A network control technique called Software Defined Networking (SDN) is known. For example, OpenFlow (registered trademark) is a typical SDN technique, and enables flexible network management in software by separating the network route controlling function from the packet transferring function. More specifically, OpenFlow is composed of a control application, a controller which performs network route control, and a switch which performs packet transfer processing according to instructions from the controller.
Meanwhile, securing network safety is an important task for network administrators. In recent years in particular, DoS (Denial of Service) attacks, which transmit a large amount of traffic to a target server by operating multiple terminals, have been increasing. A network under a DoS attack suffers problems such as a decrease in the processing performance of routers and firewalls, a decrease in the processing performance of the target server, and significant consumption of disk resources due to enormous logs. Further, attackers usually spoof transmission source addresses, and therefore network administrators generally have difficulty in accurately identifying the attackers. As a result, it is not possible to take effective measures for excluding the attackers.
In particular, when a network having a dynamic route controlling function such as OpenFlow receives a large number of accesses in a short time, as in a DoS attack, a switch generates a great number of new flow inquiries (Packet-in) to the controller in a short time. In this case, if no countermeasure is taken, an excessive processing load is applied to the controller or to the packet transfer destination server, and the controller or the packet transfer destination server is thus likely to become unable to perform processing.
In this regard, a method has been proposed for a system which controls a network by using the OpenFlow technique: when a DoS attack occurs, the controller authenticates the packet distribution source user (accessibility determination) and determines and discards unauthorized packets based on a defined pattern, thereby suppressing the load applied to the switch (see, for example, Patent Literature 1).
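The Packet-in load described above can be reproduced in a small simulation. The following is an added example, not code from this document and not the method of Patent Literature 1: it shows that forged source addresses turn every packet into a new flow inquiry, that counting per source address reveals nothing, and that a controller-side count per switch ingress port does. The classes `Switch` and `PacketInMonitor`, the threshold, the window and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

class Switch:
    """Toy switch: a flow-table miss produces a Packet-in to the controller."""
    def __init__(self, dpid):
        self.dpid, self.flows = dpid, set()

    def receive(self, ts, in_port, src, dst):
        if (src, dst) in self.flows:
            return None                      # table hit: forwarded without the controller
        self.flows.add((src, dst))           # assumption: controller installs the flow
        return {"ts": ts, "dpid": self.dpid, "in_port": in_port, "src": src}

class PacketInMonitor:
    """Sliding-window Packet-in count per (switch, ingress port)."""
    def __init__(self, window=1.0, threshold=100):
        self.window, self.threshold = window, threshold
        self.seen = defaultdict(deque)

    def observe(self, ev):
        q = self.seen[(ev["dpid"], ev["in_port"])]
        q.append(ev["ts"])
        while q[0] <= ev["ts"] - self.window:
            q.popleft()                      # drop timestamps older than the window
        return len(q) > self.threshold       # True: this port is flooding the controller

def simulate(n=2000):
    sw, mon = Switch(dpid=1), PacketInMonitor()
    per_port, per_src, flagged = defaultdict(int), defaultdict(int), set()
    for i in range(n):                       # constructed traffic, one second long
        ts = i / n
        packets = [
            (1, f"10.0.0.{i % 5 + 1}"),              # port 1: five real clients
            (2, f"198.18.{i // 256}.{i % 256}"),     # port 2: new forged source per packet
        ]
        for in_port, src in packets:
            ev = sw.receive(ts, in_port, src, "10.0.1.10")
            if ev is None:
                continue
            per_port[in_port] += 1
            per_src[src] += 1
            if mon.observe(ev):
                flagged.add((ev["dpid"], in_port))
    return dict(per_port), max(per_src.values()), flagged

if __name__ == "__main__":
    ports, worst_src, flagged = simulate()
    print("Packet-in per ingress port:", ports)
    print("most Packet-in from one source:", worst_src)
    print("flagged (dpid, port):", flagged)
```

Both ports carry the same number of packets, so the difference in controller load comes entirely from the number of distinct sources.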