Distributed Denial of Service (DDoS) attacks and computer worms have a common characteristic in which they cause to consume intentionally the network resources, such as network bandwidth, router CPUs, and server CPUs, and cause to paralyze the network infrastructure, by producing a large amount of unauthorized or unlawful traffic.
The DDoS attack is an attack to make the system stop or disable by intentionally sending processing requests whose amount exceeds the tolerance limit of the system resource, from compromised machines distributed on the network. Therefore, it has a characteristic in which the damage cannot be prevented by finding the distributed compromised machines and stopping the unauthorized or unlawful attacks from them after the simultaneous attacks start once.
Moreover, the computer worms (in the following, it is also called simply “worm”.) are programs to copy itself and repeat the infection without the intervention of the computer users. The worm uses the vulnerabilities of programs executed on the host, such as buffer overflow, heap overflow, and format string, and propagates itself among computers connected with the network while self-copying. Because the speed of the worm's self-copying and spread is very fast, and it generates a large amount of traffic during the process, the worm has a characteristic in which the damage cannot be prevented by finding hosts that are infected with the worm and stopping them after they are dispersed once, as well as the DDoS attacks.
Incidentally, the spread speed of the computer worms that have been recently prevalent became very fast, and for instance, the Code Red needed no more than 12 hours for the infection to 360 thousand hosts, and furthermore, the SQL Slammer spread out all over the world during only 10 minutes. In addition, there is a tendency in which the computer worm that has been recently prevalent includes an agent program, which carries out the DDoS attacks using the infected host. The agent program is installed into the compromised machine by this computer worm and the DDoS attacks are carried out. Specifically, the Code Red included an agent program to carry out the DDoS attacks to http://www1.whitehous.gov and the Blaster included an agent program to carry out the DDoS attacks to http://www.windowsupdate.com.
The technology to deal with such DDoS attacks is described in Japanese Patent Publication 2003-283554, and 2003-2892337. However, the technology disclosed in these Japanese Patent Publications detects the DDOS attacks from inbound packets to a specific network, and cannot deal with a case in which the DDoS attacks are carried out from the specific network, in any way, thereby there is possibility to damage other networks.
For example, as shown in FIG. 1, a backbone network 1000 is connected with a network A via a blocking apparatus 1001, network B via a blocking apparatus 1002, network C via a blocking apparatus 1003, and network D via a blocking apparatus 1004. In such a state, it assumes that computers infectedwiththecomputerwormsorcomputerswhicharecompromisedmachines for the DDoS attacks exist in the networks A and B. In the background art, because the blocking apparatuses 1001 and 1002 do not check any outbound packets from the network A or B connected with itself, packets by the DDoS attacks or packets for probing by the worms are sent out to the backbone network 1000. Therefore, the congestion occurs in the backbone network 1000. On the other hand, when the blocking apparatuses 1003 and 1004 respectively connected with the networks C and D, which are attack targets or infection destinations, detect the packets by the DDoS attacks and/or packets for probing among the inbound packets to the networks C and D, they carry out filtering of the packets by the DDoS attacks and/or packets for probing to prevent them from being sent to the networks C and D.
Incidentally, although there is a word “computer virus” similar to the “computer worm”, the computer virus is a program to infect computers via the user's intervention and is distinct from the computer worm, here. It is a camouflage program to cause subversive activities when the computer user instructs to execute without knowing its harmful effects, such as files attached to e-mail, and files linked from Hyper Text Markup Language (HTML) files. The spread speed of the computer virus is slower than that of the computer worm, and the technology to detect and quarantine the computer virus by a signature-type anti-virus software executed at clients or servers is already established. Therefore, this invention does not mention it hereafter.
As described above for the background arts, there are various problems in the method in which only the inbound traffic from the backbone network is monitored at the boundary with the backbone network to carry out the countermeasure. That is, in the DDoS attacks, although the network including the target server is protected by blocking the inbound traffic at the boundary with the backbone network, it is impossible to stop the DDoS attacks. Therefore, the backbone network bandwidth and the resource of the routers in the backbone network are consumed, and the legitimate communication is prevented. In addition, in the worm spread, it may be possible to protect the invasion of the worm from the backbone network by blocking the inbound traffic at the boundary with the backbone network. However, because it is impossible to stop the probing to search new infection destinations by the computers infected with the worm, the backbone network bandwidth and the resource of the routers in the backbone network are consumed, and the legitimate communication is prevented.
Moreover, even if in an ideal environment, the inbound traffic can be completely blocked in all of the networks connected with the backbone network, the worm may invade from portable devices, such as a notebook-type personal computer, into the networks, and in reality, the spread of the worm into the backbone network cannot be avoidable.