Protecting against distributed denial of service attacks

US 20030110274A1
Filed: 08/29/2002
Published: 06/12/2003
Est. Priority Date: 08/30/2001
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating packet communication traffic, comprising:

receiving a data packet sent over a network from a source address to a destination address;

reading from the packet a value of a field that is indicative of a number of hops traversed by the packet since having been sent from the source address; and

assessing authenticity of the source address responsive to the value.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authenticating packet communication traffic includes receiving a data packet sent over a network from a source address to a destination address and reading from the packet a value of a field that is indicative of a number of hops traversed by the packet since having been sent from the source address. The authenticity of the source address is assessed responsive to the value.

114 Citations

60 Claims

1. A method for authenticating packet communication traffic, comprising:
- receiving a data packet sent over a network from a source address to a destination address;
  
  reading from the packet a value of a field that is indicative of a number of hops traversed by the packet since having been sent from the source address; and
  
  assessing authenticity of the source address responsive to the value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. A method according to claim 1, wherein assessing the authenticity comprises comparing the value of the field to a reference value associated with the source address.
  - 3. A method according to claim 2, wherein comparing the value of the field comprises determining whether the value matches the reference value to within a predefined tolerance.
  - 4. A method according to claim 2, wherein comparing the value of the field comprises comparing the value to an aggregate reference value associated with a subnet to which the source address belongs.
  - 5. A method according to claim 2, wherein assessing the authenticity comprises, if there is no reference value associated with the source address that matches the value of the field, validating the value of the field for use as the reference value.
  - 6. A method according to claim 5, wherein reading the value of the field comprises reading a first value of the field, and wherein validating the value of the field comprises:
    - sending a message packet over the network to the source address;
      
      receiving a response packet over the network from the source address in response to the message packet;
      
      reading a second value of the field from the response packet; and
      
      comparing the first and second values of the field.
  - 7. A method according to claim 6, wherein sending the message packet comprises encoding the first value of the field in the message packet, so that the encoded first value is returned in the response packet, and wherein comparing the first and second values comprises reading the first value from the response packet.
  - 8. A method according to claim 7, wherein encoding the first value comprises inserting a cookie in the message packet, and wherein receiving the response packet comprises authenticating the response packet based on the cookie.
  - 9. A method according to claim 6, wherein sending the message packet comprises sending a Transport Control Protocol (TCP) SYN packet.
  - 10. A method according to claim 6, wherein sending the message packet comprises sending a Domain Name System (DNS) request packet.
  - 11. A method according to claim 6, wherein sending the message packet comprises sending a PING request.
  - 12. A method according to claim 5, wherein receiving the data packet comprises receiving a sequence of data packets having respective values of the field, and wherein validating the value comprises proceeding to validate the value only if a rate of validating the values for the sequence of data packets is no more than a predetermined maximum.
  - 13. A method according to claim 2, wherein comparing the value of the field comprises comparing the value to a plurality of reference values, which are determined by decrementing a plurality of respective initial values of the field by the same number of hops.
  - 14. A method according to claim 2, wherein comparing the value of the field comprises determining the reference value based on the value of the field in a protocol handshake exchanged between the source and destination addresses.
  - 15. A method according to claim 14, wherein the protocol handshake comprises a Transport Control Protocol (TCP) three-way handshake.
  - 16. A method according to claim 1, wherein receiving the data packet comprises receiving an Internet Protocol (IP) packet, and wherein reading the value of the field comprises reading a Time-To-Live (TTL) of the IP packet.
  - 17. A method according to claim 1, wherein receiving the data packet comprises intercepting the data packet prior to the packet'"'"'s reaching the destination address, and comprising delivering the packet to the destination address depending on the assessed authenticity of the packet.
  - 18. A method according to claim 17, wherein delivering the packet comprises discarding the packet if the packet is assessed as inauthentic.
  - 19. A method according to claim 17, wherein delivering the packet comprises delivering the packet to the destination address with a reduced level of priority if the packet is assessed as inauthentic.
  - 20. A method according to claim 17, wherein delivering the packet comprises performing a further check to verify the authenticity after assessing the authenticity of the source address responsive to the value and before conveying the packet to the destination address.

