Frame-transfer control device, DoS-attack preventing device, and DoS-attack preventing system
Abstract
A prior information collecting unit transmits in advance a SYN/ACK frame to an address of a client in an external network, and monitors a response to the SYN/ACK frame. If there is no response, the prior information collecting unit determines that the address is a valid attack address. If there is a response with a RST frame, the prior information collecting unit determines that the address is an invalid attack address. An address holding unit stores a responding state of the client. A valid attack identifying unit detects a valid attack frame having a valid attack address as a source address from among frames addressed to the server, based on information stored in the address holding unit. A flow rate limiting unit limits a flow rate at the time of transferring the valid attack frames to the server.
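The classification and flow-rate limiting described in the abstract, modelled in Python as an added example (not code from the patent). Probe replies are supplied as constructed data rather than sent on the wire; the token-bucket limiter, the unlimited pass-through of sources not marked as valid attack addresses, and all names are assumptions.

```python
VALID_ATTACK = "valid attack address"      # SYN/ACK probe got no response
INVALID_ATTACK = "invalid attack address"  # probe was answered with RST

def classify(probes):
    """Address holding unit: map each probed address to its responding state."""
    states = {}
    for addr, reply in probes.items():  # reply: None = timeout, "RST" = reset
        if reply is None:
            states[addr] = VALID_ATTACK
        elif reply == "RST":
            states[addr] = INVALID_ATTACK
    return states

class TokenBucket:
    """Flow rate limiter (assumed mechanism): rate in frames/s, burst depth."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, 0.0  # bucket starts full

    def allow(self, now):
        # Refill for the elapsed time, capped at the burst depth.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < 1.0:
            return False
        self.tokens -= 1.0
        return True

def transfer(frames, states, bucket):
    """Return (timestamp, src, action) per frame addressed to the server."""
    out = []
    for ts, src in frames:
        limited = states.get(src) == VALID_ATTACK
        # Assumption: sources not marked as valid attack addresses pass unlimited.
        ok = bucket.allow(ts) if limited else True
        out.append((ts, src, "forward" if ok else "drop"))
    return out

# Constructed sample data (RFC 5737 documentation addresses).
PROBES = {"198.51.100.7": None, "203.0.113.9": "RST"}
FRAMES = [(0.0, "198.51.100.7"), (0.1, "198.51.100.7"), (0.2, "203.0.113.9"),
          (0.3, "198.51.100.7"), (1.5, "198.51.100.7")]

def demo():
    return transfer(FRAMES, classify(PROBES), TokenBucket(rate=1.0, burst=2.0))
```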
11 Claims
1. A frame-transfer control device configured to transfer, to a network to which a server is connected, a frame transmitted from a client in an external network, the frame-transfer control device comprising:
a transmitting unit configured to periodically transmit a response request to the client, and to monitor a response to the response request from the client to grasp a responding state of the client;
an identifying unit configured to identify whether the frame is any one of a legitimate frame and an illegitimate frame based on the responding state; and
a limiting unit configured to transfer the legitimate frame to the server by priority, and to limit transfer of the illegitimate frame.

2. An attack preventing device configured to protect a network to which a server is connected, from an attack from an external network, the attack preventing device comprising:
a transmitting unit configured to transmit a first frame to at least one client connected to the external network, and to monitor a response to the first frame from the client with a second frame, to grasp a responding state of the client;
a first storing unit configured to store the responding state corresponding to an address of the client;
a detecting unit configured to detect an offensive frame with which the network is attacked from among at least one frame transmitted from the external network toward the server, based on information stored in the first storing unit; and
a limiting unit configured to limit a flow rate of the offensive frame by adjusting a transmission band to transfer the frame to the server.
Dependent claims: 3, 4, 5, 6

7. An attack preventing system configured to protect a network to which a server is connected, from an attack from an external network, the attack preventing system comprising:
a first processing device configured to be connected to the external network; and
a second processing device configured to be connected to the network, wherein
the first processing device includes
a transmitting unit configured to transmit a first frame to at least one client connected to the external network, and to monitor a response to the first frame from the client with a second frame, to grasp a responding state of the client;
a first storing unit configured to store the responding state corresponding to an address of the client; and
a transferring unit configured to transfer information stored in the first storing unit to the second processing device, and
the second processing device includes
a second storing unit configured to store transferred information;
a detecting unit configured to detect an offensive frame with which the network is attacked from among at least one frame transmitted from the external network toward the server, based on information stored in the second storing unit; and
a limiting unit configured to limit a flow rate of the offensive frame by adjusting a transmission band to transfer the frame to the server.
Dependent claims: 8, 9, 10, 11

Specification