JP3652661B2 - Method and apparatus for preventing denial of service attack and computer program therefor - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
The present invention realizes a defense method for preventing an attack aimed at causing a functional failure by sending a large amount of communication packets (communication traffic) toward an attacked person in a communication network, and a defense method thereof. The present invention relates to a communication device and a computer program.
In particular, the present invention relates to a technology for preventing a denial of service (DoS) attack, particularly a distributed denial of service (DDoS) attack in a communication network.
[0002]
[Prior art]
In recent years, DDoS attacks on well-known websites are often performed in communication networks (specifically, the Internet), which is a serious problem. The DDoS attack is a distributed DoS attack as the name indicates. A DoS attack sends a large amount of communication traffic to a computer (such as a web server) connected to a network. There are various types of DoS attacks, but they are roughly classified into the following two types. The first type aims to cause a malfunction by wasting resources of the attacked computer, and the second type simply consumes the bandwidth of the attacked communication network by a large amount of communication traffic. It aims to.
[0003]
As a first conventional technique, it is conceivable to protect a DDoS attack using a firewall device. This is based on the assumption that the source address (specifically, IP address, etc.) of a malicious attack communication packet can be specified by some means, and the corresponding source address of communication packets arriving from outside the firewall. This is a defense method in which a firewall device is discarded in a firewall apparatus so as not to adversely affect the resources of the computer inside the firewall.
[0004]
Further, as a second conventional technique, there is a defense method for which the inventors have already applied for a patent. This executes a computer program for detecting a DDoS attack or preventing a detected DDoS attack on a communication device (specifically, a router or a switch) for transferring a communication packet on a network. The environment that can be used is established, and the attacker's computer is protected from attacks by the following procedure.
The procedure is as follows. First, a communication module (border communication device, border router) closest to the attacked person's computer monitors a communication packet passing through the communication device and activates a program module for detecting a DDoS attack. When a DDoS attack is detected, a module for discarding the communication packet of the DDoS attack is activated. Then, a module for searching for a higher-level communication device, that is, a communication device closer to the attack source is activated. Next, the search module is transmitted to the searched upper communication apparatus. Then, a higher-level communication device is searched for in the higher-level communication device. In this manner, the higher order communication devices are sequentially searched, and the communication device closest to the attack source is determined as the defense position. The module that discards the communication packet of the DDoS attack is transmitted to the communication device at the defined defense position, and the defense is performed by operating this module in the communication device at the defense position.
[0005]
[Problems to be solved by the invention]
In the first prior art, since the attack communication packet reaches the position of the firewall, even if the resources of the defense target computer can be protected, communication by the attack up to the firewall is performed. There was a problem that the traffic could not be reduced and the communication bandwidth necessary for the protected computer was wasted.
[0006]
The second prior art also has a problem that there is a type of attack that cannot be detected. Further, in a situation where it is not possible to reliably determine that the traffic is an attack traffic, there is a problem that the usable communication bandwidth is narrowed due to the existence of such suspicious traffic.
[0007]
The present invention has been made in view of such circumstances, and an object thereof is to provide a defense method and apparatus capable of detecting and preventing more types of attacks, and a computer program therefor.
It is another object of the present invention to provide a protection method that not only protects the resources of the protection target computer but also prevents the communication bandwidth of the network from being wasted due to attack traffic or traffic suspected of being an attack.
[0008]
[Means for Solving the Problems]
In order to solve the above problems, the present invention provides a defense method for protecting a defense target computer connected to a network composed of a plurality of communication devices from a denial-of-service attack. Based on the command information from the boundary communication device that is a nearby communication device, the shield communication device connected within the range of a predetermined number of stages from the boundary communication device transmits a communication packet that arrives at the shield communication device. Perform analysis processing to analyze, according to the result of this analysis processing, determine the priority of the communication packet according to the possibility that the communication packet is a communication packet of attack against the defense target computer, and according to this priority The communication packet is forwarded to the transfer destination, and as a result of the analysis process, the communication packet is reliably If it is a communication packet attacks against elephants computer has turned out to gist defense denial of service attacks, characterized in that it comprises discarding shielding process of the communication packet.
[0009]
Further, the denial-of-service attack protection method of the present invention allows two or more stages of connection with the shielded communication apparatus located farthest from the boundary communication apparatus, and can dynamically change the number of stages. It is characterized by doing so.
[0010]
Further, the denial-of-service attack protection method according to the present invention is such that when the communication packet is surely an attack communication packet against the defense target computer in the shielding process, the shield communication device is more attacked. A probe program code transmission process for transmitting a probe program code to an adjacent communication device on the near side, and the probe communication device that has received the probe program code executes the probe program code to Analyzing the arriving communication packet, and as a result, if the communication packet is an attack communication packet against the defense target computer, the communication packet is discarded and the adjacent communication device closer to the attack source Probe program code Transmitted, when the packet results certain time attack analysis is not detected, characterized by further comprising a probe process to terminate the processing of the probe program code.
[0011]
Further, the denial-of-service attack protection method of the present invention captures a communication packet whose destination address is the address of the defense target computer in the probing process, and obtains the source address of the communication packet in advance. If the address is the same as the address, the communication packet is determined to be an attack packet. In other cases, the communication packet is determined not to be an attack packet.
[0012]
Further, the denial-of-service attack prevention method of the present invention captures a communication packet in which at least one of a destination address and a source address is the address of the defense target computer in the probe process, and a) the communication packet Or b) the source address of the communication packet is the address of the defense target computer and the destination address of the communication packet is the attack address. If it is the broadcast address of the original address, it is determined that the communication packet is an attack packet, and if it does not fall under either a) or b), the communication packet is not an attack packet. It is characterized by determining.
[0013]
Further, the denial-of-service attack prevention method of the present invention uses the log information including the parameter value obtained in the normal state in advance in the analysis process in the shield process, A dynamic inspection process is performed by comparing the log information.
[0014]
Further, the present invention is a shield communication device that executes processing of a defense method for protecting a defense target computer from a denial of service attack, from a boundary communication device that is a communication device closest to the defense target computer. Based on the command information, an analysis process for analyzing the communication packet arriving at the shield communication device is performed, and depending on the possibility that the communication packet is an attack communication packet against the defense target computer according to the result of the analysis process The priority of the communication packet is determined, and the communication packet is transferred to the transfer destination according to the priority. The result of the analysis processing is that the communication packet is definitely an attack communication packet against the defense target computer. If it is found that the communication packet is discarded, Is shall.
[0015]
In the shield communication device of the present invention, in the analysis process, the log information including the parameter value obtained in advance at normal time is used to compare the parameter value at the time of inspection with the log information. It is characterized in that a dynamic inspection process is executed.
[0016]
Further, the present invention is a probe communication device that executes a defense method process for protecting a defense target computer from a denial of service attack, and when a communication packet of an attack against the protection target computer is detected by the shield communication device, By receiving the probe program code from the shield communication device and executing the probe program code, the communication packet arriving at the probe communication device is analyzed, and as a result, the communication packet is an attack communication packet against the defense target computer. If it is, the communication packet is discarded and the probe program code is transmitted to the adjacent communication device closer to the attack source. Program code processing Executing the processing of the probe process to terminate In the process of the probe process, when the communication packet whose destination address is the address of the defense target computer is captured, and the transmission source address of the communication packet is the same as the attack source address obtained in advance, Determines that the communication packet is an attack packet, otherwise determines that the communication packet is not an attack packet It is characterized by doing.
[0018]
In addition, this departure Tomorrow , A probe communication apparatus that executes processing of a defense method for protecting a protection target computer from a denial-of-service attack, and when a communication packet of an attack against the protection target computer is detected by the shield communication apparatus, a probe is transmitted from the shield communication apparatus By receiving the program code and executing the probe program code, the communication packet arriving at the probe communication device is analyzed. As a result, if the communication packet is an attack communication packet against the defense target computer, the communication packet Discards the communication packet and transmits the probe program code to the adjacent communication device closer to the attack source. If the attack packet is not detected for a certain time as a result of the analysis, the processing of the probe program code is terminated. To make Executing the processing of over blanking process, In the process of the probing process, a communication packet in which at least one of a destination address and a transmission source address is the address of the defense target computer is captured, and a) an attack source from which the transmission source address of the communication packet is obtained in advance Or b) when the source address of the communication packet is the address of the defense target computer and the destination address of the communication packet is the broadcast address of the attack source address, The communication packet is determined to be an attack packet, and if the communication packet does not fall under either a) or b), it is determined that the communication packet is not an attack packet. .
