This application is based upon and claims the benefit of priority from the prior Japanese Patent Application No. 2006-337072, filed on Dec. 14, 2006, the entire contents of which are incorporated herein by reference.
1. Field of the Invention
The present invention relates to a traffic monitoring apparatus, an entry managing apparatus, and a network system for detecting a failure in a network.
2. Description of the Related Art
In a communication network based on the internet protocol (an IP network), abnormally heavy traffic caused by a network worm (hereinafter, “worm”) can interrupt a service. To avoid such a consequence, it is necessary to identify quickly and accurately the nearest terminal causing the failure, such as the source of the worm.
Conventionally, therefore, the IP address of the source of the worm is identified by capturing a packet passing through a router, and the route to the source is identified by searching a routing table with that IP address. For a packet forwarded along a default route, a traceroute is issued to identify the route to the source.
A communication monitoring system that detects abnormalities in traffic from temporal changes in traffic volume is also conventionally known. This communication monitoring system has a traffic measuring unit, a statistic calculating unit, a feature-information retaining unit, a database unit, and an abnormality detecting unit. The traffic measuring unit measures the traffic of communication packets that pass through a network device in a predetermined measuring cycle. The statistic calculating unit performs statistical processing on one or more kinds of header information that is read from the communication packets. The feature-information retaining unit creates and retains feature information that has a plurality of feature items including a measurement result obtained by the traffic measuring unit and a calculation result obtained by the statistic calculating unit, for each measuring cycle. The database unit reads and stores, every time the feature-information retaining unit creates a new piece of the feature information, an old piece of the feature information from the feature-information retaining unit. The abnormality detecting unit detects an abnormality by reading, every time the feature-information retaining unit creates a new piece of the feature information, feature information that has one or more of the feature items determined to be consistent with that of the new piece of the feature information from the feature-information retaining unit, by statistically calculating a normal range for another feature item of the read feature information, and by comparing the other feature item and the normal range (for example, Japanese Patent Laid-Open Publication No. 2006-148686).
However, in the conventional method in which the routing table is referred to, it takes time to identify a route to the source of the worm if there are many routers, because each router must capture a packet and search its routing table. Moreover, even if a traceroute is issued, the source cannot be traced once the worm has already spread in the network, or when the IP address of the source of the worm is a false address. Furthermore, with the communication monitoring system disclosed in Japanese Patent Laid-Open Publication No. 2006-148686, an abnormal state can be detected, but neither the terminal causing that state nor the route to that terminal can be identified.
It is an object of the present invention to at least solve the problems in the conventional technologies.
A traffic monitoring apparatus according to one aspect of the present invention includes an extracting unit that extracts a source address, a destination address, and a time-to-live (TTL) count from a packet; an entry registering unit that registers the source address, the destination address, and the TTL count as an entry; a destination-address counting unit that counts, for each first combination, the number of entries having the same first combination and a different destination address, the first combination being a combination of a source address and a TTL count; and an entry reporting unit that reports, to a communication counterpart, the source address and the TTL count of any first combination whose number of entries exceeds a threshold.
An entry managing apparatus according to another aspect of the present invention includes an entry collecting unit that collects entries each of which is formed with a combination of a source address and a TTL count by receiving the entries from a plurality of communication counterparts; and an entry comparing unit that compares TTL counts in the entries received from the communication counterparts for each source address, and that identifies a source that has sent an entry having a largest TTL count as an origin of an abnormality in a network.
A network system according to still another aspect of the present invention includes a plurality of traffic monitoring apparatuses that are provided in a network; and an entry managing apparatus that is common to the traffic monitoring apparatuses. Each of the traffic monitoring apparatuses includes an extracting unit that extracts a source address, a destination address, and a TTL count; an entry registering unit that registers the source address, the destination address, and the TTL count as an entry; a destination-address counting unit that counts, for each first combination, the number of entries having the same first combination and a different destination address, the first combination being a combination of a source address and a TTL count; and an entry reporting unit that reports, to the entry managing apparatus, the source address and the TTL count of any first combination whose number of entries exceeds a threshold. The entry managing apparatus includes an entry collecting unit that collects entries, each of which is formed with a combination of a source address and a TTL count, by receiving the entries from the traffic monitoring apparatuses; and an entry comparing unit that compares the TTL counts in the entries received from the traffic monitoring apparatuses for each source address, and that identifies the traffic monitoring apparatus that has sent the entry having the largest TTL count as the origin of an abnormality in the network.
Exemplary embodiments according to the present invention are explained in detail below with reference to the accompanying drawings.
The router 2c in the first network and the router 2j in the third network are connected to each other through a communication path 1d. In the communication path 1d, a first traffic monitoring apparatus 4a that monitors packets passing through the communication path 1d is provided. Similarly, the router 2h in the second network and the router 2k in the third network are connected through a communication path 1e. Packets passing through the communication path 1e are monitored by a second traffic monitoring apparatus 4b.
An entry managing apparatus 5 is connected to the router 2m in the third network through a communication path 1f. The entry managing apparatus 5 identifies a point at which abnormal traffic has occurred, based on results of monitoring packets of the first and the second traffic monitoring apparatuses 4a and 4b.
As shown in
The entry registering unit 42 checks whether an entry having the same combination of source IP address, destination IP address, and TTL count as that sent from the packet receiving unit 41 has already been registered. If an entry having the same combination has not been registered, the entry registering unit 42 registers the combination as a new entry. On the other hand, if an entry having the same combination has been registered, the entry registering unit 42 increases the value in the destination-address counting unit 43 or the TTL counting unit 44.
The destination-address counting unit 43 has a counter to count, for each of the combinations, the number of entries having the same combination of source IP address and TTL count. The destination-address counting unit 43 increases the counter of the entry specified by the entry registering unit 42. When there is a combination of source IP address and TTL count whose counter value exceeds a threshold, the destination-address counting unit 43 notifies the entry reporting unit 45 of the source IP address and the TTL count of that combination.
The threshold of the counter is set in advance. This configuration makes it possible to determine the TTL count of abnormal traffic, such as packets being sent from one source IP address to many different destination IP addresses.
The TTL counting unit 44 has a counter to count, for each of the combinations, the number of entries having the same combination of the source IP address and the destination IP address. Moreover, for each of the combinations of the source IP address and the destination IP address, the TTL counting unit 44 stores the largest TTL count among the TTL counts of all entries included in the respective combinations. When there is a combination of the source IP address and the destination IP address whose counter value exceeds a threshold, the TTL counting unit 44 notifies the entry reporting unit 45 of the source IP address and the largest TTL count of such combination.
The threshold of the counter of the TTL counting unit 44 is also set in advance. This configuration makes it possible to determine the TTL count of abnormal traffic, such as a packet being sent many times with different TTL counts even though the combination of source IP address and destination IP address is the same.
The entry reporting unit 45 reports, to the entry managing apparatus 5, the source IP address and the TTL count that are reported by the destination-address counting unit 43. Furthermore, the entry reporting unit 45 reports, to the entry managing apparatus 5, the source IP address and the largest TTL count that are reported by the TTL counting unit 44. The entry reporting unit 45 can be configured to report to the entry managing apparatus 5 every time it receives a report from the destination-address counting unit 43 or the TTL counting unit 44. Alternatively, the entry reporting unit 45 can be configured to include a timer function and to report to the entry managing apparatus 5 regularly, for example, at the end of each monitoring cycle.
As shown in
The entry comparing unit 52 compares TTL counts of a plurality of entries that are sent from the entry collecting unit 51, for each source IP address. The entry comparing unit 52 identifies a traffic monitoring apparatus that reports the largest TTL count as an origin of the abnormality.
Subsequently, it is determined whether an entry having the same combination of source IP address and TTL count as that extracted is present in the entry registering unit 42 (step S2). When an entry having the same combination is not present (step S2: NO), the combination of the source IP address and the TTL count is registered as a new entry in the entry registering unit 42 (step S3), and then, the process proceeds to step S4.
On the other hand, when an entry having the same combination is present (step S2: YES), a reception DA count (counter value) of the entry having the same combination in the destination-address counting unit 43 is increased (step S4). When the process of step S4 is performed following the process of step S3, the reception DA count in the destination-address counting unit 43 of the entry that is newly registered in the entry registering unit 42 at step S3 is set to 1.
Subsequently, it is determined whether the reception DA count of the destination-address counting unit 43 exceeds a threshold (step S5). When the reception DA count exceeds the threshold (step S5: YES), the source IP address and the TTL count of the entry whose reception DA count exceeds the threshold are reported to the entry managing apparatus 5 (step S6). When the reception DA count does not exceed the threshold (step S5: NO), reporting to the entry managing apparatus 5 is not performed.
It is then determined whether a predetermined monitoring cycle has passed (step S7). When the predetermined monitoring cycle has passed (step S7: YES), the entry in the entry registering unit 42 and the counter value of the destination-address counting unit 43 are both initialized (step S8), and the process returns to step S1. When the predetermined monitoring cycle has not passed (step S7: NO), the entry in the entry registering unit 42 and the counter value of the destination-address counting unit 43 are not changed, and the process returns to step S1. Hereafter, the sequence of the worm monitoring process described above is repeated.
When the predetermined monitoring cycle has passed (step S12: YES), TTL counts of entries are compared for each source IP address (step S13). The traffic monitoring apparatus that reports the largest TTL count is identified as the origin of the abnormality (step S14), and the process returns to step S11. Hereafter, the sequence in the worm-origin identifying process described above is repeated.
It is then determined whether an entry having the same combination of source IP address and destination IP address as that extracted is present in the entry registering unit 42 (step S22). When an entry having the same combination is not present (step S22: NO), the combination of the source IP address and the destination IP address is registered as a new entry in the entry registering unit 42 (step S23), and then, the process proceeds to step S24.
On the other hand, when an entry having the same combination is present (step S22: YES), a reception TTL count (counter value) of the entry having the same combination in the TTL counting unit 44 is increased. Furthermore, when the TTL count extracted at step S21 is larger than the largest TTL count of the entry having the same combination of source IP address and the destination IP address, the largest TTL count is overwritten with the extracted TTL count (step S24). Thus, the largest TTL count is updated.
When the process of step S24 is performed following the process of step S23, the reception TTL count in the TTL counting unit 44 of the entry that is newly registered in the entry registering unit 42 at step S23 is set to 1. Further, the TTL count extracted at step S21 is determined as the largest TTL count.
Subsequently, it is determined whether the reception TTL count in the TTL counting unit 44 exceeds a threshold (step S25). When the reception TTL count exceeds the threshold (step S25: YES), the source IP address, the destination IP address, and the largest TTL count of the entry whose reception TTL count exceeds the threshold are reported to the entry managing apparatus 5 (step S26). When the reception TTL count does not exceed the threshold (step S25: NO), reporting to the entry managing apparatus 5 is not performed.
It is then determined whether a predetermined monitoring cycle has passed (step S27). When the predetermined monitoring cycle has passed (step S27: YES), the entry in the entry registering unit 42 and the counter value of the TTL counting unit 44 are both initialized (step S28), and the process returns to step S21. When the predetermined monitoring cycle has not passed (step S27: NO), the entry in the entry registering unit 42 and the counter value of the TTL counting unit 44 are not changed, and the process returns to step S21. Hereafter, the sequence in the L3-loop monitoring process described above is repeated.
When the predetermined monitoring cycle has passed (step S32: YES), the largest TTL counts of the entries having the same combination of source IP address and destination IP address are compared (step S33). The traffic monitoring apparatus that reports the greatest of these largest TTL counts is identified as the origin of the abnormality for that source IP address, in other words, the point at which the L3 loop has occurred (step S34), and the process returns to step S31. Hereafter, the sequence in the L3-loop-point identifying process described above is repeated.
For example, when the affected terminal 3b sends a packet with the TTL value set to 64, the TTL value of the packet is decreased by 1 each time the packet passes through one of the routers 2b, 2c, 2j, 2k, 2h, 2e, and 2f. Therefore, the packets having the same source IP address (A) and different destination IP addresses (B, C, D) are observed with a TTL value of 62 at the first traffic monitoring apparatus 4a and, further downstream, with a TTL value of 60 at the second traffic monitoring apparatus 4b.
Both the traffic monitoring apparatuses 4a and 4b report the detected source IP addresses and TTL counts to the entry managing apparatus 5. The entry managing apparatus 5 compares the TTL counts reported by the traffic monitoring apparatuses 4a and 4b. As a result of the comparison, it is determined that the TTL count reported by the first traffic monitoring apparatus 4a is larger. Accordingly, the entry managing apparatus 5 identifies the origin of the abnormality as lying on the side of the first traffic monitoring apparatus 4a.
For example, when the terminal 3b (IP address: A) sends a packet with the TTL value set to 64, the TTL value of the packet is decreased by 1 each time the packet passes through one of the routers 2b, 2c, 2j, 2k, 2h, 2k, 2j, 2c, . . . . Therefore, the TTL count of the packet having the same source IP address (A) and the same destination IP address (B) takes 21 different values, 62, 57, 56, 51, . . . , in total at the first traffic monitoring apparatus 4a. In this case, the largest TTL count is 62.
Similarly, the TTL count of the packet at the second traffic monitoring apparatus 4b takes 20 different values, 60, 59, 54, 53, . . . , in total. In this case, the largest TTL count is 60. The traffic monitoring apparatuses 4a and 4b each report the source IP address, the destination IP address, and the largest TTL count they detected to the entry managing apparatus 5. The entry managing apparatus 5 compares the largest TTL counts reported by the traffic monitoring apparatuses 4a and 4b. As a result of the comparison, it is found that the largest TTL count reported by the first traffic monitoring apparatus 4a is larger. Therefore, the entry managing apparatus 5 identifies that the origin of the abnormality exists on the side of the first traffic monitoring apparatus 4a.
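The worm monitoring process (steps S1 to S8 and S11 to S14) and the L3-loop monitoring process (steps S21 to S28 and S31 to S34) written out as an added Python example; this is not code from the application. It registers the full (source, destination, TTL) combination as the entry registering unit 42 does, so the counters of units 43 and 44 count distinct destinations and distinct TTL values respectively; the thresholds, the sample packets, the class and function names, and the handling of a tie between monitors are assumptions.

```python
from collections import defaultdict

class TrafficMonitor:
    """Units 42, 43 and 44 of one traffic monitoring apparatus for a single
    monitoring cycle (steps S1-S6 and S21-S26); S8/S28 is a fresh instance."""

    def __init__(self, name, da_threshold, ttl_threshold):
        self.name = name
        self.da_threshold = da_threshold      # constructed threshold for unit 43
        self.ttl_threshold = ttl_threshold    # constructed threshold for unit 44
        self.entries = set()                  # registered (src, dst, ttl) combinations
        self.da_count = defaultdict(int)      # (src, ttl) -> entries with distinct dst
        self.ttl_count = defaultdict(int)     # (src, dst) -> entries with distinct ttl
        self.max_ttl = {}                     # (src, dst) -> largest TTL seen
        self.worm_reports = {}                # (src, ttl) -> DA count reported to 5
        self.loop_reports = {}                # (src, dst) -> largest TTL reported to 5

    def receive(self, src, dst, ttl):
        # S2/S22: a combination that is already registered is not counted again.
        if (src, dst, ttl) in self.entries:
            return
        self.entries.add((src, dst, ttl))
        self.da_count[(src, ttl)] += 1                                  # S4
        self.ttl_count[(src, dst)] += 1                                 # S24 ...
        self.max_ttl[(src, dst)] = max(ttl, self.max_ttl.get((src, dst), 0))  # ... keep largest
        if self.da_count[(src, ttl)] > self.da_threshold:               # S5/S6
            self.worm_reports[(src, ttl)] = self.da_count[(src, ttl)]
        if self.ttl_count[(src, dst)] > self.ttl_threshold:             # S25/S26
            self.loop_reports[(src, dst)] = self.max_ttl[(src, dst)]

class EntryManager:
    """Entry managing apparatus 5: collecting unit 51 and comparing unit 52."""

    def __init__(self):
        self.reported = {"worm": defaultdict(dict), "loop": defaultdict(dict)}

    def collect(self, monitor):
        # S11/S31: per source, remember the largest TTL each monitor reported.
        for (src, ttl) in monitor.worm_reports:
            seen = self.reported["worm"][src]
            seen[monitor.name] = max(ttl, seen.get(monitor.name, 0))
        for (src, _dst), largest in monitor.loop_reports.items():
            seen = self.reported["loop"][src]
            seen[monitor.name] = max(largest, seen.get(monitor.name, 0))

    def origin(self, kind, src):
        # S13-S14 / S33-S34: the monitor with the largest TTL is nearest the origin.
        # A tie (added caveat, not from the page) cannot be resolved by TTL alone.
        reports = self.reported[kind][src]
        best = max(reports.values())
        winners = [name for name, ttl in reports.items() if ttl == best]
        return winners[0] if len(winners) == 1 else None

def run_demo():
    # Constructed scenario: A sends with TTL 64; 4a is two router hops away, 4b four.
    worm = [("A", f"dst{i}", 64) for i in range(5)]    # one source, many destinations
    loop = [("A", "B", 64 - 5 * k) for k in range(4)]  # one flow looping, many TTLs
    m4a = TrafficMonitor("4a", da_threshold=3, ttl_threshold=2)
    m4b = TrafficMonitor("4b", da_threshold=3, ttl_threshold=2)
    for src, dst, ttl in worm + loop:
        m4a.receive(src, dst, ttl - 2)   # after routers 2b, 2c
        m4b.receive(src, dst, ttl - 4)   # after routers 2j, 2k as well
    mgr = EntryManager()
    for m in (m4a, m4b):
        mgr.collect(m)
    return mgr.origin("worm", "A"), mgr.origin("loop", "A"), m4a.max_ttl[("A", "B")], m4b.max_ttl[("A", "B")]
```

Both comparisons point at 4a because it sees the packets with the larger TTL, which is the whole basis for locating the origin without consulting any router.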
As described above, according to the present embodiment, by collecting the TTL counts or largest TTL counts of packets received by the traffic monitoring apparatuses 4a and 4b, and by comparing the collected TTL counts and largest TTL counts, the origin of abnormal traffic can be quickly identified without examining the information of each router in detail. Therefore, even if the number of routers increases, the origin of abnormal traffic can be quickly identified. For example, even if the number of routers is large, the source causing the abnormal traffic can be identified in a few minutes.
In addition, even for traffic in which a false IP address is used, the source can be identified by comparing TTL counts. Furthermore, by monitoring a network at all times with the traffic monitoring apparatuses 4a and 4b and the entry managing apparatus 5, the point at which a failure occurs in the network can be quickly identified. Therefore, the spread of abnormal traffic can be prevented. Moreover, even when a failure occurs in a network that is not under one's own control, the network in which the failure is caused can be quickly detected.
The present invention is not limited to the embodiment described above, and various modifications can be applied thereto. For example, as shown in
Moreover, a traffic monitoring apparatus can be provided between respective routers. Alternatively, a traffic monitoring apparatus can be built into a router. The present invention is not limited to identifying the point at which abnormal traffic occurs due to a worm or an L3 loop. It can also be applied to identifying the source of abnormal traffic in which a great number of packets are sent to various destination IP addresses, and to identifying the point at which abnormal traffic occurs in which a packet with the same source IP address and the same destination IP address is sent many times with different TTL counts.
According to the embodiment of the present invention described above, a point at which a failure is caused can be quickly identified.
Although the invention has been described with respect to a specific embodiment for a complete and clear disclosure, the appended claims are not to be thus limited but are to be construed as embodying all modifications and alternative constructions that may occur to one skilled in the art which fairly fall within the basic teaching herein set forth.
Number | Date | Country | Kind |
---|---|---|---|
2006-337072 | Dec 2006 | JP | national |