In recent years, network security has become increasingly important because of laws protecting personal information and because IP (Internet Protocol) networks, typified by the Internet, have become societal lifelines.
Many companies and individuals routinely install devices for protection against illegal communications, such as a FW (firewall), IDS (Intrusion Detection System) or IPS (Intrusion Prevention System), at the access point to the communication service provider. These devices prevent attacks on the servers installed in the network and information leaks from the PCs installed in the network, and in that way protect the organization's information resources.
Such illegal-communication protection devices detect hosts attempting illegal communications, reject the illegal communications from the detected host or limit their bandwidth, and at the same time safeguard legal communications.
For TCP, illegal communications are rejected and legal communications are protected by methods such as storing the communication status in a session table and judging whether a connection is legal according to whether the client completes the handshake after the device sends a proxy SYN-ACK reply on the server's behalf (See Christoph L. Schuba, Ivan V. Krsul, Markus G. Kuhn, Eugene H. Spafford, Aurobindo Sundaram, Diego Zamboni, "Analysis of a Denial of Service Attack on TCP", Proceedings of the IEEE Symposium on Security and Privacy, May 1997, pp. 208-223).
However, there are also attacks that cannot be prevented just by installing these illegal-communication protection devices (FW, IDS, IPS) at access points. An attacker might, for example, use a compromised server and multiple zombie servers to send massive amounts of packets to a router on the communication path between a client PC and a Web server, lowering that router's packet forwarding capability. The packets flowing between the PC and the server are then discarded at the attacked router, so that normal communication becomes impossible.
Defending against this type of attack requires the communication service provider to add illegal-communication protection functions to the edge routers at the connection points with other networks on the upstream side of its network, to analyze all communications carried on the network, and to reliably detect and reject all types of illegal communications, including DDoS (Distributed Denial of Service) attacks on routers and servers and massive amounts of traffic such as P2P (Peer to Peer) that cripple communications.
Whereas a company or private network is generally connected to the communication service provider's network at a single point, the communication service provider's network is connected to other communication service providers' networks at multiple points.
Within its network, the communication service provider uses routing protocols that compute shortest paths, such as RIP (See C. Hedrick, "Routing Information Protocol", RFC 1058, June 1988.) and OSPF (See J. Moy, "OSPF Version 2", RFC 1583, March 1994.). Therefore the forward path and the return path of a communication with a given host may in some cases differ, so that a protection device on one of the paths sees only one direction of the exchange.
Protecting against illegal communications requires a session table that records, for each communication, the connection request source address, the connection request destination address, and a recording time showing when the most recent communication in that flow occurred.
Methods for overwriting communication data recorded in the session table include searching the table by a hash value and, where no matching data is found, overwriting the data with the oldest recording time among the multiple communication data found at that hash position (See J. Lemon, "Resisting SYN flood DoS attacks with a SYN cache", Proceedings of USENIX BSDCon 2002, February 2002, pp. 89-98).
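The following is an added example, not the patent's own implementation or the code of either cited paper. It puts the two mechanisms described above together: a session table whose bucket is selected by a hash of the source and destination addresses, which overwrites the record with the oldest recording time when the bucket is full, and a SYN-proxy check that answers a client's SYN with a SYN-ACK on the server's behalf and admits the flow only when the returning ACK matches. The bucket count, bucket size, device secret, packet format and all addresses are assumptions made for the example; the traffic is constructed.

```python
# Added example, not the patent's own implementation: a hashed-bucket session
# table that overwrites the oldest record when a bucket is full, driving a
# SYN-proxy check. Bucket sizes, the device secret and all addresses are assumed.
import hashlib
from dataclasses import dataclass

BUCKETS = 8       # assumed: deliberately small so bucket overflow is easy to reach
BUCKET_SIZE = 2   # assumed: records per bucket before the oldest is overwritten
DEVICE_SECRET = b"assumed-device-secret"


@dataclass
class Record:
    src: str
    dst: str
    last_seen: float   # recording time of the most recent packet in this flow
    state: str         # "SYN_SEEN": proxy SYN-ACK sent; "ESTABLISHED": ACK verified
    proxy_seq: int     # initial sequence number the device used in its SYN-ACK


def flow_hash(src, dst, secret=b""):
    return int.from_bytes(hashlib.sha256(secret + f"{src}>{dst}".encode()).digest()[:4], "big")


class SessionTable:
    def __init__(self, buckets=BUCKETS, bucket_size=BUCKET_SIZE):
        self.buckets = [[] for _ in range(buckets)]
        self.bucket_size = bucket_size
        self.overwrites = 0

    def _bucket(self, src, dst):
        return self.buckets[flow_hash(src, dst) % len(self.buckets)]

    def lookup(self, src, dst):
        for rec in self._bucket(src, dst):
            if rec.src == src and rec.dst == dst:
                return rec
        return None

    def insert(self, rec):
        bucket = self._bucket(rec.src, rec.dst)
        if len(bucket) < self.bucket_size:
            bucket.append(rec)
        else:
            # no free slot: overwrite the record with the oldest recording time
            oldest = min(range(len(bucket)), key=lambda i: bucket[i].last_seen)
            bucket[oldest] = rec
            self.overwrites += 1
        return rec


class SynProxy:
    """Packets are dicts: src, dst, flags in {"SYN", "ACK", "PSH"}, optional ack."""
    def __init__(self, table):
        self.table = table
        self.forwarded, self.rejected = [], []   # admitted / dropped data packets

    def handle(self, pkt, now):
        src, dst = pkt["src"], pkt["dst"]
        rec = self.table.lookup(src, dst)
        if pkt["flags"] == "SYN":
            isn = flow_hash(src, dst, DEVICE_SECRET)   # recomputable, no extra state
            if rec is None:
                self.table.insert(Record(src, dst, now, "SYN_SEEN", isn))
            else:
                rec.last_seen = now
            return f"SYN-ACK seq={isn}"      # proxy reply; server not yet involved
        if rec is None:                      # no handshake in progress for this flow
            self.rejected.append(pkt)
            return "DROP no-session"
        if rec.state == "SYN_SEEN":
            if pkt["flags"] == "ACK" and pkt.get("ack") == rec.proxy_seq + 1:
                rec.state, rec.last_seen = "ESTABLISHED", now
                return "ESTABLISHED"
            self.rejected.append(pkt)        # ACK that does not match our SYN-ACK
            return "DROP bad-ack"
        rec.last_seen = now
        self.forwarded.append(pkt)
        return "FORWARD"


def run_scenario():
    """Constructed traffic: one legitimate client, then a 40-source SYN flood."""
    table, server = SessionTable(), "203.0.113.10"
    proxy, client = SynProxy(table), "198.51.100.7"
    reply = proxy.handle({"src": client, "dst": server, "flags": "SYN"}, 0.0)
    isn = int(reply.split("seq=")[1])
    proxy.handle({"src": client, "dst": server, "flags": "ACK", "ack": isn + 1}, 0.01)
    proxy.handle({"src": client, "dst": server, "flags": "PSH", "ack": isn + 1}, 0.02)
    for i in range(40):   # spoofed sources never answer the proxy SYN-ACK
        proxy.handle({"src": f"192.0.2.{i}", "dst": server, "flags": "SYN"}, 1.0 + i / 1000)
    # one flood source tries to send data without completing the handshake
    proxy.handle({"src": "192.0.2.5", "dst": server, "flags": "PSH", "ack": 1}, 3.0)
    return {"forwarded": len(proxy.forwarded), "rejected": len(proxy.rejected),
            "stored": sum(len(b) for b in table.buckets), "overwrites": table.overwrites}
```

Every packet in a known flow refreshes `last_seen`, so the record that is overwritten under pressure is the one whose most recent communication is oldest, and a half-open record from a spoofed SYN is the natural victim. The example assumes, as the patent's discussion of differing forward and return paths points out cannot always be assumed, that both directions of the flow traverse the device holding the table.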