[0019]
The present invention also relates to a communication apparatus that executes processing of a defense method for protecting a defense target computer from a denial of service attack, the arrival packet capturing unit capturing a communication packet arriving from the network side, and the communication packet An active network execution environment unit for processing a computer program that has an effect on the system, and a queue corresponding to each of a plurality of classes, and determined as a result of the processing of the computer program in the active network execution environment unit Depending on the class, a class-based queue processing unit that performs processing for placing the communication packet in the queue corresponding to the class, and communication packets sequentially from each queue provided in the class-based queue processing unit. Take out and send to the network side A packet transmission unit, and a program transfer processing unit that performs a process of transferring a computer program to be executed by the active network execution environment unit to another communication device, and the active network execution environment unit includes: A code storage unit that stores the computer program; and a code execution unit that reads and executes the computer program stored in the code storage unit. The code storage unit analyzes an incoming communication packet. As a result of this analysis, the class of the communication packet is determined according to the possibility that the communication packet is an attack communication packet, and if the communication packet is definitely an attack communication packet, the communication packet is A shield module that causes the computer to execute the discarding process, and A probe module that analyzes a communication packet to be executed, and if the communication packet is a communication packet of an attack against the defense target computer, causes the computer to execute a process of discarding the communication packet; and a process of the probe module As a result of the execution, when a communication packet of the attack is found, a self-replicating transmission module that causes the computer to execute a process of transmitting a copy of its own program code to an adjacent communication device closer to the attack source, and As a result of the processing of the probe module being executed by the computer, when a communication packet of an attack is not continuously found for a predetermined time, at least a self-annihilation module that causes the computer to execute processing for extinguishing its own program code is stored. Specially Communication device.
[0020]
Further, the present invention is a computer program for causing a computer to execute processing of a defense method for protecting a defense target computer connected to a network constituted by a plurality of communication devices from a denial of service attack, wherein the protection target computer Communication where a shield communication device connected within a predetermined number of stages from the boundary communication device arrives at the shield communication device based on command information from the boundary communication device that is the closest communication device to Analyzing the packet, and determining the priority of the communication packet according to the possibility that the communication packet is an attack communication packet against the protection target computer according to the result of the analysis process The communication packet is transferred to the transfer destination according to the result of the analysis process If it the communication packet is a communication packet attacks on reliably the protection target computer it is found is one which executes a process of discarding the shield process the communication packets to the computer.
[0021]
Further, the present invention is a computer program for causing a computer to execute processing of a defense method for protecting a defense target computer connected to a network constituted by a plurality of communication devices from a denial of service attack, and an incoming communication packet As a result, if the communication packet is a communication packet of an attack against the defense target computer, the communication packet is discarded and the computer program itself is sent to an adjacent communication device closer to the attack source. If the attack packet is not detected for a certain time as a result of the analysis, the computer is caused to execute a probe process that terminates the computer program. In the probing process, a communication packet whose destination address is the address of the defense target computer is captured, and when the transmission source address of the communication packet is the same as the address of the attack source obtained in advance, the communication packet Is determined to be an attack packet, and in other cases, the communication packet is determined not to be an attack packet. Is.
[0023]
In addition, this departure Tomorrow , A computer program for causing a computer to execute a defense method for protecting a defense target computer connected to a network composed of a plurality of communication devices from a denial of service attack, analyzing an incoming communication packet, and the result If the communication packet is an attack communication packet against the protection target computer, the communication packet is discarded and the computer program itself is transmitted to an adjacent communication device closer to the attack source, and the result of the analysis If the attack packet is not detected for a certain period of time, let the computer execute the probe process that terminates the computer program, In the probing process, a communication packet in which at least one of a destination address and a source address is the address of the defense target computer is captured, and a) an attack source address from which the source address of the communication packet is obtained in advance Or b) if the source address of the communication packet is the address of the protection target computer and the destination address of the communication packet is the broadcast address of the attack source address, If the communication packet is determined to be an attack packet and if it does not fall under either a) or b), the computer is caused to execute a process for determining that the communication packet is not an attack packet.
[0024]
DETAILED DESCRIPTION OF THE INVENTION
An embodiment of the present invention will be described below with reference to the drawings.
FIG. 1 shows a network configuration premised on the present embodiment. As shown in FIG. 1, the communication network is connected by a plurality of communication devices 7001. The communication device 7001 can be connected to one or a plurality of user computers 7000. When communication data is exchanged between user computers 7000, packets transmitted by the user computer 7000 of the transmission source are sequentially transferred by the communication device 7001 located at each node on the communication network, so that the packets are transmitted. To the destination user's computer 7000.
[0025]
Next, the configuration of the communication device will be described. FIG. 2 is a block diagram showing an internal configuration of the communication apparatus 7001 according to the present embodiment.
As shown in FIG. 2, the communication device 7001 is captured by an arrival packet capturing unit 7531 that captures a communication packet that has arrived from another communication device or a computer via a network (communication line), and an arrival packet capturing unit 7521. Class-based queue processing for controlling the communication bandwidth for each class by using a transfer processing unit 7521 that performs processing for transferring the communication packet and a queue (queue) corresponding to a plurality of classes having different priorities Unit 7532 and a packet sending unit 7533 for sending the packet output from the class-based queue processing unit 7532 to the network in order to transfer the packet to another communication device or computer.
[0026]
Further, the communication device 7001 includes an active network execution environment 7510 and a program transfer processing unit 7540.
The active network execution environment 7510 executes a program code that operates on a packet to be transferred, and includes therein a code storage unit 7512 that stores the program code and a program code read from the code storage unit 7512 A code execution unit 7511 for executing
The program transfer processing unit 7540 receives a program code to be executed in the active network execution environment 7510 from another communication device via the network, or conversely, receives another program code to be executed on the other communication device. To the other communication device.
[0027]
The code storage unit 7512 in the active network execution environment 7510 can store a DDoS attack defense program for defending against a DDoS attack. This DDoS attack defense program includes a sensor module, a shield module, a probe module, a self-replicating transmission module, and a self-extinguishing module. The sensor module has a function of detecting whether communication traffic of a DDoS attack is occurring by continuously analyzing communication packets arriving at the communication device. Based on the analysis result of the sensor module, the shield module discards the communication packet of the DDoS attack or determines the output class according to the characteristics of the communication packet so that the communication packet enters the queue corresponding to this class. A class-based queue processing unit 7532. When a DDoS attack is detected, the probe module has a function of performing protection processing in a higher-level communication device, that is, in a communication device closer to the attack source. The self-replicating transmission module has a function of transferring the DDoS attack program code itself or a part thereof via a program transfer processing unit 7540 to the upstream communication device. The self-extinguishing module has a function of ending the execution of the DDoS attack defense program itself or erasing it from the code storage unit of the communication apparatus when the DDoS attack traffic is not continued for a predetermined time or longer. . Note that in a communication device or the like that is directly adjacent to the computer to be protected, at least only the sensor module may always be operated without self-extinguishing the DDoS attack defense program.
[0028]
Next, a processing flow when the communication device 7001 transfers a communication packet will be described. A communication packet arriving from the network side is captured by the arrival packet capturing unit 7531 and transferred to the transfer processing unit 7531. The transfer processing unit 7531 passes the communication packet as it is to the class-based queue processing unit 7532 or passes the communication packet to a program running on the active network execution environment 7510 according to the destination address of the communication packet. . This program performs predetermined processing, and normally passes the communication packet to the class-based queue processing unit 7532. If the communication packet is recognized as a DDoS attack communication packet as described above, the communication packet May be discarded as is. The communication packet passed to the class-based queue processing unit 7532 is temporarily placed in the queue of the designated class, and the communication packets are sequentially extracted from the queue for each class and passed to the packet sending unit 7533. The packet sending unit 7533 sends the communication packet toward a predetermined transfer destination on the network.
