Title of invention: Network system, network relay method, and network relay device
Abstract: A history management unit within a discard determination unit manages transmission and reception packets related to a resource to be protected for each of users, and records communication history information for users high in use frequency through stateful measurement. A priority determination unit determines the priority of a communication on a per received packet basis on the basis of communication history information. A load determination unit determines a load level of the resource to be protected, and combines the load level with the priority of the communication determined on the per received packet basis. A discard rate determination unit and a packet discard unit implement forwarding processing, determine the priority of the communication on the per user basis, and discard communications low in the priority at a high ratio.
Publication number: US9060013(B2)  Publication date: 2015.06.16
Application number: US201313770550  Filing date: 2013.02.19
Applicant: ALAXALA NETWORKS CORPORATION  Inventors: Nakao Yoshihiro;Shinohara Masayuki;Watanabe Yoshinori
Classification: H04L29/06  Main classification: H04L29/06
Agency: Volpe and Koenig, P.C.  Agent: Volpe and Koenig, P.C.
Main claim: 1. A network system comprising: a server that has a resource to be protected, and configured to provide a service; and, a network relay device which includes an interface unit that is connected to one or more lines, and is configured to transmit or receive a packet with respect to a terminal and the server through a network, a relay hardware processor configured to conduct a first discard control for forwarding or discarding the packet on the basis of information included in a header of the received packet, a priority determination hardware processor configured to determine a priority of the received packet; a load determination hardware processor configured to determine a load state of the resource to be protected, on the basis of the load information, and, a DDoS attack prevention hardware processor configured to conduct a second discard control for forwarding or discarding the packet on a per packet basis on the basis of both the priority of the received packet and the load state of the resource to be protected, wherein: the network relay device includes a discard determination hardware processor configured to determine whether the received packet is to be forwarded or discarded, wherein the discard determination hardware processor includes: a received packet analysis hardware processor configured to determine whether the received packet is a packet which arrives at the resource to be protected, or not, and extract user identification information for specifying a user from the received packet if it is determined that the received packet is the packet which arrives at the resource to be protected; a history management hardware processor configured to prepare and record the communication history on the per user basis from the user identification information of the received packet obtained from the received packet analysis hardware processor, and retrieve and update the communication history recorded on the per user basis; a discard rate determination hardware processor configured to determine a discard rate of the preset received packet according to the priority of the received packet obtained from the priority determination hardware processor, and the load state obtained from the load determination hardware processor; and a packet discard hardware processor configured to implement a forwarding or discard determination of the packet on the basis of the discard rate of the received packet obtained from the discard rate determination hardware processor, wherein the discard control of the received packet is implemented according to the forwarding or discard determination by the discard determination hardware processor, wherein the discard control of the received packet is implemented according to the forwarding or discard determination by the discard determination hardware processor, wherein the priority determination hardware processor is configured to determine a priority of the received packet according to a preset determination criterion on the basis of the communication history recorded on the per user basis obtained from the history management hardware processor, wherein the load determination hardware processor is configured to determine a load state of the resource to be protected, on the basis of the load state due to the communication history recorded on the per user basis, or the load state notified from others.
Address: Kawasaki-shi, Kanagawa JP