JP2007266931A - Communication interruption apparatus, and communication interruption program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To prevent communication data transmitted from communication terminals that execute unauthorized communication from being transmitted to other communication terminals and thereby prevent spreading of communication terminals that conduct unauthorized communication. <P>SOLUTION: When a worm detector 6 detects that an infected terminal 1A has conducted unauthorized communication, a worm interruption apparatus 8 acquires the communication address of a data link layer or a network layer of the infected terminal 1A, and informs the infected terminal 1A about its own communication address or an address of another preset communication apparatus, when a request from the infected terminal 1A applied to the worm interruption apparatus 8 is received to inform the infected terminal 1A about the communication address of a data link layer or a network layer required for communication with a communication terminal 1B. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a communication blocking device and a communication blocking program for preventing a terminal from being spread to other terminals when it is detected that the terminal is infected with a worm.

  Conventionally, as worm detection technology, data that describes feature information called definition file for a known virus is prepared in advance, and pattern matching is performed between the file that may be infected with the virus and the definition file. It has been known. This definition file is a file that contains the characteristics of a computer virus-infected file or a worm program that repeats itself over the network, and is defined by anti-virus software (vaccine software) to detect computer viruses and worms. Each virus pattern recorded in the file is compared with the file to be inspected, and if a match with the pattern is found, it is determined that the file is infected with the virus.

  Moreover, as a worm countermeasure which is a kind of conventionally known viruses, for example, those described in Non-Patent Document 1 below can be cited.

When an infected terminal is detected by such a worm (virus) detection technique, conventionally, the network administrator is notified of the address information of the infected terminal.
http://www.nttdata.co.jp/netcom/pdf/nc04_ss_03.pdf

  As described above, after notifying the network administrator of the infected terminal, it is necessary to block or restrict communication of the infected terminal in order to prevent worm infection to other terminals in the network. However, the current situation is that the spread of worms by infected terminals cannot be completely stopped to prevent the spread.

  For example, when the worm detection device receives a copy of communication data of the infected terminal and monitors communication data corresponding to the communication data, the worm detection device cannot block communication. Also, if the worm has multiple infection methods, even if the worm detection device detects the infected terminal and then blocks the specific type of communication data of the infected terminal, communication data that spreads infection by other means is transmitted. It may be done. Therefore, the worm detection device alone cannot stop the worm infection activity completely. After detecting the worm infection activity and identifying the infected terminal, the means to prevent the worm infection activity is the worm detection device. It is required separately from the device.

  Therefore, the present invention has been proposed in view of the above-described circumstances, and prevents unauthorized communication by preventing communication data transmitted from a communication terminal that performs unauthorized communication from being transmitted to another communication terminal. An object of the present invention is to provide a communication cut-off device and a communication cut-off program that can prevent expansion of communication terminals to be performed.

  In the present invention, when an unauthorized communication detecting means for detecting unauthorized communication detects that a communication terminal connected to the network has performed unauthorized communication, the communication terminal communicates with another communication terminal. A communication blocking device for blocking, and in order to solve the above-mentioned problem, an address acquisition unit that acquires a communication address of a data link layer or a network layer of a communication terminal that has performed the unauthorized communication from the unauthorized communication detection unit; In response to detecting a request for notifying the communication address of the data link layer or the network layer of the other communication terminal that is necessary when communicating with the other communication terminal from the communication terminal that has performed unauthorized communication Or, in response to the detection of the unauthorized communication, the communication address acquired by the address acquisition means is addressed to its own communication address or other preset address. And an address notifying means for notifying the address of the communication device to the communication terminal that has performed an illegal communication.

  In the present invention, when an unauthorized communication detection module for detecting unauthorized communication detects that a communication terminal connected to the network has performed unauthorized communication, the communication terminal communicates with another communication terminal. A communication blocking program that causes a computer to implement a blocking function, and in order to solve the above-described problem, from the unauthorized communication detection module, the communication address of the data link layer or network layer of the communication terminal that performed the unauthorized communication is determined. In response to detecting an address acquisition function to be acquired and a request for notifying a communication address of a data link layer or a network layer necessary for communication with another communication terminal from a communication terminal that has performed unauthorized communication. In response to the detection of unauthorized communication, the communication address addressed to the communication address acquired by the address acquisition function An address notification function for notifying a less or preset address of the other communication device is implemented on a computer.