[0029]
Next, an outline of a method for preventing a DDoS attack throughout the entire network by the above-described communication apparatuses operating in a cooperative manner will be described. FIG. 3 is a logical schematic diagram showing a defense mechanism according to this embodiment.
In FIG. 3, reference numeral 7000a denotes an attacked person's computer. There is a possibility that the computer 7001a of the attacked person is a server computer of a famous website, for example, and a defense mechanism works when this computer 7000a is subjected to a DDoS attack. Reference numerals 7001a to 7001e denote communication apparatuses (specifically, routers, switches, and the like) constituting the network, and correspond to the communication apparatus 7001 described with reference to FIG.
[0030]
Among these communication devices (7001a to 7001e), the communication device 7001a is directly adjacent to the attacker's computer 7000a, that is, a point of contact with the network when viewed from the attacker's computer 7000a side. Therefore, the communication device having such a position is referred to as an “edge communication device”. The boundary communication device plays a role as a defense command source, that is, a center that controls the entire defense mechanism.
Further, the communication devices 7001b and 7001c (shielded communication devices) play a role as shields such as inspecting communication traffic based on a command from the defense command source and discarding communication packets of the DDoS attack.
Further, the communication device 7001e (probe communication device) plays a role as a probe for performing defense at a higher level than the shield.
[0031]
The specific processing contents of each communication device as a defense command source, shield, and probe will be described below.
One of the processes performed by the defense command source is setting a shield level. Here, the shield level is the number of steps (depth) of connection of the communication device to the outside of the network as seen from the defense command source. In the configuration shown in FIG. 3, since the shield level is set to “2”, the first-stage communication device 7001b and the second-stage communication device 7001c are shielded when viewed from the defense command source communication device 7001a. Play a role. Although FIG. 3 shows an example in which the shield level is set to “2”, it can be set to other levels, and the level can be changed dynamically. For example, when the degree of attack of the attacked person on the computer 7000a is large, the attack level can be dynamically changed so as to increase the shield level.
The defense command source controls all shield modules that are transferred from the defense command source and operate on other communication devices. Further, the defense command source can also stop the operation of the shield module in operation as necessary.
[0032]
As will be described later, since the shield module performs two types of inspection, local static inspection and local dynamic inspection, on each communication device (7001b, 7001c), certain attacks are effectively prevented by the shield module. can do. However, some other attacks can only be detected by analyzing the status data of the entire network. Therefore, the defense command source performs a global dynamic inspection process.
[0033]
When the defense according to the present embodiment is applied to the network, the defense command source initially performs a learning stage process. In the process of this learning stage, snapshot data of arrival packets (communication traffic) is periodically acquired, and the characteristic data of the network in a normal state is acquired by performing statistical processing on the snapshot data. This feature data represents a feature pattern that differs for each network according to the purpose of use of the computer to be protected. The feature data in the normal state is referred to as “fingerprint data” for convenience.
[0034]
When fingerprint data is obtained in the learning stage, in the next stage, the defense command source can detect an abnormality by using the fingerprint data. The abnormality that can be detected here is, for example, that the distribution of the source address stored in the header portion of the arrival packet varies abnormally (high randomness), and such an abnormality is detected. This means that an attack using a packet in which the source address is spoofed by a randomly selected address is being carried out. Once an anomaly is detected, the defense command source can issue a new packet filtering rule to all shields.
[0035]
Next, specific processing contents of the shield (the role played by the communication devices 7001b and 7001c in FIG. 3) will be described.
The shield is designed to serve as a “first stage” response to combat DDoS attacks.
On each communication device, the shield module monitors a communication packet transferred to the computer that is the defense target. This can be achieved by calling a specific program code on the active network execution environment using a packet having a specific communication address (IP address) as a trigger in the mechanism of the active network described later. Therefore, the control of the shield module covers all communication packets related to the owner of the module.
[0036]
FIG. 4 is a schematic diagram showing an overview of the processing of classifying communication packets by the shield module. As shown in the figure, when a communication packet to be processed by the shield module arrives from the network side via the input interface, it is temporarily placed in the input queue and sequentially passed to the shield module. The class-based queue processing unit 7532 has three queues whose output (sending to the network) priority is “high”, “medium”, and “low”, respectively. Then, the class-based queue processor 7532 stores communication packets in a queue corresponding to the class determined by the shield module operating on the active network execution environment 7510, and sequentially extracts the communication packets from each queue. Output.
[0037]
The shield module that operates on each communication device has a classification function for classifying communication traffic by class. This classification function is used to determine the probability that an incoming communication packet constitutes flood traffic of a DDoS attack. You can ask for it. Then, communication packets belonging to the class most likely to be a DDoS attack, that is, communication packets of the most suspicious class are designated to enter the lowest priority queue ("low"), and the class-based queue It is passed to the processing unit 7532. Conversely, normal communication packets belonging to the class that is least likely to be a DDoS attack are designated to enter the highest priority queue (“high”). A communication packet of an intermediate class of suspiciousness is designated to enter a queue having a priority of “medium”.
[0038]
The shield module performs output processing using a class-based queue as described above, thereby obtaining the following two effects.
The first effect is that while the protected computer is under attack, suspicious communication traffic is difficult to reach the protected computer, while highly likely communication traffic reaches the protected computer. It is a point that can increase the possibility of doing. That is, the bandwidth of suspicious communication traffic can be suppressed and the bandwidth of normal communication traffic can be secured.
The second effect is that flexibility and accuracy can be provided by an algorithm for detecting a DDoS attack.
[0039]
It can be said that the above two effects greatly improve the defense method as compared with the conventional technique in which whether or not the communication packet is a DDoS attack communication packet is determined in a binary manner. This is because when communication traffic occupying a wider bandwidth than normal communication traffic flows, whether the communication traffic is caused by a DDoS attack, or the amount of normal communication happens to peak. This is because it is not a problem that can be simply determined. Moreover, even if it is confirmed that it is a DDoS attack, it is difficult to separate flood packets and legitimate communication packets caused by a DDoS attack with high reliability. In other words, in order to minimize damage that makes it difficult to reach even normal communication packets, the detection algorithm is an attack communication packet rather than a binary true / false judgment. It can be said that it is desirable to calculate the possibility (probability). Then, only communication packets that are very likely to be attack communication packets should be discarded.
[0040]
The classification function in the shield module performs two types of inspection, local static inspection and local dynamic inspection, as described below.
A local static check is a check that is performed without being based on a state, and is a check that is performed on each incoming packet based on a number of static parameters. Here, the static parameters are the source address and destination address of the communication packet, the parameters on the communication protocol included in the header (specifically, the IP header), the communication packet length, the destination port number, ICMP (Internet) -Control message protocol) type.
[0041]
For example, if the protected computer is a website server, the shielded computer will not send a “ping” request to the other computers, so the shield will send to the protected computer. Directed type 0 ICMP packets (echo responses) and UDP (User Datagram Protocol) with a source port number of 7 can be discarded as soon as they are detected.
Another example of an abnormality that can be detected by static inspection is a communication packet having the same source address and destination address. Since such a communication packet is an attack aimed at the computer having the address falling into a communication packet transmission / reception loop, the shield should discard all such communication packets.
[0042]
The local dynamic inspection is an inspection performed based on a state, and is an inspection performed using a log file (log information) recorded by the shield. This log file records and holds values of certain parameters as data used for detecting an abnormality over a predetermined period.
[0043]
Here, a specific example of the dynamic inspection will be described. In the first specific example, when an abnormal packet or a suspicious packet continuously flows in, the duration time is inspected. For example, if a communication packet of the specified maximum size suddenly flows from the same source for 5 minutes, the shield increases the degree of suspicion of the communication packet from the source address. The communication packet from the transmission source address is put into the output queue of “low” priority.
