The present invention relates to a communication processing apparatus, a communication processing method, and a computer program. More specifically, the invention relates to a communication processing apparatus, a communication processing method and a computer program for allowing a server or like equipment connected to a network to restrict the amount of available resources in processing illustratively TCP-based communication connections depending on the party it communicates with, thereby preventing an inordinately high volume of communication traffic with low-priority users from hampering the communications of high-priority users.
The widespread use of high-speed, continuous-connection Internet services today is allowing a growing number of individuals to use their PCs as servers maintaining always-on connection with the Internet. Where the PC is used as a server in the typical household, there may be three kinds of server users: the server owner, the server owner's family members and friends, and others (i.e., general public).
These days, more and more people are inclined to disclose their diaries, web pages, digital photo images, and self-created images and/or sound data through their servers on the Internet. Individuals' servers are thus as likely to be accessed by the general public as any corporate or institutional servers. In such cases, the individual server owner may well wish to prioritize the availability of the server service. Specifically, the owner's use should preferably be given top priority over those service requests by the general public which could hamper the owner from utilizing his or her own server as desired.
The trouble is that conventional servers have no capability of setting priorities depending on the profile of users when establishing TCP connections for the server service. A predetermined amount of TCP traffic processing resources (memory areas and disk areas) is always allocated for each user. The same resources are allocated in unrestrained fashion to every user being processed for a TCP connection or a connection request.
In an environment such as individuals' servers where users should preferably be prioritized but cannot, the resources for TCP traffic processing could be exhausted by low-priority users. The latter users, by using up the available resources, could bar high-priority users from making use of the server service. There are two cases in which the TCP traffic processing resources can be exhausted by low-priority users:
(Case 1)
This is a case in which numerous TCP connections are established by a plurality of low-priority users.
(Case 2)
This is a case where low-priority users have launched DoS (denial of service) attacks on the resources for TCP traffic processing. A DoS attack is a hacking action carried out by unscrupulous parties to exhaust or disable resources that should be available to legitimate users, so that those users are denied service. Illustratively, the DoS attack involves sending a large amount of data or invalid packets to the server system in question, or transmitting illegal commands to the server through a loophole in the OS or an application program, with a view to shutting down the system.
There are two major types of DoS attacks on TCP traffic processing resources: a SYN flood attack, and a DoS attack aimed at establishing a large number of TCP connections.
The SYN flood attack takes advantage of the limited data size of the queue for managing halfway states of TCP/IP connections being established during what is known as the three-way handshaking procedure. The attack involves sending to the target server a large number of SYN packets, each requesting establishment of a TCP connection. Because the three-way handshaking procedure is never completed, numerous halfway states are generated and flood the halfway state management queue of the target server. The server is thus temporarily disabled from establishing new TCP connections.
The DoS attack aimed at establishing a large number of TCP connections takes place generally as follows: there is a predetermined maximum number of TCP connections that can be processed at a time, dictated by the need to use limited resources such as the memory and CPU every time a TCP connection is established. If multiple machines were employed to establish numerous TCP connections with the target server and thereby exhaust all available resources, the server would become incapable of establishing any more TCP connections. Depending on its capabilities, the target server may then have to reduce its processing speed or may go down entirely.
One conventional countermeasure against DoS attacks is the use of a firewall or a router for filtering purposes. The filtering scheme is designed conditionally to restrict sender IP addresses and usable ports upon establishment of TCP connections; any TCP connection request failing to meet relevant conditions is rejected.
The filtering method can thus limit the use of the server service to authorized users and prevent DoS attacks by unscrupulous users who are not authorized for service usage. However, it makes no distinction among authorized users in their right to utilize the TCP connection resources of the server. For this reason, it is impossible to prevent the above-described irregularities of both case 1 and case 2.
The SYN flood attack has been countered conventionally by a method called “SYN cookies.” This is an optional feature provided by kernel versions 2.0.30 or higher of Linux OS. In a conventional TCP connection request process, resources for the connection are allocated upon receipt of a SYN packet representing the request. By contrast, the SYN-cookies feature returns a SYN-ACK packet in response to the received SYN packet without allocating any resources. The resources are allocated only after the connection is established upon receipt of an ACK packet, whereby the SYN flood attack is forestalled.
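The difference described above, between allocating a half-open entry on every SYN and deferring all allocation until the ACK arrives, can be seen in a small simulation. The following is an added example, not code from the patent or from any operating system: the "classic" listener keeps a tiny half-open queue (a constructed limit of 4) and drops SYNs once it is full, while the SYN-cookie listener stores nothing and instead derives the SYN-ACK sequence number from an HMAC over the connection 4-tuple and a slow-moving counter, so that only a client that actually received the SYN-ACK can return a valid ACK. The secret key, the address values and the simplified cookie layout (real implementations also encode the MSS and use a timestamp-driven counter) are assumptions made for the demonstration.

```python
import hashlib
import hmac

# Constructed demo secret; a real implementation uses a kernel-held, rotating key.
SECRET = b"constructed-demo-secret"
HALF_OPEN_LIMIT = 4   # deliberately tiny backlog so the flood effect is visible
MASK32 = 0xFFFFFFFF


class ClassicListener:
    """Allocates a half-open entry as soon as a SYN arrives (flood-prone)."""

    def __init__(self, limit=HALF_OPEN_LIMIT):
        self.limit = limit
        self.half_open = {}        # four_tuple -> server ISN awaiting the ACK
        self.established = set()
        self.next_isn = 1000       # constructed ISN source

    def on_syn(self, four_tuple):
        if len(self.half_open) >= self.limit:
            return None            # queue full: this SYN is silently dropped
        isn = self.next_isn
        self.next_isn += 1
        self.half_open[four_tuple] = isn
        return isn                 # sequence number carried in the SYN-ACK

    def on_ack(self, four_tuple, ack):
        isn = self.half_open.get(four_tuple)
        if isn is None or ack != (isn + 1) & MASK32:
            return False
        del self.half_open[four_tuple]
        self.established.add(four_tuple)
        return True


def syn_cookie(four_tuple, counter):
    """Derive a 32-bit ISN from the connection 4-tuple and a slow counter."""
    msg = "{}:{}>{}:{}|{}".format(*four_tuple, counter).encode()
    tag = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:4], "big")


class CookieListener:
    """Keeps no per-SYN state; the SYN-ACK sequence number itself is the cookie."""

    def __init__(self):
        self.counter = 0           # advances with time in real implementations
        self.established = set()

    def on_syn(self, four_tuple):
        return syn_cookie(four_tuple, self.counter)   # nothing allocated here

    def on_ack(self, four_tuple, ack):
        expected = (ack - 1) & MASK32
        for c in (self.counter, self.counter - 1):    # tolerate one counter step
            if expected == syn_cookie(four_tuple, c):
                self.established.add(four_tuple)       # resources allocated only now
                return True
        return False


def simulate(listener, flood_size):
    """Send flood_size spoofed SYNs that never complete, then try one real client.

    Returns True if the real client's connection is established.
    """
    server = ("203.0.113.5", 80)                      # constructed server address
    for i in range(flood_size):
        spoofed = ("198.51.100.%d" % (i % 250 + 1), 40000 + i) + server
        listener.on_syn(spoofed)                      # no ACK ever follows
    client = ("192.0.2.10", 51000) + server           # constructed legitimate client
    isn = listener.on_syn(client)
    if isn is None:
        return False                                  # SYN dropped, handshake never starts
    return listener.on_ack(client, (isn + 1) & MASK32)


if __name__ == "__main__":
    print("classic listener, 10-SYN flood:", simulate(ClassicListener(), 10))
    print("SYN-cookie listener, 10-SYN flood:", simulate(CookieListener(), 10))
```

With the flood running, the classic listener's queue is full by the time the legitimate SYN arrives and the client never connects; the cookie listener answers every SYN at no cost and admits the client on its ACK. The example also illustrates the limitation the following paragraphs point out: the cookie listener checks only that the ACK is genuine, and says nothing about which user is connecting, so it cannot by itself keep low-priority users from consuming the established-connection resources.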
The foregoing method can prevent the SYN flood attack of case 2 above but is incapable of prioritizing users, as with conventional TCP traffic processing. The incapacity to prioritize leaves the resources exhausted by TCP connections of low-priority users, both in case 1 and in the DoS attack of case 2 aimed at establishing numerous TCP connections.
Another countermeasure against the SYN flood attack has been introduced by Microsoft Corporation with its Windows NT4.0 SP2 or higher. This feature involves taking such defensive measures as increasing the queue size and reducing time-out period settings when SYN flood attacks have flooded the queue for managing halfway states of TCP/IP connections being established. The feature is fairly effective in thwarting the SYN flood attack but, as with the SYN-cookies scheme, it can let the resources be exhausted by low-priority users launching the DoS attack requesting establishment of numerous TCP connections in both case 1 and case 2 above.
In an environment such as individuals' servers where users should preferably be prioritized somehow but cannot, the exhaustive use of the resources for TCP traffic processing by low-priority users will hamper high-priority users from making any use of the server. Problems then occur in the above-described two cases which are paraphrased as follows:
(Case 1) This is a case where a plurality of low-priority users have established numerous TCP connections.
(Case 2) This is a case in which low-priority users have launched DoS attacks on the resources for TCP traffic processing.
In each of these two cases, it is necessary that high-priority users be enabled to establish TCP connections to utilize the server.
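The requirement stated above, that high-priority users remain able to establish TCP connections even while low-priority users hold or flood the server with connections, can be met by restricting the connection resources available to each class of communicating party. The following is an added example written for this page, not the patent's own embodiment: it compares a conventional first-come, first-served connection pool with a pool that applies a cumulative threshold per priority class, so that public users can never occupy more than a fixed share of the slots and a reserve always remains for the owner. The address-to-priority table, the slot counts and the thresholds are constructed values chosen for the demonstration; a real server would derive priority from authentication or an access-control list rather than from bare addresses.

```python
from collections import Counter

# Constructed address-to-priority table (owner, family/friends, everyone else).
PRIORITY_OF_ADDR = {
    "192.0.2.10": "owner",
    "192.0.2.20": "family",
    "192.0.2.21": "family",
}
DEFAULT_PRIORITY = "public"

TOTAL_SLOTS = 8   # constructed: total TCP connection resources on the server

# Cumulative thresholds: a class may take a slot only while the total number of
# slots in use is below its threshold.  Public users can therefore hold at most
# 3 slots, public plus family at most 6, and 2 slots are always left for the owner.
THRESHOLD = {"public": 3, "family": 6, "owner": TOTAL_SLOTS}


def priority_of(addr):
    return PRIORITY_OF_ADDR.get(addr, DEFAULT_PRIORITY)


class UnrestrictedPool:
    """Conventional behaviour: any user gets a slot until all are gone."""

    def __init__(self):
        self.in_use = Counter()   # priority class -> slots currently held

    def total(self):
        return sum(self.in_use.values())

    def admit(self, addr):
        if self.total() >= TOTAL_SLOTS:
            return False
        self.in_use[priority_of(addr)] += 1
        return True

    def release(self, addr):
        cls = priority_of(addr)
        if self.in_use[cls] > 0:
            self.in_use[cls] -= 1


class PrioritizedPool(UnrestrictedPool):
    """Restricts connection resources according to the priority of the peer."""

    def admit(self, addr):
        cls = priority_of(addr)
        if self.total() >= THRESHOLD[cls]:
            return False          # this class has used up its share
        self.in_use[cls] += 1
        return True


def flood_then_connect(pool, flood=20):
    """Cases 1 and 2: many low-priority connections, then family and owner try.

    Returns how many public connections were accepted and whether the family
    member and the owner could still connect afterwards.
    """
    public = sum(1 for i in range(flood) if pool.admit("198.51.100.%d" % (i + 1)))
    return {
        "public": public,
        "family": pool.admit("192.0.2.20"),
        "owner": pool.admit("192.0.2.10"),
    }


def reserve_check():
    """Show that the owner's reserve survives both a public and a family surge."""
    pool = PrioritizedPool()
    public = sum(1 for i in range(20) if pool.admit("198.51.100.%d" % (i + 1)))
    family = sum(1 for _ in range(5) if pool.admit("192.0.2.20"))
    owner = sum(1 for _ in range(3) if pool.admit("192.0.2.10"))
    return public, family, owner


if __name__ == "__main__":
    print("unrestricted:", flood_then_connect(UnrestrictedPool()))
    print("prioritized: ", flood_then_connect(PrioritizedPool()))
    print("public/family/owner slots after surges:", reserve_check())
```

In the unrestricted pool the twenty public connection attempts fill all eight slots and neither the family member nor the owner can connect, which is exactly the failure of case 1 (and of the connection-exhausting DoS attack of case 2). In the prioritized pool only three public connections are admitted, the family member still connects, and even after a further surge of family connections two slots remain for the owner. Releasing a connection returns its slot to the pool, so the thresholds bound concurrent usage rather than the total number of connections over time.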