  According to the communication blocking device and the communication blocking program according to the present invention, the communication address of the data link layer or the network layer of the communication terminal that performed unauthorized communication is acquired, and another communication is performed from the communication terminal that performed unauthorized communication. In response to detecting a request for notification of the communication address of the data link layer or network layer of the other communication terminal required for communication with the terminal, or in response to detection of unauthorized communication Communicating the communication address to the communication terminal that performed the unauthorized communication to the communication address addressed to the communication terminal that performed the unauthorized communication, so that the correct address is obtained by the communication terminal that performed the unauthorized communication Can be prevented, unauthorized communication can be blocked, and expansion of communication terminals performing unauthorized communication can be prevented.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  As shown in FIG. 1, for example, the present invention provides a communication system in which communication terminals 1A and 1B are connected to a server 5 such as a web server via a switch 2, a router 3 and a switch 4 as a plurality of relay devices. When the detection device 6 and the management device 7 (unauthorized communication detection means) are notified that the unauthorized communication has been detected by the worm, the detection device 6 and the management device 7 are applied to the worm blocking device 8 that blocks infection activity by the worm. In this embodiment, for example, a case where the communication terminal 1A is infected with a worm and unauthorized communication data transmitted from the communication terminal 1A (hereinafter referred to as the infected terminal 1A) is blocked will be described.

  The worm blocking device 8 first obtains the data link layer or network layer address of the infected terminal 1A that has performed unauthorized communication from the management device 7, and communicates with the other communication terminal 1B from the infected terminal 1A. In response to detecting a request for notifying the communication address of the data link layer or network layer of the communication terminal 1B that is necessary for the communication, or in response to detection of unauthorized communication, The communication address is notified of its own communication address or the address of another communication device different from the preset communication terminal 1B. By having such address acquisition means and address notification means, the worm blocking device 8 performs notification that the infected terminal 1A has camouflaged a communication partner with which the infected terminal 1A wants to communicate, and the infected terminal 1A communicates with a non-infected communication partner. Shut off.

  In such a communication system, the worm operation of the infected terminal 1A includes port scan for the server 5, transmission of an illegal packet to the server 5 and the communication terminal 1B, and transmission of an illegal mail including a virus for the communication terminal 1B as an attached file. Etc. Here, examples of the server 5 include not only a web server but also a mail server.

  For example, the unauthorized communication data S1 transmitted from the infected terminal 1A is transmitted to the server 5 via the switch 2, the router 3, and the switch 4 with the IP address of the server 5 as the destination. Then, the worm detection device 6 acquires the communication data S2 obtained by copying the communication data S1 passing through the switch 4, and determines whether or not the copied communication data S2 is unauthorized communication data. The worm detection device 6 detects whether or not the infected terminal 1A is infected with the worm by detecting the specific behavior of the infected terminal 1A from the copied communication data S2. For example, when communication data S2 including an MX record that receives a name service directly from the infected terminal 1A is detected, or when communication data S2 including a destination that is not transmitted is detected for an uninfected communication terminal 1B or the like. The infected terminal 1A that has transmitted the communication data S2 is detected. Then, the worm detection device 6 acquires the IP address included in the communication data S2, and notifies the management device 7 of the worm detection report message S3 including the IP address of the infected terminal 1A.

  Specifically, the worm detection device 6 acquires a port number that specifies the type of application data included in the communication data S2, and the port number indicates a name service application that converts a host name into a network layer address. In addition, when the application data of the communication data S2 includes data inquiring about the network layer address of the mail server, the infected terminal 1A trying to access the mail server illegally can be detected. As another specific example, the worm detection device 6 sets a dummy setting in addition to the normal setting information in advance to the infected terminal 1A in order to detect that illegal communication data is distributed due to a computer virus. If information is stored and communication data is created and transmitted using dummy setting information by an operation by the worm, it can be determined that the infected terminal 1A is infected with the worm.

  The management device 7 is a server operated by the network administrator, receives the worm detection report message S3 from the worm detection device 6, accumulates the IP address of the infected terminal 1A included in the worm detection report message S3, and Notify the network administrator. In response to receiving the worm detection report message S3, the management device 7 notifies the worm cutoff device 8 of a communication cutoff command S4 including the IP address of the infected terminal 1A.