In the second specific example, the inspection is performed using the ratio of the amount (the number of packets, the amount of data, etc.) between the arrival packet to the specific computer and the transmission packet from the computer. In general, the ratio between arrival and transmission differs for each computer (system, for example, a website system). However, when a certain computer is viewed, the ratio is substantially constant. Therefore, an average ratio between arrival and transmission over a long period of time is calculated in advance. Based on the average ratio, a threshold value of the ratio between arrival and transmission for detecting an abnormality is determined. If the ratio between arrival and transmission exceeds this threshold during the inspection, it can be regarded as abnormal. Note that an upper limit value and a lower limit value may be determined in advance, and may be regarded as abnormal when the ratio between arrival and transmission exceeds the upper limit value or falls below the lower limit value.
[0044]
In the third specific example, the inspection is performed using the distribution of the transmission source address of the communication packet. When viewed over a long period of time in a normal situation, the distribution of source addresses of communication packets should be almost constant. However, when a DDoS attack is performed, since the source address is camouflaged using a randomly selected address, when the degree of variation of the source address is abnormally high, in other words, when the randomness is high, Attacks can be detected.
FIGS. 5A and 5B are graphs showing the distribution status of the source IP addresses, respectively. FIG. 5 (a) shows an example of normal distribution, and FIG. 5 (b) shows an example of distribution when receiving a DDoS attack. The horizontal axis represents an IP address, and the vertical axis represents the appearance of a communication packet. It represents the number of times (or the frequency of appearance). As shown in FIG. 5A, in normal times, only a small number of communication packets with a specific small number of source addresses appear, and the number of appearances of communication packets with other source addresses is small or zero. The number of appearances tends to concentrate on a specific address. On the other hand, as shown in FIG. 5B, when a DDoS attack is being performed, addresses for impersonation are selected at random, so that the number of appearances is uniform for all transmission source addresses. In other words, the degree of the distribution of the number of appearances varies greatly in the IP address space.
[0045]
A method of handling such randomness in numerical values will be described. Let k be the number of all existing IP addresses. By measuring the appearance frequency of the i-th (1 ≦ i ≦ k) IP address over a long period of time, the i-th appearance frequency e (i) expected during a predetermined period is obtained in advance. Then, the number o (i) of the actual appearance of the i-th IP address during a predetermined period is obtained at the time of inspection. And for all IP addresses
d (i) = ((o (i) -e (i)) ^ 2) / e (i)
And the sum of d (i) for all i where 1 ≦ i ≦ k is calculated. When this sum exceeds a predetermined threshold, it can be regarded as abnormal.
[0046]
In addition to the three types of specific examples described above, inspections using various parameters such as communication packet length and TTL (Time-To-Live) values are possible, and the randomness of these parameter values is abnormal. It is possible to check whether a DDoS attack is being performed by detecting a case where the DDoS attack is high or a case where the degree of constantness is abnormally high.
[0047]
As shown in FIG. 3, the following two effects can be obtained by distributing the shield to a plurality of communication devices.
The first effect is that a DDoS attack can be easily absorbed, and abnormal communication traffic can be hardly increased.
The second effect is that communication traffic can be inspected at a plurality of different locations.
[0048]
Next, specific processing contents of the probe (the role played by the communication device 7001e in FIG. 3) will be described.
The defense method of the present embodiment further uses a probe in addition to defense using a shield for the purpose of minimizing damage caused by the DDoS attack. Whereas the shield was designed to act as a “first stage” response as described above, the probe was designed to serve as a traceback and “second stage” response. Yes.
In other words, when it is determined that the communication packet is definitely an attack communication packet against the defense target computer during the shielding process, the shield communication device transmits the probe program code to the adjacent communication device closer to the attack source. The probe program code transmission process is performed.
In addition, the probe communication device that has received the probe program code executes the probe program code to analyze a communication packet that arrives at the probe communication device, and as a result, the communication packet is used for attack communication against the defense target computer. If the packet is a packet, the communication packet is discarded and the probe program code is transmitted to an adjacent communication device closer to the attack source. A probe process for ending the probe program code process is performed.
[0049]
If the defense mechanism of this embodiment confirms a DDoS attack and decides to completely block flood traffic due to the attack, a probe is sent toward the source of the flood traffic. There are two purposes.
The first objective is to secure as much network bandwidth as possible by blocking flood traffic as upstream as possible. A second purpose is to collect evidence of an attack intended for legal use.
This probe is also implemented as an active network active code. That is, the probe module behaves like an agent that moves the communication device from the communication device in stages from downstream to upstream.
In this embodiment, the algorithm of the probe module is designed so as to cope with the DDoS attack of two models of A type and B type described below.
[0050]
First, the A type DDoS attack will be described.
FIG. 6 is a schematic diagram showing an A-type DDoS attack. In this A type model, an attack is performed by a master (an attacking computer) and a slave (computer) invaded by the master. The master computer uploads the DDoS attack program to the slave computer. This communication between the master and the slave is called control traffic. Each slave computer sends a huge amount of packets to the attacked computer. At this time, the source address of the communication packet sent from the slave computer to the victim computer is often camouflaged for the purpose of preventing the attacker from specifying the attack source.
[0051]
Next, a B-type DDoS attack will be described.
FIG. 7 is a schematic diagram showing a B-type DDoS attack. For example, a DDoS attack using “Smurf” or “Fraggle” is included in this B type. A feature of the B-type attack is that communication traffic is amplified using a network in order to increase damage to the computer of the attacked person. When the master (attacking source computer) commands the slave computer, the slave computer broadcasts an ICMP echo request packet and a UDP port 7 (echo) packet to several networks. At this time, the source address of each echo request packet is camouflaged, and the address of the attacker's computer is stored as the source address. Therefore, all the computers connected to the network to which the echo request packet is broadcast (the computer of the legitimate user) try to transmit an echo response packet to the attacked computer. In this way, the flood traffic amplified by the network goes to the attacker's computer.
[0052]
Next, processing for responding to the A-type DDoS attack by the probe will be described.
In general, it is impossible to tell whether the source address of a certain communication packet is spoofed or not. Therefore, initially, an assumption is made that the source addresses of all communication packets are forged.
[0053]
FIG. 8 shows pseudo program code describing a probe algorithm for coping with an A-type DDoS attack. Hereinafter, a description will be given with reference to FIG.
The source address of the attack traffic detected by the shield module is stored in the variable “attSrc”.
In this embodiment, each active code executed in an active network execution environment is owned by a specific owner, and is authorized so that all communication packets related to the owner can be fully controlled. It is assumed. Therefore, on each communication device, the probe module can capture all packets relating to the owner of the probe module and make them a processing target.
[0054]
As shown in FIG. 3, starting from the shield communication device, the replica of the probe module is sequentially transferred to adjacent communication devices in the direction of the attack source by the function of the self-replicating transmission module. .
The code of the probe module shown in FIG. 8 arrives at a new node (communication device) u and starts executing.
[0055]
First, in the first line of the pseudo code illustrated in FIG. 8, the value “false” is stored in the variable “exploded”.
Next, a loop (do-while) from the second line to the eleventh line of the pseudo code is executed.
In the third line of the pseudo code, the function “capturePacketByDest ()” is used to capture a communication packet whose destination address is the address (IP address) of the attacked computer, and the data of the communication packet is changed to a variable (structure). Field) Store in “p”.
In the fourth line of the pseudo code, if the source address (p.src) of the communication packet stored in the variable “p” is equal to the value of the variable “attSrc”, that is, the source address of the attack traffic is equal. Then, the process from the 5th line to the 9th line is executed. Otherwise, the communication packet is released by the function of the function “releasePacket (p)” on the 10th line, that is, sent to the destination communication device.
If it is determined in the process on the fourth line that the packet is an attack traffic communication packet, the communication packet stored in the variable “p” on the fifth line of the pseudo code by the function “discard (p)”. Is destroyed. In other words, attack traffic is stopped here. Further, in the processing from the seventh line to the ninth line of the pseudo code, the node adjacent to the node u and not the original node that transmitted the probe module to the node u, that is, all upstream The self-replication of the probe module itself is transferred to the node v (communication device, which may be plural).