21. Apparatus for authenticating packet communication traffic, comprising a guard device, which is adapted to receive a data packet sent over a network from a source address to a destination address, to read from the packet a value of a field that is indicative of a number of hops traversed by the packet since having been sent from the source address, and to assess authenticity of the source address responsive to the value.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40)
- - 22. Apparatus according to claim 21, and comprising a memory, which is adapted to store a record containing a reference value associated with the source address, wherein the guard device is adapted to read the reference value from the memory and to assess the authenticity of the source address by comparing the value of the field to the reference value.
  - 23. Apparatus according to claim 22, wherein the guard device is adapted to determine whether the value matches the reference value to within a predefined tolerance.
  - 24. Apparatus according to claim 22, wherein the guard device is adapted to compare the value to an aggregate reference value associated with a subnet to which the source address belongs.
  - 25. Apparatus according to claim 22, wherein the guard device is adapted, if there is no reference value associated with the source address in the memory that matches the value of the field, to validate the value of the field for use as the reference value.
  - 26. Apparatus according to claim 25, wherein the value of the field that is read from the packet comprises a first value of the field, and wherein the guard device is adapted to validate the first value by sending a message packet over the network to the source address, receiving a response packet over the network from the source address in response to the message packet, reading a second value of the field from the response packet, and comparing the first and second values of the field.
  - 27. Apparatus according to claim 26, wherein the guard device is adapted to encode the first value of the field in the message packet, so that the encoded first value is returned in the response packet, and to read the first value from the response packet.
  - 28. Apparatus according to claim 27, wherein the guard device is adapted to insert a cookie encoding the first value in the message packet, and to authenticate the response packet based on the cookie.
  - 29. Apparatus according to claim 26, wherein the message packet comprises a Transport Control Protocol (TCP) SYN packet.
  - 30. Apparatus according to claim 26, wherein the message packet comprises a Domain Name System (DNS) request packet.
  - 31. Apparatus according to claim 26, wherein the message packet comprises a PING request.
  - 32. Apparatus according to claim 25, wherein the data packet is one of a sequence of data packets having respective values of the field, and wherein the guard device is adapted to determine a rate of validating the values for the sequence of data packets, and to validate the value if the rate is no more than a predetermined maximum.
  - 33. Apparatus according to claim 22, wherein the guard device is adapted to compare the value of the field to a plurality of reference values, which are determined by decrementing a plurality of respective initial values of the field by the same number of hops.
  - 34. Apparatus according to claim 22, wherein the guard device is adapted to determine the reference value based on the value of the field in a protocol handshake exchanged between the source and destination addresses.
  - 35. Apparatus according to claim 34, wherein the protocol handshake comprises a Transport Control Protocol (TCP) three-way handshake.
  - 36. Apparatus according to claim 21, wherein the data packet comprises an Internet Protocol (IP) packet, and wherein the value of the field comprises a Time-To-Live (TTL) of the IP packet.
  - 37. Apparatus according to claim 21, wherein the guard device is adapted to intercept the data packet prior to the packet'"'"'s reaching the destination address, and to deliver the packet to the destination address depending on the assessed authenticity of the packet.
  - 38. Apparatus according to claim 37, wherein the guard device is adapted to discard the packet if the packet is assessed as inauthentic.
  - 39. Apparatus according to claim 37, wherein the guard device is adapted to deliver the packet to the destination address with a reduced level of priority if the packet is assessed as inauthentic.
  - 40. Apparatus according to claim 37, wherein the guard device is adapted to perform a further check to verify the authenticity after assessing the authenticity of the source address responsive to the value and before conveying the packet to the destination address.