  When the communication blocking instruction S4 including the IP address of the infected terminal 1A is notified from the management device 7, the worm blocking device 8 is addressed to the IP address, and the infected terminal 1A infects the server 5, the communication terminal 1B, etc. The communication data S5 for preventing the enlargement of the message can be transmitted to the infected terminal 1A. As shown in FIG. 2, when the worm blocking device 8 performs communication between a transmission terminal 1A that is a communication terminal that transmits communication data and a reception terminal 1B that receives the communication data, the transmission terminal 1A Processing to access a DNS (Domain Name System) server (not shown) to obtain an IP address from the host name of the receiving terminal 1B (step ST1 in FIG. 3), ICMP Redirect message in the ICMP (Internet Control Message Protocol) mechanism Is used to obtain the IP address of the appropriate router from the IP address of the receiving terminal 1B (step ST2 in FIG. 3), and the MAC address from the IP address of the communication partner using the ARP (Address Resolution Protocol) mechanism. Of the transmitting terminal 1A infected by the worm by one of the processes (step ST3 in FIG. 3) Block or guide communication data to block unauthorized communication.

  Next, a process for blocking unauthorized communication of the infected terminal 1A according to the operation of the infected terminal 1A described above will be described.

  First, the process in which the infected terminal 1A accesses the server 5, which is an actual DNS server, to block the activity of acquiring the IP address of the communication terminal 1B and other communication devices such as a server that manages the infection status of the worm. This will be described with reference to FIGS. 4 and 5. FIG.

  As shown in FIG. 4, the worm blocking device 8 relays the name service request from the infected terminal 1A via the router 3 to the server 5 (not shown) as a DNS server. Copy and receive the request. Here, the terminal name (host name) of the communication terminal 1B that the infected terminal 1A wants to communicate with is “host1.sample.com”, the IP address is “10.20.30.40”, and the terminal name (host) of the worm blocking device 8 Name) is “wormfw.sample.com” and the IP address is “192.168.1.1”, the worm blocking device 8 infects its own IP address as an IP address corresponding to the host name of the communication terminal 1B. Notify terminal 1A. That is, the worm blocking device 8 acts as a forged DNS server and blocks communication from the infected terminal 1A to the communication terminal 1B without notifying the IP address of the communication terminal 1B requested by the infected terminal 1A. Further, the worm blocking device 8 can guide communication data from the infected terminal 1A to itself by notifying the infected terminal 1A of its own IP address.

  As shown in FIG. 5, the worm blocking device 8 includes a basic software processing unit 11 and a communication control application processing unit 12 by installing basic software and a communication control application. Configured.

  The basic software processing unit 11 includes a communication interface unit 21 connected to a network and a TCP (Transmission Control Protocol) / IP (Internet Protocol) communication control unit 22. When the communication interface unit 21 receives communication data from the network via the switch 2 or the router 3, the basic software processing unit 11 performs communication control application processing according to the port number of the TCP header by the TCP / IP communication control unit 22. The communication data is passed to the unit 12. In addition, when the application data is passed from the communication control application processing unit 12, the basic software processing unit 11 adds a TCP header and an IP header to the application data by the TCP / IP communication control unit 22, and the communication interface unit 21. To send to the network.

  The worm blocking device 8 is arranged so as to copy and intercept the communication data passing through the switch 2 in FIG. 1 so that the basic software processing unit 11 can receive it. The TCP / IP communication control unit 22 inquires the IP address from the DNS server in the transport layer header when the communication block instruction S4 from the management device 7 in the received communication data and the transport layer protocol is UDP or TCP. Communication data in which a port number representing a service is stored is passed to the communication control application processing unit 12.

  The communication control application processing unit 12 performs a process for the worm blocking device 8 to disguise as a DNS server to block or guide the communication of the infected terminal 1A. The communication control application processing unit 12 includes an infected terminal information receiving unit 23, an infected terminal information list 24, and a forged DNS message generating unit 25.

  When the basic software processing unit 11 receives the communication cutoff command S4 from the management device 7, the communication control application processing unit 12 receives the communication cutoff command S4 at the infected terminal information receiving unit 23. Upon receiving the communication cutoff command S4, the infected terminal information receiving unit 23 stores the IP address of the infected terminal 1A included in the communication cutoff command S4 in the infected terminal information list 24.