[0056]
In the conditional expression of the 11th line of the pseudo code, if the attack traffic is not found for a predetermined time, the loop from the 2nd line to the 11th line is exited, and the function of the self-extinguishing module is performed on the 12th line. To make self disappear. In other words, if the communication apparatus once started operating as a probe but is not in a position upstream of the attack, the role as a probe is terminated.
[0057]
As described above, the purpose of the algorithm shown in FIG. 8 is to find a communication device located closest to the attack source and block unnecessary traffic at that location. As a result, it is possible to prevent an attack communication packet from flowing downstream, and to prevent an unnecessary load from being applied to an intermediate communication device.
When the probe reaches the communication device closest to the attack source, the probe performs processing for reporting the position information (evidence information such as an IP address) to the defense command source.
[0058]
Next, processing for responding to the B-type DDoS attack by the probe will be described.
As described above, in a B-type DDoS attack, a communication packet sent from an attack source (slave) to a network used for amplification has a spoofed source address. However, the legitimate source address of each computer is stored in the header of the communication packet of the flood traffic sent from the computer belonging to the network used for amplification to the attacked computer. Since the shield initially stores the address of the computer belonging to the network used for amplification in the variable “attSrc”, the probe is amplified as long as the algorithm shown in FIG. 8 is used. Can only reach the network used for the purpose, and cannot send the probe to a communication device that is closer to the true attacker. Therefore, a new algorithm is used as a probe for coping with the B-type DDoS attack.
[0059]
FIG. 9 shows pseudo program code describing a probe algorithm for coping with a B-type DDoS attack. Hereinafter, a description will be given with reference to FIG.
The feature of the pseudo program code shown in FIG. 9 is the processing of the third and fourth lines. In the third line of the same code, a communication packet related to the address of the attacked person's computer is captured by the function of the function “capturePacketAssociatedWith ()”. That is, for example, a communication packet in which either the transmission source address or the destination address is the same as the address of the attacked person's computer is captured. Moreover, the conditional expression for the determination by the “if” statement on the fourth line of the same code is not only the case where the transmission source address of the captured communication packet is equal to the variable “attSrc”, but the transmission source address is the computer of the attacked person Even if the destination address is a broadcast address of the address stored in the variable “attSrc”, the value is described as “true”. For example, when the IP address of the attack source stored in the variable “attSrc” is “101.102.103.104”, “101.102.103.255” is the broadcast address. By making the conditional expression of the “if” statement on the fourth line like this, the address of the attacked computer is the source address, and the broadcast address of the network used for amplification is the destination address. Communication packets, that is, spoofed communication packets sent from the attack source (slave in FIG. 7) to the network for amplification can be discarded (the process of the fifth line of the same code), and further the attack source The probe module can be sent to a communication device close to (processing of the sixth to ninth lines of the same code).
[0060]
The attack source IP address stored in the variable “attSrc” may be a plurality of addresses. Further, as the probe moves from the communication device to the communication device, the information on the attack source IP address is also passed.
[0061]
Note that in order for the above-described defense mechanism to function, it is not always necessary that all communication devices constituting the network have an active network execution environment.
That is, the network is not composed of only active nodes, but may be a mixture of active nodes and inactive nodes (nodes of communication devices that do not have an active network execution environment and only transfer communication packets). In this case, the DDoS attack defense program code is transferred between the active nodes and executed only at the active nodes. The inactive node simply serves to transfer communication packets.
[0062]
Next, with reference to FIGS. 10 to 13, an example of an active network realization method assumed in the present embodiment will be described.
[0063]
FIG. 10 is a block diagram illustrating an internal configuration of the communication apparatus 7001. As shown in FIG. 10, communication lines 7004a, 7024b, 7024c, and 7024d are connected to the communication apparatus 7001, and the communication apparatus 7001 transmits packets to other adjacent communication apparatuses via these communication lines. It can be exchanged. The communication device 7001 also includes interface units 7023a to 7023d corresponding to the communication lines 7024a to 7024d, a transfer processing unit 7021 for performing packet transfer processing, and a transfer destination at the time of packet transfer. A transfer destination table 7022 for storing information and an active network execution environment 7010 for performing processing on active packets are provided. The active network execution environment 7010 includes therein a code execution unit 7011 for executing an active code (program) and a code storage unit 7012 for storing the active code. Here, the active code is a code of a computer program that operates on a packet in an active network.
[0064]
Here, an outline of an operation example of the communication apparatus 7001 will be described with reference to FIG. When a packet arrives from another adjacent communication device via the communication line 7024d, the interface unit 7023d receives the packet and passes it to the transfer processing unit 7021. The transfer processing unit 7021 reads the source address and the destination address stored in the header portion of the passed packet, and further stores them in the transfer destination table storage unit 7022 using these addresses as keys. By referring to the transfer destination table, it is determined how to deal with the packet.
[0065]
Handling of packets can be roughly divided into two types. There are a case where an active code is applied to the packet and a case where the packet is directly transferred to another communication apparatus.
If the active code is to be applied to the packet as a result of referring to the transfer destination table, the transfer processing unit 7021 passes the packet to the active network execution environment 7010. In the active network execution environment 7010, the code execution unit 7011 receives the packet, reads the active code to be applied to the packet from the code storage unit 7012, and executes it. Note that the code execution unit 7011 may transfer the packet that has been processed as a result of executing the active code to the transfer processing unit 7021 and transfer it to another communication device if necessary.
As a result of referring to the transfer destination table, when the active code is not applied to the packet and the packet should be transferred to another transfer device as it is, the transfer processing unit 7021 displays the interface unit (7023a) corresponding to the appropriate transfer destination. And the interface unit transfers the packet to another communication device via a communication line (7024a, 7024b, 7024c, etc.).
[0066]
Here, the case where a packet arrives from another communication device via the communication line 7024d has been described as an example, but the processing when the packet arrives via another communication line is the same.
[0067]
Next, how the transfer processing unit 7021 in the communication device 7001 determines the action on the packet (whether to apply the active code or simply transfer it to another communication device) will be specifically described.
[0068]
In the framework on which this embodiment is based, the active network execution environment is activated based on the IP address specified in the packet. Here, a set of all (global) IP addresses is represented by I. A packet having a source IP address of s and a destination IP address of d is represented as (s, d). It is assumed that all active codes stored in the active network execution environment of the communication device belong to a specific user, and a set of IP addresses owned by a specific user is represented as O.
[0069]
In this framework, each active code belonging to the specific user is a packet represented by a set A according to the following expression, and is received by a communication device (node) having the active network execution environment. Has access to any packet. That is,
A = {(s, d) ε [(O × I) ∪ (I × O)] | s ≠ d}
It is. In other words, the meaning of this expression is that an active code belonging to a specific user has access rights to a packet whose source or destination address is any of all IP addresses owned by that user. It is to have.
[0070]
When n active codes belonging to the user are stored in a communication device (node), the i-th (1 ≦ i ≦ n) active code is a set C (i) (C (i) ⊆A). The active network execution environment is requested in advance to capture and process the packets belonging to. That is, for the user, the active network execution environment is activated by a packet (s, d) that is an element of the union of c (1) ∪c (2) ∪... ∪c (n). Such a packet can be called an “active packet”.
[0071]
FIG. 11 is a schematic diagram illustrating an example of a transfer destination table stored in the transfer destination table storage unit 7022 illustrated in FIG. Information necessary for realizing the above framework can be stored in such a transfer destination table.
[0072]
As shown in FIG. 11, the transfer destination table includes items of type, destination address (Destination), source address (Source), and transfer destination (Send to). The type item represents the type of entry in the table and takes a value of either “Active” or “Regular”. The items of destination address and source address correspond to the destination IP address and source IP address of the packet to be transferred, respectively. The item of transfer destination represents the identification information of the active code to be applied or the IP address of the communication device of the transfer destination to be applied to the packet whose combination of the destination address and the source address matches.
