Communication scheme for preventing attack by pretending in service using anycast

US 20040146045A1
Filed: 11/13/2003
Published: 07/29/2004
Est. Priority Date: 11/13/2002
Status: Abandoned Application

First Claim

Patent Images

1. A communication device, comprising:

a transmission unit configured to transmit a packet to a prescribed destination address;

a reception unit configured to receive a response packet for responding to the packet transmitted by the transmission unit;

a first detection unit configured to detect a source address contained in the response packet received by the reception unit;

a second detection unit configured to detect an identifier indicating that an anycast address is assigned to another communication device that has the prescribed destination address, which is contained in the response packet, when the source address detected by the first detection unit and the prescribed destination address are different; and

a verification unit configured to verify the response packet, according to the identifier detected by the second detection unit.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In the communication system, the filtering is realized at times of transmission and reception, by a server which attaches an identifier indicating an anycast address to a source address of a response packet, a communication device which detects the identifier indicating an anycast address in the response packet and verifies the response packet, when the source address is different from the destination address, and a boundary router which detects the identifier in the packet and verifies that the response packet is a response transmitted from the server, according to information regarding servers that is stored in advance.

Citations

8 Claims

1. A communication device, comprising:
- a transmission unit configured to transmit a packet to a prescribed destination address;
  
  a reception unit configured to receive a response packet for responding to the packet transmitted by the transmission unit;
  
  a first detection unit configured to detect a source address contained in the response packet received by the reception unit;
  
  a second detection unit configured to detect an identifier indicating that an anycast address is assigned to another communication device that has the prescribed destination address, which is contained in the response packet, when the source address detected by the first detection unit and the prescribed destination address are different; and
  
  a verification unit configured to verify the response packet, according to the identifier detected by the second detection unit.
- View Dependent Claims (2)
- - 2. The communication device of claim 1, wherein the communication device functions as a boundary router device located at a boundary between a first network to which a server device having an anycast address belongs and a second network, and the communication device further comprises:
    - a second reception unit configured to receive one packet destined to the server device, from another communication device on the second network;
      
      a first transfer unit configured to transfer the one packet to the server device;
      
      a third reception unit configured to receive one response packet for responding to the one packet, from the server device;
      
      a third detection unit configured to detect another identifier indicating that a source address different from the anycast address is attached, which is contained in the one response packet;
      
      a second verification unit configured to verify that the one response packet is a response transmitted from the server device, according to information regarding server devices having the anycast address in the second network which are provided in advance, when the another identifier is detected by the third detection unit;
      
      a transfer control unit configured to control whether or not to transfer the one response packet to the another communication device, according to a verification result of the second verification unit; and
      
      a second transfer unit configured to transfer the one response packet to the another communication device, when the transfer control unit judges that the response packet should be transferred.

3. A server device connected to a first network and having an anycast address, comprising:
- a reception unit configured to receive a packet transmitted to the anycast address, from a communication device connected to a second network;
  
  an identifier attaching unit configured to attach to a response packet for responding to the packet an identifier indicating that a source of the response packet has the anycast address; and
  
  a transmission unit configured to transmit the response packet to the communication device.

4. A communication system, comprising:
- a server device connected to a first network and having an anycast address;
  
  a communication device connected to a second network; and
  
  a boundary router device located at a boundary between the first network and the second network;
  
  wherein the communication device has;
  
  a first transmission unit configured to transmit a packet to the anycast address; and
  
  a first reception unit configured to receive a response packet for responding to the packet from the server device;
  
  the server device has;
  
  a second reception unit configured to receive the packet transmitted to the anycast address from the communication device;
  
  an identifier attaching unit configured to attach to the response packet for responding to the packet a first identifier indicating that the server device has the anycast address; and
  
  a second transmission unit configured to transmit the communication device to the response packet; and
  
  the boundary router device has;
  
  a third reception unit configured to receive the packet destined to the server device from the communication device;
  
  a first transfer unit configured to transfer the packet to the server device;
  
  a fourth reception unit configured to receive the response packet for responding to the packet from the server device;
  
  a detection unit configured to detect a second identifier indicating that a source address different from the anycast address is attached, which is contained in the response packet;
  
  a verification unit configured to verify that the response packet is a response transmitted from the server device, according to information regarding server devices having the anycast address in the first network which is provided in advance, when the second identifier is detected by the detection unit;
  
  a transfer control unit configured to control whether or not to transfer the response packet to the communication device, according to a verification result of the verification unit; and
  
  a second transfer unit configured to transfer the response packet to the communication device, when the transfer control unit judges that the response packet should be transferred.