  The infected terminal information list 24 is list data stored in a storage medium, and is formed by listing IP addresses from the infected terminal information receiving unit 23 as IP addresses infected with a worm. In this infected terminal information list 24, the IP address of the infected terminal 1A is associated with the MAC address of the infected terminal 1A, time information, and the like.

  The spoofed DNS message generation unit 25 uses TCP / IP communication control for communication data in which the transport layer protocol is UDP or TCP, and the transport layer header stores a port number representing a service that inquires the DNS server for an IP address. From the unit 22. The spoofed DNS message generation unit 25 monitors the communication data so that the infected terminal 1A whose IP address is stored in the infected terminal information list 24 includes a request for inquiring the actual DNS server for the IP address from the host name. Whether data or communication data related to unauthorized communication is transmitted is monitored. The forged DNS message generator 25 then sends the IP address stored in the infected terminal information list 24 when the source IP address of the communication data received by the DNS server or the communication data related to unauthorized communication is matched. Generates a response packet of the forged DNS server. At this time, the forged DNS message generation unit 25 stores its own IP address or a preset IP address of another communication device in the application data storage area as a response packet of the DNS server, and performs TCP / IP communication control. Pass to part 22.

  In addition, the basic software processing unit 11 stores the port number of the transport layer header indicating that it is a DNS server response packet under the control of the communication control application processing unit 12, and sets the IP address destination to the infected terminal 1A. Create the communication data and send it to the network.

  As described above, according to the worm blocking device 8, when the communication data of the DNS including the IP address of the infected terminal 1A and inquiry of the IP address from the host name or communication data related to unauthorized communication is received, the communication data Regardless of the host name included in the IP address, a self IP address is returned as a fake IP address, so that it is possible to prevent the infected terminal 1A from acquiring a correct IP address and to block communication using DNS. In addition, in response to a DNS inquiry from the infected terminal 1A or unauthorized communication, the IP address of another communication device such as a server managing the infection status of the worm is used instead of the IP address of the worm blocking device 8 itself. The response destination of the infected terminal 1A can be guided to the other communication device. This prevents the spread of infection by the infected terminal 1A.

  The installation location of the worm blocking device 8 acting as the above-described camouflaged DNS server may be any of a bridge type, a switch type, a router type, and a horizontal type as long as communication can be intercepted. However, the communication line connected between the communication terminals or the relay device connected to the relay device such as the switch 2 that relays the communication data communicated between the communication terminals, and the communication data passing through the communication line or the relay device is monitored. When the worm blocking device 8 is configured as a device, the infected terminal 1A can communicate with the infected terminal 1A by using a technique using an impersonated ICMP Redirect message described later of the infected terminal 1A or a technique using an impersonated ARP message described later. It is necessary to guide to the worm interrupting device 8. 1 shows an example in which the infected terminal 1A and the worm blocking device 8 are connected to the same subnet (segment) via the switch 2. However, even if they are arranged in different subnets, The communication with the infected terminal 1A can be blocked by operating as a DNS server.

  Next, in response to a route change request notification (ICMP Redirect message) requesting the infected terminal 1A to communicate via an optimal communication route in the network, or for communication data related to unauthorized communication, Processing for notifying the address of another communication device set in advance will be described with reference to FIGS. In addition, about the part similar to the above-mentioned, the detailed description is abbreviate | omitted by attaching | subjecting the same code | symbol.

  This ICMP Redirect message is a message for notifying the communication terminal of the optimum gateway router in a network in which two or more gateway routers exist in the communication path of the communication terminal. The worm blocking device 8 prevents the spread of infection by the infected terminal 1A by using the ICMP Redirect message to block or guide the communication of the infected terminal 1A.

  When the infected terminal 1A receives the ICMP Redirect message, the infected terminal 1A changes its own routing table so that the communication data is transmitted to the IP address of the gateway router of the optimum route included in the ICMP Redirect message. By using such an operation, the worm blocking device 8 includes its own IP address or the IP address of another communication device in the ICMP Redirect message, and transmits the communication data from the infected terminal 1A to itself or another communication device. Induce.

  As shown in FIG. 6, the worm blocking device 8 is installed in the same segment (same subnet) as the infected terminal 1A via the switch 2, receives the communication blocking command S4 from the management device 7, and receives the infected terminal 1A. Are added to the infected terminal information list 24 of FIG. Here, the IP address of the router 3 is set as the default gateway in the infected terminal 1A.

