VoIP denial-of-service protection mechanisms from attack

US 10,116,691 B2
Filed: 05/01/2014
Issued: 10/30/2018
Est. Priority Date: 11/23/2004
Status: Active Grant

First Claim

Patent Images

1. A system for providing communications services in a communications network comprising:

servers providing the communications services to mobile units in the communications network, the communications services including an instant two-way half-duplex voice call within a group of the mobile units comprising a Push-to-Talk-over-Cellular (PoC) call session;

wherein at least one of the servers interfaces to an Internet Protocol (IP) network to perform the communications services for the mobile units in the IP network and is configured to;

set up a pre-established session with a mobile unit of the mobile units by reserving a media port for receiving media traffic for the PoC call session from the mobile unit, the pre-established session being established for a media path between the mobile unit and the at least one of the servers prior to setup of a call for the PoC session;

authorize the mobile unit to temporarily communicate authentication messages with the at least one of the servers over the reserved media port in response to setting up the pre-established session, wherein the at least one of the servers is further configured to compare an incoming message to a black-list that identifies known bad addresses;

authenticate with the mobile unit in response to receiving the authentication messages from the mobile unit;

add the mobile unit to a white list in response to authenticating with the mobile unit; and

after adding the mobile unit to the white list, receiving the media traffic from the mobile unit over the reserved media port when the mobile unit is participating in the call for the PoC call session;

wherein the at least one of the servers responsible for handing the media traffic transmitted by the mobile unit reserves the reserved media port for the media traffic and authorizes the media traffic to flow through the reserved media port for a configured duration;

before the configured duration elapses, the at least one of the servers receives authentication credentials from the mobile unit via the reserved media port;

upon successful authentication of the mobile unit the IP address of the mobile unit is associated with the reserved media port, so that only the mobile unit is authorized to transmit media traffic to the at least one of the servers through the reserved media port; and

the IP address of the mobile unit is dis-associated with the reserved media port when a dialog between the at least one of the servers and the mobile unit is terminated by the at least one of the servers or the mobile unit.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for providing advanced voice services in a wireless communications network. The system also interfaces to an Internet Protocol (IP) network to perform the advanced voice services for mobile units in the IP network and includes a protection mechanism against Voice-over-IP (VoiP) Denial-of-Service (DoS) attacks utilizing Advanced Group Services (AGS).

212 Citations

19 Claims

1. A system for providing communications services in a communications network comprising:
- servers providing the communications services to mobile units in the communications network, the communications services including an instant two-way half-duplex voice call within a group of the mobile units comprising a Push-to-Talk-over-Cellular (PoC) call session;
  
  wherein at least one of the servers interfaces to an Internet Protocol (IP) network to perform the communications services for the mobile units in the IP network and is configured to;
  
  set up a pre-established session with a mobile unit of the mobile units by reserving a media port for receiving media traffic for the PoC call session from the mobile unit, the pre-established session being established for a media path between the mobile unit and the at least one of the servers prior to setup of a call for the PoC session;
  
  authorize the mobile unit to temporarily communicate authentication messages with the at least one of the servers over the reserved media port in response to setting up the pre-established session, wherein the at least one of the servers is further configured to compare an incoming message to a black-list that identifies known bad addresses;
  
  authenticate with the mobile unit in response to receiving the authentication messages from the mobile unit;
  
  add the mobile unit to a white list in response to authenticating with the mobile unit; and
  
  after adding the mobile unit to the white list, receiving the media traffic from the mobile unit over the reserved media port when the mobile unit is participating in the call for the PoC call session;
  
  wherein the at least one of the servers responsible for handing the media traffic transmitted by the mobile unit reserves the reserved media port for the media traffic and authorizes the media traffic to flow through the reserved media port for a configured duration;
  
  before the configured duration elapses, the at least one of the servers receives authentication credentials from the mobile unit via the reserved media port;
  
  upon successful authentication of the mobile unit the IP address of the mobile unit is associated with the reserved media port, so that only the mobile unit is authorized to transmit media traffic to the at least one of the servers through the reserved media port; and
  
  the IP address of the mobile unit is dis-associated with the reserved media port when a dialog between the at least one of the servers and the mobile unit is terminated by the at least one of the servers or the mobile unit.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The system of claim 1, wherein the servers interface to a Deep Packet Inspection/Access List Controller (DPI/ACL) function that restricts traffic to trusted and valid sources in the IP network.
  - 3. The system of claim 1, wherein the at least one of the servers is further configured to:
    - identify the mobile units in the IP network that are known to be valid users of the system; and
      
      add the mobile units that are known to be valid users to a white-list.
  - 4. The system of claim 1, wherein any or all of the servers having knowledge of traffic patterns resulting from their functions detect suspect traffic patterns and make updates to the black-list with a source in the IP network of the suspect traffic patterns.
  - 5. The system of claim 4, wherein the source of the suspect traffic patterns is added to the black-list in response to at least one of the servers sending the source of the suspect traffic patterns a configured number of authentication challenges within a configured time period.
  - 6. The system of claim 1, wherein a source in the IP network receiving a configured number of authentication challenges within a configured time period from at least one of the servers is added to the black-list.
  - 7. The system of claim 6, wherein the source resides on the black-list for a configured time period.
  - 8. The system of claim 1, wherein the at least one of the servers is further configured to, on receiving a User Datagram Protocol (UDP) packet from a source in the IP network:
    - check whether the source'"'"'s address is present in the black-list;
      
