In recent years, attacks on the Internet have changed day by day, and attack patterns have become more and more complex. Reported cases include not only the well-known attacks that send packets with a spoofed source address, but also attacks launched through an intermediary (a springboard), for example a botnet of virus-infected computers used as the springboard. Attacks have also diversified to the point of freely combining a plurality of protocols.
DNS reflector attacks, which abuse DNS (Domain Name System), the naming service on which the Internet depends, have emerged as a further problem. In a DNS reflector attack, the attacker sends DNS queries whose source IP (Internet Protocol) address is spoofed to that of the target computer, so that the responses are concentrated onto the target.
In this attack method the DNS reply is amplified many times over by using a plurality of cache servers on the Internet. As a result, a huge volume of packets is suddenly delivered to the attacked computer, and its bandwidth is entirely consumed, hindering its services.
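The symptom described above, seen from the victim's side, is that DNS responses arrive from many cache servers for which the victim never sent a query, because the queries were sent by the attacker with a spoofed source address. The following is an added example (not code from the patent or from any product it cites) that scores constructed flow records for exactly that pattern: response bytes arriving on UDP source port 53 are compared with the query bytes the same host sent, and the number of distinct responding servers is counted. The flow format, sample addresses and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

DNS_PORT = 53


class Flow(NamedTuple):
    """One unidirectional flow summary (constructed input; in practice from NetFlow/IPFIX)."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


# Constructed sample. 203.0.113.7 is an ordinary client: one query, one modest answer.
# 198.51.100.9 is the spoofed victim: it sent no query itself, yet three open cache
# servers (192.0.2.11-13) deliver large responses to it.
SAMPLE_FLOWS = [
    Flow(0.0, "203.0.113.7", 40001, "192.0.2.10", DNS_PORT, 60),
    Flow(0.1, "192.0.2.10", DNS_PORT, "203.0.113.7", 40001, 120),
    Flow(1.0, "192.0.2.11", DNS_PORT, "198.51.100.9", 12345, 3200),
    Flow(1.0, "192.0.2.12", DNS_PORT, "198.51.100.9", 12345, 3200),
    Flow(1.0, "192.0.2.13", DNS_PORT, "198.51.100.9", 12345, 3200),
    Flow(1.1, "192.0.2.11", DNS_PORT, "198.51.100.9", 12345, 3200),
]


def dns_reflection_report(flows, ratio_threshold=10.0, min_reflectors=2):
    """Return {host: (response_bytes, query_bytes, distinct_reflectors)} for hosts that
    look like reflector-attack victims: DNS response bytes arriving at the host reach
    ratio_threshold times the DNS query bytes the host itself sent, and the responses
    come from at least min_reflectors distinct servers."""
    resp_bytes = defaultdict(int)
    query_bytes = defaultdict(int)
    reflectors = defaultdict(set)
    for f in flows:
        if f.sport == DNS_PORT:      # server -> client direction: a DNS response
            resp_bytes[f.dst] += f.nbytes
            reflectors[f.dst].add(f.src)
        elif f.dport == DNS_PORT:    # client -> server direction: a DNS query
            query_bytes[f.src] += f.nbytes
    report = {}
    for host, rb in resp_bytes.items():
        qb = query_bytes.get(host, 0)
        # max(qb, 1): a victim that never queried anything has qb == 0
        if rb >= ratio_threshold * max(qb, 1) and len(reflectors[host]) >= min_reflectors:
            report[host] = (rb, qb, len(reflectors[host]))
    return report
```

The port-53 heuristic is deliberately coarse: a host running its own recursive resolver will legitimately send queries to port 53 on many servers, which the query-byte counter accounts for, but a stub client behind one resolver should only ever see answers from that single address, so "many distinct servers answering, nothing asked" is the discriminating signal rather than volume alone.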
There is also an increasing danger from attacks that chain a plurality of applications, for example phishing, in which information transmitted by email leads the victim to a malicious web server.
Known traceback techniques based on IP packets detect the computers that directly send the attack packets; when an attack is launched through springboards, they can therefore identify only the springboards.
Which file infected a computer to turn it into a springboard, and by what route, is investigated by detailed inspection of the logs on each server and the like. However, the conclusions drawn from such inspections depend on human judgment. A traceback that dynamically follows the applications involved is hard to achieve.
Countermeasures against DNS attacks in actual operation include reducing vulnerability by applying security patches so that settings cannot be tampered with, and reducing open-relay conditions by restricting the range of clients served by the DNS cache, and so on.
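The second countermeasure, restricting the clients a cache server will recurse for, is a configuration matter. The following added example (not from the patent, and the configuration snippets are constructed rather than taken from any real deployment) places a BIND-style options block that answers recursive queries for anyone beside one restricted to local prefixes, and runs a small regex check over each. The check is deliberately conservative: it treats a missing allow-recursion or allow-query-cache statement as unrestricted, whereas recent BIND 9 releases fall back to localnets and localhost when neither is set, so confirm the defaults in the ARM for the version actually in use.

```python
import re

# Constructed snippets, not taken from any real deployment.
OPEN_CACHE_CONF = """
options {
    directory "/var/named";
    recursion yes;   // recursive service with no client restriction
};
"""

RESTRICTED_CACHE_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion   { 192.0.2.0/24; 2001:db8::/32; localhost; };
    allow-query-cache { 192.0.2.0/24; 2001:db8::/32; localhost; };
};
"""

# Address-list entries that make a statement equivalent to no restriction at all.
UNRESTRICTED_ANY = ("any", "0.0.0.0/0", "::/0")


def _strip_comments(text):
    """Remove C-style, C++-style and shell-style comments as named.conf allows."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def _address_list(conf, statement):
    """Return the entries of `statement { a; b; };`, or None if the statement is absent."""
    m = re.search(r"\b" + re.escape(statement) + r"\s*\{([^}]*)\}", conf)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def open_relay_findings(conf):
    """List the ways this options block leaves the cache usable by arbitrary clients.
    Only the two client-restriction statements are inspected; an empty list means
    the cache passes this (intentionally narrow) check."""
    conf = _strip_comments(conf)
    rec = re.search(r"\brecursion\s+(yes|no)\s*;", conf)
    if rec and rec.group(1) == "no":
        return []   # authoritative-only server: there is no cache to relay through
    # BIND's default is 'recursion yes', so an absent statement is treated as yes.
    findings = []
    for stmt in ("allow-recursion", "allow-query-cache"):
        acl = _address_list(conf, stmt)
        if acl is None:
            findings.append(f"{stmt} missing: this check treats the cache as unrestricted")
        elif any(e in UNRESTRICTED_ANY for e in acl):
            findings.append(f"{stmt} permits any client")
    return findings
```

Restricting the served range does not stop an attacker from spoofing an address inside that range, so the restriction shrinks the set of usable reflectors rather than eliminating reflection; source-address validation at the network edge is the complementary measure.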
In this respect, Patent Literatures 1 to 6 cited below describe techniques relevant to tracing back a sender or to adding traceable information to packets.
The invention described in Patent Literature 1 relates to a method of accumulating the information required for traceback in client computers.
The invention described in Patent Literature 2 relates to a method in which a router adds the information required for traceback to packets and/or deletes it from them.
The invention described in Patent Literature 3 relates to the following method. Each TCP PUSH packet is examined, and the destination address, port number and data of the TCP PUSH packets are compared to check whether at least the data match. If a TCP PUSH packet whose data match those of another TCP PUSH packet is transmitted or received within a predetermined time period, the transmission or reception of that TCP PUSH packet is determined to be an unauthorized access.
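The idea summarised above, matching identical payloads across PUSH packets within a time window, is what makes a springboard visible: a relay receives data on one connection and pushes the same bytes out on another shortly afterwards. The following is an added example in that spirit, not the patented method or any code from Patent Literature 3; the packet record, the sample capture and the one-second window are assumptions. It groups PSH packets by a digest of their payload, reports pairs on different connections within the window, and flags the pair as chained when the receiver of the first packet is the sender of the second.

```python
import hashlib
from typing import NamedTuple


class PshPacket(NamedTuple):
    """A TCP segment with the PSH flag set (constructed input; a sensor would fill
    this from the packet headers and TCP payload)."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

    def conn(self):
        return (self.src, self.sport, self.dst, self.dport)


# Constructed capture: 10.0.0.5 receives a command from 203.0.113.1 and 0.2 s later
# pushes the identical bytes on to 10.0.0.9 (springboard behaviour). The two "ls"
# payloads are 49.7 s apart and unrelated.
SAMPLE_CAPTURE = [
    PshPacket(100.0, "203.0.113.1", 4444, "10.0.0.5", 22, b"echo pwned > /tmp/x"),
    PshPacket(100.2, "10.0.0.5", 51000, "10.0.0.9", 22, b"echo pwned > /tmp/x"),
    PshPacket(100.3, "10.0.0.5", 51000, "10.0.0.9", 22, b"ls"),
    PshPacket(150.0, "10.0.0.7", 51001, "10.0.0.9", 22, b"ls"),
]


def find_relayed_push(packets, window=1.0):
    """Return (earlier, later, chained) triples: two PSH packets with identical data on
    different connections no more than `window` seconds apart. chained is True when the
    earlier packet's receiver is the later packet's sender, i.e. a relay hop."""
    by_digest = {}   # payload digest -> packets seen with that payload (bounded capture)
    hits = []
    for p in sorted(packets, key=lambda x: x.ts):
        if not p.payload:
            continue                      # empty segments would all collide
        d = hashlib.sha256(p.payload).digest()
        for earlier in by_digest.get(d, []):
            # an identical 4-tuple is a retransmission, not a relay
            if earlier.conn() != p.conn() and p.ts - earlier.ts <= window:
                hits.append((earlier, p, earlier.dst == p.src))
        by_digest.setdefault(d, []).append(p)
    return hits
```

Matching on the payload alone, as the summary says ("at least the data"), keeps the check independent of addresses and ports, which is what a springboard changes; the cost is that any popular short payload repeated across hosts within the window (a common banner, a keep-alive) will also pair up, so the chained flag or an additional port match is what separates a relay from coincidence.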
The invention described in Patent Literature 4 relates to a method of identifying an attack packet by using, as the information required for traceback, the header information of constantly collected packets, the header information of the attack packet, and/or inter-router connection information.
The invention described in Patent Literature 5 relates to a method of identifying a springboard attack by detecting an attack packet in a device that collects traffic, and by taking the correlation of packets correlated with the attack packet as the information required for traceback.
The invention described in Patent Literature 6 relates to a method of determining that an attack is occurring when the transmission of information to one and the same address reaches a given threshold.
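A threshold on transmissions to one address is only meaningful over a bounded time window, otherwise any long-lived destination eventually trips it. The following added example (not the patented method or any code from Patent Literature 6) keeps a sliding window of timestamps per destination and raises an alert the moment the count within the window reaches the threshold; the event format, sample burst, threshold of 5 and one-second window are assumptions.

```python
from collections import defaultdict, deque


class DestinationThreshold:
    """Alert when the number of transmissions to one destination address within
    `window` seconds reaches `threshold`. Each destination alerts once until reset()."""

    def __init__(self, threshold, window):
        self.threshold = threshold
        self.window = window
        self._times = defaultdict(deque)   # dst -> timestamps still inside the window
        self._alerted = set()

    def observe(self, ts, dst):
        """Record one transmission to dst at time ts; return True on a new alert.
        Events must be fed in non-decreasing time order."""
        q = self._times[dst]
        q.append(ts)
        while q and ts - q[0] > self.window:   # expire timestamps that left the window
            q.popleft()
        if len(q) >= self.threshold and dst not in self._alerted:
            self._alerted.add(dst)
            return True
        return False

    def reset(self, dst):
        self._alerted.discard(dst)


# Constructed events (ts, src, dst): a burst toward 198.51.100.9 from a few sources
# and a slow trickle toward 203.0.113.7 that never has 5 events in any one second.
SAMPLE_EVENTS = [
    (0.0, "192.0.2.11", "198.51.100.9"),
    (0.1, "192.0.2.12", "198.51.100.9"),
    (0.2, "192.0.2.13", "198.51.100.9"),
    (0.3, "192.0.2.11", "198.51.100.9"),
    (0.4, "192.0.2.12", "198.51.100.9"),
    (0.5, "192.0.2.10", "203.0.113.7"),
    (3.0, "192.0.2.10", "203.0.113.7"),
    (6.0, "192.0.2.10", "203.0.113.7"),
    (9.0, "192.0.2.10", "203.0.113.7"),
    (12.0, "192.0.2.10", "203.0.113.7"),
]


def detect(events, threshold=5, window=1.0):
    """Replay events in time order and return [(ts, dst)] for each alert raised."""
    det = DestinationThreshold(threshold, window)
    return [(ts, dst) for ts, _src, dst in sorted(events) if det.observe(ts, dst)]
```

A pure count cannot tell a reflector attack from a flash crowd toward a popular server, which is why in practice the threshold is combined with a property of the traffic itself, such as the response-to-query imbalance that characterises reflection, before a determination of attack is made.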