  On the other hand, the worm blocking device 8 stores its own IP address or the IP address of another communication device as a fake IP address in the ICMP Redirect message, and transmits it to the infected terminal 1A, for impersonation in the optimum route. It becomes a gateway router. This process is performed by the camouflaged ICMP Redirect generation unit 31 shown in FIG.

  The camouflaged ICMP Redirect generation unit 31 determines whether the IP address included in the communication cutoff command S4 from the management device 7 is added to the infected terminal information list 24 at a preset time interval, and a new IP address is When added, a spoofed ICMP Redirect message including the IP address of the infected terminal 1A as a destination and including its own IP address or the IP address of another communication device is generated. As a result, for example, the infected terminal 1A is notified that the IP address of the gateway router of the optimum route is its own IP address “192.168.1.1”, and the routing table of the infected terminal 1A is updated, The subsequent communication data from the infected terminal 1A can be guided to itself.

  Further, the worm blocking device 8 may transmit an ICMP Redirect message to the infected terminal 1A so that the gateway router for only a specific IP address becomes a fake IP address. For example, the infected terminal 1A can be prevented from accessing a gateway router necessary for the infected terminal 1A to communicate with an important server.

  Furthermore, when the IP address of the infected terminal 1A is added to the infected terminal information list 24 and the infected terminal 1A intercepts that the infected terminal 1A has performed communication, the worm blocking device 8 performs communication. An ICMP Redirect message may be transmitted in which the gateway router for the intended IP address is a fake IP address. Thereby, even if the infected terminal 1A transmits illegal communication data to the network, it can be prevented from being relayed by the gateway router. Depending on the OS (Operation System) of the communication apparatus, there is a setting that does not receive ICMP Redirect that does not specify the destination IP address. In this case, the worm blocking device 8 needs to be installed in a place where the communication of the infected terminal 1A can be intercepted in advance, or a function capable of guiding the communication of the infected terminal 1A to itself by another means. Each time the infected terminal 1A transmits a communication packet addressed to a new IP address, the worm blocking device 8 transmits an ICMP Redirect message to make the gateway of the communication packet addressed to the IP address a fake IP address. As a result, the gateway router with which the infected terminal 1A is to communicate is updated with a fake IP address as needed, and the communication data from the infected terminal 1A is prevented from being transmitted to the outside through the gateway router.

  Next, the communication address of the data link layer corresponding to the communication address of the network layer of the infected terminal 1A is acquired by the worm blocking device 8, and the communication of the data link layer of the other communication terminal transmitted from the infected terminal 1A is acquired. FIG. 8 and FIG. 9 show processing for notifying the infected terminal 1A of its own communication address or the address of another communication device set in advance in response to detection of an address request message or unauthorized communication. The description will be given with reference. In addition, about the part similar to the above-mentioned, the detailed description is abbreviate | omitted by attaching | subjecting the same code | symbol.

  In order to communicate in the same network, the worm blocking device 8 and the infected terminal 1A need to acquire the MAC address of the communication partner, and use ARP, which is a protocol for acquiring the MAC address. Then, by transmitting the ARP packet conforming to the ARP that is disguised to the infected terminal 1A by the worm blocking device 8, the communication of the infected terminal 1A is blocked or guided to prevent the spread of infection by the infected terminal 1A.

  When the worm blocking device 8 is installed in the same segment (same subnet) as the infected terminal 1A, the worm blocking device 8 notifies the communication blocking command S4 from the management device 7 and the infected terminal information list 24 indicates the infected terminal 1A. Add an IP address. In this state, the worm blocking device 8 periodically issues an ARP request for notifying the infected terminal 1A that the MAC address corresponding to each IP address is a fake MAC address for all IP addresses in the same segment. The MAC address included in the ARP reply for the process to be transmitted or the ARP request from the infected terminal 1A is set as a fake MAC address. Thus, the worm blocking device 8 can guide the communication of the infected terminal 1A from the infected terminal 1A to the fake MAC address.

