Real-time packet traceback and associated packet marking strategies
Abstract
To facilitate effective and efficient tracing of packet flows back to a trusted point as near as possible to the source of the flow in question, devices on the border of the trusted region are configured to mark packets with partial address information. Typically, the markings comprise fragments of IP addresses of the border devices in combination with fragment identifiers. By combining a small number of marked packets, victims or other interested parties are able to reconstruct the IP address of each border device that forwarded a particular packet flow into the trusted region, and thereby approximately locate the source(s) of traffic without requiring the assistance of outside network operators. Moreover, traceback can be done in real-time, e.g. while a DDoS attack is on-going, so that the attack can be stopped before the victim suffers serious damage.
249 Citations
41 Claims
1. A method for enabling identification of at least one address associated with ingress of a packet stream, comprising:
- identifying a portion of a packet data communication network as a trusted region;
- identifying all border devices at entry points on an outer boundary of the trusted region of the network;
- configuring each respective one of the border devices to mark at least predetermined packets transmitted into the trusted region of the network, each marking of a packet by a respective border device comprising providing a fragment of a network address of the respective border device with the packet;
- receiving a plurality of marked packets from one of the border devices; and
- processing address fragments from the received marked packets to reconstruct the network address of the one border device.
(Dependent claims 2 to 17 not shown.)

18. A method of marking communication packets forwarded by a router through a packet data communication network with router identifying information, comprising:
- fragmenting a network address of the router into a first plurality of overlapping address fragments of a first format;
- assigning fragment identifiers of a first range to the first fragments;
- fragmenting the network address of the router into a second plurality of overlapping address fragments of a second format;
- assigning fragment identifiers of a second range to the second fragments; and
- adding the fragments and corresponding assigned identifiers to a plurality of packets forwarded by the router.
(Dependent claims 19 and 20 not shown.)

21. A method of reconstructing an address of a marking device connected at a point on a packet data communication network at or near a source of a flow of packets through the network, comprising:
- receiving data packets of the flow containing marks comprising fragments of a network address of the marking device, via the packet data communication network;
- for each respective fragment from a newly received packet, comparing predetermined bits of the respective fragment to predetermined bits of one or more fragments from previously received packets, to determine if there is a match; and
- for each match between a respective fragment from a newly received packet and a fragment from a previously received packet, concatenating one of the matching fragments with non-matched bits of the other one of the matching fragments, wherein the matching and concatenation is performed one or more times until a combination of fragments produces a complete address of the device that marked a plurality of the received packets of the flow.
(Dependent claims 22 to 30 not shown.)

31. A border device for communication through a packet data communication network, comprising:
- a communication interface for enabling transmission of packets through the packet data communication network; and
- means for marking at least predetermined ones of the packets transmitted through the packet data communication network, wherein marking operations performed by said means comprise:
  a) fragmenting a network address of the border device into a first plurality of overlapping fragments of a first format;
  b) assigning fragment identifiers of a first range to the first fragments;
  c) fragmenting the network address of the border device into a second plurality of overlapping fragments of a second format;
  d) assigning fragment identifiers of a second range to the second fragments; and
  e) adding the fragments and corresponding assigned identifiers to at least the predetermined ones of the packets transmitted through the packet data communication network.
(Dependent claims 32 and 33 not shown.)

34. A computer system configured to implement a sequence of steps, to identify a device at or near a point of origin of a particular flow of packets through a packet data communication network, the sequence of steps comprising:
- receiving data packets containing marks comprising fragments of a network address of the device, via the packet data communication network;
- for each respective fragment from a newly received packet, comparing predetermined bits of the respective fragment to predetermined bits of one or more fragments from previously received packets to determine if there is a match; and
- for each match between a respective fragment from a newly received packet and a fragment from a previously received packet, concatenating one of the matching fragments with non-matched bits of the other one of the matching fragments, wherein the matching and concatenation is performed one or more times until a combination of fragments produces a complete address of a device that marked a plurality of the received packets.

35. A computer program product comprising executable code embodied in a machine-readable medium, execution of the code causing a computer to perform a sequence of steps to identify a device at or near a point of origin of a particular flow of packets through the network, the sequence of steps comprising:
- receiving data packets containing marks comprising fragments of a network address, via the packet data communication network;
- for each respective fragment from a newly received packet, comparing predetermined bits of the respective fragment to predetermined bits of one or more fragments from previously received packets to determine if there is a match; and
- for each match between a respective fragment from a newly received packet and a fragment from a previously received packet, concatenating one of the matching fragments with non-matched bits of the other one of the matching fragments, wherein the matching and concatenation is performed one or more times until a combination of fragments produces a complete address of a device that marked a plurality of the received packets.

36. A method of marking communication packets forwarded by a router through a packet data communication network with router identifying information, comprising:
- forming one or more first fragments from a first network address associated with the router;
- forming one or more second fragments from a second network address associated with the router;
- marking a plurality of packets by adding the fragments to the plurality of packets; and
- forwarding the plurality of marked packets from the router through the packet data communication network.
(Dependent claims 37 to 41 not shown.)

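The marking scheme of the abstract and claims 18 and 31 (an address split into overlapping fragments, each carried with a fragment identifier) and the reconstruction of claim 21 (fragments from different packets are concatenated only where their overlapping bits agree), as an added example written for this page rather than code from the patent. The two fragment formats (widths, strides and identifier ranges), the 12-bit fragment field, the choice of the IPv4 Identification field as the carrier, the round-robin fragment selection and the sample router addresses are all assumptions; the page does not give the patent's parameters.

```python
"""Overlapping-fragment packet marking and traceback reconstruction.

Added example, not code from the patent. Fragment widths, strides and
identifier ranges are assumptions chosen so a mark fits the 16-bit IPv4
Identification field; the patent page does not give its parameters.
"""
import ipaddress
from collections import defaultdict

# Assumed fragment formats: (width_bits, stride_bits, first_fragment_id).
# Consecutive fragments overlap by width - stride bits; those overlap bits are
# the "predetermined bits" the reconstructor compares before concatenating.
FORMAT_A = (11, 7, 0)   # offsets 0,7,14,21; 4-bit overlap; ids 0..3 (first range)
FORMAT_B = (12, 10, 4)  # offsets 0,10,20; 2-bit overlap; ids 4..6 (second range)
FRAG_BITS = 12          # mark layout: fragment_id << FRAG_BITS | fragment_bits


def frag_count(fmt):
    width, stride, _ = fmt
    assert (32 - width) % stride == 0, "fragments must cover all 32 bits"
    return (32 - width) // stride + 1


def fragments(addr, fmt):
    """Split an IPv4 address into (fragment_id, fragment_bits) pairs."""
    width, stride, first_id = fmt
    a = int(ipaddress.IPv4Address(addr))
    mask = (1 << width) - 1
    return [(first_id + k, (a >> (k * stride)) & mask)
            for k in range(frag_count(fmt))]


def mark_stream(addr, fmt, n_packets):
    """Identification-field values a border router would stamp on n packets.

    A real router might choose the fragment at random per packet; cycling
    through them keeps this demo deterministic.
    """
    frags = fragments(addr, fmt)
    marks = []
    for i in range(n_packets):
        fid, frag = frags[i % len(frags)]
        ipid = (fid << FRAG_BITS) | frag
        assert ipid < (1 << 16), "mark must fit the 16-bit Identification field"
        marks.append(ipid)
    return marks


def unmark(ipid):
    return ipid >> FRAG_BITS, ipid & ((1 << FRAG_BITS) - 1)


def reconstruct(marks, fmt):
    """Rebuild every 32-bit address consistent with the marks of one format.

    Fragments are chained by position; a fragment is concatenated only when
    its low `overlap` bits equal the bits already in place from the previous
    fragment, so fragments from two different routers are usually rejected.
    """
    width, stride, first_id = fmt
    overlap = width - stride
    n = frag_count(fmt)
    omask = (1 << overlap) - 1
    by_pos = defaultdict(set)
    for ipid in marks:
        fid, frag = unmark(ipid)
        if first_id <= fid < first_id + n:      # ignore the other format's ids
            by_pos[fid - first_id].add(frag)
    found = set()

    def extend(partial, k):
        if k == n:
            found.add(str(ipaddress.IPv4Address(partial)))
            return
        pos = k * stride
        for frag in by_pos[k]:
            if k == 0:
                extend(frag, 1)
            elif (partial >> pos) & omask == frag & omask:
                # keep the matched bits, append only the fragment's new bits
                extend(partial | ((frag >> overlap) << (pos + overlap)), k + 1)

    extend(0, 0)
    return sorted(found)


def traceback_demo():
    """Two border routers (constructed sample addresses) mark one flow."""
    routers = ["203.0.113.1", "198.51.100.7"]
    seen = []
    for r in routers:
        seen += mark_stream(r, FORMAT_A, 8)
        seen += mark_stream(r, FORMAT_B, 6)
    return {"A": reconstruct(seen, FORMAT_A), "B": reconstruct(seen, FORMAT_B)}


if __name__ == "__main__":
    print(traceback_demo())
    # Overlap bits only reject a cross-router chain where the routers differ in
    # those bits; two addresses that agree at every junction stay ambiguous.
    ambiguous = mark_stream("203.0.113.1", FORMAT_A, 4) + mark_stream("75.0.113.0", FORMAT_A, 4)
    print(reconstruct(ambiguous, FORMAT_A))
```

The check at each junction is probabilistic: with a 4-bit overlap, fragments from two unrelated routers still pass a junction one time in sixteen, and two routers whose addresses agree in every overlap region (the `ambiguous` case above, which yields four candidates for two routers) cannot be told apart by the overlap alone. A victim should therefore treat a reconstructed address as a candidate and confirm it against the known inventory of border devices before acting on it.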
Specification