1. Field of the Invention
The present invention relates to an unauthorized access prevention technology, and more specifically to a technology for executing an unauthorized access prevention service that, for example, an Internet service provider (ISP) provides to its customers, and in particular to a technology for implementing an effective countermeasure against unauthorized access typified by distributed denial of service attacks.
2. Description of the Related Art
Denial of service (hereinafter abbreviated to “DoS”) is an attack that stops a system, or renders it incapable of operating, by deliberately sending processing demands that exceed the tolerable limit of the system's resources; DoS is characterized in that it is difficult to distinguish a legitimate processing demand from an illegitimate one. An attack in which many attack sources are distributed across a network is called distributed denial of service (hereinafter abbreviated to “DDoS”). DDoS is explained in detail, for example, in the following publication.
“Trends in Denial of Service Attack Technology” by Kevin J. Houle and George M. Weaver, published by the CERT Coordination Center in October 2001, retrieved on Feb. 17, 2003 from the Internet <URL:http://www.cert.org/archive/pdf/Dos_trends.pdf>
Conventional technologies to prevent DDoS are broadly classified into the following two methods, each of which can be further subdivided as follows.
I. Method that Replaces the Constituents Used in the Present Network
(1) Technology to Prevent DDoS by Expanding IP Packet
This technology adds return-path information to the IP packet, which makes it possible to trace the attack source and to uniquely identify each transmitter source that sends a processing demand, and replaces the existing routers or firewalls with ones that understand the expanded IP packet.
(2) Technology to Prevent DDoS Without Expanding IP Packet
This category includes, for example, the technology disclosed in Japanese Unexamined Patent Publication No. 2002-164938. In that technology, a packet-filtering program is propagated from an edge router and transmitted to each router; a router that receives the program executes it and shuts off the traffic from the attacker source, and routers capable of receiving and executing this program are used in place of the routers of the existing network.
II. Method that Uses the Constituents as they are that are Used for the Present Network
This method is described below with reference to FIG. 1. In the example network configuration shown in FIG. 1, a customer site 1000 operates a Web system 1001 and is equipped with a firewall 1002 to prevent unauthorized access to the Web system 1001.
The Web system 1001 is connected to an edge router 2001 via the firewall 1002. The edge router 2001 is managed by ISP-A 2000, an Internet service provider.
An attacker intending to perform DDoS against the Web system 1001 accesses a POP (point of presence) edge router 3001 managed by ISP-B 3000, an Internet service provider logically adjacent to ISP-A 2000 in the network, and attacks the Web system from there.
A regular user of the services of the Web system 1001 accesses a POP edge router 4001 managed by ISP-C 4000, an Internet service provider adjacent to ISP-A 2000 in the network, and receives the services provided by the Web system 1001.
(1) Technology to Prevent DDoS by an Attack-Target Customer Site
This is the technology in which a system combining the unauthorized access detection technology used in an intrusion detection system (hereinafter abbreviated to “IDS”) with packet control technology (such as filtering and flow-rate control) is arranged on the network border between ISP-A 2000 and the customer site 1000 (in FIG. 1, in the edge router 2001), and when that system detects DDoS, it shuts off only the specific unauthorized packets flowing from ISP-A 2000 to the customer site 1000.
(2) Technology to Prevent DDoS by a Single ISP
This is the technology in which the IDS is arranged on the network border between ISP-A 2000 and the customer site 1000 (in FIG. 1, in the edge router 2001) and a packet control device is arranged on the network border between ISP-A 2000 and each adjacent ISP (in FIG. 1, in the edge routers 2002 and 2003). When the IDS detects unauthorized access, it identifies where the packets entered by using an IP traceback technology, which locates the upstream path of an attack packet whose transmitter source address is spoofed, and only the unauthorized packets are shut off on the border between ISP-A 2000 and the adjacent ISP (in FIG. 1, at the edge router 2002).
(3) Technology to Prevent DDoS by Cooperation of a Plurality of ISPs
This technology is realized when the manager of ISP-A 2000, having identified by the single-ISP technology of the preceding item that the ISP adjacent to the flow source is ISP-B 3000, manually asks the manager of ISP-B 3000 by telephone to take a countermeasure. Consequently, this technology has not been established at present.
Information on technologies related to DDoS is available from the following publication: “Distributed Denial of Service (DDoS) Attacks/Tools” by Dave Dittrich, retrieved on Feb. 17, 2003 from the Internet <URL: http://staff.washington.edu/dittrich/misc/ddos>
It can be said that preventing DDoS at a point on the path from the attack transmitter source to the attack-target customer site that lies closer to the attack source is the more effective countermeasure. If the countermeasure is implemented at a point close to the attack-target customer site, the customer site itself is protected, but the attack traffic still congests the networks on the path and delays the processing of the routers, so for a user who accesses the site from the Internet the result is the same as if the service had been nullified.
In method I above, DDoS cannot be prevented without replacing the routers of the present network with routers that support a new protocol, which entails the expenditure of replacing the routers. In addition, a considerably long time passes before a new protocol, and routers that can handle it, become widely deployed.
Furthermore, since the reliability of communications cannot be ensured while DDoS is occurring, a router might fail to receive the program in the technology of Japanese Unexamined Patent Publication No. 2002-164938 mentioned above, with the result that the traffic from the attacker source is not shut off. In that technology, moreover, the router itself might become a target of DDoS. Also, that technology propagates a program to the routers, an action that does not fit the way each organization thinks about its security policy, so its adoption is held back and DDoS might not be prevented consistently across whole organizations.
Method II above is considered to have the following problems.
First, in the technology to prevent DDoS at the attack-target customer site, the countermeasure is implemented on the border between the ISP and the attack-target customer site, so nothing effective can be done about the congestion of networks inside the ISP and the deterioration of the processing capability of its routers. Consequently, the influence of the DDoS on other customers of the ISP cannot be prevented.
In the example of FIG. 1, the countermeasure against DDoS performed on the Web system 1001 by an attacker via ISP-B 3000 is implemented in the edge router 2001, and this method affects the provision of service to a regular user who accesses the Web system 1001 via ISP-C 4000.
Next, in the technology to prevent DDoS by a single ISP, the countermeasure is implemented on the border between the ISP and an adjacent ISP, so the influence on the network inside the user's own ISP is minimal. However, this technology still cannot cope with the congestion of networks and the deterioration of router processing capability that the attack traffic causes before it is shut off, and therefore cannot prevent the influence on regular packets that flow from the adjacent ISP into the user's ISP. Moreover, since the countermeasure can be implemented only on a network border that is connected at all times, it cannot appropriately prevent an attack received from a transiently connected network whose connected hosts change over time.
In the example of FIG. 1, since the countermeasure against DDoS performed on the Web system by an attacker via ISP-B 3000 is implemented by the edge router 2002, this method has little influence on the provision of service to a regular user who accesses the Web system 1001 via ISP-C 4000, but it does affect the provision of service to a regular user who accesses the Web system 1001 via ISP-B 3000. Moreover, in the case of FIG. 1, when an attacker who attacks the Web system 1001 through a connection to the POP edge router 3001 managed by ISP-B 3000 disconnects from the POP edge router 3001 and then connects to it again, the IP address of the attacker source changes, so it is difficult to implement the countermeasure at the edge router 2002 managed by ISP-A 2000.
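The following Python model of the FIG. 1 network is an added example and is not part of this patent or of the publications it cites. It contrasts the two filter placements of items II(1) and II(2) of method II and reproduces the reconnection case just described. The addresses (from the documentation ranges), packet counts, link capacities, detection threshold and flow records are all constructed for the example, and the ingress border recorded in each flow record stands in for the result of IP traceback.

```python
"""Flow-level model of the FIG. 1 network: where the DDoS filter sits decides
which regular users keep service, and whether a source that changes its
address evades the filter.  Addresses, volumes and capacities are constructed."""
from collections import Counter, defaultdict

# Border routers of ISP-A, named after FIG. 1.
CUSTOMER_BORDER = "edge_router_2001"   # ISP-A <-> customer site 1000
ISP_B_BORDER = "edge_router_2002"      # ISP-A <-> ISP-B 3000 (attacker's ISP)
ISP_C_BORDER = "edge_router_2003"      # ISP-A <-> ISP-C 4000 (regular user's ISP)

# Constructed flow records for one measurement interval, as an IDS at the
# customer border would see them: (source address, border through which the
# flow entered ISP-A, packets).  The ingress border stands in for IP traceback.
ATTACKER_1, ATTACKER_2 = "198.51.100.7", "198.51.100.8"
USER_VIA_B, USER_VIA_C = "198.51.100.20", "192.0.2.33"
FLOWS = [
    (ATTACKER_1, ISP_B_BORDER, 6000),   # attacker behind POP edge router 3001
    (ATTACKER_2, ISP_B_BORDER, 3990),   # second attacker behind ISP-B
    (USER_VIA_B, ISP_B_BORDER, 10),     # regular user behind ISP-B
    (USER_VIA_C, ISP_C_BORDER, 20),     # regular user behind ISP-C
]
# Packets per interval that the inbound link of each router can carry (constructed).
LINK_CAPACITY = {ISP_B_BORDER: 5000, ISP_C_BORDER: 5000, CUSTOMER_BORDER: 4000}
ATTACK_THRESHOLD = 1000   # per-source packets per interval that flag a source (constructed)

def detect_attack_sources(flows, threshold=ATTACK_THRESHOLD):
    """IDS step at the customer border: rate-based detection per source address.
    Returns {source: ingress border} for every source at or over the threshold."""
    volume, ingress = Counter(), {}
    for src, border, pkts in flows:
        volume[src] += pkts
        ingress[src] = border
    return {src: ingress[src] for src, n in volume.items() if n >= threshold}

def build_rules(detected, placement):
    """Turn IDS output into filter rules {router: {blocked sources}}.
    'customer' = item II(1): block at the customer border only.
    'ingress'  = item II(2): block at the ISP-ISP border each source came in through."""
    rules = defaultdict(set)
    for src, border in detected.items():
        rules[CUSTOMER_BORDER if placement == "customer" else border].add(src)
    return rules

def forward(flows, rules):
    """Carry each flow over its two hops (ingress border, then customer border).
    At every hop the inbound link is shared in proportion to offered load, so
    congestion loss hits attack and regular flows alike before the router's
    filter can discard flagged sources.  Returns {source: packets delivered}."""
    remaining = {src: pkts for src, _, pkts in flows}
    path = {src: (border, CUSTOMER_BORDER) for src, border, _ in flows}
    for hop in (0, 1):
        arriving = defaultdict(list)
        for src in remaining:
            arriving[path[src][hop]].append(src)
        for router, srcs in arriving.items():
            offered = sum(remaining[s] for s in srcs)
            cap = LINK_CAPACITY[router]
            for s in srcs:
                if offered > cap:                          # congestion on the inbound link
                    remaining[s] = remaining[s] * cap // offered
                if s in rules.get(router, set()):          # filter rule at this router
                    remaining[s] = 0
    return remaining

def reconnected(flows, old, new):
    """Attacker drops its POP connection and dials in again: same traffic,
    freshly assigned source address (the evasion described for item II(2))."""
    return [(new if src == old else src, border, pkts) for src, border, pkts in flows]

if __name__ == "__main__":
    detected = detect_attack_sources(FLOWS)
    print("no filter      ", forward(FLOWS, {}))
    for placement in ("customer", "ingress"):
        print(f"{placement:<15}", forward(FLOWS, build_rules(detected, placement)))
    stale = build_rules(detected, "ingress")
    moved = reconnected(FLOWS, ATTACKER_1, "198.51.100.77")
    print("after reconnect", forward(moved, stale))
```

Running the model shows the three points of the text: a filter at edge router 2001 stops the attack packets from reaching the customer site but the attack traffic has already congested the link into 2001, so the user behind ISP-C 4000 loses packets; a filter at edge router 2002 leaves the ISP-C user untouched while the ISP-B user still suffers the congestion on the link from ISP-B; and once the first attacker reconnects with a new address, the rules built from the earlier detection no longer match it until the IDS re-detects the new source.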
In the technology to prevent DDoS by cooperation of a plurality of ISPs, the countermeasure can be implemented at a point closer to the attack transmitter source, but under present circumstances the managers of the ISPs must communicate by telephone and resolve the problem while respecting both parties' security policies, so working out the countermeasure takes a tremendous amount of time. In addition, since there is no method of authenticating the person in charge at each ISP, this technology has problems of the reliability of the information used to operate the system and of impersonation of a person in charge at an ISP. A further problem is that when this technology is employed, the operation history is not recorded.