5. A communication method at a communication device, comprising:
- transmitting a packet to a prescribed destination address;
  
  receiving a response packet for responding to the packet;
  
  detecting a source address contained in the response packet;
  
  detecting an identifier indicating that an anycast address is assigned to another communication device that has transmitted the response packet, which is contained in the response packet, when the source address and the prescribed destination address are different; and
  
  verifying the response packet, according to the identifier.
- View Dependent Claims (6)
- - 6. The communication method of claim 5, wherein the communication device functions as a boundary router device located at a boundary between a first network to which a server device having an anycast address belongs and a second network, and the communication method further comprises:
    - receiving one packet destined to the server device, from another communication device on the second network;
      
      transferring the one packet to the server device;
      
      receiving one response packet for responding to the one packet, from the server device;
      
      detecting another identifier indicating that a source address different from the anycast address is attached, which is contained in the one response packet;
      
      verifying that the one response packet is a response transmitted from the server device, according to information regarding server devices having the anycast address in the second network which are provided in advance, when the another identifier is detected;
      
      controlling whether or not to transfer the one response packet to the another communication device, according to a verification result; and
      
      transferring the one response packet to the another communication device, when it is judged that the one response packet should be transferred.

7. A computer program product for causing a computer to function as a communication device, the computer program product comprising:
- a first computer program code for causing the computer to transmit a packet to a prescribed destination address;
  
  a second computer program code for causing the computer to receive a response packet for responding to the packet;
  
  a third computer program code for causing the computer to detect a source address contained in the response packet;
  
  a fourth computer program code for causing the computer to detect an identifier indicating that an anycast address is assigned to another communication device that has transmitted the response packet, which is contained in the response packet, when the source address and the prescribed destination address are different; and
  
  a fifth computer program code for causing the computer to verify the response packet, according to the identifier.
- View Dependent Claims (8)
- - 8. The computer program product of claim 7, wherein the computer is caused to function as a routing method at a boundary router device located at a boundary between a first network to which a server device having an anycast address belongs and a second network, and the computer program product further comprises:
    - a sixth computer program code for causing the computer to receive one packet destined to the server device, from another communication device on the second network;
      
      a seventh computer program code for causing the computer to transfer the one packet to the server device;
      
      an eighth computer program code for causing the computer to receive one response packet for responding to the one packet, from the server device;
      
      a ninth computer program code for causing the computer to detect another identifier indicating that a source address different from the anycast address is attached, which is contained in the one response packet;
      
      a tenth computer program code for causing the computer to verify that the one response packet is a response transmitted from the server device, according to information regarding server devices having the anycast address in the second network which are provided in advance, when the another identifier is detected;
      
      an eleventh computer program code for causing the computer to control whether or not to transfer the one response packet to the another communication device, according to a verification result; and
      
      a twelfth computer program code for causing the computer to transfer the one response packet to the another communication device, when it is judged that the one response packet should be transferred.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Kabushiki Kaisha Toshiba (Toshiba Corporation)
Original Assignee
Kabushiki Kaisha Toshiba (Toshiba Corporation)
Inventors
Jimmei, Tatsuya, Ishiyama, Masahiro, Tamada, Yuzo

Application Number

US10/705,976
Publication Number

US 20040146045A1
Time in Patent Office

Days
Field of Search
US Class Current

370/351
CPC Class Codes

H04L 63/14 for detecting or protecting...

H04L 63/1466 Active attacks involving in...

Communication scheme for preventing attack by pretending in service using anycast

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

8 Claims

Specification

Solutions

Use Cases

Quick Links

Communication scheme for preventing attack by pretending in service using anycast

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

8 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links