      discard the UDP packet when the source'"'"'s address is present in the black list;
      
      access an entry for the source'"'"'s address in a table with a value and setting a watch period when the source'"'"'s address is not present in the black-list, wherein the value for the entry is incremented when the entry for the source'"'"'s address already exists in the table; and
      
      add the source'"'"'s address to the black-list for the entry when the value exceeds a configured threshold within the watch period.
  - 9. The system of claim 1, wherein the at least one of the servers is further configured to, prior to transmitting a response to a source in the IP network:
    - check whether the response is an authentication challenge;
      
      access an entry for the source'"'"'s address in a table with a value and setting a watch period when the response is an authentication challenge, wherein the value for the entry is incremented when the entry for the source'"'"'s address already exists in the table;
      
      add the source'"'"'s address to the black-list when the value exceeds a configured threshold within the watch period; and
      
      reset the value for the entry when the response is not an authentication challenge and the entry for the source'"'"'s address already exists in the table.
  - 10. The system of claim 1, wherein the at least one of the servers responsible for handing the media traffic transmitted by the mobile unit opens the reserved media port to let the media traffic pass through to the at least one of the servers, only when the mobile unit is engaged in the call for the PoC call session.
  - 11. The system of claim 1, wherein the at least one of the servers opens the reserved media port when the at least one of the servers initiates the PoC call session towards the mobile unit.
  - 12. The system of claim 1, wherein the at least one of the servers is further configured to:
    - determine whether an IP address of the mobile unit is on a white-list that identifies known good addresses;
      
      verify the incoming message is a valid message in response to the IP address of the mobile unit being on the white-list; and
      
      update the white-list according to whether authentication with the mobile unit succeeded.
  - 13. The system of claim 12, wherein updating the white-list comprises updating the white-list to include the IP address of the mobile unit.
  - 14. The system of claim 12, wherein the updating the white-list is performed by any or all of the servers having knowledge of traffic patterns resulting from their functions.
  - 15. The system of claim 1, wherein the mobile unit uses a unique signature token in its messages, and the at least one of the servers is further configured to discard any messages purportedly from the mobile unit without the unique signature token.

16. A method, for providing communications services in a communications network, the method comprising:
- by at least one server of a plurality of servers, wherein the at least one of the plurality of servers is configured to compare an incoming message to a black-list that identifies known bad addresses;
  
  setting up a pre-established session with a mobile unit by reserving a media port for receiving media traffic for a Push-to-Talk-over-Cellular (PoC) call session from the mobile unit, the pre-established session being established for a media path between the mobile unit and the at least one of the plurality of servers prior to setup of a call for the PoC call session;
  
  authorizing the mobile unit to temporarily communicate authentication messages with the at least one of the plurality of servers over the reserved media port in response to setting up the pre-established session;
  
  authenticating with the mobile unit in response to receiving the authentication messages from the mobile unit;
  
  adding the mobile unit to a white list in response to authenticating with the mobile unit; and
  
  after adding the mobile unit to the white list, receiving the media traffic from the mobile unit over the reserved media port when the mobile unit is participating in the call for the PoC call session;
  
  wherein the at least one of the plurality of servers responsible for handing the media traffic transmitted by the mobile unit reserves the reserved media port for the media traffic and authorizes the media traffic to flow through the reserved media port for a configured duration;
  
  before the configured duration elapses, the at least one of the plurality of servers receives authentication credentials from the mobile unit via the reserved media port;
  
  upon successful authentication of the mobile unit the IP address of the mobile unit is associated with the reserved media port, so that only the mobile unit is authorized to transmit media traffic to the at least one of the plurality of servers through the reserved media port; and
  
  the IP address of the mobile unit is dis-associated with the reserved media port when a dialog between the at least one of the plurality of servers and the mobile unit is terminated by the at least one of the plurality of servers or the mobile unit.
- View Dependent Claims (17, 18, 19)
- - 17. The method of claim 16, further comprising:
    - receiving a request from the mobile unit to participate in the call for the PoC call session; and
      
      opening the reserved media port such that the mobile unit is permitted to transmit the media traffic to at least one of the servers.
  - 18. The method of claim 16, further comprising:
    - receiving keep-alive messages from the mobile unit over the reserved media port when the mobile unit is not participating in the call for the PoC call session.
  - 19. The method of claim 18, further comprising:
    - closing the reserved media port for all traffic in response to one of receiving an instruction from the mobile unit to release the reserved media port, or failing to receive the keep-alive messages within a predetermined time period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kodiak Networks (Motorola Solutions, Inc.)
Original Assignee
Kodiak Networks (Motorola Solutions, Inc.)
Inventors
Patel, Krishnakant M., Negalaguli, Harisha M., Velayudhan, Arun, Kandula, Ramu, Khadar, Syed N., Cheedella, Shiva, Prashanth, Subramanyam N.
Primary Examiner(s)
Gee, Jason K
Assistant Examiner(s)
Bucknor, Olanrewaju J

Application Number

US14/782,494
Publication Number

US 20160050229A1
Time in Patent Office

1,643 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/1458   Denial of Service

H04L 65/1079   of unsolicited session atte...

H04L 65/4061   Push-to services, e.g. push...

H04L 9/40   Network security protocols

H04W 4/10   Push-to-Talk [PTT] or Push-...

VoIP denial-of-service protection mechanisms from attack

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

212 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

VoIP denial-of-service protection mechanisms from attack

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

212 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links