Protecting networks from access link flooding attacks
Abstract
Automated techniques are described that provide continuous, uninterrupted operation of secure packet tunnels in spite of access link flooding attacks. A system is described that includes a source device and a destination device coupled to a network. The source and destination devices may comprise, for example, edge routers that couple local area networks to the network via access links. The source device and the destination device establish a packet tunnel that has a source network address and a destination network address. Upon detecting a network attack, the destination device selects a new network address for at least one of the source network address and the destination network address and establishes a new packet tunnel with the source device. The source network address and the destination network address may comprise port numbers, Internet Protocol (IP) addresses, or other information describing the source and destination devices.
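As an added illustration, not the patent's own implementation, the following Python model walks through the sequence in the abstract: a destination edge router terminates a tunnel, detects a flood on its access link by packet count, selects a new destination port from a pool of alternate addresses, and re-establishes the tunnel, after which packets still aimed at the retired address no longer reach the link. The flood threshold, the addresses, and the assumption that the provider edge discards traffic to a retired address are all constructed for the example.

```python
from collections import deque
FLOOD_THRESHOLD = 20  # constructed value: packets per window that signals a flood


class TunnelEndpoint:
    """Destination-side edge router terminating a tunnel (illustrative model only)."""

    def __init__(self, source, destination, alternates):
        self.source = source            # tunnel source address (ip, port)
        self.destination = destination  # live tunnel destination address (ip, port)
        self.alternates = deque(alternates)  # pool of spare destination addresses
        self.rotations = []             # (old, new) pairs, one per re-establishment

    def accepts(self, packet):
        """Only packets belonging to the current tunnel are forwarded into the site."""
        return packet["src"] == self.source and packet["dst"] == self.destination

    def reestablish(self):
        """Select a new destination address from the pool and bring up the new tunnel."""
        if not self.alternates:
            raise RuntimeError("no alternate addresses left")
        old, self.destination = self.destination, self.alternates.popleft()
        self.rotations.append((old, self.destination))

    def process_window(self, arriving):
        """Handle one detection window; returns (forwarded, on_link, attacked)."""
        # Model assumption: the provider edge discards packets for a retired address
        # before they reach the access link, so only traffic to the live address counts.
        on_link = [p for p in arriving if p["dst"] == self.destination]
        forwarded = sum(1 for p in on_link if self.accepts(p))
        attacked = len(on_link) > FLOOD_THRESHOLD  # link load, legitimate or not
        if attacked:
            self.reestablish()
        return forwarded, len(on_link), attacked


def simulate():
    """Constructed traffic: a quiet window, a flood, then the attacker still hitting
    the retired address while tunnel traffic has already moved to the new one."""
    src, old_dst = ("10.0.0.1", 4500), ("10.0.0.2", 4500)
    ep = TunnelEndpoint(src, old_dst, [("10.0.0.2", 4501), ("10.0.0.2", 4502)])
    def legit(dst):
        return {"src": src, "dst": dst}
    def flood(dst):
        return {"src": "198.51.100.7", "dst": dst}  # constructed attacker address
    results = [ep.process_window([legit(old_dst)] * 5)]
    results.append(ep.process_window([legit(old_dst)] * 5 + [flood(old_dst)] * 40))
    results.append(ep.process_window([legit(ep.destination)] * 5 + [flood(old_dst)] * 40))
    return ep, results
```

The second window trips the threshold and rotates the destination port; in the third window the flood to the old port is filtered before the link, so legitimate tunnel traffic on the new port is forwarded without another rotation.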
56 Claims

1. A method comprising:
establishing a packet tunnel having a source network address and a destination network address;
detecting a network attack;
selecting a new network address for at least one of the source network address and the destination network address upon detecting the network attack; and
establishing a new packet tunnel using the new network address.
(Dependent claims 2-17)

18. A method comprising:
establishing a packet tunnel having a source network address and a destination network address; and
establishing for the packet tunnel a truncated reservation path within an access link coupled to a destination network device that terminates the packet tunnel.
(Dependent claims 19-26)

27. A method comprising:
establishing virtual private network service including a packet tunnel having a source network address and a destination network address;
detecting a network attack; and
establishing new virtual private network service upon detecting the network attack, wherein the new virtual private network service comprises two or more concatenated packet tunnels.
(Dependent claims 28-30)

31. A method comprising:
maintaining a set of alternate multicast network addresses and a set of alternate unicast network addresses;
assigning one of the multicast network addresses to a packet tunnel terminating on a network device; and
assigning one of the unicast network addresses to a packet tunnel originating from the network device.
(Dependent claims 32-34)

35. A system comprising:
a source device coupled to a network; and
a destination device coupled to the network, wherein the source device and the destination device establish a packet tunnel having a source network address and a destination network address and, upon detecting a network attack, select a new network address for at least one of the source network address and the destination network address and establish a new packet tunnel.
(Dependent claims 36-46)

47. A system comprising:
a source device coupled to a network by a first access link, wherein the source device originates a packet tunnel; and
a destination device coupled to the network by a second access link, wherein the destination device terminates the packet tunnel, and further wherein the destination device establishes for the packet tunnel a truncated reservation path within the second access link.
(Dependent claims 48-50)

51. A system comprising:
a source network device that originates a first packet tunnel;
an intermediate network device that terminates the first packet tunnel and originates a second packet tunnel; and
a destination network device that terminates the second packet tunnel, wherein the intermediate network device de-encapsulates packets received from the first packet tunnel and re-encapsulates the packets for communication to the destination device via the second packet tunnel.
(Dependent claim 52)

53. A computer-readable medium comprising instructions to cause a processor to:
establish a packet tunnel having a source network address and a destination network address;
detect a network attack;
select a new network address for at least one of the source network address and the destination network address upon detecting the network attack; and
establish a new packet tunnel using the new network address.
(Dependent claims 54-56)