[0073]
An entry whose type value is “active” designates an active code to be applied to the target packet, and information for identifying the active code is written in the transfer destination item.
The entry whose type value is “normal” specifies the address of the communication device that is the transfer destination of the target packet, and the IP address of the communication device that is the transfer destination is written in the item of the transfer destination. .
[0074]
In the example of the transfer destination table shown in FIG. 11, in the first entry, the type is “active”, the destination address is “1.2.3.4”, and the source address is “Any” (anything is possible). "And the transfer destination is" active code A ". This is because, regardless of the source address, if the destination address matches “1.2.3.4”, the active network execution environment is activated with the corresponding packet as a trigger, and the active code A Is executed.
In the second entry, the type is “active”, the destination address is “10.50.0.0”, the source address is “11.12.13.14”, and the transfer destination is “Active code B”. This indicates that when both the destination address and the transmission source address match the above values, the active network execution environment is activated with the corresponding packet as a trigger, and the active code B is executed.
In the third entry, the type is “active”, the destination address is “Any”, the source address is “157.2.3.0”, and the transfer destination is “active”. Code C ". This is because, regardless of the destination address, if the source address matches “157.2.3.0”, the active network execution environment is started with the corresponding packet as a trigger, and the active code C is Indicates that it will be executed.
[0075]
As shown in FIG. 11, in the transfer destination table, an entry whose type is “active” exists above an entry whose type is “normal”. An entry whose type is “active” is applied with priority over an entry whose type is “normal”. Each entry is applied only to a packet arriving at the communication apparatus, and is not applied to a packet transmitted for transfer.
[0076]
The configuration of the communication apparatus described above will be summarized.
The interface unit illustrated in FIG. 10 is provided for each communication line, and receives a packet arriving from the communication line and performs a process of transmitting the packet to the communication line.
Further, the transfer destination table storage unit includes a packet source address and / or destination address pattern, a program (active code) information corresponding to the pattern, or a transfer destination address information corresponding to the pattern. Is stored in the transfer destination table.
The active network execution environment stores the program in advance and executes the program.
The transfer processing unit refers to the transfer destination table based on a source address or a destination address of the received packet when the received packet arriving from the communication line is transferred from the interface unit, and the transfer destination table If the destination address information corresponding to the address pattern of the received packet is registered in the interface unit corresponding to the destination address so that the received packet is sent to the predetermined destination address. When the information of the program corresponding to the address pattern of the received packet is registered in the transfer destination table, the active network execution environment unit starts the program and passes the received packet to the program .
[0077]
Next, a model related to active code security in this embodiment will be described. This security model is to ensure that each active code only works on packets that involve the owner of the active code. For this purpose, this security model is based on the existence of a public key infrastructure.
[0078]
FIG. 12 is a schematic diagram showing the security model and the processing procedure in the model. In FIG. 12, reference numeral 7051 denotes a user terminal device of the user A, and 7061 denotes a certification authority device. The function of the certificate authority may be provided by a public institution, or may be provided by an ISP (Internet Service Provider).
In the example shown in FIG. 12, the IP address of the user terminal device 7051 is “1.2.3.4”. Hereinafter, a procedure of processing for user A to register active code A in communication apparatus 7001 will be described. In the following, the user A may be a developer of the active code A, but there is no necessity, and the user A obtains the active code A developed by another developer and registers it in the communication device 7001. You can do it.
[0079]
First, as shown in (1), the user terminal device 7051 of the user A generates a key pair, that is, a public key and a secret key, using a known technique.
Then, as shown in (2), the user terminal device 7051 registers the public key generated above in the certificate authority device 7061. At this time, the certificate authority device 7061 verifies the IP address of the user terminal device 7051. If this verification is performed correctly, the public key itself, information for identifying the user A, and the IP address “1.2.3.4” of the user terminal device 7051 are stored in the certificate authority device 7061.
[0080]
Next, as shown in (3), the user terminal device 7051 performs processing for digitally signing the active code A using the secret key generated above.
Then, as shown in (4), the user terminal device 7051 performs a process of registering the active code A signed with the secret key in the communication device 7001.
[0081]
In response to this, the communication device 7001 obtains the electronic certificate of the user A who registered the active code A from the certificate authority device 7061 as shown in (5). This electronic certificate includes information for identifying the user A, the IP address “1.2.3.4”, and the public key registered in (2) above.
Then, as shown in (6), the communication device 7001 verifies the electronic signature of the active code A registered in (4) above using the public key of the user A extracted from the electronic certificate. If this is correctly verified, the communication device 7001 performs processing for introducing the active code A into the active network execution environment. Accordingly, necessary entries are added to the transfer destination table.
[0082]
Once the processes of (1) and (2) are performed and the public key of user A is registered in the certificate authority apparatus 7061, the user terminal apparatus 7051 is activated using the secret key corresponding to the public key. Any number of modules can be registered in the communication apparatus 7001.
[0083]
In other words, the communication device 7001 includes a registration unit (not shown), which receives a program electronically signed with the user's private key from the user's terminal device and receives the user's electronic certificate. The digital signature program is verified using the public key of the user included in the received digital certificate received from the certificate authority device. If this verification is successful, the address pattern corresponding to the program is verified. And the program information are registered in the transfer destination table, and if this verification fails, the program information is not registered in the transfer destination table.
[0084]
In order for the above-described procedure for registering the active code to the communication device to function effectively, the following two points are assumed.
As a first premise, it is known in advance to which communication device (node) the user should register the active code. Alternatively, a directory service is provided for identifying which communication device (node) should register the active code.
As a second premise, the communication device (node) can acquire the public key of the target certificate authority offline beforehand, acquire it from another certificate authority, or acquire it by some other means.
[0085]
Next, control for resolving the contradiction will be described.
In a certain communication apparatus (node), n active codes are registered, and the i-th (1 ≦ i ≦ n) and j-th (1 ≦ j ≦ n) active codes are respectively set C (i) ( Set (c (i) ∩c (j)) is an empty set when it is defined to be for packets belonging to C (i) ⊆A) and set C (j) (C (j) ⊆A) There may be a combination of i and j, where i ≠ j. That is, the definition is such that a certain packet is applied to both the i-th active code and the j-th active code. Such a contradiction is resolved by one of the following two scenarios.
[0086]
The first conflict resolution scenario is for packet (s, d):
(SεO (k) ΛdεO (l)) Λ (k ≠ l)
To be
(S, d) εc (i) ∩c (j)
It is about the case that becomes. However, O (k) and O (l) are sets of IP addresses owned by users k and l, respectively.
That is, for a certain packet, both the active code for the source user and the active code for the destination user are registered in the communication device, and this packet (s, d) has arrived at such a communication device. Is the case. In such a case, it may be desirable to preferentially apply the destination user's active code.
[0087]
That is, in the pattern registered in the transfer destination table, the first entry in which only the source address is specified and the destination address can be anything, and only the destination address is specified and the source address is whatever A second entry that is considered good, and when a received packet matches both the first entry and the second entry, the second entry takes precedence over the first entry. Thus, the program corresponding to the pattern of the second entry is started.
[0088]
In this way, prioritizing the active code of the destination user over the active code of the source user establishes a mechanism that protects against a DDoS (Distributed DoS, Distributed Denial of Service) attack using the active network function. This is especially important when doing so. By doing so, the active code of the destination user, who can be an attacked person, is given priority over the active code of the potential attacker.
[0089]
The second conflict resolution scenario relates to the case where two or more active codes to be applied for a packet (s, d) are registered by the same user. In such a case, it may be desirable that the oldest registered one of the corresponding active codes is applied with priority over the other. This is because when the user tries to register a new active code, it is guaranteed that the old active code is deleted in advance in order to make the new active code effective.
[0090]
Next, an example of implementation of a communication device that functions as a node of an active network as described above will be described. FIG. 13 is a schematic diagram when a communication apparatus that processes an active packet by using a Java (registered trademark) virtual machine (JVM) on Linux is realized.