  Specifically, as shown in FIG. 8, when the worm blocking device 8, the infected terminal 1A, and the communication terminal 1B exist in the same segment, the worm blocking device 8 sets the IP address “192.168.” Of the communication terminal 1B. Processing for sending an ARP request notifying that the MAC address corresponding to “10.1” is its own MAC address “AA: AA: AA: AA: AA: AA” to the infected terminal 1A, or ARP from the infected terminal 1A In response to the request, an ARP reply notifying that the MAC address corresponding to the IP address of the communication terminal 1B is its own MAC address “AA: AA: AA: AA: AA: AA” is transmitted to the infected terminal 1A.

  Normally, a communication device that supports ARP has a correspondence table between IP addresses and MAC addresses, but whether the correspondence table is rewritten when an ARP request or an ARP reply is received by the OS is a communication. Although it varies depending on the device, due to the nature of the ARP protocol, when a forged ARP reply is received immediately after sending an ARP request, the correspondence table is rewritten, so the correspondence table of the infected terminal 1A is changed with a fake ARP packet. be able to.

  As shown in FIG. 9, the worm blocking device 8 includes a forged ARP packet generation unit 41 that generates a forged ARP packet. The camouflaged ARP packet generation unit 41 determines whether the IP address included in the communication cutoff command S4 from the management device 7 is added to the infected terminal information list 24 at a preset time interval, and determines a new IP address. Is added, a spoofed ARP packet including the own MAC address or the MAC address of another communication device is generated. Thereby, for example, an ARP table including the MAC address disguised as the infected terminal 1A can be created, and communication data from the infected terminal 1A can be guided to itself or another communication device.

  Further, the worm blocking device 8 may use a fake MAC address as a MAC address for only a specific IP address in order to reduce the number of ARP packets to be transmitted in consideration of the network load. For example, by setting the MAC address of the gateway router to be false, the infected terminal 1A can block or limit the transmission of unauthorized communication data outside the subnet, and the infection activity by the infected terminal 1A extends outside the subnetwork. Can be prevented.

  The above-described embodiment is an example of the present invention. For this reason, the present invention is not limited to the above-described embodiment, and various modifications can be made depending on the design and the like as long as the technical idea according to the present invention is not deviated from this embodiment. Of course, it is possible to change.

  In other words, the above-described worm blocking device 8 is shown connected to the switch 2, but is not limited to this, and as shown in FIG. 10, the switch 51, the bridge device 52, the router 53, and the horizontal device. Even if a communication control program for implementing the same function as that of the worm blocking device 8 is installed in 54, it is possible to exert the effect of blocking the infection activity by the communication terminal that has performed the unauthorized communication described above. In particular, a lateral device that is connected to a communication line that connects communication devices or a relay device such as a switch that relays communication data communicated between the communication devices, and monitors communication data that passes through the communication line or relay device. In the case where the worm blocking device 8 is configured, it is possible to reduce the cost of introducing a function for blocking communication of a communication terminal that has performed unauthorized communication into the system.

  The function for blocking unauthorized communication in the above-described embodiment can also be applied to a home network in which home appliance groups are connected to a network, an equipment network in which equipment groups are connected to a network, and the like. For example, even when a home appliance that is connected to a home network and has a web function or a mail function as an application is infected with a worm, unauthorized communication by the home appliance can be prevented.

  Here, as a technology for constructing a home network, in addition to the ECHO network, an embedded network technology called EMIT (Embedded Micro Internetworking Technology) can be used. This embedded network technology has a function of incorporating EMIT middleware into a network device and connecting it to a network, and is called EMIT technology.

  More specifically, EMIT software that realizes EMIT technology is installed in network devices such as the communication terminal, the management device 7, the worm blocking device 8, the switch 2, and the router 3 having the function of blocking unauthorized communication described above. A center server (FIG. 5) provided on the Internet with a communication terminal, management device 7, worm blocking device 8 equipped with the EMIT software, and user equipment for remotely controlling or monitoring the terminal, relay device, and side devices. (Not shown). This user device is, for example, an external terminal (not shown) such as a mobile phone, a PC (Personal Computer), a PDA (Personal Digital Assistant), or a PHS (Personal Handy phone System).

