Currently, there is a problem of reflective DDoS (Distributed Denial of Service) attacks that abuse the reply packets of UDP (User Datagram Protocol) services such as the DNS (Domain Name System) and the NTP (Network Time Protocol). For example, the attacker transmits DNS request packets, whose transmission-source IP address is forged to be that of the target, to a large number of open resolvers spread across the network. Each open resolver resolves the name and transmits its reply packet to the forged transmission-source IP address, that is, to the target. Because the reply of a DNS or NTP server is typically much larger than the request that triggered it, the replies from the many resolvers converge on the target and the attacker can apply a load of some hundreds of Gbps to the target network while transmitting far less traffic himself.
Here, since the DNS and the NTP use UDP, which has no connection state, it is difficult to block the above-described attack with the stateful inspection function of a firewall. Therefore, a technology has been disclosed in which, when a DNS or NTP request packet (an allowable request packet) is received from the target side, a border router of the network adds the transmission-source IP address and port number of that request packet to a white list. The border router then transfers a DNS or NTP reply packet (an allowable reply packet) whose destination IP address and port number are listed in the white list, and blocks (discards) all other DNS or NTP reply packets. According to this technology, it is possible to block the attack packets while still delivering the allowable reply packets to the target. Note that the white list only prevents the attack packets from passing the border router; it does not relieve the load on the links upstream of that router.
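The following is an added example, not code from the original text or from any disclosed implementation, that models the white-list behaviour described above as a packet filter. It assumes a five-second lifetime for each white-list entry (the text does not state one), treats UDP packets with destination port 53 or 123 as DNS/NTP requests and UDP packets with source port 53 or 123 as DNS/NTP replies, and uses constructed packets with documentation-prefix addresses.

```python
"""White-list filter for reflective DNS/NTP reply packets (constructed example).

An outbound DNS/NTP request from the protected (target) side records its
transmission-source (IP, port) in the white list.  An inbound DNS/NTP reply is
forwarded only if its destination (IP, port) is in the white list and the
entry has not expired; every other DNS/NTP reply is discarded.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

REFLECTOR_PORTS = {53, 123}  # UDP server ports of DNS and NTP
ENTRY_TTL = 5.0              # assumed lifetime of a white-list entry, in seconds


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "udp"


class BorderRouter:
    def __init__(self, ttl: float = ENTRY_TTL) -> None:
        self.ttl = ttl
        # (destination IP, destination port) -> expiry time
        self.whitelist: Dict[Tuple[str, int], float] = {}

    @staticmethod
    def _is_request(pkt: Packet) -> bool:
        return pkt.proto == "udp" and pkt.dst_port in REFLECTOR_PORTS

    @staticmethod
    def _is_reply(pkt: Packet) -> bool:
        return pkt.proto == "udp" and pkt.src_port in REFLECTOR_PORTS

    def outbound(self, pkt: Packet, now: float) -> str:
        """Packet leaving the target network: learn allowable requests."""
        if self._is_request(pkt):
            self.whitelist[(pkt.src_ip, pkt.src_port)] = now + self.ttl
        return "forward"

    def inbound(self, pkt: Packet, now: float) -> str:
        """Packet entering the target network: filter DNS/NTP replies."""
        if not self._is_reply(pkt):
            return "forward"            # not a DNS/NTP reply; unaffected
        key = (pkt.dst_ip, pkt.dst_port)
        expires = self.whitelist.get(key)
        if expires is None or expires < now:
            self.whitelist.pop(key, None)  # stale entry, if any
            return "drop"               # reply nobody on the inside asked for
        return "forward"


def simulate() -> Dict[str, int]:
    """Constructed traffic: one genuine query, its reply, and reflected replies."""
    router = BorderRouter()
    t = 100.0
    decisions = {"forward": 0, "drop": 0}
    # The target host 192.0.2.10 queries its own resolver from port 40000.
    router.outbound(Packet("192.0.2.10", 40000, "198.51.100.53", 53), t)
    # The genuine reply comes back to the white-listed (IP, port).
    decisions[router.inbound(Packet("198.51.100.53", 53, "192.0.2.10", 40000), t + 0.1)] += 1
    # Open resolvers answer spoofed requests the target never sent.
    for i in range(3):
        reflected = Packet(f"203.0.113.{i}", 53, "192.0.2.10", 40001 + i)
        decisions[router.inbound(reflected, t + 0.2)] += 1
    # A reply arriving after the entry has expired is discarded too.
    decisions[router.inbound(Packet("198.51.100.53", 53, "192.0.2.10", 40000), t + 10.0)] += 1
    return decisions


if __name__ == "__main__":
    print(simulate())
```

As in the text, the white list keys only on the destination IP address and port of the reply, so a reply from any server to a white-listed port is passed; a stricter filter would also record the server's IP address from the request, which narrows the window in which an attacker who guesses a live source port can get a reflected reply through.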