Method and apparatus for denial of service attack preemption

US 20040128539A1
Filed: 12/30/2002
Published: 07/01/2004
Est. Priority Date: 12/30/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method comprising:

determining with a system'"'"'s operating system if a set of one or more protocol data units (PDUS) satisfy a set of one or more network security alert criteria, wherein the set of network security alert criteria define characteristics of PDUs typical for PDUs used for initiating or conducting a denial of service attack; and

adjusting the system'"'"'s transmission capability and transmitting an alert to a monitor if one or more of the set of network security alert criteria are satisfied.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Denial of service attack preemption determines with a system'"'"'s operating system if a set of one or more protocol data units (PDUs) satisfy a set of one or more network security alert criteria. The set of network security alert criteria define characteristics of PDUs typical for PDUs used for initiating or conducting a denial of service attack. If one or more of the set of network security alert criteria are satisfied, then the system'"'"'s transmission capability is adjusted and an alert is transmitted to a monitor.

82 Citations

View as Search Results

30 Claims

1. A method comprising:
- determining with a system'"'"'s operating system if a set of one or more protocol data units (PDUS) satisfy a set of one or more network security alert criteria, wherein the set of network security alert criteria define characteristics of PDUs typical for PDUs used for initiating or conducting a denial of service attack; and
  
  adjusting the system'"'"'s transmission capability and transmitting an alert to a monitor if one or more of the set of network security alert criteria are satisfied.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 wherein the kernel of the operating system performs the determining.
  - 3. The method of claim 1 wherein adjusting the system'"'"'s transmission capability comprises reducing the transmission rate of the system if the set of PDUs are determined to be suspicious according to the set of network security alert criteria and the transmission rate of the system exceeds a predefined threshold.
  - 4. The method of claim 3 further comprising preventing the system from transmitting if one or more of the set of PDUs indicates a spoofed address.
  - 5. The method of claim 1 wherein adjusting the system'"'"'s transmission capability comprises the operating system adjusting a set of one or more network interfaces of the system.
  - 6. The method of claim 1 wherein the set of network interfaces are physical and/or logical.
  - 7. The method of claim 1 wherein the alert is a simple network management protocol alert.
  - 8. The method of claim 1 wherein the PDUs are Internet Protocol packets and/or Ethernet frames.

9. A method comprising:
- determining, with a denial of service attack preemption module included within a systems'"'"' system software, if a protocol data unit (PDU) generated by communication software is possibly being used to initiate or orchestrate a denial of service attack and if a transmit rate of the system is greater than a predetermined threshold transmit rate; and
  
  transmitting an alert to a monitor and throttling the transmit rate if the PDU is suspicious and the transmit rate is greater than the predetermined threshold transmit rate.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The method of claim 9 wherein the communication software includes an Internet Protocol module and/or an Ethernet module.
  - 11. The method of claim 9 further comprising preventing the system from transmitting if the PDU is determined to be forbidden.
  - 12. The method of claim 11 wherein the PDU is determined to be forbidden because the PDU indicates a spoofed address.
  - 13. The method of claim 9 wherein the denial of service attack preemption module is part of the kernel of the system software.

14. A method comprising:
- at the kernel level of an operating system, analyzing a protocol data unit (PDU) generated by communication software to be transmitted via a network interface, reducing the transmit rate of the network interface if the analyzed PDU is determined to be suspicious for denial of service attacks and the transmit rate of the network interface exceeds a predetermined transmit rate threshold; and
  
  transmitting the PDU via the network interface if the PDU is not suspicious.
- View Dependent Claims (15, 16, 17)
- - 15. The method of claim 14 wherein the PDU is an Internet Protocol packet or an Ethernet frame.
  - 16. The method of claim 14 wherein the network interface is physical or logical.
  - 17. The method of claim 14 further comprising shutting down the network interface if the analysis of the PDU determines that the PDU is forbidden.

18. An apparatus comprising:
- a bus;
  
  a set of one or more processors coupled with the bus;
  
  an Ethernet network interface card coupled with the bus; and
  
  a machine-readable medium coupled with the bus, the machine-readable medium having stored therein a set of instructions to cause the set of processors to, determine if a protocol data unit satisfies a set of one or more network security alert criteria as a suspicious protocol data unit and if rate of transmission of a network interface to be used to transmit the suspicious protocol data unit exceeds a predetermined threshold, wherein the set of network security alert criteria define characteristics of protocol data units typical for protocol data units used for initiating or orchestrating denial of service attacks, adjust the rate of transmission of the network interface if the protocol data unit is a suspicious protocol data unit and if the transmission rate exceeds the predetermined threshold.
- View Dependent Claims (19)
- - 19. The apparatus of claim 18 wherein the machine-readable medium is an optical storage device.

20. The apparatus of claim 18 wherein the set of instructions stored on the machine-readable medium further cause the set of processors to shut down the interface if the protocol data unit is determined to be forbidden in accordance with the set of network security alert criteria.
- View Dependent Claims (21, 22, 23, 24, 25, 26)
- - 21. The machine-readable medium of claim 20 wherein the set of instructions included in the kernel of the operating system.
  - 22. The machine-readable medium of claim 20 wherein adjusting the system'"'"'s transmission capability comprises the operating system adjusting a set of one or more network interfaces of the system.
  - 23. The machine-readable medium of claim 20 further comprising preventing the system from transmitting if one or more of the set of PDUs indicates a spoofed address.
  - 24. The machine-readable medium of claim 20 wherein the set of network interfaces are physical and/or logical.
  - 25. The machine-readable medium of claim 20 wherein the alert is a simple network management protocol alert.
  - 26. The machine-readable medium of claim 20 wherein the PDUs are Internet Protocol packets and/or Ethernet frames.

20-1. A machine-readable medium that provides instructions, which when executed by a set of one or more processors, cause said set of processors to perform operations comprising:
- determining with a system'"'"'s operating system if a set of one or more protocol data units (PDUs) satisfy a set of one or more network security alert criteria, wherein the set of network security alert criteria define characteristics of PDUs typical for PDUs used for initiating or conducting a denial of service attack; and
  
  adjusting the system'"'"'s transmission capability and transmitting an alert to a monitor if one or more of the set of network security alert criteria are satisfied.

27. A machine-readable medium that provides instructions, which when executed by a set of one or more processors, cause said set of processors to perform operations comprising:
- at the kernel level of an operating system, analyzing a protocol data unit (PDU) generated by communication software to be transmitted via a network interface, reducing the transmit rate of the network interface if the analyzed PDU is determined to be suspicious for denial of service attacks and the transmit rate of the network interface exceeds a predetermined transmit rate threshold; and
  
  transmitting the PDU via the network interface if the PDU is not suspicious.
- View Dependent Claims (28, 29, 30)
- - 28. The machine-readable medium of claim 27 wherein the PDU is an Internet Protocol packet or an Ethernet frame.
  - 29. The machine-readable medium of claim 27 wherein the network interface is physical or logical.
  - 30. The machine-readable medium of claim 27 further comprising shutting down the network interface if the analysis of the PDU determines that the PDU is forbidden.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Shureih, Tariq

Application Number

US10/331,857
Publication Number

US 20040128539A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/1408 by monitoring network traff...

H04L 63/1458 Denial of Service

Method and apparatus for denial of service attack preemption

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

82 Citations

30 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for denial of service attack preemption

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

82 Citations

30 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others