It is a block diagram which shows the example of 1 structure of the communication system provided with the worm | warm cutoff device to which this invention is applied. It is a system figure explaining the communication process of a communication terminal. It is a flowchart explaining the communication process of a communication terminal. It is a system figure explaining the operation | movement which behaves as a DNS server camouflaged by the worm blocking device to which the present invention is applied. It is a block diagram which shows the structure for the worm | warm cutoff device to which this invention is applied acting as a DNS server camouflaged. It is a system figure explaining the operation | movement which transmits the camouflaged ICMP Redirect message to an infected terminal by the worm | warm cutoff device to which this invention is applied. It is a block diagram which shows the structure for transmitting the ICMP Redirect message camouflaged by the worm blocking device to which the present invention is applied. It is a system figure explaining the operation | movement which transmits the camouflaged ARP packet to an infected terminal by the worm | warm cutoff device to which this invention is applied. It is a block diagram which shows the structure for transmitting the ARP packet which the worm interception apparatus to which this invention is applied camouflaged. It is a figure for demonstrating the other form by which the worm | warm cutoff device to which this invention is applied is mounted.

Explanation of symbols

1A infected terminal 1A, 1B communication terminal 2 switch 3 router 4 switch 5 server 6 worm detection device 7 management device 8 worm blocking device 11 basic software processing unit 12 communication control application processing unit 21 communication interface unit 22 TCP / IP communication control unit 23 Infected terminal information receiving unit 24 Infected terminal information list 25 Forged DNS message generating unit 31 Forged ICMP Redirect generating unit 41 Forged ARP packet generating unit

Claims (6)

A communication blocker that blocks communication with another communication terminal when the communication terminal connected to the network detects that the communication terminal has performed unauthorized communication by an unauthorized communication detection unit that detects unauthorized communication. A device,
From the unauthorized communication detection means, an address acquisition means for acquiring the communication address of the data link layer or network layer of the communication terminal that performed the unauthorized communication;
In response to detecting a request for notifying the communication address of the data link layer or the network layer of the other communication terminal that is necessary when communicating with the other communication terminal from the communication terminal that has performed the unauthorized communication. Or, in response to the detection of the unauthorized communication, the communication address acquired by the address acquisition unit is addressed to the communication address or the address of another communication device set in advance. An address notification means for notifying the communication terminal. The address notification means includes
Application detection means for detecting an identifier for designating the type of application from the information of the transport layer header included in the communication packet transmitted from the communication terminal that performed the unauthorized communication;
Application discriminating means for discriminating whether the type of application detected by the application detecting means is a type for converting the host name of another communication terminal into a communication address of a network layer;
When the application determination unit determines that the application type is a type that converts the host name of another communication terminal into a communication address of the network layer, the network layer communication address for the host name is The communication blocking device according to claim 1, wherein a communication address or a preset address of another communication device is notified to the communication terminal that has performed the unauthorized communication.   The address notifying unit responds to a route change request notification for requesting a communication terminal that has performed the unauthorized communication to communicate using an optimal communication route in the network, or for the detection of the unauthorized communication. The communication cutoff device according to claim 1, wherein the communication cutoff device notifies its own communication address or a preset address of another communication device. The address acquisition means acquires a communication address of the data link layer corresponding to a communication address of the network layer of the communication terminal that performed the unauthorized communication,
The address notifying means detects that a message requesting a communication address of the data link layer of the other communication terminal transmitted from the communication terminal that performed the unauthorized communication is detected, or the unauthorized communication is performed. 2. The communication cutoff device according to claim 1, wherein in response to the detection, the communication terminal notifies the communication terminal that has performed the unauthorized communication of its own communication address or an address of another communication device set in advance. .   The communication line connecting between the communication terminals or a relay device connected to a relay device that relays communication data communicated between the communication terminals and monitoring communication data passing through the communication line or relay device. The communication cutoff device according to any one of claims 1 to 4, wherein A function for blocking communication of a communication terminal connected to another communication terminal when the communication terminal connected to the network detects unauthorized communication by an unauthorized communication detection module that detects unauthorized communication; A communication blocking program to be implemented on a computer,
From the unauthorized communication detection module, an address acquisition function for acquiring the communication address of the data link layer or network layer of the communication terminal that performed the unauthorized communication;
In response to detecting a request for notifying a communication address of a data link layer or a network layer that is necessary when communicating with another communication terminal from a communication terminal that has performed the unauthorized communication, or In response to detection of communication, a computer is provided with an address notification function for notifying the communication address acquired by the address acquisition function of its own communication address or the address of another preset communication device. A communication blocking program characterized by

Images