to the second relay device 30. The packet forwarded to the second relay device 30 is sent to the external terminal 70 via the external network device 50.
Likewise, the second relay device 30 forwards a packet received from the external terminal 70 to the control device 10 and receives information indicating the processing content for that packet from the control device 10.
FIG. 5 schematically shows an example of the packet transmission path when a packet for which no processing content information is stored in the storage unit 103 of the first relay device 20 is input to the first relay device 20. FIG. 6 schematically shows an example of the packet transmission path when a packet is input to the first relay device 20 after the processing content information for that packet has been stored in the storage unit 103 of the first relay device 20. In FIGS. 5 and 6 the packet flow is indicated by arrows. In FIGS. 5 and 6, the control device 10 manages a network consisting of the first relay device 20 and the second relay device 30. The first relay device 20 and the second relay device 30 are each connected to the external network via port 3 and to the other relay device via port 1.
As shown in FIG. 5, when a packet for which no processing content is set in the storage unit 103 of the first relay device 20 is input to the first relay device 20, the packet is forwarded to the control device 10 and the processing content is set. When a packet for which the processing content has already been set is input to the first relay device 20, the packet is not forwarded to the control device 10, as shown in FIG. 6.
Next, the operation when the occurrence of congestion is detected by bandwidth monitoring in the first relay device 20 and the second relay device 30 and processing to resolve the congestion is performed will be described. FIG. 7 is a diagram showing the operation flow of a relay device when performing bandwidth monitoring and resolving congestion in the communication system of this embodiment.
The description takes as an example the case where an attack transmitting a large number of packets from an external terminal is carried out via the external network device 40 connected to the first relay device 20. FIG. 8 shows the configuration of the communication network with the external terminal carrying out the attack shown as the external attack terminal 80.
When the communication network is in operation, the control device 10 configures the bandwidth monitoring function in the first relay device 20 and the second relay device 30. The network control unit 11 of the control device 10 transmits the setting values used for bandwidth monitoring to each relay device in which the bandwidth monitoring function is configured.
FIG. 9 shows an example of the setting values used for bandwidth monitoring. In the example of FIG. 9, the setting values for bandwidth monitoring consist of a packet type and a CIR (Committed Information Rate) and PIR (Peak Information Rate) based on trTCM (RFC 2698: Two Rate Three Color Marker). In the example of FIG. 9, "TCP SYN" packets are specified as the packet type. The CIR indicates the minimum communication rate that is guaranteed when the communication network is busy or congested. The PIR indicates, as a communication rate, the maximum bandwidth that can be relayed. The communication rate is set, for example, as a value expressed as a bit rate.
When the bandwidth monitoring unit 102 of the first relay device 20 or the second relay device 30 receives the setting value information for bandwidth monitoring, it monitors the packet processing in the transfer processing unit 101 based on those setting values. The bandwidth monitoring unit 102 performs this monitoring by measuring the bandwidth required to process the packets of the configured packet type.
When the relay device receives a packet from an external terminal, the transfer processing unit 101 refers to the flow table in the storage unit 103 and processes the packet based on the processing content (step S1). While the transfer processing unit 101 processes the packet, the bandwidth monitoring unit 102 checks the type of the packet being processed.
When the packet type does not match the configured "TCP SYN" (No in step S2), the bandwidth monitoring unit 102 takes no action and continues bandwidth monitoring (step S6).
When the packet type matches the configured "TCP SYN" (Yes in step S2), the bandwidth monitoring unit 102 checks whether the network bandwidth in use is equal to or greater than the CIR.
When the network bandwidth in use is below the configured CIR (No in step S3), the bandwidth monitoring unit 102 stores the current time as the last date and time at which communication was performed normally (step S7).
When the network bandwidth in use is equal to or greater than the configured CIR (Yes in step S3), the bandwidth monitoring unit 102 checks whether the network bandwidth is equal to or less than the configured PIR.
When the network bandwidth in use is smaller than the configured PIR (No in step S4), the bandwidth monitoring unit 102 takes no action and continues bandwidth monitoring (step S6).
When the network bandwidth in use is equal to or greater than the configured PIR (Yes in step S4), the bandwidth monitoring unit 102 sends information indicating that congestion has occurred, together with the last date and time at which communication was performed normally, to the control device 10 as a congestion notification (step S5).
When TCP SYN packets are transmitted from the external attack terminal 80 in a DDoS attack, the TCP SYN packets are sent to the first relay device 20 via the external network device 40.
If the communication control unit 21 of the first relay device 20 has not previously received a packet from the external attack terminal 80, it forwards the received packet to the control device 10. The flow information generation unit 12 of the control device 10 extracts information from the packet and stores it in the information storage unit 13. After extracting the information from the packet, the control device 10 returns the packet to the first relay device 20 together with the processing content information for the packet. On receiving the returned packet, the transfer processing unit 101 of the first relay device 20 forwards it to the second relay device 30. On receiving the packet, the second relay device 30 forwards it according to its destination. Once the flow table has been set, the first relay device 20 processes packets based on the processing content shown in the updated flow table.
When a large number of "TCP SYN" packets are transmitted from the external attack terminal 80, the bandwidth monitoring unit 102 of the first relay device 20 determines that congestion has occurred and transmits to the control device 10 information indicating that congestion has occurred, together with the last date and time at which communication was performed normally.
On receiving the information indicating that congestion has occurred, the network control unit 11 of the control device 10 refers to the external terminal information stored in the information storage unit 13 and extracts the external terminal information registered before the last date and time at which communication was performed normally. Having extracted that external terminal information, the network control unit 11 generates from it the information of the external terminals whose connections are permitted, as permission list information.
FIG. 10 shows an example of the external terminal information before a congestion notification is received. FIG. 11 shows an example of the permission list information generated from the external terminal information after a congestion notification is received. In the example of FIG. 11, the entries up to No. 2 in FIG. 10 are treated as the external terminal information registered before the last date and time, and the permission list information consists only of the information of the two external terminals registered while communication was normal.
After generating the permission list, the network control unit 11 transmits the generated permission list information to the first relay device 20.
On receiving the permission list information, the transfer processing unit 101 of the first relay device 20 stores it in the storage unit 103. After storing the permission list information, the transfer processing unit 101 configures filtering so that only packets received from the external terminals included in the permission list information are processed. Once filtering is configured, the communication control unit 21 of the first relay device 20 processes only packets whose source is an external terminal included in the permission list information and discards all other packets. As a result, packets received from the external attack terminal 80 are discarded by the transfer processing unit 101 and are not forwarded to other communication devices.
Since the external terminal 60 is included in the permission list information at this time, packets sent from the external terminal 60 are processed normally. FIG. 12 shows the state in which the first relay device 20 discards the packets transmitted by the external attack terminal 80 while the packets transmitted by the external terminal 60 are transmitted normally. Because discarding the packets at the first relay device 20 prevents the network bandwidth from becoming saturated, communication within the communication network can continue.
In the communication system of this embodiment, the control device 10 records, as external terminal information, the information of the terminal device that is the source of each packet processed by a relay device, associated with the date and time of registration. When the network control unit 11 of the control device 10 receives a congestion notification from a relay device, it extracts the external terminal information registered before the last date and time recorded while communication was normal and generates permission list information. The relay device receives the permission list information from the control device 10, continues to process only packets received from the terminal devices registered in the permission list information, and stops forwarding and discards packets sent from terminal devices not registered in the permission list information. By continuing in this way to process only packets received from the terminal devices that were communicating while communication was normal, the relay device can continue to process packets sent from the other terminal devices even when it receives a large number of packets from a particular terminal device. Therefore, even when subjected to an attack such as a DDoS attack, the relay device can suppress the effect of the attack and continue forwarding packets received from the other terminal devices. As described above, the communication system of this embodiment can suppress the effect of packets sent in large quantities and continue communication.
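The monitoring steps S1 to S7 and the permission-list generation described above, as an added example that is not part of the patent: a Python simulation in which a relay device meters "TCP SYN" traffic against constructed CIR/PIR values, reports congestion together with its last-normal time, and the control device answers with a permission list built from the external terminal information registered before that time. The terminal ids, packet sizes, timestamps and the one-second measurement window are assumptions of the example.

```python
"""Added example, not code from the patent: simulation of the bandwidth-monitoring
flow of FIG. 7 (steps S1-S7) in a relay device and of the permission-list generation
in the control device (FIGS. 10 and 11).  Terminal ids, timestamps, packet sizes,
the 1-second measurement window and the CIR/PIR values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Packet:
    src: str        # source terminal identifier, assumed to be taken from the header
    pkt_type: str   # e.g. "TCP SYN"
    bits: int       # packet size in bits


@dataclass
class MonitorSetting:      # setting values sent by the control device (FIG. 9)
    packet_type: str       # monitored packet type
    cir: float             # Committed Information Rate, bit/s
    pir: float             # Peak Information Rate, bit/s


@dataclass
class ExternalTerminalInfo:   # one row of the external terminal information (FIG. 10)
    registered_at: float
    relay_id: str
    port: int
    ext_net_id: str
    terminal: str


class ControlDevice:
    def __init__(self) -> None:
        self.external_terminals: List[ExternalTerminalInfo] = []

    def packet_in(self, relay_id: str, port: int, net: str, pkt: Packet, now: float) -> None:
        """Packet with no flow-table entry: record its source with the registration time."""
        if not any(t.terminal == pkt.src for t in self.external_terminals):
            self.external_terminals.append(ExternalTerminalInfo(now, relay_id, port, net, pkt.src))

    def congestion_notice(self, relay_id: str, last_normal: Optional[float]) -> Set[str]:
        """Permission list: terminals registered strictly before the relay's last normal
        (below-CIR) time; a relay that never reported normal traffic gets an empty list."""
        if last_normal is None:
            return set()
        return {t.terminal for t in self.external_terminals if t.registered_at < last_normal}


class RelayDevice:
    WINDOW = 1.0   # measurement window in seconds (assumption of this example)

    def __init__(self, relay_id: str, setting: MonitorSetting, ctrl: ControlDevice) -> None:
        self.relay_id, self.setting, self.ctrl = relay_id, setting, ctrl
        self.flow_table: Set[str] = set()               # sources that have a flow entry
        self.samples: List[Tuple[float, int]] = []      # (time, bits) of monitored packets
        self.last_normal_time: Optional[float] = None   # value stored at step S7
        self.permit_list: Optional[Set[str]] = None     # None until a list is received

    def monitor(self, pkt: Packet, now: float) -> str:
        """Steps S2-S7 of FIG. 7; returns the label of the step that was taken."""
        if pkt.pkt_type != self.setting.packet_type:
            return "S6"                                 # S2 No: keep monitoring
        self.samples.append((now, pkt.bits))
        self.samples = [(t, b) for t, b in self.samples if now - t < self.WINDOW]
        bw = sum(b for _, b in self.samples) / self.WINDOW   # bit/s over the window
        if bw < self.setting.cir:                       # S3 No
            self.last_normal_time = now
            return "S7"
        if bw < self.setting.pir:                       # S4 No
            return "S6"
        # S4 Yes: congestion notification; the permission list comes back as the response
        self.permit_list = self.ctrl.congestion_notice(self.relay_id, self.last_normal_time)
        return "S5"

    def receive(self, pkt: Packet, port: int, net: str, now: float) -> str:
        """Step S1 plus the permission-list filter; returns 'forwarded' or 'dropped'."""
        if self.permit_list is not None and pkt.src not in self.permit_list:
            return "dropped"
        if pkt.src not in self.flow_table:              # no entry: packet-in to the controller
            self.ctrl.packet_in(self.relay_id, port, net, pkt, now)
            self.flow_table.add(pkt.src)
        self.monitor(pkt, now)
        return "forwarded"


def run_scenario() -> Dict[str, object]:
    """Terminals 60 and 70 communicate normally, then terminal 80 sends a SYN flood."""
    ctrl = ControlDevice()
    relay = RelayDevice("relay20", MonitorSetting("TCP SYN", cir=2_000, pir=8_000), ctrl)
    log: List[Tuple[str, str]] = []

    def send(src: str, at: float) -> None:
        log.append((src, relay.receive(Packet(src, "TCP SYN", 1000), 3, "extnet40", at)))

    send("terminal60", 1.0)
    send("terminal70", 2.0)
    for i in range(12):                 # 12 SYNs in under half a second
        send("attacker80", 10.0 + i * 0.04)
    send("terminal60", 12.0)            # legitimate terminal still gets through
    send("attacker80", 12.1)            # attacker stays filtered
    return {"permit_list": relay.permit_list,
            "last_normal_time": relay.last_normal_time, "log": log}
```

Note that the attacker's first SYN is itself registered as external terminal information and sets the last-normal time, so the strict "earlier than" comparison of Appendix 2 is what keeps it off the permission list.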
In the second embodiment, the control device 10 performs communication control in a network consisting of the first relay device 20 and the second relay device 30, but the number of relay devices controlled by the control device 10 may be three or more. There may also be a plurality of external network devices connected to a relay device and a plurality of terminal devices connected to an external network device.
In the second embodiment, the permission list information is sent to the relay device that transmitted the congestion notification, but it may also be sent to other relay devices. For example, when a congestion notification is received from the first relay device 20, sending the generated permission list information to the second relay device 30 as well can prevent an attack on the second relay device 30. With such a configuration, stable communication can be continued even when an attacking terminal device is present.
Some or all of the above embodiments can also be described as in the following supplementary notes, but are not limited to them.
(Appendix 1)
A control device comprising:
information generation means for setting, based on information extracted from a packet on which a relay device on a network performs forwarding processing, the processing content for the packet in the relay device, and for generating information of the terminal device that is the source of the packet as external terminal information; and
control means for controlling the forwarding processing in the relay device based on the set processing content,
wherein the information generation means generates, when the network bandwidth required for transmission of packets of a preset packet type exceeds a reference, the external terminal information from the period during which the network bandwidth was at or below the reference as permission list information, and
the control means transmits the permission list information generated by the information generation means to the relay device.
(Appendix 2)
The control device according to Appendix 1, wherein the information generation means generates the external terminal information by associating a first time at which the information of the terminal device is registered with the identification information of the terminal device, and
when the network bandwidth exceeds the reference, generates the permission list information based on the information of the terminal devices whose first time is earlier than a second time sent from the relay device as the time at which the network bandwidth was at or below the reference.
(Appendix 3)
The control device according to Appendix 1 or 2, wherein the control means further comprises means for setting the conditions under which the relay device monitors the network bandwidth.
(Appendix 4)
The control device according to any one of Appendices 1 to 3, wherein, on receiving from the relay device a notification indicating that the network bandwidth has exceeded the reference, the control means generates second permission list information corresponding to another relay device and transmits the second permission list information to that other relay device.
(Appendix 5)
A relay device comprising:
transfer processing means for performing forwarding processing on packets input from a terminal device via a network, based on processing content set by a control device; and
bandwidth monitoring means comprising means for monitoring the network bandwidth required for transmission of packets of a preset packet type, and means for updating, as a last time, the time at which the network bandwidth required for communication of the packets was at or below a reference,
wherein the bandwidth monitoring means, on detecting that the network bandwidth has exceeded the reference, transmits to the control device information indicating that the network bandwidth has exceeded the reference together with the last time, as a congestion notification, and
the transfer processing means receives from the control device, as a response to the congestion notification, permission list information, which is information set based on the information of the terminal devices that were the sources of the packets on which the forwarding processing was performed before the last time, and stops the forwarding processing of packets sent from terminal devices other than those included in the permission list information.
(Appendix 6)
The relay device according to Appendix 5, wherein the bandwidth monitoring means updates the last time when the network bandwidth required for transmission of the packets is at or below a first reference, and transmits the congestion notification when the network bandwidth required for transmission of the packets exceeds a second reference that is greater than the first reference.
(Appendix 7)
The relay device according to Appendix 5 or 6, wherein the transfer processing means filters input packets based on the permission list information and discards packets sent from terminal devices other than those included in the permission list information.
(Appendix 8)
A communication system comprising:
the control device according to any one of Appendices 1 to 4; and
a first relay device and a second relay device, each being the relay device according to any one of Appendices 5 to 7,
wherein the first relay device, on detecting that the network bandwidth has exceeded the reference, transmits the congestion notification to the control device,
the control device generates the permission list information based on the last time included in the congestion notification, and
the first relay device processes input packets based on the permission list information sent from the control device as a response to the congestion notification.
(Appendix 9)
A communication control method comprising:
setting, based on information extracted from a packet on which a relay device on a network performs forwarding processing, the processing content for the packet in the relay device;
generating information of the terminal device that is the source of the packet as external terminal information;
controlling the forwarding processing in the relay device based on the set processing content;
generating, on detecting that the network bandwidth required for transmission of packets of a preset packet type has exceeded a reference, the external terminal information from the period during which the network bandwidth was at or below the reference as permission list information; and
transmitting the generated permission list information to the relay device.
(Appendix 10)
The communication control method according to Appendix 9, comprising generating the external terminal information by associating a first time at which the information of the terminal device is registered with the identification information of the terminal device, and,
when the network bandwidth exceeds the reference, generating the permission list information based on the information of the terminal devices whose first time is earlier than a second time sent from the relay device as the time at which the network bandwidth was at or below the reference.
(Appendix 11)
The communication control method according to Appendix 9 or 10, comprising setting the conditions under which the relay device monitors the network bandwidth.
(Appendix 12)
The communication control method according to any one of Appendices 9 to 11, comprising, on receiving from the relay device a notification indicating that the network bandwidth has exceeded the reference, generating second permission list information corresponding to another relay device and transmitting the second permission list information to that other relay device.
(Appendix 13)
The communication control method according to any one of Appendices 9 to 12, comprising:
monitoring the network bandwidth required for transmission of packets of the preset packet type;
updating, as a last time, the time at which the network bandwidth required for transmission of the packets was at or below the reference;
transmitting, on detecting that the network bandwidth has exceeded the reference, information indicating that the network bandwidth has exceeded the reference together with the last time, as a congestion notification; and
stopping the forwarding processing of packets sent from terminal devices other than those included in the permission list information received as a response to the congestion notification.
(Appendix 14)
The communication control method according to Appendix 13, comprising updating the last time when the network bandwidth required for transmission of the packets is at or below a first reference, and transmitting the congestion notification when the network bandwidth required for transmission of the packets exceeds a second reference that is greater than the first reference.
(Appendix 15)
The communication control method according to Appendix 13 or 14, comprising filtering input packets based on the permission list information and discarding packets sent from terminal devices other than those included in the permission list information.
The present invention has been described above using the above embodiments as exemplary examples. However, the present invention is not limited to the above embodiments. That is, various aspects that can be understood by those skilled in the art may be applied to the present invention within its scope.
This application claims priority based on Japanese Patent Application No. 2017-96211 filed on May 15, 2017, the entire disclosure of which is incorporated herein.
DESCRIPTION OF SYMBOLS
1 information generation means
2 control means
10 control device
11 network control unit
12 flow information generation unit
13 information storage unit
20 first relay device
30 second relay device
40 external network device
50 external network device
60 external terminal
70 external terminal
80 external attack terminal
100 communication device
101 transfer processing unit
102 bandwidth monitoring unit
103 storage unit

Claims (15)

  1.  A control device comprising:
      information generation means for setting, based on information extracted from a packet on which a relay device on a network performs forwarding processing, the processing content for the packet in the relay device, and for generating information of the terminal device that is the source of the packet as external terminal information; and
      control means for controlling the forwarding processing in the relay device based on the set processing content,
      wherein the information generation means generates, when the network bandwidth required for transmission of packets of a preset packet type exceeds a reference, the external terminal information from the period during which the network bandwidth was at or below the reference as permission list information, and
      the control means transmits the permission list information generated by the information generation means to the relay device.
  2.  The control device according to claim 1, wherein the information generation means generates the external terminal information by associating a first time, at which the information on the terminal device is registered, with identification information of the terminal device, and
     when the network bandwidth exceeds the reference, generates the permission list information on the basis of the information on those terminal devices whose first time is earlier than a second time, the second time being sent from the relay device as the time at which the network bandwidth was at or below the reference.
  3.  The control device according to claim 1 or 2, wherein the control means further comprises means for setting the conditions under which the relay device monitors the network bandwidth.
  4.  The control device according to any one of claims 1 to 3, wherein, on receiving from the relay device a notification indicating that the network bandwidth has exceeded the reference, the control means generates second permission list information corresponding to another relay device and transmits the second permission list information to the other relay device.
  5.  A relay device comprising:
     transfer processing means that performs transfer processing on packets input from terminal devices via a network, on the basis of processing content set by a control device; and
     bandwidth monitoring means having means for monitoring the network bandwidth being used for transmission of packets of a preset packet type, and means for updating, as a last time, the time at which the network bandwidth being used for communication of the packets was at or below a reference,
     wherein, on detecting that the network bandwidth has exceeded the reference, the bandwidth monitoring means transmits to the control device, as a congestion notification, information indicating that the network bandwidth has exceeded the reference together with information on the last time, and
     the transfer processing means receives from the control device, as a response to the congestion notification, permission list information that is set on the basis of information on the terminal devices that were the transmission sources of packets on which the transfer processing was performed before the last time, and stops the transfer processing of packets sent from terminal devices other than those included in the permission list information.
  6.  The relay device according to claim 5, wherein the bandwidth monitoring means updates the last time when the network bandwidth being used for transmission of the packets is at or below a first reference, and transmits the congestion notification when the network bandwidth being used for transmission of the packets is greater than a second reference that is greater than the first reference.
  7.  The relay device according to claim 5 or 6, wherein the transfer processing means filters the input packets on the basis of the permission list information and discards packets sent from terminal devices other than those included in the permission list information.
  8.  A communication system comprising:
     the control device according to any one of claims 1 to 4; and
     a first relay device and a second relay device, each being the relay device according to any one of claims 5 to 7,
     wherein the first relay device transmits the congestion notification to the control device on detecting that the network bandwidth has exceeded the reference,
     the control device generates the permission list information on the basis of the last time included in the congestion notification, and
     the first relay device processes the input packets on the basis of the permission list information sent from the control device as a response to the congestion notification.
  9.  A communication control method comprising:
     setting, on the basis of information extracted from a packet on which a relay device on a network performs transfer processing, the processing content for the packet in the relay device;
     generating information on the terminal device that is the transmission source of the packet as external terminal information;
     controlling the transfer processing in the relay device on the basis of the set processing content;
     on detecting that the network bandwidth required for transmission of packets of a preset packet type has exceeded a reference, generating, as permission list information, the external terminal information from the period during which the network bandwidth was at or below the reference; and
     transmitting the generated permission list information to the relay device.
  10.  The communication control method according to claim 9, comprising:
     generating the external terminal information by associating a first time, at which the information on the terminal device is registered, with identification information of the terminal device; and
     when the network bandwidth exceeds the reference, generating the permission list information on the basis of the information on those terminal devices whose first time is earlier than a second time, the second time being sent from the relay device as the time at which the network bandwidth was at or below the reference.
  11.  The communication control method according to claim 9 or 10, comprising setting the conditions under which the relay device monitors the network bandwidth.
  12.  The communication control method according to any one of claims 9 to 11, comprising, on receiving from the relay device a notification indicating that the network bandwidth has exceeded the reference, generating second permission list information corresponding to another relay device and transmitting the second permission list information to the other relay device.
  13.  The communication control method according to any one of claims 9 to 12, comprising:
     monitoring the network bandwidth being used for transmission of packets of the preset packet type;
     updating, as a last time, the time at which the network bandwidth being used for transmission of the packets was at or below the reference;
     on detecting that the network bandwidth has exceeded the reference, transmitting, as a congestion notification, information indicating that the network bandwidth has exceeded the reference together with information on the last time; and
     stopping the transfer processing of packets sent from terminal devices other than those included in the permission list information received as a response to the congestion notification.
  14.  The communication control method according to claim 13, comprising updating the last time when the network bandwidth being used for transmission of the packets is at or below a first reference, and transmitting the congestion notification when the network bandwidth being used for transmission of the packets is greater than a second reference that is greater than the first reference.
  15.  The communication control method according to claim 13 or 14, comprising filtering the input packets on the basis of the permission list information and discarding packets sent from terminal devices other than those included in the permission list information.
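The claims above describe one exchange: the relay monitors the bandwidth of a preset packet type against two references (claims 6 and 14), keeps advancing a "last time" while the rate stays at or below the first reference, reports a congestion notification carrying that last time once the rate exceeds the second reference, and the controller answers with a permission list built from the terminals it registered before that last time (claims 2 and 10), which the relay then uses to discard every other source (claims 7 and 15), with a second list pushed to the other relay (claims 4, 8 and 12). The simulation below is an added example and is not code from the patent or from NEC; the terminal identifiers, byte sizes, thresholds, timestamps and the one-second measurement window are constructed for the scenario, and deriving the second list by applying the same registration-time rule to the other relay's own terminal table is an assumption (the claims do not say how that list is computed).

```python
# Added example: simulates the controller/relay exchange in the claims. Not the
# patent's code. Terminal IDs, thresholds, timestamps and the measurement window
# are constructed; deriving the second list (claim 4) by applying the same rule
# to the other relay's own terminal table is an assumption.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str    # sending terminal (constructed IPv4 address)
    kind: str   # packet type; only the preset kind is bandwidth-monitored
    size: int   # bytes


class Controller:
    """Control device (claims 1-4, 9-12)."""

    def __init__(self):
        self.relays = {}       # relay_id -> Relay
        self.first_seen = {}   # relay_id -> {terminal: first registration time}

    def register_relay(self, relay):
        self.relays[relay.relay_id] = relay
        self.first_seen[relay.relay_id] = {}

    def packet_seen(self, relay_id, src, now):
        # External terminal information: terminal paired with the "first time"
        # (claim 2) at which it was registered.
        self.first_seen[relay_id].setdefault(src, now)

    def permission_list(self, relay_id, last_time):
        # Terminals registered strictly before the relay's last non-congested
        # time. A relay that never reported such a time gets an empty list,
        # which blocks everything: worth knowing before choosing thresholds.
        if last_time is None:
            return frozenset()
        return frozenset(t for t, first in self.first_seen[relay_id].items()
                         if first < last_time)

    def on_congestion(self, relay_id, last_time):
        # Response to the congestion notification: a list for the reporting
        # relay (claim 1) and a second list for each other relay (claim 4).
        for rid, relay in self.relays.items():
            relay.apply_permission_list(self.permission_list(rid, last_time))


class Relay:
    """Relay device (claims 5-7, 13-15) with two-threshold monitoring."""

    def __init__(self, relay_id, controller, kind, first_ref, second_ref, window):
        assert second_ref > first_ref          # claim 6
        self.relay_id, self.controller, self.kind = relay_id, controller, kind
        self.first_ref, self.second_ref, self.window = first_ref, second_ref, window
        self.last_time = None        # "last time" of claim 5, None until measured
        self.permission_list = None  # None until the controller installs one
        self.congested = False
        self._window_bytes = 0
        controller.register_relay(self)

    def apply_permission_list(self, allow):
        self.permission_list = allow

    def process(self, pkt, now):
        """Transfer processing; True if forwarded, False if discarded (claim 7)."""
        if self.permission_list is not None and pkt.src not in self.permission_list:
            return False
        self.controller.packet_seen(self.relay_id, pkt.src, now)
        if pkt.kind == self.kind:
            self._window_bytes += pkt.size
        return True

    def close_window(self, now):
        """Evaluate the measurement window ending at `now`; returns bytes/s."""
        rate = self._window_bytes / self.window
        self._window_bytes = 0
        if rate <= self.first_ref:
            self.last_time = now                 # claim 6: advance last time
        elif rate > self.second_ref and not self.congested:
            self.congested = True                # notify once per congestion
            self.controller.on_congestion(self.relay_id, self.last_time)
        return rate


def run_scenario():
    """Two relays, one controller; a flood hits relay A in the third window."""
    ctl = Controller()
    a = Relay("A", ctl, "udp", first_ref=1000, second_ref=5000, window=1.0)
    b = Relay("B", ctl, "udp", first_ref=1000, second_ref=5000, window=1.0)
    legit_a = [Packet("10.0.0.1", "udp", 500), Packet("10.0.0.2", "udp", 500)]
    legit_b = Packet("10.0.0.3", "udp", 400)
    newcomer = Packet("10.0.0.4", "udp", 100)
    attacker = Packet("192.0.2.66", "udp", 100)

    for t in (0.5, 1.5, 2.5):                    # steady legitimate traffic
        for p in legit_a:
            a.process(p, t)
        b.process(legit_b, t)
        if t < 2.5:                              # two quiet windows: last_time -> 2.0
            a.close_window(t + 0.5)
            b.close_window(t + 0.5)
    a.process(newcomer, 2.6)                     # legitimate but first seen late
    for _ in range(60):
        a.process(attacker, 2.7)                 # 6000 B flood on relay A
    rate_a = a.close_window(3.0)                 # 7100 B/s > 5000: notification
    b.close_window(3.0)

    after = {                                    # filtering once lists are installed
        "A:10.0.0.1": a.process(legit_a[0], 3.5),
        "A:10.0.0.4": a.process(newcomer, 3.5),
        "A:192.0.2.66": a.process(attacker, 3.5),
        "B:10.0.0.3": b.process(legit_b, 3.5),
        "B:192.0.2.66": b.process(attacker, 3.5),
    }
    return {"rate_a": rate_a, "last_time_a": a.last_time,
            "allow_a": a.permission_list, "allow_b": b.permission_list, "after": after}


if __name__ == "__main__":
    print(run_scenario())
```

Two properties of the scheme show up directly in the scenario. The terminal 10.0.0.4, which is legitimate but first registered after the last non-congested time, is discarded for as long as the list is installed, so the gap between the first and second reference sets how much legitimate churn is sacrificed. And the list is keyed only on the terminal identity carried in the packet, so a flood that spoofs a listed source passes the filter; nothing in the claims binds the identity to anything the relay can verify.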
Applications Claiming Priority (2)

JP2017-096211, priority date 2017-05-15
JP2017096211, priority date 2017-05-15

Publications (1)

WO2018212086A1, published 2018-11-22

Family

ID=64273748

Family Applications (1)

PCT/JP2018/018279 (WO2018212086A1), priority date 2017-05-15, filing date 2018-05-11: Control device, relay device, communication system, and communication control method

Country Status (1)

WO: WO2018212086A1
Citations (4)

* Cited by examiner, † Cited by third party

JP2009239525A *, priority date 2008-03-26, published 2009-10-15, Nippon Telegraph and Telephone Corporation (NTT): Filtering device, filtering method, and filtering program
US20150012618A1 *, priority date 2012-02-16, published 2015-01-08, Orange: Technique for processing a data stream between a server and a client entity
JP2017005402A *, priority date 2015-06-08, published 2017-01-05, Alaxala Networks Corporation: Communication device
WO2017073089A1 *, priority date 2015-10-27, published 2017-05-04, Alaxala Networks Corporation: Communication device, system, and method

Legal Events

121 (EP): the EPO has been informed by WIPO that EP was designated in this application. Ref document number 18803054, country EP, kind code A1.
NENP: non-entry into the national phase. Ref country code DE.
122 (EP): PCT application non-entry in European phase. Ref document number 18803054, country EP, kind code A1.
NENP: non-entry into the national phase. Ref country code JP.