[0091]
In the example shown in FIG. 13, a dedicated IP stack is constructed as part of the process. Thus, a transfer destination table as shown in FIG. 11 is realized, and an entry can be added to or deleted from the transfer destination table from the execution environment (active network execution environment). As a result, the IP stack in the kernel becomes unnecessary, and routing in the kernel is inactivated. Then, a copy of the arrival packet is created from the data link portion, and the packet can be supplemented by the Java (registered trademark) virtual machine through the library libcap.
[0092]
The dedicated IP stack constructed as part of the processing is an active packet, that is, a packet having an IP address (destination IP address, source IP address, or a combination thereof) that matches a predetermined definition on the forwarding destination table. Passed to the active code that is run on the execution environment. On the other hand, normal packets other than active packets are transferred to adjacent communication devices or the like in the same manner as the IP stack in the kernel. All packets sent from this communication device, whether active packets or normal packets, are sent through the library library. By doing so, the transmission source address recorded in the header of each processed packet is sent to the network in the state where the original transmission source address remains unchanged.
[0093]
Further, it is possible to implement a security model by using “java.security” which is a standard Java (registered trademark) API (application program interface). This standard API provides most of the functions necessary to build a security model. Also, as the format for the certificate, the “X.509” certificate format can be used, and the IP address of the owner of the active code is set to the distinguished name (DN, distinguished name) of “X.509”. By including in part, the security model of the present embodiment can be realized.
[0094]
Needless to say, in the above implementation, a communication apparatus having an active network execution environment is constructed by using a computer system. Then, the above-described series of processing, that is, creation and capture of a copy of an incoming packet, processing of transfer of an active packet and a normal packet while referring to a transfer destination table, and activation of an active code in an active network execution environment Each process such as execution of the process and transmission of the processed packet to the network is stored in a computer-readable recording medium in the form of a program, and the computer reads and executes the program Thus, the above processing is performed. Here, the computer-readable recording medium means a magnetic disk, a magneto-optical disk, a CD-ROM, a DVD-ROM, a semiconductor memory, or the like. Alternatively, the computer program may be distributed to the computer via a communication line, and the computer that has received the distribution may execute the program.
[0095]
The embodiments of the present invention have been described in detail above with reference to the drawings. However, the specific configuration is not limited to these embodiments, and includes a design and the like within a scope not departing from the gist of the present invention.
For example, in the above embodiment, the communication address is written as a 4-byte IP address on the premise that the Internet protocol is used. However, in the next generation IP using an address having a larger number of bytes or a communication network using another completely different protocol. The present invention can also be applied.
[0096]
【The invention's effect】
As described above, according to the present invention, the shield communication device performs an analysis process for analyzing an incoming communication packet, and the communication packet is an attack communication packet against the defense target computer according to a result of the analysis process. The priority of the communication packet is determined according to the possibility, and the communication packet is transferred to the transfer destination according to the priority. For this reason, it is possible to minimize the damage that makes it difficult for normal communication packets to reach under attack, compared to the case where the prior art was used to determine whether or not the packet was an attack binary. it can. Even in a stage where it is not possible to determine whether or not the packet is an attack packet, the bandwidth occupied by the suspicious communication packet can be narrowed down in stages.
[0097]
In addition, according to the present invention, two or more stages are allowed as the number of connection stages with the shield communication apparatus located farthest from the boundary communication apparatus, that is, the number (depth) of the shield communication apparatus is two or more. Therefore, the load of the defense process can be distributed, and the defense is performed at a position closer to the attack source, so that it is possible to effectively use the bandwidth of the downstream communication line without wasting it.
[0098]
Further, according to the present invention, when an attack is detected, the function of the probe is moved stepwise from the shield communication device to the upstream, so that it is possible to defend at a location closer to the attack source. As a result, the bandwidth of the downstream communication line can be used effectively, and the process of collecting evidence information about the attack source can be performed.
[0099]
Further, according to the present invention, as a probe process, when a communication packet whose destination address is the address of the defense target computer is captured, and the source address of the communication packet is the same as the address of the attack source obtained in advance Since it is determined that the communication packet is an attack packet, the A-type DDoS attack described in the description of the embodiment can be prevented.
[0100]
Further, according to the present invention, as a probe process, a communication packet in which at least one of a destination address and a transmission source address is the address of the defense target computer is captured, and the transmission source address of the communication packet is the protection target computer Even when the destination address of the communication packet is the broadcast address of the attack source address, it is determined that the communication packet is an attack packet. Therefore, the B-type DDoS described in the description of the embodiment is used. Can defend attacks.
[0101]
In addition, according to the present invention, the introduction of the dynamic inspection makes it possible to detect and defend against attacks that could not be detected by the prior art.
[Brief description of the drawings]
FIG. 1 shows a network configuration premised on an embodiment of the present invention.
FIG. 2 is a block diagram showing an internal configuration of the communication apparatus according to the embodiment.
FIG. 3 is a logical schematic diagram showing a defense mechanism according to the embodiment;
FIG. 4 is a schematic diagram illustrating an overview of processing for classifying communication packets by the shield module according to the embodiment;
FIGS. 5A and 5B are graphs showing a distribution state of transmission source IP addresses used when the shield module according to the embodiment performs a dynamic inspection, in which FIG. 5A is a normal distribution and FIG. 5B is under attack. An example of the distribution of time is shown.
FIG. 6 is a schematic diagram showing an A-type DDoS attack.
FIG. 7 is a schematic diagram showing a B-type DDoS attack.
FIG. 8 is pseudo program code describing a probe algorithm for responding to an A-type DDoS attack, in accordance with one embodiment of the present invention.
FIG. 9 is a pseudo program code describing a probe algorithm for coping with a B-type DDoS attack according to the embodiment;
FIG. 10 is a block diagram showing an internal configuration of a communication apparatus according to the embodiment.
