WO2022249399A1 - Denial-of-service attack detection device, method, and program - Google Patents


Info

Publication number: WO2022249399A1
Authority: WO, WIPO (PCT)
Application number: PCT/JP2021/020232
Prior art keywords: attack, request, responses, communication device, count value
Other languages: French (fr), Japanese (ja)
Inventors: 伸之 千綿, 寛 吉田
Original assignee: 日本電信電話株式会社
Application filed by 日本電信電話株式会社
Priority to PCT/JP2021/020232 (WO2022249399A1/en)
Priority to JP2023523865A (JPWO2022249399A1/ja)
Publication of WO2022249399A1 (WO2022249399A1/en)


Classifications

    • G: PHYSICS
    • G06: COMPUTING; CALCULATING OR COUNTING
    • G06F: ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50: Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55: Detecting local intrusion or implementing counter-measures

Definitions

  • One aspect of the present invention relates to a denial-of-service attack detection device, method and program used to detect so-called DoS (Denial of Service) attacks, which interfere with the services provided by a website by intentionally overloading resources such as the website's server device and network, or by exploiting vulnerabilities.
  • Non-Patent Document 1 describes flow monitoring, which centrally monitors the traffic of the entire network to detect malicious attacks, and packet monitoring, which inspects the content (payload) of all IP packets to detect malicious attacks by viruses and the like.
  • DoS attacks targeting the server devices of specific websites include, for example, request attacks using requests and response attacks using responses.
  • A request attack sends a large number of malicious attack requests to a specific site.
  • Request attacks can be handled, for example, by counting the number of identical requests received within a certain period of time and, when that number exceeds a threshold, treating the group of requests as attack requests and blocking them.
  • A response attack sends a large number of malicious attack responses from the communication destination to the server device in reply to a request sent by the server device of a specific site.
  • Response attacks can be handled, for example, by having a firewall (FW) placed on the communication path inspect the tuple of each response and block the response if it is determined to be invalid based on that result.
  • The difficulty is that the firewall must determine whether the large number of responses is due to retransmission of normal responses or is for attack purposes.
  • The reason is that the response retransmission cycle is normally set arbitrarily for each communication partner terminal, and the transmission delay in the network is not constant, so it is difficult to distinguish normal traffic from an attack by monitoring only the response retransmission interval.
  • Attack responses could be identified by having the server device analyze the content of each received response packet in detail.
  • However, such analysis requires a large processing load and processing time, consumes the processing capacity of the server device, and tends to delay countermeasures against attack responses.
  • The present invention was made in view of these circumstances and aims to provide a technique for detecting, in a short time and with relatively simple processing, a malicious attack that uses valid responses on a communication path.
  • The denial-of-service attack detection device or method according to the present invention, which solves the above problems, applies to a system that transmits data via a communication path between a first communication device and a second communication device.
  • The denial-of-service attack detection device arranged in the communication path includes a first count processing unit, a first determination processing unit, a request delay processing unit, a second count processing unit, and a second determination processing unit.
  • The first count processing unit counts the number of responses transmitted from the second communication device, at an arbitrary cycle, in reply to a first request transmitted from the first communication device, and obtains a first count value.
  • The first determination processing unit determines whether the first count value per predetermined unit time exceeds a preset first threshold. When it determines that the first threshold is exceeded, the responses to the first request are determined to be a sequence suspected of an attack, and a suspected attack monitoring state is set.
  • While the suspected attack monitoring state is set, the request delay processing unit delays a second request transmitted from the first communication device by a preset time and then forwards it to the second communication device.
  • The second count processing unit counts the number of responses transmitted from the second communication device in reply to the second request and obtains a second count value. The second determination processing unit determines whether the second count value per unit time exceeds a second threshold. When it determines that the second threshold is exceeded, the responses to the second request are determined to be an attack sequence, and information indicating that an attack has been detected is output.
  • FIG. 1 is a diagram showing an example of a sequence when a response is normally transmitted from a communication destination device.
  • FIG. 2 is a diagram showing an example of a sequence when an attack response is sent from a communication destination device.
  • FIG. 3 is a sequence diagram showing an example of detection processing according to an embodiment of the present invention when a response suspected of an attack is sent from a communication destination device.
  • FIG. 4 is a schematic block diagram of a data communication system provided with an inter-network connection device having the function of a denial of service attack detection device according to one embodiment of the present invention.
  • FIG. 5 is a block diagram showing the hardware configuration of the inter-network connection device shown in FIG.
  • FIG. 6 is a block diagram showing the software configuration of the inter-network connection device shown in FIG.
  • FIG. 7 is a flow chart showing a processing procedure and processing contents of packet transfer processing by the inter-network connection device shown in FIG.
  • FIG. 8 is a flow chart showing a processing procedure and processing contents of determination processing by the inter-network connection device shown in FIG.
  • FIG. 9 is a flow chart showing a processing procedure and processing contents of a suspected attack detection judgment processing in the judgment processing shown in FIG.
  • FIG. 10 is a flowchart showing a processing procedure and processing contents of attack detection determination processing in the determination processing shown in FIG.
  • FIG. 11 is a sequence diagram showing overall processing operations by the inter-network connection device shown in FIG.
  • FIGS. 1 and 2 show an example of the connection sequence executed between the server device SV and the communication destination device TM.
  • FIG. 2 shows the sequence when a malicious communication destination device TM(N) transmits attack responses.
  • When the communication destination device TM is a device TM(T) used by a legitimate user, TM(T) sends a response SYN-ACK to the request SYN sent by the server device SV, as shown in FIG. 1.
  • After transmitting the response SYN-ACK, the communication destination device TM(T), allowing for network delays, retransmits the response SYN-ACK each time a predetermined time set in its timer elapses, as shown by the retransmission sequence ACK(T).
  • The timer value is set arbitrarily for each communication destination device TM(T).
  • When the server device SV receives a valid response SYN-ACK, it returns an acknowledgment ACK, after which a communication link is established between the server device SV and the communication destination device TM, enabling data transmission between the devices.
  • A malicious service disruptor, by contrast, repeatedly sends a large number of attack responses SYN-ACK from the communication destination device TM(N) in reply to requests SYN, as shown by ACK(N) in FIG. 2, for example.
  • As a result, an excessive load is placed on the server device SV and on the communication path leading to it, and the server device SV falls into a state in which data communication is difficult.
  • If the inter-network connection device LT arranged between the server device SV and the network has a firewall (FW) function, the firewall function determines whether each attack response SYN-ACK is valid or invalid.
  • If the attack response SYN-ACK is determined to be invalid, it is blocked thereafter. However, if it is determined to be valid, the attack response SYN-ACK continues to be forwarded to the server device SV, and the server device SV continues to be disturbed.
  • FIG. 3 is a sequence diagram showing an example of the detection processing of this embodiment.
  • The inter-network connection device LT counts the number of responses SYN-ACK sent from the communication destination device TM. When the count per unit time exceeds the threshold, the response SYN-ACK is determined to be a "response suspected of attack", and the "suspected attack monitoring state" is set.
  • In this state, when the inter-network connection device LT receives the request SYN, it delays the request by a predetermined amount TD, within a range that does not result in a communication error, before forwarding it to the communication destination device TM. If the number of responses SYN-ACK per unit time then transmitted from the communication destination device TM in reply to the request SYN falls below a predetermined value, the response SYN-ACK is determined to be a normal response, the "suspected attack monitoring state" is canceled, and the normal connection sequence continues. If instead the number of responses SYN-ACK per unit time is still equal to or greater than the predetermined value, the response SYN-ACK is determined to be an attack response, and the server device SV is notified to that effect.
  • In this way, the inter-network connection device LT can detect the above DoS attack while distinguishing it from retransmission of normal responses.
  • FIG. 4 is a diagram showing an example of a data communication system in which the functions of a denial-of-service attack detection device according to an embodiment of the present invention are provided in an inter-network connection device.
  • A data communication system according to one embodiment enables transmission of information data via a wide area network INW between, for example, an in-house network LNW operated by a company or organization and a communication destination device TM used by an external general user.
  • The wide area network INW comprises, for example, the Internet and an access network for accessing the Internet.
  • The in-house network LNW is composed of, for example, a LAN (Local Area Network) and a wireless LAN.
  • The in-house network LNW is provided with a server device SV and an inter-network connection device LT.
  • The server device SV functions, for example, as a Web server device and provides services such as providing various information, collecting, accumulating and managing various user data, and performing predetermined analysis and editing processing on data collected from users and providing the result to the user.
  • The inter-network connection device LT is composed of, for example, a gateway or a router.
  • The inter-network connection device LT has, as basic functions, data transmission between the server device SV and a plurality of communication terminals (not shown) in the in-house network LNW, and data transmission to and from the wide area network INW.
  • The in-house network LNW may also be, for example, a home network operated by an individual user rather than one operated by a company or organization.
  • In that case, a user terminal such as a personal computer is used instead of the server device SV.
  • The communication destination device TM is, for example, a personal computer or a server computer, and is originally used to receive the various services provided by the server device SV of the in-house network LNW.
  • A mobile information terminal such as a smartphone or a tablet terminal may also be used as the communication destination device TM.
  • FIGS. 5 and 6 are block diagrams showing the hardware configuration and software configuration, respectively, of the inter-network connection device LT.
  • The inter-network connection device LT includes a control section 1 using a hardware processor such as a central processing unit (CPU).
  • A storage unit having a program storage section 2 and a data storage section 3, and a communication I/F 4, are connected to the control section 1 via a bus 5.
  • The communication I/F 4 transmits and receives data to and from an external communication destination device TM connected to the wide area network INW, according to the communication protocols defined by the wide area network INW and the in-house network LNW, and also transmits and receives data to and from the server device SV and the communication terminals in the in-house network LNW.
  • The communication I/F 4 is provided with a buffer that temporarily stores received packets for this data transmission and reception.
  • The program storage unit 2 combines, as storage media, a non-volatile memory such as an HDD (Hard Disk Drive) or SSD (Solid State Drive) that can be written and read at any time, and a non-volatile memory such as a ROM (Read Only Memory), and stores middleware such as an OS (Operating System).
  • The data storage unit 3 combines, as storage media, a non-volatile memory such as an HDD or SSD that can be written and read at any time and a volatile memory such as a RAM (Random Access Memory).
  • The data storage unit 3 provides, as the main data storage areas needed to carry out the embodiment, a counter information storage unit 31, a delay information storage unit 32, and a suspected attack monitoring state storage unit 33.
  • The counter information storage unit 31 stores a count value representing the number of responses transmitted from the communication destination device TM in the connection sequence. Specifically, this count value is obtained by counting the number of responses received per unit time for each identical 5-tuple.
  • The delay information storage unit 32 stores a "request delay state" indicating whether a request transmitted from the server device SV in the connection sequence is to be delayed.
  • The suspected attack monitoring state storage unit 33 stores the "suspected attack monitoring state" indicating that a suspected attack is being monitored.
  • The control unit 1 includes, as the processing functions needed to execute the processes of this embodiment, a packet monitoring processing unit 11, a response number counting processing unit 12, a request delay processing unit 13, a determination processing unit 14, and an attack detection notification processing unit 15.
  • The processes of these processing units 11 to 15 are realized by causing the CPU to execute the programs stored in the program storage unit 2.
  • The packet monitoring processing unit 11 monitors the contents of each received packet and determines whether it is a request or a response. If it is a response, the validity of the response is determined based on the packet's 5-tuple. If the response is determined to be valid, its 5-tuple is passed to the response number count processing unit 12.
  • The 5-tuple of a packet is the header information consisting of the packet's source IP address and port number, destination IP address and port number, and protocol number.
  • If the received packet is a request, the packet monitoring processing unit 11 notifies the request delay processing unit 13 of a request delay processing request. When a request delay processing completion notification is returned from the request delay processing unit 13, it instructs the communication I/F 4 to transfer the received packet.
  • When the response number count processing unit 12 receives the 5-tuple of a received response from the packet monitoring processing unit 11, it increments the count value per unit time, stored in the counter information storage unit 31, of received responses having that same 5-tuple.
  • When the request delay processing unit 13 receives a request delay instruction from the determination processing unit 14 (described later), it stores information representing the "request delay state" in the delay information storage unit 32.
  • When a request delay processing request is received from the packet monitoring processing unit 11 in this state, the request delay processing unit 13 performs waiting processing according to the delay time information stored in the delay information storage unit 32 and, when the waiting is complete, returns a request delay processing completion notification to the packet monitoring processing unit 11.
  • The determination processing unit 14 is activated periodically at a preset cycle and has the following processing functions. (1) First, based on the state information stored in the suspected attack monitoring state storage unit 33, it determines whether a suspected attack is being monitored. If not, it compares the count value per unit time of received responses having the same 5-tuple, stored in the counter information storage unit 31, with the first threshold to determine whether the received responses are responses suspected of an attack. If they are, it stores information indicating the suspected attack monitoring state in the suspected attack monitoring state storage unit 33 and notifies the request delay processing unit 13 of a request delay instruction.
  • (2) If a suspected attack is being monitored, it compares the count value per unit time of received responses having the same 5-tuple, stored in the counter information storage unit 31, with the second threshold to determine whether the received responses are normal responses or attack responses. If they are attack responses, it transmits information representing that detection result to the attack detection notification processing unit 15.
  • If the received responses are normal responses,
  • it changes the information in the suspected attack monitoring state storage unit 33 from the suspected attack monitoring state to the normal monitoring state and sends a request delay instruction cancellation notification to the request delay processing unit 13.
  • When the attack detection notification processing unit 15 receives information indicating that an attack response has been detected from the determination processing unit 14, it transmits an attack detection notification to the server device SV.
  • FIGS. 7 to 10 are flow charts showing the processing procedures and processing contents of the processes executed by the control unit 1 of the inter-network connection device LT.
  • FIG. 11 is a sequence diagram showing the overall processing operation of the inter-network connection device LT.
  • The control unit 1 monitors packet reception in step S10 shown in FIG. When a received packet is passed from the communication I/F 4, it determines in step S11 whether the packet is a request or a response based on its content. If the packet is a request transmitted from the server device SV, the request delay processing request is notified to the request delay processing unit 13 in step S12.
  • The request delay processing unit 13 determines in steps S13 and S14 whether information representing the "request delay state" is stored in the delay information storage unit 32. If it is not, it sends a processing completion notification to the packet monitoring processing unit 11 without executing delay processing.
  • When the packet monitoring processing unit 11 receives the processing completion notification, it issues a received packet transfer instruction to the communication I/F 4 in step S17. As a result, the received packet held in the buffer of the communication I/F 4 is transmitted from the communication I/F 4 to the wide area network INW.
  • If the packet is determined to be a response in step S11, the packet monitoring processing unit 11 determines whether the response is valid or invalid based on the 5-tuple of the received response. If the response is invalid, it is discarded without being transferred.
  • If the response is valid, the packet monitoring processing unit 11 passes the 5-tuple of the received response to the response count processing unit 12 as received response information in step S21.
  • The response count processing unit 12 reads from the counter information storage unit 31, in step S22, the count value per unit time for that same 5-tuple, and increments it in step S23. In this way the number of received responses with the same 5-tuple received per unit time is counted.
  • The packet monitoring processing unit 11 then issues a received packet transfer instruction to the communication I/F 4 in step S24.
  • As a result, the received response packet held in the buffer of the communication I/F 4 is transmitted from the communication I/F 4 to the wide area network INW.
  • The control unit 1 of the inter-network connection device LT executes the following determination process for received responses in parallel with the received-packet monitoring process.
  • Step S30 decides whether to execute the suspected attack detection determination or the attack detection determination.
  • Under control of the determination processing unit 14, the control unit 1 of the inter-network connection device LT monitors in step S30 whether the determination timing, which recurs at a preset cycle, has come. When it has, the determination processing unit 14 reads the count value for each 5-tuple of received responses from the counter information storage unit 31 in step S31. In step S32, it then determines whether the suspected attack monitoring state storage unit 33 holds information indicating the "suspected attack monitoring state" or the "normal monitoring state".
  • If the normal monitoring state is stored, the process proceeds to step S33, and the "suspected attack detection determination process", which determines whether the received responses are responses suspected of an attack, is executed.
  • If the suspected attack monitoring state is stored, the process proceeds to step S34, and the "attack detection determination process", which determines whether the received responses are attack responses or normal responses, is executed.
  • In the suspected attack detection determination process, the determination processing unit 14 determines, as shown in FIG., whether the count value per unit time of received responses having the same 5-tuple exceeds the first threshold.
  • The first threshold is set to, for example, the maximum number of normal responses received per unit time.
  • If the count value does not exceed the first threshold, the determination processing unit 14 determines that the received responses are not responses suspected of an attack and terminates the determination process.
  • If the count value exceeds the first threshold, the determination processing unit 14 determines that the received responses are responses suspected of an attack and first notifies the request delay processing unit 13 of a request delay instruction in step S333.
  • Upon receiving the request delay instruction, the request delay processing unit 13 stores information representing the "request delay state" in the delay information storage unit 32 in step S334.
  • The determination processing unit 14 then changes the "normal monitoring state" stored in the suspected attack monitoring state storage unit 33 to the "suspected attack monitoring state" in step S335. In step S336, it updates the count value of the corresponding received responses stored in the counter information storage unit 31 from the previous value to the current value.
  • When a request transmitted from the server device SV is received in this state, the packet monitoring processing unit 11 notifies the request delay processing unit 13 of a request delay processing request in step S12. The request delay processing unit 13 then determines in steps S13 and S14 whether information representing the "request delay state" is stored in the delay information storage unit 32.
  • Since the "request delay state" is now stored, the request delay processing unit 13 proceeds to step S15 and performs waiting processing that delays transfer of the request by the delay time given by the delay time information stored in the delay information storage unit 32.
  • The delay time is set within a range in which the communication destination device TM does not judge the request to be a communication error.
  • When the delay time has elapsed, the request delay processing unit 13 sends a request delay processing completion notification to the packet monitoring processing unit 11.
  • Upon receiving the request delay processing completion notification, the packet monitoring processing unit 11 issues a received packet transfer instruction to the communication I/F 4 in step S17. As a result, the received packet held in the buffer of the communication I/F 4 is transmitted from the communication I/F 4 to the wide area network INW.
  • Thus the request is delayed for a certain period of time by the inter-network connection device LT and then forwarded to the communication destination device TM.
  • In the attack detection determination process, the count value per unit time of received responses having the same 5-tuple is compared with the second threshold. The second threshold is set to the maximum number of retransmissions of normal responses per unit time that the communication destination device TM performs according to its retransmission timer after the request has been delayed. The second threshold may be set to the same value as the first threshold.
  • If the count value does not exceed the second threshold, the determination processing unit 14 determines that the received responses were transmitted from a normal communication destination device TM(T). It then proceeds to step S344 and changes the information in the suspected attack monitoring state storage unit 33 from the suspected attack monitoring state to the normal monitoring state. In step S345, it sends the request delay processing unit 13 a cancellation notification for the request delay instruction previously issued in the suspected attack detection determination process.
  • If the count value exceeds the second threshold, the determination processing unit 14 determines that the received responses are attack responses sent from a malicious communication destination device TM(N), and in step S343 notifies the attack detection notification processing unit 15 that an attack response has been detected.
  • The attack detection notification processing unit 15 transmits an attack detection notification to, for example, the server device SV.
  • On receiving the attack detection notification, the server device SV performs a corresponding process such as refusing to receive the attack responses.
  • As described above, in one embodiment the inter-network connection device LT counts the number of responses SYN-ACK transmitted from the communication destination device TM, and when the count per unit time exceeds the first threshold,
  • the responses SYN-ACK are judged to be "responses suspected of an attack" and the "suspected attack monitoring state" is set.
  • In this state, the request SYN is delayed by a predetermined amount TD, within a range that does not cause a communication error, and then forwarded to the communication destination device TM.
  • If the number of responses SYN-ACK per unit time then falls below the predetermined value, the responses SYN-ACK are judged to be normal responses, the "suspected attack monitoring state" is canceled, and the normal connection sequence continues.
  • If it does not, the responses SYN-ACK are determined to be attack responses, and the server device SV is notified to that effect.
  • Thus the inter-network connection device LT can detect retransmission of the responses constituting the above DoS attack while distinguishing it from retransmission of normal responses.
  • Moreover, since the number of received responses is counted based on the 5-tuple of the received packet and the presence or absence of an attack is determined from the count value, an attack can be detected without detailed monitoring and analysis of the packet payload. This suppresses the processing load and processing delay of the inter-network connection device LT, which can reduce its price, and reduces the processing load of the analysis performed to detect attacks.
  • The control unit 1 of the inter-network connection device LT may also be provided with a verification processing unit that verifies the determination result of whether an attack is present, and the thresholds may be controlled variably based on that verification result.
  • In the above embodiment, the function of the denial-of-service attack detection device according to the present invention is provided in the inter-network connection device LT, such as a gateway or router, in the in-house network LNW.
  • The function of the denial-of-service attack detection device is not limited to this and may instead be provided in a communication device in the wide area network INW, or in a relay device or the like arranged on the communication path between the wide area network INW and the in-house network LNW.
  • The type and functional configuration of the denial-of-service attack detection device, the processing procedure and processing contents of the denial-of-service attack detection processing, and so on can be variously modified without departing from the gist of the present invention.
  • The present invention is not limited to the above-described embodiments as they are, and can be embodied by modifying the constituent elements without departing from the gist of the invention at the implementation stage.
  • Various inventions can be formed by appropriate combinations of the plurality of constituent elements disclosed in the above embodiments. For example, some components may be omitted from all the components shown in the embodiments.
  • Constituent elements of different embodiments may be combined as appropriate.

Abstract

One aspect of this invention counts the number of responses that a second communication device transmits, at an arbitrary cycle, to a first request transmitted from a first communication device; when the count value per unit time is determined to exceed a first threshold value, the responses are judged to be a sequence suspected of being an attack and an attack suspicion monitoring state is set. In that state, when a second request is transmitted from the first communication device, the second request is delayed for a prescribed period of time and then transferred to the second communication device. The number of responses that the second communication device transmits to the second request is then counted, and when the count value per unit time is determined to exceed a second threshold value, the responses to the second request are judged to be an attack sequence and information indicating this is output.

Description

Denial of service attack detection device, method and program
One aspect of the present invention relates to a denial of service attack detection device, method and program used to detect so-called DoS (Denial of Service) attacks, which disrupt the services provided by a website by, for example, intentionally overloading resources such as the website's server device or network, or by exploiting vulnerabilities.
In recent years, DoS attacks have become more serious and more complex, and security measures against them have become essential. Known methods for detecting DoS attacks, as disclosed for example in Non-Patent Document 1, are flow monitoring, which centrally monitors the traffic of the entire network to detect malicious attacks, and packet monitoring, which monitors the content (payload) of all IP packets to detect malicious attacks by viruses and the like.
DoS attacks that target the server device of a specific website include, for example, request attacks, which use requests, and response attacks, which use responses. A request attack sends a large number of malicious attack requests to a specific site. Request attacks can be handled by, for example, counting the number of identical requests received within a certain period of time and, when that number exceeds a threshold, treating the group of requests as attack requests and blocking them.
A response attack, on the other hand, sends a large number of malicious attack responses from the communication destination to the server device of a specific site in reply to requests transmitted by that server device. Response attacks can be handled by inspecting the tuple of the response, for example at a firewall (FW) placed on the communication path, and blocking the response when it is determined to be invalid from that inspection.
However, when malicious responses are valid and are sent in large numbers, it is generally difficult for a firewall to determine whether the large number of responses is due to retransmission of normal responses or is intended as an attack. The reason is that the response retransmission cycle is normally set arbitrarily for each peer terminal and the transmission delay in the network is not constant, so monitoring only the response retransmission interval does not allow a normal/attack decision. In this case the server device can identify attack responses by analyzing the content of the received response packets in detail. However, because this analysis requires a large processing load and processing time, it consumes the processing capacity of the server device, and countermeasures against attack responses tend to be delayed.
SUMMARY OF THE INVENTION The present invention has been made in view of the above circumstances, and aims to provide a technique that can detect a malicious attack using valid responses on a communication path in a short time with relatively simple processing.
To solve the above problems, one aspect of the denial of service attack detection device or method according to the present invention relates to a denial of service attack detection device arranged on the communication path of a system in which data is transmitted between a first communication device and a second communication device via that communication path. The denial of service attack detection device includes a first count processing unit, a first determination processing unit, a request delay processing unit, a second count processing unit, and a second determination processing unit.
The first count processing unit counts the number of responses that the second communication device transmits, at an arbitrary cycle, to a first request transmitted from the first communication device, and obtains a first count value. The first determination processing unit determines whether the first count value per predetermined unit time exceeds a preset first threshold value and, when it is determined that the first count value exceeds the first threshold value, judges the responses to the first request to be a sequence suspected of an attack and sets a suspected attack monitoring state. The request delay processing unit, while the suspected attack monitoring state is set, delays a second request transmitted from the first communication device by a preset time and then forwards it to the second communication device. The second count processing unit counts the number of responses that the second communication device transmits to the second request, and obtains a second count value. The second determination processing unit determines whether the second count value per unit time exceeds a second threshold value and, when it is determined that the second count value exceeds the second threshold value, judges the responses to the second request to be an attack sequence and outputs information indicating that an attack has been detected.
According to one aspect of the present invention, a technique can be provided that enables a malicious attack using valid responses to be detected on a communication path in a short time with relatively simple processing.
Furthermore, by applying the technique according to one aspect of the present invention to an inter-network connection device, the processing load on the server device when it performs analysis processing to detect malicious attacks using valid responses can be reduced.
FIG. 1 is a diagram showing an example of the sequence when a response is transmitted normally from a communication destination device.
FIG. 2 is a diagram showing an example of the sequence when an attack response is sent from a communication destination device.
FIG. 3 is a sequence diagram showing an example of detection processing according to an embodiment of the present invention when a response suspected of being an attack is sent from a communication destination device.
FIG. 4 is a schematic block diagram of a data communication system provided with an inter-network connection device having the function of a denial of service attack detection device according to an embodiment of the present invention.
FIG. 5 is a block diagram showing the hardware configuration of the inter-network connection device shown in FIG. 4.
FIG. 6 is a block diagram showing the software configuration of the inter-network connection device shown in FIG. 4.
FIG. 7 is a flowchart showing the processing procedure and processing contents of packet transfer processing by the inter-network connection device shown in FIG. 6.
FIG. 8 is a flowchart showing the processing procedure and processing contents of determination processing by the inter-network connection device shown in FIG. 6.
FIG. 9 is a flowchart showing the processing procedure and processing contents of suspected attack detection determination processing in the determination processing shown in FIG. 8.
FIG. 10 is a flowchart showing the processing procedure and processing contents of attack detection determination processing in the determination processing shown in FIG. 8.
FIG. 11 is a sequence diagram showing the overall processing operation of the inter-network connection device shown in FIG. 6.
[Application example]
First, an application example of the present invention will be described.
FIGS. 1 and 2 show an example of the connection sequence executed between the server device SV and the communication destination device TM. FIG. 1 shows the sequence when a legitimate communication destination device TM(T) transmits normal responses, and FIG. 2 shows the sequence when a malicious communication destination device TM(N) transmits attack responses.
When the communication destination device TM is a device TM(T) used by a legitimate user, the communication destination device TM(T) sends a response SYN-ACK to the request SYN transmitted by the server device SV, as shown for example in FIG. 1. In this case, to allow for network delay and the like, after sending the response SYN-ACK the communication destination device TM(T) retransmits the response SYN-ACK each time the predetermined time set in its timer elapses, following the retransmission sequence shown as ACK(T). The timer period is set arbitrarily for each communication destination device TM(T). When the server device SV receives a valid response SYN-ACK it returns an acknowledgment ACK; thereafter a communication link is established between the server device SV and the communication destination device TM, and data transmission between the devices becomes possible.
Suppose, on the other hand, that a malicious service disruptor repeatedly sends a large number of attack responses SYN-ACK to the request SYN from the communication destination device TM(N), as shown for example as ACK(N) in FIG. 2. In this case an excessive load is placed on the server device SV and on the communication path leading to it, and the server device SV falls into a state in which it can hardly perform data communication. If, for example, the inter-network connection device LT arranged between the server device SV and the network has a firewall (FW) function, that firewall function determines whether the attack response SYN-ACK is valid or invalid, and if it is determined to be an invalid response, the attack response SYN-ACK is blocked from then on. However, if the attack response SYN-ACK is determined to be valid, it continues to be transmitted to the server device SV, and the server device SV continues to be disrupted.
In one application example of the present invention, therefore, the following countermeasure is taken. FIG. 3 is a sequence diagram showing an example of it.
That is, the inter-network connection device LT counts the number of responses SYN-ACK transmitted from the communication destination device TM. When the count per unit time exceeds a threshold value, it judges the responses SYN-ACK to be "responses suspected of an attack" and sets the "suspected attack monitoring state".
Next, when the server device SV transmits the next request SYN while the "suspected attack monitoring state" is set, the inter-network connection device LT delays that request SYN by a predetermined amount TD, within a range that does not cause a communication error, before forwarding it to the communication destination device TM. If the number of responses SYN-ACK per unit time transmitted from the communication destination device TM to this request SYN then falls below a predetermined value, the responses SYN-ACK are judged to be normal responses, the "suspected attack monitoring state" is cleared, and the normal connection sequence continues. If, on the other hand, the number of responses SYN-ACK per unit time is still equal to or greater than the predetermined value, the responses SYN-ACK are judged to be attack responses and the server device SV is notified accordingly.
As described above, when a DoS attack is carried out in which a malicious communication destination device TM(N) sends a large number of attack responses SYN-ACK, the inter-network connection device LT can detect the DoS attack while distinguishing it from the retransmission of normal responses.
Moreover, even when responses suspected of an attack are detected, they are not immediately judged to be a DoS attack; if the number of responses SYN-ACK received afterwards changes, they are judged to be normal responses. It is therefore possible to determine accurately whether or not an attack is taking place, and if the responses are judged normal, communication continues as it is. In other words, detection of DoS attacks using valid responses and continuation of normal communication can both be achieved.
[One embodiment]
An embodiment according to the present invention will be described below with reference to the drawings.
(Configuration example)
(1) System
FIG. 4 is a diagram showing an example of a data communication system in which the function of the denial of service attack detection device according to an embodiment of the present invention is provided in an inter-network connection device.
The data communication system according to one embodiment enables information data to be transmitted via a wide area network INW between an in-house network LNW operated by, for example, a company or organization and a communication destination device TM used by an external general user. The wide area network INW comprises, for example, the Internet and an access network for accessing the Internet.
The in-house network LNW is composed of, for example, a LAN (Local Area Network) and a wireless LAN. The in-house network LNW is provided with a server device SV and an inter-network connection device LT. The server device SV functions, for example, as a Web server device and provides services such as supplying various information, collecting, accumulating and managing various user data, and performing predetermined analysis or editing processing on data collected from users and providing the result to users.
The inter-network connection device LT is composed of, for example, a gateway or a router. As basic functions, the inter-network connection device LT has a data transmission function between the server device SV and a plurality of communication terminals (not shown) provided in the in-house network LNW, and a data transmission function between the server device SV and those communication terminals on the one hand and the wide area network INW on the other.
The in-house network LNW is not limited to one operated by a company or organization; it may be, for example, a home network operated by an individual user, in which case a user terminal such as a personal computer is used instead of the server device SV.
The communication destination device TM is, for example, a personal computer or a server computer, and is originally used to receive the various services provided by the server device SV of the in-house network LNW. A mobile information terminal such as a smartphone or tablet terminal may also be used as the communication destination device TM.
(2) Inter-network connection device LT
FIGS. 5 and 6 are block diagrams showing the hardware configuration and the software configuration, respectively, of the inter-network connection device LT.
The inter-network connection device LT includes a control unit 1 that uses a hardware processor such as a central processing unit (CPU). A storage unit having a program storage unit 2 and a data storage unit 3, and a communication I/F 4, are connected to the control unit 1 via a bus 5.
Under the control of the control unit 1, the communication I/F 4 transmits and receives data to and from the external communication destination device TM connected to the wide area network INW, and to and from the server device SV and the communication terminals in the in-house network LNW, according to the communication protocols defined by the wide area network INW and the in-house network LNW respectively. For this transmission and reception, the communication I/F 4 has a buffer that temporarily stores received packets.
The program storage unit 2 is configured, for example, by combining, as storage media, a non-volatile memory that can be written and read at any time, such as an HDD (Hard Disk Drive) or SSD (Solid State Drive), with a non-volatile memory such as a ROM (Read Only Memory); in addition to middleware such as an OS (Operating System), it stores the programs needed to execute the various control processes according to one embodiment of the present invention.
The data storage unit 3 is configured, for example, by combining, as storage media, a non-volatile memory that can be written and read at any time, such as an HDD or SSD, with a volatile memory such as a RAM (Random Access Memory); as the main data storage areas needed to carry out one embodiment of the present invention, it has a counter information storage unit 31, a delay information storage unit 32, and a suspected attack monitoring state storage unit 33.
The counter information storage unit 31 is used to store a count value representing the number of responses received from the communication destination device TM in the connection sequence. Specifically, this count value is the number of such responses received per unit time, counted separately for each identical 5-tuple.
The delay information storage unit 32 is used to store a "request delay state" indicating whether requests transmitted from the server device SV in the connection sequence are to be delayed.
The suspected attack monitoring state storage unit 33 is used to store the "suspected attack monitoring state" indicating that suspected attack monitoring is in progress.
The control unit 1 has, as the processing functions needed to execute the various processes according to one embodiment of the present invention, a packet monitoring processing unit 11, a response count processing unit 12, a request delay processing unit 13, a determination processing unit 14, and an attack detection notification processing unit 15. The processing of each of these processing units 11 to 15 is realized by having the CPU execute the programs stored in the program storage unit 2.
Every time a packet is received by the communication I/F 4, the packet monitoring processing unit 11 monitors the content of the received packet and determines whether the packet is a request or a response. If the received packet is determined to be a response, it determines whether the response is valid or invalid based on the 5-tuple of the received packet, and if it is determined to be valid, passes the 5-tuple of the response to the response count processing unit 12. The 5-tuple of a packet is the header information comprising the packet's source IP address/port number, destination IP address/port number, and protocol number.
When the received packet is determined to be a request, the packet monitoring processing unit 11 notifies the request delay processing unit 13 of a request delay processing request. When a request delay processing completion notification is returned from the request delay processing unit 13 in response to this notification, it instructs the communication I/F 4 to forward the received packet.
When the 5-tuple of a received response is passed from the packet monitoring processing unit 11, the response count processing unit 12 increments the per-unit-time count value stored in the counter information storage unit 31 for that same 5-tuple, that is, the count value per unit time of received responses having an identical 5-tuple.
When the request delay processing unit 13 receives a request delay instruction from the determination processing unit 14 described later, it stores information representing the "request delay state" in the delay information storage unit 32. When it then receives a request delay processing request from the packet monitoring processing unit 11 in this state, it waits according to the delay time information stored in the delay information storage unit 32, and when the wait has ended, returns a request delay processing completion notification to the packet monitoring processing unit 11.
The determination processing unit 14 is started periodically at a preset cycle and has the following processing functions.
(1) First, based on the state information stored in the suspected attack monitoring state storage unit 33, it determines whether suspected attack monitoring is in progress. If it is not, it compares the count value per unit time of received responses having an identical 5-tuple, stored in the counter information storage unit 31, with a first threshold value to determine whether the received responses correspond to responses suspected of an attack. If the result of this determination is that they are responses suspected of an attack, it stores information indicating that suspected attack monitoring is in progress in the suspected attack monitoring state storage unit 33 and notifies the request delay processing unit 13 of the request delay instruction.
(2) When information indicating that suspected attack monitoring is in progress is set in the suspected attack monitoring state storage unit 33, it compares the count value per unit time of received responses having an identical 5-tuple, stored in the counter information storage unit 31, with a second threshold value to determine whether the received responses are normal responses or attack responses. If they are attack responses, it passes information representing that detection result to the attack detection notification processing unit 15.
(3) If, on the other hand, the received responses are normal responses, it changes the information in the suspected attack monitoring state storage unit 33 indicating that suspected attack monitoring is in progress to information indicating the normal monitoring state, and sends the request delay processing unit 13 a notification cancelling the request delay instruction.
When the attack detection notification processing unit 15 receives information from the determination processing unit 14 indicating that attack responses have been detected, it transmits an attack detection notification to the server device SV.
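The two-stage judgment described in the application example (count per 5-tuple, first threshold, delayed SYN, second threshold) and in functions (1) to (3) of the determination processing unit 14, written out as an added Python model that is not part of the patent. The 5-tuples, thresholds, delay TD and per-window response counts below are constructed values, and keeping one monitoring state shared across all 5-tuples is an assumption the patent does not specify.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum


@dataclass(frozen=True)
class FiveTuple:
    """Header fields the counters are keyed on: source/destination IP and port, protocol."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int


class State(Enum):
    NORMAL = "normal monitoring"
    SUSPECT = "suspected attack monitoring"


class ResponseAttackDetector:
    """Model of the inter-network connection device's judgment logic.

    Stage 1 (NORMAL): a 5-tuple whose valid-response count in the current window
    exceeds th1 puts the detector into SUSPECT and enables the request delay TD.
    Stage 2 (SUSPECT): a count above th2 in the next window is reported as an attack;
    if no 5-tuple exceeds th2 the state returns to NORMAL and the delay is cancelled.
    """

    def __init__(self, th1: int, th2: int, delay_td: float):
        self.th1 = th1
        self.th2 = th2
        self.delay_td = delay_td
        self.counts = defaultdict(int)      # counter information: responses per 5-tuple
        self.state = State.NORMAL           # suspected attack monitoring state
        self.request_delay = 0.0            # request delay state (0.0 = no delay)
        self.alerts = []                    # 5-tuples reported to the server

    def on_response(self, t: FiveTuple, valid: bool) -> None:
        """Packet monitoring + response counting: only valid responses are counted."""
        if valid:
            self.counts[t] += 1

    def delay_for_request(self) -> float:
        """Request delay processing: how long an outgoing SYN is held before forwarding."""
        return self.request_delay

    def judge(self) -> list:
        """Periodic determination over one window; returns events and resets the counters."""
        events = []
        if self.state == State.NORMAL:
            for t, c in self.counts.items():
                if c > self.th1:                      # function (1)
                    events.append(("suspect", t, c))
                    self.state = State.SUSPECT
                    self.request_delay = self.delay_td
        else:
            still_suspicious = False
            for t, c in self.counts.items():
                if c > self.th2:                      # function (2)
                    events.append(("attack", t, c))
                    self.alerts.append(t)
                    still_suspicious = True
            if not still_suspicious:                  # function (3)
                events.append(("clear", None, 0))
                self.state = State.NORMAL
                self.request_delay = 0.0
        self.counts.clear()
        return events


def simulate(windows: list, th1: int = 10, th2: int = 10, delay_td: float = 0.5) -> list:
    """Feed constructed per-window bursts of valid SYN-ACKs and return the event log.

    Each window is a dict {FiveTuple: number of valid SYN-ACKs seen in that window}.
    After each window the log also records the delay the next SYN would receive.
    """
    det = ResponseAttackDetector(th1, th2, delay_td)
    log = []
    for window in windows:
        for t, n in window.items():
            for _ in range(n):
                det.on_response(t, valid=True)
        log.extend(det.judge())
        log.append(("request_delay", None, det.delay_for_request()))
    return log


# Constructed 5-tuples (documentation address ranges); SYN-ACKs flow peer -> server.
LEGIT = FiveTuple("198.51.100.7", 443, "192.0.2.10", 51000, 6)
ATTACK = FiveTuple("203.0.113.9", 443, "192.0.2.10", 51001, 6)


def legit_retransmit_scenario() -> list:
    """A legitimate peer with an aggressive retransmit timer trips th1, then settles."""
    return simulate([{LEGIT: 12}, {LEGIT: 3}])


def attack_scenario() -> list:
    """A flood that keeps coming regardless of the delayed SYN is reported as an attack."""
    return simulate([{ATTACK: 40}, {ATTACK: 38}])
```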
(Operation example)
Next, an operation example of the inter-network connection device LT configured as described above will be described.
FIGS. 7 to 10 are flowcharts showing the processing procedures and processing contents of the processing executed by the control unit 1 of the inter-network connection device LT, and FIG. 11 is a sequence diagram showing the overall processing operation of the inter-network connection device LT.
(1) Forwarding of requests in the normal state
When a packet is received by the communication I/F 4, the inter-network connection device LT stores the received packet in the buffer of the communication I/F 4 and passes it to the control unit 1.
 制御部1は、パケット監視処理部11の制御の下、図7に示すステップS10においてパケットの受信を監視している。そして、通信I/F4から受信パケットが渡されると、ステップS11により、受信パケットの内容をもとに当該受信パケットがリクエストかレスポンスかを判定する。この判定の結果、受信パケットがサーバ装置SVから送信されたリクエストであれば、ステップS12により、リクエスト遅延処理部13に対しリクエスト遅延処理要求を通知する。 Under the control of the packet monitoring processing unit 11, the control unit 1 monitors reception of packets in step S10 shown in FIG. Then, when the received packet is passed from the communication I/F 4, it is determined whether the received packet is a request or a response based on the content of the received packet in step S11. As a result of this determination, if the received packet is a request transmitted from the server device SV, the request delay processing request is notified to the request delay processing unit 13 in step S12.
 リクエスト遅延処理部13は、上記パケット監視処理部11からリクエスト遅延処理要求を受け取ると、ステップS13、S14により遅延情報記憶部32に「リクエスト遅延状態」を表す情報が保存されているか否かを判定する。そして、「リクエスト遅延状態」を表す情報が保存されていなければ、遅延処理を行わずにパケット監視処理部11に対し処理完了通知を送る。パケット監視処理部11は、上記処理完了通知を受け取ると、ステップS17により通信I/F4に対し受信パケット転送指示を与える。この結果、通信I/F4のバッファに保持されている受信パケットが、通信I/F4から広域ネットワークINWへ送信される。 Upon receiving the request delay processing request from the packet monitor processing unit 11, the request delay processing unit 13 determines whether or not the information representing the "request delay state" is stored in the delay information storage unit 32 in steps S13 and S14. do. Then, if the information indicating the "request delay state" is not saved, the processing completion notification is sent to the packet monitor processing unit 11 without executing the delay processing. When the packet monitoring processing unit 11 receives the processing completion notification, it gives a received packet transfer instruction to the communication I/F 4 in step S17. As a result, the received packet held in the buffer of communication I/F4 is transmitted from communication I/F4 to wide area network INW.
(2) Counting the number of received responses
When the received packet is determined to be a response in step S11, the packet monitoring processing unit 11 determines whether the response is valid or invalid based on the 5-tuple of the received response. If it is invalid, the response is discarded without being transferred.
On the other hand, if the received response is valid, the packet monitoring processing unit 11 passes the 5-tuple of the received response to the response count processing unit 12 as received response information in step S21. When the 5-tuple of the received response is passed, the response count processing unit 12 reads, in step S22, the per-unit-time count value for that same 5-tuple from the counter information storage unit 31, and in step S23 adds to, that is, increments, the count value it read. In this way the number of received responses with the same 5-tuple per unit time is counted.
The packet monitoring processing unit 11 also issues a received packet transfer instruction to the communication I/F 4 in step S24. As a result, the received response packet held in the buffer of the communication I/F 4 is transmitted from the communication I/F 4 to the wide area network INW.
(3) Determination processing for received responses
In parallel with the received packet monitoring processing described above, the control unit 1 of the inter-network connection device LT executes determination processing for received responses as follows.
(3-1) Determining whether to execute the suspected-attack detection determination or the attack detection determination
Under the control of the determination processing unit 14, the control unit 1 of the inter-network connection device LT monitors, in step S30 shown in FIG. 8, whether the determination timing has arrived at a preset period. When the determination timing arrives, the determination processing unit 14 reads the count value for each 5-tuple of received responses from the counter information storage unit 31 in step S31. In step S32, the determination processing unit 14 also determines whether information indicating the "suspected-attack monitoring state" or information indicating the "normal monitoring state" is stored in the suspected-attack monitoring state storage unit 33. If information indicating the "normal monitoring state" is stored, processing proceeds to step S33, where "suspected-attack detection determination processing" is executed to determine whether the received responses are responses suspected of an attack. If, on the other hand, information indicating the "suspected-attack monitoring state" is stored, processing proceeds to step S34, where "attack detection determination processing" is executed to determine whether the received responses are attack responses or normal responses.
(3-2) Suspected-attack detection determination processing
As shown in FIG. 9, the determination processing unit 14 determines in steps S331 and S332 whether the count value of the number of received responses read from the counter information storage unit 31 exceeds a preset first threshold. Here, the first threshold is set, for example, to the maximum number of normal responses received per unit time. If the count value is equal to or less than the first threshold, the determination processing unit 14 judges that the received responses are not responses suspected of an attack and ends the determination processing as it is.
Suppose, on the other hand, that the count value exceeds the first threshold. In this case, the determination processing unit 14 judges that the received responses are responses suspected of an attack and first notifies the request delay processing unit 13 of a request delay instruction in step S333. Upon receiving the request delay instruction, the request delay processing unit 13 causes the delay information storage unit 32 to store information representing the "request delay state" in step S334.
In step S335, the determination processing unit 14 also changes the "normal monitoring state" stored in the suspected-attack monitoring state storage unit 33 to the "suspected-attack monitoring state". Then, in step S336, the determination processing unit 14 updates the count value of the number of received corresponding responses stored in the counter information storage unit 31 from the previous value to the current value.
(3-3) Request delay processing
When the control unit 1 of the inter-network connection device LT, under the control of the packet monitoring processing unit 11, detects in step S11 of FIG. 7 that the next request has been received, it notifies the request delay processing unit 13 of a request delay processing request in step S12. The request delay processing unit 13 then determines, in steps S13 and S14, whether information representing the "request delay state" is stored in the delay information storage unit 32.
Suppose that information representing the "request delay state" is now stored in the delay information storage unit 32. The request delay processing unit 13 then proceeds to step S15 and performs waiting processing that holds back transfer of the request by the delay time, according to the delay time information stored in the delay information storage unit 32. Here, the delay time is set within a range in which the communication destination device TM does not judge the request to be a communication error. When the waiting processing ends, the request delay processing unit 13 sends a request delay processing completion notification to the packet monitoring processing unit 11 at that point.
Upon receiving the request delay processing completion notification, the packet monitoring processing unit 11 issues a received packet transfer instruction to the communication I/F 4 in step S17. As a result, the received packet held in the buffer of the communication I/F 4 is transmitted from the communication I/F 4 to the wide area network INW.
That is, when the next request is transmitted from the server device SV while in the suspected-attack monitoring state, the request is delayed for a fixed time by the inter-network connection device LT and then transferred to the communication destination device TM.
(3-4) Attack detection determination processing
When the transfer timing of the request is delayed as described above, if the communication destination device TM is a normally operating device TM(T), it follows the operation of its retransmission timer, so the number of responses retransmitted per unit time decreases. If, on the other hand, the communication destination device TM is a device TM(N) used by a malicious interferer, it transmits responses while ignoring the retransmission timer, so the number of responses retransmitted per unit time does not decrease.
Therefore, when the determination processing unit 14 moves to the attack detection determination processing, as shown in FIG. 10, it first determines in steps S341 and S342 whether the count value of the number of received responses read from the counter information storage unit 31 exceeds a preset second threshold. Here, the second threshold is set to the maximum number of normal responses that the communication destination device TM retransmits per unit time according to its retransmission timer after the request delay processing. The second threshold may be set to the same value as the first threshold.
If the count value is equal to or less than the second threshold, the determination processing unit 14 judges that the received responses were transmitted from a normal communication destination device TM(T). It then proceeds to step S344 and changes the information indicating the suspected-attack monitoring state, set in the suspected-attack monitoring state storage unit 33, to information indicating the normal monitoring state. In step S345, it also sends the request delay processing unit 13 a notification cancelling the request delay instruction previously notified in the suspected-attack detection determination processing.
If, on the other hand, the determination in steps S341 and S342 finds that the count value exceeds the second threshold, the determination processing unit 14 judges that the received responses are attack responses transmitted from a malicious communication destination device TM(N). Then, in step S343, it notifies the attack detection notification processing unit 15 of information indicating that the attack responses have been detected.
When notified of the detection result information, the attack detection notification processing unit 15 transmits an attack detection notification to, for example, the server device SV. Upon receiving the attack detection notification, the server device SV performs countermeasure processing such as refusing to receive the attack responses.
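The two-stage flow of steps (2) through (3-4) above, written out as an added Python example; this is not code from the patent or its applicant. It assumes that the monitoring state and the "request delay state" are kept per 5-tuple (the patent describes one state storage unit 33 and one delay information storage unit 32), that the unit-time window is advanced by calling tick() in place of the periodic timer of step S30, and that resetting the counters stands in for the count update of step S336. The peer's retransmission-timer behaviour is simulated by the number of responses the caller feeds in; the 5-tuple and the traffic are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# (src_ip, src_port, dst_ip, dst_port, proto): the key the counters are kept under
FiveTuple = Tuple[str, int, str, int, str]

NORMAL = "normal_monitoring"             # contents of state storage unit 33
SUSPECTED = "suspected_attack_monitoring"


@dataclass
class Detector:
    first_threshold: int      # max normal responses per unit time (S331/S332)
    second_threshold: int     # max normal retransmissions after the delay (S341/S342)
    delay_seconds: float      # TD, chosen below the peer's communication-error timeout (S15)
    # Assumption: state and delay flag per 5-tuple rather than one global value.
    state: Dict[FiveTuple, str] = field(default_factory=lambda: defaultdict(lambda: NORMAL))
    counters: Dict[FiveTuple, int] = field(default_factory=lambda: defaultdict(int))
    delayed: Set[FiveTuple] = field(default_factory=set)      # "request delay state" (unit 32)
    detected: List[FiveTuple] = field(default_factory=list)   # passed to notification unit 15

    def on_response(self, ft: FiveTuple, valid: bool = True) -> bool:
        """S21-S23: count a valid response under its 5-tuple; an invalid one is dropped."""
        if not valid:
            return False
        self.counters[ft] += 1
        return True

    def request_delay(self, ft: FiveTuple) -> float:
        """S13-S15: delay applied to a request on this 5-tuple; 0 when not in delay state."""
        return self.delay_seconds if ft in self.delayed else 0.0

    def tick(self) -> Dict[FiveTuple, str]:
        """S30-S34: run at each determination timing; one verdict per 5-tuple seen."""
        verdicts: Dict[FiveTuple, str] = {}
        for ft, count in list(self.counters.items()):
            if self.state[ft] == NORMAL:
                verdicts[ft] = self._suspected_attack_check(ft, count)   # S33
            else:
                verdicts[ft] = self._attack_check(ft, count)             # S34
        self.counters.clear()   # stands in for S336: next unit-time window starts from zero
        return verdicts

    def _suspected_attack_check(self, ft: FiveTuple, count: int) -> str:
        if count <= self.first_threshold:
            return "ok"                   # not suspected, nothing changes
        self.delayed.add(ft)              # S333/S334: request delay instruction
        self.state[ft] = SUSPECTED        # S335
        return "suspected"

    def _attack_check(self, ft: FiveTuple, count: int) -> str:
        if count <= self.second_threshold:
            self.state[ft] = NORMAL       # S344: back to normal monitoring
            self.delayed.discard(ft)      # S345: cancel the request delay instruction
            return "normal"
        self.detected.append(ft)          # S343: report to notification unit 15
        return "attack"


def simulate(peer_ignores_timer: bool) -> Dict[str, object]:
    """Drive one constructed 5-tuple through two determination windows.

    Window 1: 20 SYN-ACKs arrive for the first SYN, more than the first threshold,
    so the next SYN is delayed. Window 2: a well-behaved peer TM(T) follows its
    retransmission timer and sends only 2 SYN-ACKs; a malicious peer TM(N) keeps
    sending 20 regardless of the delay.
    """
    det = Detector(first_threshold=5, second_threshold=5, delay_seconds=1.5)
    ft: FiveTuple = ("203.0.113.10", 443, "192.0.2.20", 40000, "tcp")  # constructed

    for _ in range(20):
        det.on_response(ft)
    det.on_response(ft, valid=False)    # response judged invalid by its 5-tuple: dropped
    first_verdict = det.tick()[ft]
    delay_applied = det.request_delay(ft)   # delay the next SYN on this 5-tuple gets

    burst = 20 if peer_ignores_timer else 2
    for _ in range(burst):
        det.on_response(ft)
    second_verdict = det.tick()[ft]

    return {
        "verdicts": [first_verdict, second_verdict],
        "delay": delay_applied,
        "delay_after": det.request_delay(ft),
        "detected": list(det.detected),
    }


if __name__ == "__main__":
    print("TM(T):", simulate(peer_ignores_timer=False))
    print("TM(N):", simulate(peer_ignores_timer=True))
```

The point the simulation makes is the one the text makes: a single over-threshold window only moves the 5-tuple into the suspected state and switches on the delay; the verdict comes from whether the response rate drops once the next request has been held back by TD. After an "attack" verdict the 5-tuple stays in the suspected state with the delay still applied, matching steps S343 onward, which leave the state unchanged.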
(Action and effect)
As described above, in one embodiment, the inter-network connection device LT counts the number of responses SYN-ACK transmitted from the communication destination device TM, and when the count per unit time exceeds the first threshold, it judges the responses SYN-ACK to be "responses suspected of an attack" and sets the "suspected-attack monitoring state". In this state, when the next request SYN is transmitted from the server device SV, the request SYN is delayed by a predetermined amount TD, within a range that does not cause a communication error, and then transferred to the communication destination device TM. If the number of responses SYN-ACK transmitted per unit time from the communication destination device TM in reply to that request SYN decreases, the responses SYN-ACK are judged to be normal responses, the "suspected-attack monitoring state" is cancelled, and the normal connection sequence continues. If, on the other hand, the number of responses SYN-ACK per unit time is still equal to or greater than the predetermined value, the responses SYN-ACK are judged to be attack responses, and the server device SV is notified to that effect.
Therefore, according to one embodiment, when a DoS attack is carried out in which a large number of attack responses SYN-ACK are sent from a malicious communication destination device TM(N), the inter-network connection device LT can detect the retransmission of responses intended for the DoS attack while distinguishing it from the retransmission of normal responses.
Moreover, when a response suspected of an attack is detected, it is not immediately judged to be a DoS attack; whether it is an attack is judged according to the subsequent change in the number of received responses SYN-ACK. The presence or absence of an attack, which could not be determined from the initial retransmission period of the responses SYN-ACK alone, can therefore be determined accurately. If the responses SYN-ACK turn out to be normal, the connection sequence can be continued thereafter. That is, when a DoS attack using valid responses is carried out, it is possible to achieve both detection of the attack and continuation of normal communication.
In one embodiment, the number of received responses is counted on the basis of the 5-tuple of the received packet, and the presence or absence of an attack is determined from that count value, so the presence or absence of an attack can be determined without detailed monitoring and analysis of the packet payload contents. As a result, the processing load and processing delay of the inter-network connection device LT can be kept low, which allows the inter-network connection device LT to be made less expensive, and the processing load on the server device SV when performing analysis processing to detect malicious attacks using valid responses can also be reduced.
[Other embodiments]
(1) In the above embodiment, the case was described in which the thresholds for detecting responses suspected of an attack and for determining the presence or absence of an attack during the subsequent suspected-attack monitoring are fixed in advance. However, a verification processing unit that verifies the result of the attack determination may be provided, for example, in the control unit 1 of the inter-network connection device LT, and the thresholds may be variably controlled based on the verification results of this verification processing unit.
(2) In the above embodiment, the case was described in which the server device SV is notified when a DoS attack is determined, but the inter-network connection device LT may instead block subsequent transfer to the server device SV of the attack responses determined to constitute the DoS attack.
(3) In the above embodiment, the case was described in which the functions of the denial-of-service attack detection device according to the present invention are provided in an inter-network connection device LT, such as a gateway or router, within the in-house network LNW. However, the invention is not limited to this; the functions of the denial-of-service attack detection device may be provided in a communication device within the wide area network INW, or in a relay device or the like arranged on the communication path between the wide area network INW and the in-house network LNW. In addition, the type and functional configuration of the denial-of-service attack detection device, and the processing procedure and contents of the denial-of-service attack detection processing, may be variously modified without departing from the gist of the present invention.
Although embodiments of the present invention have been described in detail above, the foregoing description is in all respects merely an illustration of the present invention. It goes without saying that various improvements and modifications can be made without departing from the scope of the present invention. That is, in carrying out the present invention, a specific configuration according to the embodiment may be adopted as appropriate.
In short, the present invention is not limited to the above embodiments as they are, and at the implementation stage its constituent elements can be modified and embodied without departing from the gist of the invention. Various inventions can also be formed by appropriate combinations of the plurality of constituent elements disclosed in the above embodiments. For example, some constituent elements may be deleted from all of the constituent elements shown in the embodiments. Furthermore, constituent elements of different embodiments may be combined as appropriate.
LNW ... in-house network
SV ... server device
LT ... inter-network connection device
INW ... wide area network
TM, TM(T), TM(N) ... communication destination device
1 ... control unit
2 ... program storage unit
3 ... data storage unit
4 ... communication I/F
5 ... bus
11 ... packet monitoring processing unit
12 ... response count processing unit
13 ... request delay processing unit
14 ... determination processing unit
15 ... attack detection notification processing unit
31 ... counter information storage unit
32 ... delay information storage unit
33 ... suspected-attack monitoring state storage unit

Claims (7)

  1.  A denial-of-service attack detection device arranged on a communication path of a system that performs data transmission between a first communication device and a second communication device via the communication path, the device comprising:
     a first count processing unit that counts the number of a plurality of responses transmitted in an arbitrary cycle from the second communication device in reply to a first request transmitted from the first communication device, to obtain a first count value;
     a first determination processing unit that determines whether the first count value per predetermined unit time exceeds a preset first threshold and, when the first count value is determined to exceed the first threshold, judges the plurality of responses to the first request to be a sequence suspected of an attack and sets a suspected-attack monitoring state;
     a request delay processing unit that, while the suspected-attack monitoring state is set, delays a second request transmitted from the first communication device by a preset time and then transfers the second request to the second communication device;
     a second count processing unit that counts the number of a plurality of responses transmitted from the second communication device in reply to the second request, to obtain a second count value; and
     a second determination processing unit that determines whether the second count value per the unit time exceeds a second threshold and, when the second count value is determined to exceed the second threshold, judges the plurality of responses to the second request to be an attack sequence and outputs information indicating that an attack has been detected.
  2.  The denial-of-service attack detection device according to claim 1, wherein the second determination processing unit, when it is determined that the second count value does not exceed the second threshold, judges the plurality of responses to the second request to be a normal sequence and cancels the setting of the suspected-attack monitoring state.
  3.  The denial-of-service attack detection device according to claim 1 or 2, wherein the first and second count processing units count the number of the responses for each tuple having identical contents, based on tuples contained in the packets representing the responses.
  4.  The denial-of-service attack detection device according to any one of claims 1 to 3, wherein, when the first communication device is accommodated in a local area network, each of the processing units is provided in an inter-network connection device installed between the local area network and the communication path.
  5.  A denial-of-service attack detection method executed by a device arranged on a communication path of a system that performs data transmission between a first communication device and a second communication device via the communication path, the method comprising:
     a step of counting the number of a plurality of responses transmitted in an arbitrary cycle from the second communication device in reply to a first request transmitted from the first communication device, to obtain a first count value;
     a step of determining whether the first count value per predetermined unit time exceeds a preset first threshold and, when the first count value is determined to exceed the first threshold, judging the plurality of responses to the first request to be a sequence suspected of an attack and setting a suspected-attack monitoring state;
     a step of, while the suspected-attack monitoring state is set, delaying a second request transmitted from the first communication device by a preset time and then transferring the second request to the second communication device;
     a step of counting the number of a plurality of responses transmitted from the second communication device in reply to the second request, to obtain a second count value; and
     a step of determining whether the second count value per the unit time exceeds a second threshold and, when the second count value is determined to exceed the second threshold, judging the plurality of responses to the second request to be an attack sequence and outputting information indicating that an attack has been detected.
  6.  The denial-of-service attack detection method according to claim 5, wherein the step of outputting information indicating that an attack has been detected, when it is determined that the second count value does not exceed the second threshold, judges the plurality of responses to the second request to be a normal sequence and cancels the setting of the suspected-attack monitoring state.
  7.  A program that causes a processor included in the denial-of-service attack detection device according to any one of claims 1 to 4 to execute the processing performed by each of the processing units included in the denial-of-service attack detection device.
PCT/JP2021/020232 2021-05-27 2021-05-27 Denial-of-service attack detection device, method, and program WO2022249399A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2021/020232 WO2022249399A1 (en) 2021-05-27 2021-05-27 Denial-of-service attack detection device, method, and program
JP2023523865A JPWO2022249399A1 (en) 2021-05-27 2021-05-27

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2021/020232 WO2022249399A1 (en) 2021-05-27 2021-05-27 Denial-of-service attack detection device, method, and program

Publications (1)

Publication Number Publication Date
WO2022249399A1 true WO2022249399A1 (en) 2022-12-01

Family

ID=84229628

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2021/020232 WO2022249399A1 (en) 2021-05-27 2021-05-27 Denial-of-service attack detection device, method, and program

Country Status (2)

Country Link
JP (1) JPWO2022249399A1 (en)
WO (1) WO2022249399A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117118752A (en) * 2023-10-23 2023-11-24 山东爱书人家庭教育科技有限公司 Method, system, device and medium for resisting information attack

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2006331015A (en) * 2005-05-25 2006-12-07 Mitsubishi Electric Corp Server device protection system
EP1975829A1 (en) * 2007-03-28 2008-10-01 British Telecmmunications public limited campany Identifying abnormal network traffic conditions
JP2013223005A (en) * 2012-04-13 2013-10-28 Nippon Telegr & Teleph Corp <Ntt> Dos attack detection apparatus

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2006331015A (en) * 2005-05-25 2006-12-07 Mitsubishi Electric Corp Server device protection system
EP1975829A1 (en) * 2007-03-28 2008-10-01 British Telecmmunications public limited campany Identifying abnormal network traffic conditions
JP2013223005A (en) * 2012-04-13 2013-10-28 Nippon Telegr & Teleph Corp <Ntt> Dos attack detection apparatus

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117118752A (en) * 2023-10-23 2023-11-24 山东爱书人家庭教育科技有限公司 Method, system, device and medium for resisting information attack
CN117118752B (en) * 2023-10-23 2024-01-09 山东爱书人家庭教育科技有限公司 Method, system, device and medium for resisting information attack

Also Published As

Publication number Publication date
JPWO2022249399A1 (en) 2022-12-01

Similar Documents

Publication Publication Date Title
US11818167B2 (en) Authoritative domain name system (DNS) server responding to DNS requests with IP addresses selected from a larger pool of IP addresses
US9578055B1 (en) Thwarting drone-waged denial of service attacks on a network
US8584236B2 (en) Method and apparatus for detecting abnormal traffic in a network
US8392991B2 (en) Proactive test-based differentiation method and system to mitigate low rate DoS attacks
US8904535B2 (en) Proactive worm containment (PWC) for enterprise networks
US10097520B2 (en) Method and apparatus for causing delay in processing requests for internet resources received from client devices
US9843590B1 (en) Method and apparatus for causing a delay in processing requests for internet resources received from client devices
KR20110089179A (en) Network intrusion protection
Abramov et al. TCP Ack storm DoS attacks
CN110266678B (en) Security attack detection method and device, computer equipment and storage medium
Jamjoom et al. Persistent dropping: An efficient control of traffic aggregates
KR20120060655A (en) Routing Method And Apparatus For Detecting Server Attacking And Network Using Method Thereof
Hugelshofer et al. OpenLIDS: a lightweight intrusion detection system for wireless mesh networks
Kavisankar et al. A mitigation model for TCP SYN flooding with IP spoofing
Mohammadi et al. SYN-Guard: An effective counter for SYN flooding attack in software-defined networking
WO2002025402A2 (en) Systems and methods that protect networks and devices against denial of service attacks
WO2022249399A1 (en) Denial-of-service attack detection device, method, and program
Bala et al. Quality based Bottom-up-Detection and Prevention Techniques for DDOS in MANET
Kumar et al. An analysis of tcp syn flooding attack and defense mechanism
JP7363503B2 (en) Information processing device, information processing method, and information processing system
Abbas Securing the network against malicious programmable switches
Wagner et al. A fast worm scan detection tool for vpn congestion avoidance
KR20110080971A (en) Method and system for preventing denial of service attacks
KR20120059914A (en) Method And Apparatus For Evaluating Products Of Detecting DDoS Attack
Huang et al. A behavior-based ingress rate-limiting mechanism against DoS/DDoS attacks

Legal Events

Date Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application

Ref document number: 21943046

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2023523865

Country of ref document: JP

NENP Non-entry into the national phase

Ref country code: DE