41. A computer software product for authenticating packet communication traffic, the product comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to receive a data packet sent over a network from a source address to a destination address, to read from the packet a value of a field that is indicative of a number of hops traversed by the packet since having been sent from the source address, and to assess authenticity of the source address responsive to the value.
- View Dependent Claims (42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60)
- - 42. A product according to claim 41, wherein the instructions cause the computer to read from a memory a reference value associated with the source address, and to assess the authenticity of the source address by comparing the value of the field to the reference value.
  - 43. A product according to claim 42, wherein the instructions cause the computer to determine whether the value matches the reference value to within a predefined tolerance.
  - 44. A product according to claim 42, wherein the instructions cause the computer to compare the value to an aggregate reference value associated with a subnet to which the source address belongs.
  - 45. A product according to claim 42, wherein the instructions cause the computer, if there is no reference value associated with the source address in the memory that matches the value of the field, to validate the value of the field for use as the reference value.
  - 46. A product according to claim 45, wherein the value of the field that is read from the packet comprises a first value of the field, and wherein the instructions cause the computer to validate the first value by sending a message packet over the network to the source address, receiving a response packet over the network from the source address in response to the message packet, reading a second value of the field from the response packet, and comparing the first and second values of the field.
  - 47. A product according to claim 46, wherein the instructions cause the computer to encode the first value of the field in the message packet, so that the encoded first value is returned in the response packet, and to read the first value from the response packet.
  - 48. A product according to claim 47, wherein the instructions cause the computer to insert a cookie encoding the first value in the message packet, and to authenticate the response packet based on the cookie.
  - 49. A product according to claim 46, wherein the message packet comprises a Transport Control Protocol (TCP) SYN packet.
  - 50. A product according to claim 46, wherein the message packet comprises a Domain Name System (DNS) request packet.
  - 51. A product according to claim 46, wherein the message packet comprises a PING request.
  - 52. A product according to claim 45, wherein the data packet is one of a sequence of data packets having respective values of the field, and wherein the instructions cause the computer to determine a rate of validating the values for the sequence of data packets, and to validate the value if the rate is no more than a predetermined maximum.
  - 53. A product according to claim 42, wherein the instructions cause the computer to compare the value of the field to a plurality of reference values, which are determined by decrementing a plurality of respective initial values of the field by the same number of hops.
  - 54. A product according to claim 42, wherein the instructions cause the computer to determine the reference value based on the value of the field in a protocol handshake exchanged between the source and destination addresses.
  - 55. A product according to claim 54, wherein the protocol handshake comprises a Transport Control Protocol (TCP) three-way handshake.
  - 56. A product according to claim 51, wherein the data packet comprises an Internet Protocol (IP) packet, and wherein the value of the field comprises a Time-To-Live (TTL) of the IP packet.
  - 57. A product according to claim 51, wherein the instructions cause the computer to intercept the data packet prior to the packet'"'"'s reaching the destination address, and to deliver the packet to the destination address depending on the assessed authenticity of the packet.
  - 58. A product according to claim 57, wherein the instructions cause the computer to discard the packet if the packet is assessed as inauthentic.
  - 59. A product according to claim 57, wherein the instructions cause the computer to deliver the packet to the destination address with a reduced level of priority if the packet is assessed as inauthentic.
  - 60. A product according to claim 57, wherein the instructions cause the computer to perform a further check to verify the authenticity after assessing the authenticity of the source address responsive to the value and before conveying the packet to the destination address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Riverhead Networks, Inc.
Inventors
Pazi, Guy, Bremler-Bar, Anat, Touitou, Dan, Rivlin, Rami

Granted Patent

US 7,171,683 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/229
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/1458   Denial of Service

H04L 63/164   at the network layer

Protecting against distributed denial of service attacks

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

114 Citations

60 Claims

Specification

Use Cases

Quick Links

Others

Protecting against distributed denial of service attacks

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

114 Citations

60 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others