FIG. 11 is a schematic diagram illustrating an example of a transfer destination table stored in a transfer destination table storage unit according to the embodiment;
FIG. 12 is a schematic diagram showing a security model and processing procedures in the model according to the embodiment;
FIG. 13 is a schematic diagram when the communication apparatus according to the embodiment is realized so as to process an active packet using a Java (registered trademark) virtual machine (JVM) on Linux;
[Explanation of symbols]
7000 user's computer
7001 Communication device
7010 Active network execution environment
7011 Code execution part
7012 Code storage unit
7021 Transfer processing unit
7022 Transfer destination table storage unit
7023a, 7023b, ... interface section
7024a, 7024b, ... Communication line
7051 User terminal device
7061 Certificate Authority equipment
7510 Active network execution environment
7511 Code execution part
7512 code storage unit
7521 Transfer processing unit
7531 Arrival packet capture unit
7532 Class-based queue processor
7533 Packet sending part
7540 Program transfer processor

Claims (14)

A defense method for protecting a defense target computer connected to a network composed of a plurality of communication devices from a denial of service attack,
Based on the command information from the boundary communication device that is the communication device closest to the defense target computer, the shield communication device connected within a predetermined number of stages from the boundary communication device is the shield communication device. An analysis process is performed to analyze a communication packet arriving at the network, and the priority of the communication packet is determined according to a possibility that the communication packet is an attack communication packet against the defense target computer according to a result of the analysis process. The communication packet is forwarded to the transfer destination according to the priority, and the communication packet is determined when the analysis process has determined that the communication packet is definitely an attack communication packet against the defense target computer. A method of protecting against denial of service attacks, characterized by having a shield process of destroying. A method of preventing denial of service attacks according to claim 1,
Protection against denial of service attacks characterized by allowing two or more stages to be connected to the shielded communication apparatus located farthest from the boundary communication apparatus and dynamically changing the number of stages. Method. A method of preventing denial of service attacks according to claim 1,
When it is determined that the communication packet is an attack communication packet against the defense target computer in the shield process, the probe program code is used for an adjacent communication device closer to the attack source. Probe program code transmission process,
The probe communication device that has received the probe program code analyzes the communication packet that arrives at the probe communication device by executing the probe program code, and as a result, the communication packet is an attack communication packet against the defense target computer. If it is, the communication packet is discarded and the probe program code is transmitted to the adjacent communication device closer to the attack source. A denial-of-service attack defense method, further comprising: a probe process for terminating the processing of the program code. A method of preventing denial of service attacks according to claim 3,
In the probing process, a communication packet whose destination address is the address of the defense target computer is captured, and when the transmission source address of the communication packet is the same as the address of the attack source obtained in advance, the communication packet is A denial-of-service attack prevention method, characterized in that it is determined to be an attack packet, and in other cases, the communication packet is determined not to be an attack packet. A method of preventing denial of service attacks according to claim 3,
In the probe process, a communication packet in which at least one of a destination address or a source address is the address of the defense target computer is captured,
a) When the source address of the communication packet is the same as the address of the attack source obtained in advance, or
b) When the source address of the communication packet is the address of the defense target computer and the destination address of the communication packet is the broadcast address of the attack source address,
Determines that the communication packet is an attack packet,
A method of preventing a denial-of-service attack, characterized in that if neither of the above-mentioned a) or b) applies, the communication packet is determined not to be an attack packet. A method of preventing denial of service attacks according to claim 1,
In the analysis process in the shielding process, the dynamic inspection is performed by comparing the log information with the parameter value at the time of inspection, using the log information including the parameter value obtained in advance at the normal time. A method of preventing denial-of-service attacks characterized by performing processing. A shielded communication device that executes processing of a defense method for protecting a defense target computer from a denial of service attack,
Based on the command information from the boundary communication device that is the communication device closest to the defense target computer, an analysis process for analyzing the communication packet arriving at the shield communication device is performed, and according to the result of the analysis process, The priority of the communication packet is determined according to the possibility that the communication packet is an attack communication packet against the protection target computer, and the communication packet is transferred to the transfer destination according to the priority. As a result, a shielded communication apparatus, which executes a process of discarding the communication packet when it is determined that the communication packet is definitely an attack communication packet against the defense target computer. The shield communication device according to claim 7,
In the analysis process, a dynamic inspection process is performed by comparing the log information with a parameter value at the time of inspection using log information including a parameter value obtained in advance at the normal time. A shield communication device characterized by the above. A probe communication device that executes processing of a defense method for protecting a defense target computer from a denial of service attack,
When a communication packet of an attack against the protection target computer is detected by the shield communication device, by receiving the probe program code from the shield communication device and executing the probe program code,
When a communication packet arriving at the probe communication device is analyzed, and the communication packet is an attack communication packet against the defense target computer as a result, the communication packet is discarded and the communication closer to the attack source is further adjacent. The probe program code is transmitted to the apparatus, and when a packet of an attack is not detected for a certain period of time as a result of analysis, a probe process is executed to end the probe program code .
In the process of the probing process, a communication packet whose destination address is the address of the defense target computer is captured, and when the transmission source address of the communication packet is the same as the attack source address obtained in advance, the communication packet A probe communication apparatus, characterized in that a packet is determined to be an attack packet, and otherwise determined that the communication packet is not an attack packet . A probe communication device that executes processing of a defense method for protecting a defense target computer from a denial of service attack,
When a communication packet of an attack against the protection target computer is detected by the shield communication device, by receiving the probe program code from the shield communication device and executing the probe program code,
When a communication packet arriving at the probe communication device is analyzed, and the communication packet is an attack communication packet against the defense target computer as a result, the communication packet is discarded and the communication closer to the attack source is further adjacent. The probe program code is transmitted to the apparatus, and when a packet of an attack is not detected for a certain period of time as a result of analysis, a probe process is executed to end the probe program code.
In the processing of the probe process, a communication packet in which at least one of a destination address or a source address is the address of the defense target computer is captured,
a) When the source address of the communication packet is the same as the address of the attack source obtained in advance, or
b) When the source address of the communication packet is the address of the defense target computer and the destination address of the communication packet is the broadcast address of the attack source address,
Determines that the communication packet is an attack packet,
A probe communication device, wherein if neither of the above a) or b) corresponds, the communication packet is determined not to be an attack packet. A communication device that executes processing of a defense method for protecting a defense target computer from a denial of service attack,
An arrival packet capturing unit that captures a communication packet arriving from the network side;
An active network execution environment unit for processing a computer program that acts on the communication packet;
A queue corresponding to each of a plurality of classes is provided, and according to a class determined as a result of processing of the computer program in the active network execution environment unit, the communication packet is placed in the queue corresponding to the class. A class-based queue processor for processing;
A packet sending unit that sequentially extracts communication packets from each queue included in the class-based queue processing unit and sends them to the network side;
A program transfer processing unit that performs a process of transferring a computer program for execution in the active network execution environment unit to and from another communication device;
The active network execution environment unit includes a code storage unit that stores a computer program, and a code execution unit that reads and executes the computer program stored in the code storage unit,
In the code storage unit,
The communication packet that arrives is analyzed, and as a result of the analysis, the class of the communication packet is determined according to the possibility that the communication packet is an attack communication packet, and the communication packet is surely an attack communication packet. If there is a shield module that causes the computer to execute processing to discard the communication packet,
A probe module that analyzes a communication packet that arrives, and, as a result, causes the computer to execute processing for discarding the communication packet when the communication packet is a communication packet of an attack on the defense target computer;
If the attack module is found as a result of the computer executing the probe module process, a copy of its own program code is further transmitted to the adjacent communication device closer to the attack source. A self-replicating transmission module,
As a result of the computer executing the processing of the probe module, at least a self-annihilation module for causing the computer to execute processing for extinguishing its own program code when an attack communication packet is not continuously found for a predetermined time is stored. A communication device characterized by comprising: A computer program for causing a computer to execute a process of a defense method for protecting a defense target computer connected to a network constituted by a plurality of communication devices from a denial of service attack,
Based on the command information from the boundary communication device that is the communication device closest to the defense target computer, the shield communication device connected within a predetermined number of stages from the boundary communication device is the shield communication device. An analysis process is performed to analyze a communication packet arriving at the network, and the priority of the communication packet is determined according to a possibility that the communication packet is an attack communication packet against the defense target computer according to a result of the analysis process. The communication packet is forwarded to the transfer destination according to the priority, and the communication packet is determined when the analysis process has determined that the communication packet is definitely an attack communication packet against the defense target computer. A computer program that causes a computer to execute a shield process that destroys the process. A computer program for causing a computer to execute a process of a defense method for protecting a defense target computer connected to a network constituted by a plurality of communication devices from a denial of service attack,
Analyzing the arriving communication packet, and as a result, when the communication packet is an attack communication packet against the defense target computer, the communication packet is discarded and the adjacent communication device closer to the attack source When the computer program itself is transmitted and the packet of the attack is not detected for a certain period of time as a result of the analysis, the computer is caused to execute a probe process that terminates the computer program ,
In the probing process, a communication packet whose destination address is the address of the defense target computer is captured, and when the transmission source address of the communication packet is the same as the address of the attack source obtained in advance, the communication packet is determines that the packet attack, other computer programs the communication packet Ru to execute the process of determining not to be the packet of attack computer in the case of. A computer program for causing a computer to execute a process of a defense method for protecting a defense target computer connected to a network constituted by a plurality of communication devices from a denial of service attack,
Analyzing the arriving communication packet, and as a result, when the communication packet is an attack communication packet against the protection target computer, the communication packet is discarded and the communication device closer to the attack source When the computer program itself is transmitted and the packet of the attack is not detected for a certain period of time as a result of the analysis, the computer is caused to execute a probe process that terminates the computer program,
In the probe process, a communication packet in which at least one of a destination address or a source address is the address of the defense target computer is captured,
a) When the source address of the communication packet is the same as the address of the attack source obtained in advance, or
b) When the source address of the communication packet is the address of the defense target computer and the destination address of the communication packet is the broadcast address of the attack source address,
Determines that the communication packet is an attack packet,
A computer program that causes a computer to execute a process of determining that the communication packet is not an attack packet when neither of the above a) or b) applies.

Images