1. Field of the Invention
The present invention relates to a communication connection method for reliably connecting a server computer to a client computer in response to an access request from the client computer, and a server computer and a program.
The present invention also relates to an authentication method for performing communication between a client computer and server computer on a network, a server computer, a client computer and a program.
2. Description of the Related Art
Recently, client-server systems have become widely utilized in which an unspecified or specified number of client computers are connected to a server computer via a packet-exchange network using, for example, the Internet, and the server computer supplies data in response to requests from client computers.
“Packet” means a certain amount of data transmitted through a network. Packets are basically formed of a header and data. The header comprises a source Internet protocol (IP) address, a destination IP address, etc. To perform a request for legitimate access based on transmission control protocol/Internet protocol (TCP/IP), the following, for example, is performed: (1) A client computer transmits a connection request packet (synchronization [SYN] packet) to a server computer. (2) The server computer, in turn, transmits a connection request acknowledgement packet (synchronization acknowledgement [SYN+ACK] packet) to the client computer. (3) The client computer transmits an acknowledgement (ACK) packet to the server computer, thereby establishing a logical connection over which a higher-level application can transmit and/or receive data. An access scheme of this type is called a three-way handshake scheme.
When establishing a TCP/IP connection, it is necessary for the server computer to beforehand secure resources (memory area, disk area) for a certain amount of TCP connection processing. When this connection is released, the server computer releases the resources. The resources for TCP connection processing are assigned without discriminating connection requesters (users of client computers or client computers themselves). If the amount of resources is insufficient, a new connection cannot be established. Specifically, the following two problems occur: Firstly, illegitimate users may intentionally establish a connection flood in which a large number of connections are established to a server computer to use up its resources, thereby making the server computer unable to provide services to legitimate clients. Secondly, when many users of low priority are utilizing services, users of high priority cannot utilize them.
To overcome the above problems, a method has been proposed in which users are divided into groups, and resources for TCP connection processing are managed based on the order of priority of the groups (see, for example, Jpn. Pat. Appln. KOKAI Publication No. 2003-125022). This method comprises the following steps:
(1) A client computer transmits a SYN packet to a server computer;
(2) The server computer refers to the user identification in the received SYN packet (the source address of the SYN packet) to identify the user group to which the connection requester belongs; and
(3) The server computer confirms whether sufficient resources for communication processing remain for the detected user identification. If sufficient resources remain, resources for TCP connection processing are assigned to the client computer.
Since TCP processing resources are thus assigned per user group, the adverse influence of a connection flood by an illegitimate client is confined to the user group to which that client belongs, so the services of the server computer are not stopped. Further, because the groups are formed in light of priority, TCP processing resources remain available to a user of high priority even if a user of low priority utilizes a large number of services.
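The following is an added example, not code from the patent or from the cited publication; it models the handshake and the per-group resource management described above so that the two effects (containment of a connection flood, and continued service for a high-priority group) can be observed. The class names, group names, capacities and addresses are constructed for illustration; as in the method described, the user identification is taken from the source address of the SYN packet.

```python
# Added example (not from the patent text): per-group allocation of TCP
# connection-processing resources. Resources are reserved when a SYN is
# accepted (before the ACK arrives) and released when the connection is
# released, mirroring the three-way handshake description above.
from dataclasses import dataclass


@dataclass
class ConnectionPool:
    """Connection-processing resources reserved for one user group."""
    capacity: int
    in_use: int = 0


class GroupedServer:
    def __init__(self, group_of_address, capacity_per_group):
        # user identification (source address) -> user group; constructed mapping
        self.group_of_address = dict(group_of_address)
        self.pools = {g: ConnectionPool(c) for g, c in capacity_per_group.items()}
        self.half_open = {}     # (src, src_port) -> group: SYN accepted, ACK pending
        self.established = {}   # (src, src_port) -> group: handshake completed
        self.log = []

    def on_syn(self, src, src_port):
        """Step (2)/(3) of the method: identify the group and check its resources."""
        group = self.group_of_address.get(src)
        if group is None:
            self.log.append(f"SYN {src}:{src_port} dropped: unknown requester")
            return False
        pool = self.pools[group]
        if pool.in_use >= pool.capacity:
            self.log.append(f"SYN {src}:{src_port} refused: group {group} exhausted")
            return False
        pool.in_use += 1  # resource reserved at SYN time, as the text describes
        self.half_open[(src, src_port)] = group
        return True       # the server would now send SYN+ACK

    def on_ack(self, src, src_port):
        """Final ACK of the handshake: the connection becomes established."""
        group = self.half_open.pop((src, src_port), None)
        if group is None:
            return False
        self.established[(src, src_port)] = group
        return True

    def release(self, src, src_port):
        """Connection release returns the resource to the group's pool."""
        key = (src, src_port)
        group = self.established.pop(key, None) or self.half_open.pop(key, None)
        if group is None:
            return False
        self.pools[group].in_use -= 1
        return True


def simulate_flood(grouped):
    """Constructed scenario: a low-priority address sends SYNs and never ACKs,
    then a high-priority address attempts a full handshake.
    Returns (SYNs accepted from the flooder, whether the high-priority
    handshake completed, resources in use per pool)."""
    if grouped:
        groups = {"10.0.0.5": "low", "10.0.0.9": "high"}
        caps = {"low": 3, "high": 2}
    else:
        # conventional case: one undifferentiated pool of the same total size
        groups = {"10.0.0.5": "all", "10.0.0.9": "all"}
        caps = {"all": 5}
    server = GroupedServer(groups, caps)
    accepted_low = sum(server.on_syn("10.0.0.5", 40000 + i) for i in range(10))
    high_ok = server.on_syn("10.0.0.9", 50000) and server.on_ack("10.0.0.9", 50000)
    return accepted_low, high_ok, {g: p.in_use for g, p in server.pools.items()}


if __name__ == "__main__":
    print("undifferentiated pool:", simulate_flood(grouped=False))
    print("per-group pools:      ", simulate_flood(grouped=True))
```

With a single shared pool the flooding address consumes every resource and the high-priority handshake is refused; with per-group pools the flood is stopped at the low-priority group's capacity and the high-priority connection completes. The model keys the group on the source address only, which is exactly the weakness the following paragraphs discuss: several users behind one address are indistinguishable, and a forged address maps to whichever group the forger chooses.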
In the above method, a computer address (IP address, MAC address) contained in a SYN packet is used as a user identification, and TCP connection processing resources are assigned based on the user identification.
However, in the method, if a plurality of users use a single client computer, resource allocation corresponding to each user cannot be realized. Further, when IP addresses are dynamically allocated, users must register their addresses each time their addresses are changed. The MAC address contained in a SYN packet can be used only when the client computer and server computer belong to the same network. Furthermore, since IP addresses and MAC addresses can be relatively easily forged, an illegitimate client or a client of a low priority can access the server computer using a forged address, thereby using a service illegally.
In the above-described client/server system including client computers and a server computer, there are cases in which, when the server computer provides a service to a client computer, it identifies the connection requester (the user of the client computer or the client computer itself) and then provides a service corresponding to the authority of the identified requester.
Such identification, determination of authority, and provision of a service corresponding to the authority (hereinafter referred to as “access control”) is generally performed in the following manner after the server computer assigns communication resources to the client computer:
(i) In accordance with a connection request from the client computer, a connection is established between the client computer and server computer.
(ii) A server application program installed in the server computer transmits, to a client application program installed in the client computer, data that instructs it to return authentication information such as a password (authentication information may also be based on common-key or public-key cryptography or on various cryptographic protocols).
(iii) After receiving the data, the client application program acquires authentication information, and then transmits it to the server computer (the user of the client computer inputs the authentication information, or the client application program automatically acquires it).
(iv) The server application program determines whether the acquired authentication information is legitimate, determines the authority of the connection requester if the authentication information is determined to be legitimate, and provides a service corresponding to the authority.
Using an access control scheme of an application level as described above, a legitimate connection requester can be selected from an unspecified number of clients, and a service corresponding to the authority of the requester can be provided.
However, the above-described access control scheme is executed only after a connection has been established, and hence it cannot control the establishment of the connection itself. In other words, the access control scheme cannot prevent a denial-of-service (DoS) attack or a distributed denial-of-service (DDoS) attack, in which one or more illegitimate clients establish connections in order to exhaust the connection processing resources of the server computer. A DoS attack is behavior by an illegitimate client that uses up, or renders unusable, resources that should be available to a legitimate client, so as to prevent the legitimate client from using them. A DDoS attack is a DoS attack performed by a plurality of client computers.
Further, the above-described access control scheme is executed by application software, and so attacks on that software cannot be prevented. An attack on software exploits bugs that exist in application software. Using such bugs, an attacker can bypass the authentication processing of the target computer and acquire authority to use it. For example, if bugs exist in the authentication portion of SSH (Secure Shell), a protocol for reliable remote control of computers through the Internet, an attacker who transmits an attack code to a computer instead of legitimate authentication information can use that computer.
Problems that cannot always be solved by application-level access control alone can be overcome by access control applied to a client computer at the TCP layer or IP layer of TCP/IP. This technique enhances the security of the server computer. One such technique installs in the server computer a list of source IP addresses, destination port numbers, etc., for determining whether connection is allowable, and inspects each received packet against the list to determine whether connection is allowable.
Access control using the source IP addresses, destination port numbers, etc., however, has the following problems:
(1) This control scheme is vulnerable to forged IP addresses. In general, IP addresses can be easily forged, and port numbers can be arbitrarily designated. Accordingly, an illegitimate client computer can easily bypass the control by transmitting a packet that contains a forged source IP address.
(2) This control scheme cannot identify each user. Each client computer can be identified using the source IP address. However, if a plurality of users use a client computer, they cannot be identified.
(3) This control scheme cannot deal with dynamic IP addresses. In access control using IP addresses, it is necessary to beforehand register the IP addresses of client computers as access control targets. However, in mobile environments or dynamic host configuration protocol (DHCP) environments, the IP addresses of client computers dynamically change, which makes it impossible to use the access control scheme.
There is a conventional authentication method using port access, which solves the problems of the access control scheme using IP addresses and port numbers (see, for example, Jpn. Pat. Appln. KOKAI Publication No. 2003-91503).
In this method:
(1) A client computer transmits a packet to a plurality of authentication ports provided in a server computer;
(2) The server computer confirms whether the client computer has accessed all authentication ports (their specific port numbers are private);
(3) The server computer having all the authentication ports accessed opens a communication port (its specific number is public); and
(4) The client computer accesses the communication port of the server computer to perform communication.
This method utilizes, as the identification information of a connection requester, the pattern of access by the client computer to the server computer.
An illegitimate client does not know the plurality of authentication ports, and therefore cannot establish a connection to the server computer. Thus, the problems raised by the authentication method using an application can be solved, as in the case of access control using the IP layer or TCP layer. Moreover, by making access patterns (combinations of authentication port numbers in the above case) correspond to respective users, the users of a single client computer can be identified individually. In this method, it is sufficient to consider accesses from the same IP address to the authentication ports, and it is not necessary to set IP addresses for determining allowance/disallowance.
Thus, the above method solves the problems raised by access control using an application, and also solves two of the problems raised by the conventional access control scheme using the TCP layer or IP layer: that the scheme cannot identify each user, and that it cannot deal with dynamic IP addresses.
Although the authentication method using the access pattern at the TCP layer solves part of the problems raised by the conventional access control scheme using the TCP layer or IP layer, it cannot completely prevent attacks using forged IP addresses. In this method, a server computer opens a communication port (its specific number is public) after confirming that a client computer has accessed all authentication ports (their specific port numbers are private), and treats the client computer that connects to the opened communication port as a legitimate connection requester. However, the method does not determine whether the client computer connected to the opened communication port and the client computer that accessed the authentication ports are actually the same connection requester. Therefore, it cannot prevent an illegitimate client from accessing the opened communication port at the moment a legitimate connection requester has accessed the authentication ports and the communication port is opened. Thus, in the conventional method, even an illegitimate client who does not know the authentication ports can establish a connection by using a forged IP address.
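The following is an added example, not code from the patent or from the cited publication; it models the port-access authentication method of steps (1) to (4) above in two variants so that the gap identified in the preceding paragraph can be observed directly. The port numbers, addresses and class names are constructed for illustration. In the first variant the communication port is opened globally once the authentication ports have all been accessed; in the second the server records which requester address completed the access pattern and admits only that address, which is the "same requester" determination the text says the conventional method lacks.

```python
# Added example (not from the patent text): the port-access authentication
# method, with and without a check that the requester connecting to the
# opened communication port is the one that accessed the authentication ports.
from collections import defaultdict


class PortAccessServer:
    def __init__(self, auth_ports, comm_port, bind_to_requester):
        self.auth_ports = frozenset(auth_ports)   # private authentication ports
        self.comm_port = comm_port                # public communication port
        self.bind_to_requester = bind_to_requester
        self.seen = defaultdict(set)              # src address -> auth ports accessed
        self.open_for = set()                     # bound variant: admitted addresses
        self.port_open = False                    # conventional variant: one global flag

    def on_packet(self, src, dst_port):
        """Process one packet; return True if it reaches an accepting socket."""
        if dst_port in self.auth_ports:
            # step (1)/(2): record the access pattern of this requester
            self.seen[src].add(dst_port)
            if self.seen[src] == self.auth_ports:
                # step (3): all authentication ports accessed, open the communication port
                if self.bind_to_requester:
                    self.open_for.add(src)
                else:
                    self.port_open = True
            return False  # authentication ports themselves never accept a connection
        if dst_port == self.comm_port:
            # step (4): is the communication port open for this packet?
            if self.bind_to_requester:
                return src in self.open_for
            return self.port_open
        return False


def run_scenario(bind_to_requester):
    """Constructed scenario. Returns (second address admitted before any
    authentication, legitimate requester admitted, second address admitted
    in the window after the port is opened)."""
    server = PortAccessServer(auth_ports=(7001, 7043, 7210), comm_port=8080,
                              bind_to_requester=bind_to_requester)
    legit, other = "192.0.2.10", "198.51.100.7"
    early = server.on_packet(other, 8080)          # port not yet open
    for p in (7001, 7043, 7210):                   # legitimate access pattern
        server.on_packet(legit, p)
    legit_ok = server.on_packet(legit, 8080)
    other_ok = server.on_packet(other, 8080)       # never accessed any auth port
    return early, legit_ok, other_ok


if __name__ == "__main__":
    print("conventional (global open):", run_scenario(bind_to_requester=False))
    print("bound to requester:        ", run_scenario(bind_to_requester=True))
```

In the conventional variant the address that never accessed an authentication port is admitted as soon as the legitimate requester's pattern opens the port, which is the behaviour the paragraph above describes. Binding the opened port to the requester closes that window, but the binding is keyed on the source IP address, so, as the text also notes, a requester presenting a forged address is not distinguished by this check alone; that residual problem is what the invention addresses.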