This invention relates to a packet relay apparatus configured to mirror packets in a network.
There is an increasing security risk from distributed denial of service (DDoS) attacks, advanced persistent threats, and other such attacks. In order to minimize the damage from an attack, it is necessary to monitor, on the network upstream of an attack target, the attack packets that cause the attack, and to protect the attack target when an attack is detected.
In order to analyze the signs of a large-scale attack and prepare a countermeasure, it is necessary to monitor and analyze the packets on the network that indicate an attack sign. Therefore, traffic data is collected by a packet relay apparatus that constitutes the network, for example a router or a switch, by using the mirror function of the packet relay apparatus to transmit copies of the packets passing through it to an analyzer that has an attack analysis function.
When the occurrence of an attack or an attack sign is detected as a result of the analysis of the collected traffic data by the analyzer, a countermeasure for protecting against the attack is implemented based on the analysis result. As described later, there are various types of attacks that utilize networks, including logic attacks that exploit a vulnerability of a system, attacks that spoof the transmission source, flood attacks in which a large number of packets are transmitted to consume network bandwidth and server processing resources, and attack signs such as attempts to gain entry into a target.
The information required for analysis, the analysis method, the difficulty of analysis, and other such matters are different for each attack type, and hence various analyzers are provided in accordance with the attack type, for example, a firewall (FW), an intrusion detection system (IDS), an intrusion protection system (IPS), a web application firewall (WAF), a DDoS attack countermeasure apparatus, and a forensic server.
When performing attack analysis, the analysis performance of the analyzers is a constraint, and the packet relay apparatus cannot have all of the traffic it relays analyzed. Accordingly, “Large-Scale Edge Router and High-Speed Traffic Monitoring Technologies”, The Institute of Electronics, Information and Communication Engineers Technical Report, IA, Internet Architecture 109 (421) 47-52, 2010-02-12, discloses a technology in which a condition identifying the traffic to be analyzed in detail is set in a switch, and only the matching traffic is transferred to an IDS, which is one type of analyzer.