1. Field of the Invention
The present invention relates to a network system between client computers and server computers and, more particularly, to a server computer protection apparatus for protecting a server computer against improper access that intentionally interferes with the processing of the server computer.
2. Description of the Related Art
Nowadays, computer server systems are widely used, in which an indefinite or definite number of client computers are connected to a server computer through a packet switching network, and data packets are supplied from the server computer in accordance with request packets from the client computers. A packet is a certain amount of data sent through a network. A packet basically includes a header and a data body. The header contains the IP (Internet Protocol) address of the transmission destination, the source IP address, a transmission sequence number indicating the ordinal relationship between packets, and the like.
TCP/IP (Transmission Control Protocol/IP) is one example of a connection-type protocol. FIG. 18 shows a proper access request procedure in TCP/IP, in which:
(a) a client computer sends a connection request packet (SYN (Synchronous) packet) to a server computer,
(b) the server computer sends a connection request acknowledgement packet (SYN+ACK (Acknowledgement) packet) to the client computer,
(c) the client computer sends an acknowledgement packet (ACK packet) to the server computer to establish a logical communication path (connection), which is called the “3-way handshake scheme”,
(d) the client computer sends a data request packet to the server computer over the connection thus established, wherein the data request packet is, for example, a URL (Uniform Resource Locator) packet,
(e) the server computer sends the data packet requested by the URL packet to the client computer, which finally receives the data packet.
There is a growing tendency toward attacks on a server computer by improper access from a client computer. The intention of such an attack is to interfere with, for example, the services provided by the server computer. When a proper access request is made from a client computer to a server computer, the data provided by the server computer in response is actually received and used at the client computer side. However, an access request intended to attack the server computer is made not for the purpose of receiving a data supply but merely for the purpose of improper accessing.
An attack that disables the data supply service provided by a target server computer by sending a large quantity of similar access requests from one client computer to the server computer is referred to as a DoS attack (Denial of Service attack). A DoS attack is difficult to discriminate from access by a proper client, and hence it is difficult to take effective measures against such attacks. There is also another form of attack in which a plurality of client computers make DoS attacks together.
For example, general DoS attacks on the Internet harm server computers in the following manner.
(1) As shown in FIG. 19, a client computer sends SYN packets to the server computer in a quantity exceeding the capacity of the server computer, thus preventing the server computer from sending any SYN+ACK packet (“SYN flood”, hereinafter).
(2) As shown in FIG. 20, one or more improper client computers send a large number of sets of SYN and ACK packets to a server computer to establish connections with the server computer. These clients do not send, within a predetermined period of time, any packet such as a URL packet that would normally be sent from the client computer side. Thereby the server computer is left holding established connections (“Established flood”, hereinafter).
(3) As shown in FIG. 21, each client computer makes proper access by sending URL packets through established connections, as proper client computers do. Such proper access is made by a number of client computers substantially at the same time (at a predetermined time, for example). Thereby a large amount of accesses is concentrated on a certain server computer, and its processing load is increased so as to interfere with the normal operation of the server computer. Such an attack is specifically called a DDoS attack (Distributed Denial of Service attack) (“Access flood”, hereinafter).
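The three flood patterns above differ in which stage of the handshake and request sequence is left incomplete, which is what a protection apparatus has to observe. The following is an added illustration, not part of the patent text: a small connection-state monitor that replays constructed packet events (SYN, ACK, URL) and flags each pattern. The thresholds (HALF_OPEN_LIMIT, REQUEST_TIMEOUT, ACCESS_WINDOW, ACCESS_LIMIT) and the event format are assumptions chosen for the example.

```python
from collections import defaultdict

# Assumed thresholds (not taken from the patent text).
HALF_OPEN_LIMIT = 3     # half-open connections tolerated per client
REQUEST_TIMEOUT = 5.0   # seconds an established connection may idle without a URL request
ACCESS_WINDOW = 1.0     # seconds over which requests from all clients are counted
ACCESS_LIMIT = 4        # requests per window tolerated before flagging an access flood

def classify(events, end_time):
    """Replay (time, client, conn, kind) events and return the set of flood types seen.

    kind is "SYN" (connection request), "ACK" (handshake completed by the client)
    or "URL" (data request on an established connection)."""
    half_open = defaultdict(int)   # client -> SYNs not yet acknowledged
    established_at = {}            # (client, conn) -> time the handshake completed
    request_times = []             # timestamps of every URL request
    findings = set()

    def expire_idle(now):
        # Established flood: handshake finished but no request within the timeout.
        for key, t0 in list(established_at.items()):
            if now - t0 > REQUEST_TIMEOUT:
                findings.add("Established flood")
                del established_at[key]

    for t, client, conn, kind in events:
        expire_idle(t)
        if kind == "SYN":
            half_open[client] += 1
            if half_open[client] > HALF_OPEN_LIMIT:   # SYN flood: too many half-open
                findings.add("SYN flood")
        elif kind == "ACK":
            half_open[client] = max(0, half_open[client] - 1)
            established_at[(client, conn)] = t
        elif kind == "URL":
            established_at.pop((client, conn), None)  # real request: connection is in use
            request_times.append(t)
            recent = [x for x in request_times if t - x <= ACCESS_WINDOW]
            if len(recent) > ACCESS_LIMIT:            # Access flood: many proper requests at once
                findings.add("Access flood")
    expire_idle(end_time)
    return findings

# Constructed traces, one per pattern plus a proper client for comparison.
SYN_FLOOD = [(0.1 * i, "c1", i, "SYN") for i in range(4)]
ESTABLISHED_FLOOD = [(0.0, "c2", 1, "SYN"), (0.1, "c2", 1, "ACK")]
ACCESS_FLOOD = [(0.1 * i, f"c{i}", 1, k) for i in range(5) for k in ("SYN", "ACK", "URL")]
PROPER = [(0.0, "c9", 1, "SYN"), (0.1, "c9", 1, "ACK"), (0.5, "c9", 1, "URL")]
```

Note that the Access flood trace consists entirely of well-formed handshakes and requests; only the aggregate rate distinguishes it, which is why the text describes it as the hardest case for a per-connection filter.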
When a server computer undergoes such attacks, resources such as memory in the server computer are wasted, because it must reserve, for example, data supply memory for each connection request. This greatly interferes with normal access from client computers that have no intention of doing harm.
A server computer protection apparatus placed between the server computers and the network is conventionally provided in order to protect the server computer against such attacks. With regard to SYN flood, the conventional server computer protection apparatus processes as a proper connection request only a connection request that is repeated a plurality of times, or an access request from a client that has already made proper access. This apparatus regards other kinds of accesses as improper accesses, rejects them, and discards the corresponding packets.
If, however, an attacker issues the same connection request many times to the conventional server computer protection apparatus, the attack becomes successful. In addition, the conventional apparatus cannot cope with Established flood and Access flood.
Such a conventional server computer protection apparatus merely detects improper accesses actively and blocks them. It is desirable that a server computer protection apparatus protect the server computer by performing a determination process that determines whether or not an access is normal, allowing the access to pass through the apparatus if it is determined to be normal, and holding within the apparatus any access that cannot be allowed to pass.