One type of attack on information processors connected to a network is the DoS (Denial-of-Service) attack.
A DoS attack is intended to impose a heavy communication-processing load on an information processor by sending a huge amount of network traffic to the target information processor.
A DoS attack either exploits a security hole of the target information processor or simply requests a great deal of service by following a legitimate procedure.
DoS attacks carried out by a plurality of senders are called DDoS (Distributed DoS) attacks.
Meanwhile, the use of open computer networks in industrial control systems is advancing.
Formerly, manufacturers used their own proprietary protocols and information processors, and the software running thereon was also of proprietary specification.
At present, the use of TCP/IP protocols, which are the standards of the Internet, and of universal OSs is advancing.
The adoption of these protocols and OSs has various merits, such as reduced equipment cost, affinity for connection with the Internet, and an abundance of engineers, which have enabled the construction of industrial monitoring systems at low cost.
In contrast to these merits, however, a concern with such systems is their exposure to DoS attacks. For example, if an information processor (such as a notebook computer or PDA) infected by a computer virus is connected to an industrial monitoring system, not only does the information processor itself perform a DoS attack, but the infection may also spread to other information processors running a universal OS and software with a security hole.
Japanese Patent Application Laid-Open No. 2005-167344 discloses the following: the amount of data received per unit time is measured; when the amount of data received exceeds a threshold value for receive restriction, the amount of data received is restricted by decreasing the allowable amount of communication; and the restriction on the amount of data received per unit time is canceled when the amount of data received falls below a threshold value for canceling the receive restriction. In particular, the Ethernet bandwidth is switched between 100 Mbps and 10 Mbps. This restricts the amount of data received while keeping communication on.
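The two-threshold (hysteresis) receive restriction described above, written out as an added example; this is not code from the patent or from any product, and the threshold values, the measurement interval and the sample traffic trace are constructed:

```python
"""Receive-rate restriction with separate restrict and cancel thresholds.

Added example modelling the scheme summarised above: measure bytes received
per unit time, drop the allowed link rate from 100 Mbps to 10 Mbps once the
measured rate exceeds a restriction threshold, and restore the full rate only
when the measured rate falls below a separate, lower cancel threshold.
All numeric values and the traffic trace below are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

FULL_RATE_MBPS = 100        # normal link rate
RESTRICTED_RATE_MBPS = 10   # rate applied while receive restriction is active


@dataclass
class ReceiveRestrictor:
    restrict_threshold_mbps: float   # enter restricted mode above this rate
    cancel_threshold_mbps: float     # leave restricted mode below this rate
    restricted: bool = False
    history: List[Tuple[float, int]] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Hysteresis only works if the cancel threshold is strictly lower.
        if self.cancel_threshold_mbps >= self.restrict_threshold_mbps:
            raise ValueError("cancel threshold must be below restrict threshold")
        # While restricted, the measured rate can never exceed the restricted
        # link rate, so a cancel threshold above it would lift the restriction
        # on the very next interval regardless of offered load (design observation
        # about this model, not a statement from the patent).
        if self.cancel_threshold_mbps >= RESTRICTED_RATE_MBPS:
            raise ValueError("cancel threshold must be below the restricted link rate")

    def observe(self, bytes_received: int, interval_s: float) -> int:
        """Feed one measurement interval; return the link rate to apply next."""
        rate_mbps = bytes_received * 8 / interval_s / 1_000_000
        if not self.restricted and rate_mbps > self.restrict_threshold_mbps:
            self.restricted = True
        elif self.restricted and rate_mbps < self.cancel_threshold_mbps:
            self.restricted = False
        link_rate = RESTRICTED_RATE_MBPS if self.restricted else FULL_RATE_MBPS
        self.history.append((round(rate_mbps, 2), link_rate))
        return link_rate


def run_trace(restrictor: ReceiveRestrictor, trace_bytes: List[int],
              interval_s: float = 1.0) -> List[int]:
    """Apply a sequence of per-interval byte counts; return the link rate chosen after each."""
    return [restrictor.observe(b, interval_s) for b in trace_bytes]


if __name__ == "__main__":
    # Constructed trace, 1 s intervals: normal load, a flood, the flood still
    # saturating the restricted 10 Mbps link, then load subsiding.
    trace = [2_000_000, 12_000_000, 1_200_000, 250_000]
    r = ReceiveRestrictor(restrict_threshold_mbps=80.0, cancel_threshold_mbps=5.0)
    for (measured, link) in zip(run_trace(r, trace), r.history):
        print(f"measured {link[0]:6.1f} Mbps -> link {link[1]} Mbps")
```

The third interval is the instructive one: the measured rate (9.6 Mbps) is below the restrict threshold but above the cancel threshold, so the restriction stays in place instead of flapping. Note that the receiver still has to take in and process every packet that arrives at 10 Mbps, which is exactly the limitation raised in the discussion that follows.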
According to Japanese Patent Application Laid-Open No. 2003-283555, when a gateway detects DDoS attack-suspect packets, it notifies an upstream communication device of a restricted value of the network bandwidth for transmitting the attack-suspect packets. The network bandwidth for transmitting the attack-suspect packets is restricted by repeating this notification procedure up to the most upstream point of the network. This can relieve network congestion and prevent service stoppage due to a DDoS attack.
However, in Japanese Patent Application Laid-Open No. 2005-167344, although the amount of data received can be restricted, the receive processing itself is not restricted; therefore, a negative impact of the DoS attack still occurs.
In particular, because the performance of information processors used in industrial control systems is relatively low, merely restricting the amount of data received is not a solution.
In the case of Japanese Patent Application Laid-Open No. 2003-283555, because the restricted value of the network bandwidth is notified to an upstream network device, a DoS attack originating within the same LAN cannot be coped with.
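The upstream-notification procedure summarised for Japanese Patent Application Laid-Open No. 2003-283555, and the same-LAN limitation just noted, modelled together as an added example. This is not code from that patent or any product; the topology, device names, offered rates and the assumption that only the notified upstream devices (not the gateway itself) apply the restriction are constructed:

```python
"""Upstream bandwidth-restriction notification and its same-LAN blind spot.

Added example: a gateway that has detected attack-suspect traffic sends a
restricted bandwidth value to its upstream neighbour, which applies it and
forwards the notification further upstream until the most upstream device
is reached. The model then compares how much suspect traffic still reaches
the target from a sender beyond the gateway versus a sender on the same LAN.
Topology, names and rates are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Device:
    name: str
    upstream: Optional["Device"] = None
    limit_mbps: Optional[float] = None   # restriction applied to suspect traffic, if any


def propagate_restriction(gateway: Device, restricted_mbps: float) -> List[str]:
    """Notify each upstream device in turn; return the names that applied the limit."""
    notified = []
    node = gateway.upstream
    while node is not None:            # stop at the most upstream point
        node.limit_mbps = restricted_mbps
        notified.append(node.name)
        node = node.upstream
    return notified


def delivered_rate(path: List[Device], offered_mbps: float) -> float:
    """Rate of suspect traffic that reaches the target after traversing `path`."""
    rate = offered_mbps
    for dev in path:
        if dev.limit_mbps is not None:
            rate = min(rate, dev.limit_mbps)
    return rate


def simulate(offered_mbps: float = 500.0, restricted_mbps: float = 1.0) -> Dict[str, object]:
    """Build the constructed topology, run the notification, compare the two senders."""
    core = Device("core-router")
    edge = Device("isp-edge", upstream=core)
    gateway = Device("site-gateway", upstream=edge)
    # A switch on the plant LAN: on the target's side of the gateway, so it is
    # never part of the upstream notification chain.
    lan_switch = Device("plant-lan-switch")

    notified = propagate_restriction(gateway, restricted_mbps)
    return {
        "notified": notified,
        # Sender outside the site: its traffic crosses the throttled devices.
        "wan_attacker_mbps": delivered_rate([core, edge, gateway], offered_mbps),
        # Sender on the same LAN as the target: its traffic never leaves the LAN.
        "lan_attacker_mbps": delivered_rate([lan_switch], offered_mbps),
    }


if __name__ == "__main__":
    result = simulate()
    print("devices that applied the limit:", result["notified"])
    print("delivered from WAN sender:", result["wan_attacker_mbps"], "Mbps")
    print("delivered from same-LAN sender:", result["lan_attacker_mbps"], "Mbps")
```

Running the model shows the notification reaching both upstream devices and cutting the WAN sender's suspect traffic to the restricted value, while the same-LAN sender's traffic arrives at the target untouched; that is the gap the text above identifies, and it is a property of where the restriction is enforced, not of how the suspect packets are detected.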
A problem common to Japanese Patent Application Laid-Open No. 2005-167344 and Japanese Patent Application Laid-Open No. 2003-283555 is the processing load of discriminating between DoS attack-suspect packets and significant packets after the packets have been taken in.
In Japanese Patent Application Laid-Open No. 2005-167344, receive processing is performed for both DoS attack-suspect packets and significant packets, i.e., for all packets, even while the amount of data received is restricted.
In Japanese Patent Application Laid-Open No. 2003-283555, discrimination between DoS attack-suspect packets and significant packets must be made according to a predetermined evaluation criterion in order to detect the DoS attack-suspect packets and restrict the network bandwidth for them.
In a situation where a large number of packets are received, such as under a DoS attack, the discrimination processing itself becomes a burden on the information processor, and in the worst case the system may go down.
The present invention is intended to provide an information processor in which the risk of system down and of overload of communication processing is avoided even when it is placed in an over-traffic state such as under a DoS attack.