Communication scheme for preventing attack by pretending in service using anycast
Abstract
In the communication system, filtering is performed at both the sending and the receiving end. A server that holds an anycast address answers from its own source address and attaches to the response packet an identifier indicating the anycast address. A communication device that receives a response whose source address differs from the destination address it sent to detects that identifier and verifies the response packet against it. A boundary router between the two networks likewise detects the identifier in the response packet and verifies, against information about the servers that is stored in advance, that the packet really was transmitted from one of those servers before transferring it.
8 Claims
1. A communication device, comprising:
a transmission unit configured to transmit a packet to a prescribed destination address;
a reception unit configured to receive a response packet for responding to the packet transmitted by the transmission unit;
a first detection unit configured to detect a source address contained in the response packet received by the reception unit;
a second detection unit configured to detect an identifier indicating that an anycast address is assigned to another communication device that has the prescribed destination address, which is contained in the response packet, when the source address detected by the first detection unit and the prescribed destination address are different; and
a verification unit configured to verify the response packet, according to the identifier detected by the second detection unit.
(Dependent claim 2 not shown.)
3. A server device connected to a first network and having an anycast address, comprising:
a reception unit configured to receive a packet transmitted to the anycast address, from a communication device connected to a second network;
an identifier attaching unit configured to attach to a response packet for responding to the packet an identifier indicating that a source of the response packet has the anycast address; and
a transmission unit configured to transmit the response packet to the communication device.
4. A communication system, comprising:
a server device connected to a first network and having an anycast address;
a communication device connected to a second network; and
a boundary router device located at a boundary between the first network and the second network;
wherein the communication device has:
a first transmission unit configured to transmit a packet to the anycast address; and
a first reception unit configured to receive a response packet for responding to the packet from the server device;
the server device has:
a second reception unit configured to receive the packet transmitted to the anycast address from the communication device;
an identifier attaching unit configured to attach to the response packet for responding to the packet a first identifier indicating that the server device has the anycast address; and
a second transmission unit configured to transmit the response packet to the communication device; and
the boundary router device has:
a third reception unit configured to receive the packet destined to the server device from the communication device;
a first transfer unit configured to transfer the packet to the server device;
a fourth reception unit configured to receive the response packet for responding to the packet from the server device;
a detection unit configured to detect a second identifier, contained in the response packet, indicating that a source address different from the anycast address is attached;
a verification unit configured to verify that the response packet is a response transmitted from the server device, according to information regarding server devices having the anycast address in the first network which is provided in advance, when the second identifier is detected by the detection unit;
a transfer control unit configured to control whether or not to transfer the response packet to the communication device, according to a verification result of the verification unit; and
a second transfer unit configured to transfer the response packet to the communication device, when the transfer control unit judges that the response packet should be transferred.
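The following simulation is an added example written for this page; it is not code from the patent or its assignee. It walks the three roles of claim 4 (server, boundary router, communication device) through one request/response exchange and the failure cases the scheme is meant to catch: a host that is not a registered server answering with the identifier, a response that lost its identifier, and a response whose identifier names the wrong anycast address. The addresses, the option name `anycast-source`, and the choice to carry the identifier as a packet option whose value is the anycast address are this example's assumptions; the patent does not fix an encoding.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed sample addresses for the simulation (assumptions, not from the patent).
ANYCAST = "2001:db8:1::53"    # anycast address shared by the servers in the first network
SERVER_A = "2001:db8:1::a"    # unicast address of a legitimate server
SERVER_B = "2001:db8:1::b"    # unicast address of a second legitimate server
IMPOSTOR = "2001:db8:1::bad"  # host in the first network that is not a registered server
CLIENT = "2001:db8:2::10"     # communication device in the second network

# Hypothetical option name for the identifier. The patent only says the server
# attaches "an identifier indicating that a source of the response packet has the
# anycast address"; carrying it as an option keyed by this name, with the anycast
# address as its value, is this example's assumption.
ANYCAST_ID = "anycast-source"


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    options: Dict[str, str] = field(default_factory=dict)


def server_respond(unicast: str, anycast: str, request: Packet) -> Packet:
    """Server side (claim 3): answer a packet sent to the anycast address from the
    server's own unicast address and attach the identifier naming the anycast address."""
    if request.dst != anycast:
        raise ValueError("request was not addressed to this server's anycast address")
    return Packet(src=unicast, dst=request.src, payload=b"reply:" + request.payload,
                  options={ANYCAST_ID: anycast})


class BoundaryRouter:
    """Boundary router (claim 4): provisioned in advance with which unicast addresses
    in the first network legitimately hold which anycast address."""

    def __init__(self, servers: Dict[str, str]) -> None:
        self.servers = servers  # unicast address -> anycast address it serves

    def forward_response(self, pkt: Packet) -> bool:
        """Return True if the response may be transferred toward the second network."""
        claimed = pkt.options.get(ANYCAST_ID)
        if claimed is None:
            return True  # no identifier: ordinary unicast traffic, outside this scheme
        # The source claims to hold 'claimed'. Only a registered server for exactly
        # that anycast address may say so; anything else is a host pretending to be one.
        return self.servers.get(pkt.src) == claimed


def client_verify(sent_to: str, response: Packet) -> bool:
    """Client side (claim 1): accept the response if its source is the address we sent
    to; otherwise require an identifier naming that address as the anycast address."""
    if response.src == sent_to:
        return True
    return response.options.get(ANYCAST_ID) == sent_to


def run_exchange(server_unicast: str, router: BoundaryRouter,
                 tamper: Optional[Callable[[Packet], None]] = None) -> Tuple[bool, bool]:
    """One request/response round trip. Returns (forwarded_by_router, accepted_by_client).
    'tamper' lets a scenario modify the response in flight before the router sees it."""
    request = Packet(src=CLIENT, dst=ANYCAST, payload=b"query")
    response = server_respond(server_unicast, ANYCAST, request)
    if tamper is not None:
        tamper(response)
    forwarded = router.forward_response(response)
    accepted = forwarded and client_verify(request.dst, response)
    return forwarded, accepted


if __name__ == "__main__":
    router = BoundaryRouter({SERVER_A: ANYCAST, SERVER_B: ANYCAST})
    print("legitimate server    ", run_exchange(SERVER_A, router))   # (True, True)
    print("unregistered impostor", run_exchange(IMPOSTOR, router))   # (False, False)
    print("identifier stripped  ", run_exchange(SERVER_B, router,
          lambda p: p.options.clear()))                              # (True, False)
    print("wrong anycast claimed", run_exchange(SERVER_A, router,
          lambda p: p.options.update({ANYCAST_ID: "2001:db8:1::54"})))  # (False, False)
```

Two caveats a practitioner would keep in mind. The identifier carries no proof of origin, so the boundary router's check is only as strong as its provisioned table together with the assumption that a host inside the first network cannot put a registered server's unicast address in the source field; source-address (ingress) filtering on that network is still required. And the communication device's check is purely structural: it can tell that a mismatched source was not explained by an identifier, but any response that clears the router with a consistent identifier is accepted as-is.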
5. A communication method at a communication device, comprising:
transmitting a packet to a prescribed destination address;
receiving a response packet for responding to the packet;
detecting a source address contained in the response packet;
detecting an identifier indicating that an anycast address is assigned to another communication device that has transmitted the response packet, which is contained in the response packet, when the source address and the prescribed destination address are different; and
verifying the response packet, according to the identifier.
(Dependent claim 6 not shown.)
7. A computer program product for causing a computer to function as a communication device, the computer program product comprising:
a first computer program code for causing the computer to transmit a packet to a prescribed destination address;
a second computer program code for causing the computer to receive a response packet for responding to the packet;
a third computer program code for causing the computer to detect a source address contained in the response packet;
a fourth computer program code for causing the computer to detect an identifier indicating that an anycast address is assigned to another communication device that has transmitted the response packet, which is contained in the response packet, when the source address and the prescribed destination address are different; and
a fifth computer program code for causing the computer to verify the response packet, according to the identifier.
(Dependent claim 8 not shown.)