Method for blocking denial of service and address spoofing attacks on a private network

US 20040181694A1
Filed: 03/24/2004
Published: 09/16/2004
Est. Priority Date: 03/18/1998
Status: Active Grant

First Claim

Patent Images

1. A method for blocking an attack on a private network implemented by a routing device interconnecting the private network to a public network, comprising:

receiving a request for connection from an initiator, over the public network;

requesting an acknowledgment from the initiator of the request;

determining whether the acknowledgment has been received within a predetermined amount of time; and

denying the request if the acknowledgment is not received within the predetermined amount of time.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is provided for blocking attacks on a private network (12). The method is implemented by a routing device (10) interconnecting the private network (12) to a public network (14). The method includes analyzing an incoming data packet from the public network (14). The incoming data packet is then matched against known patterns where the known patterns are associated with known forms of attack on the private network (12). A source of the data packet is then identified as malicious or non-malicious based upon the matching. In one embodiment, one of the known forms of attack is a denial of service attack and an associated known pattern is unacknowledged data packets. In another embodiment, one of the known forms of attack is an address spoofing attack and an associated known pattern is a data packet having a source address matching an internal address of the private network (12).

129 Citations

View as Search Results

33 Claims

1. A method for blocking an attack on a private network implemented by a routing device interconnecting the private network to a public network, comprising:
- receiving a request for connection from an initiator, over the public network;
  
  requesting an acknowledgment from the initiator of the request;
  
  determining whether the acknowledgment has been received within a predetermined amount of time; and
  
  denying the request if the acknowledgment is not received within the predetermined amount of time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein the public network is the Internet.
  - 3. The method of claim 2, wherein the routing device is a firewall providing access to the Internet.
  - 4. The method of claim 1, further comprising processing the request if the acknowledgement is received.
  - 5. The method of claim 1, further comprising adding an IP address of the initiator to a cache of IP addresses if the acknowledgement is not received.
  - 6. The method of claim 5, further comprising denying access through the routing device to any IP address on the cache of IP addresses.
  - 7. The method of claim 1, further comprising storing information about the initiator on a system log for analysis by the system administrator.
  - 8. The method of claim 1, further comprising storing information about the request for connection on a system log for analysis by the system administrator.
  - 9. The method of claim 1, further comprising determining if a prior request for an acknowledgement has been sent to an IP address associated with the initiator and been unacknowledged within a predetermined amount of time, if the acknowledgement is not received.
  - 10. The method of claim 1, further comprising using diagnostic tools to determine additional information about a source of the request for connection.
  - 11. The method of claim 10, wherein using diagnostic tools to determine additional information about a source of the request for connection comprises using trace root diagnostic tools to determine information about the source of the request for connection.
  - 12. The method of claim 10, wherein using diagnostic tools to determine additional information about a source of the request for connection comprises using ping diagnostic tools to determine information about the source of the request for connection.
  - 13. The method of claim 10, wherein using diagnostic tools to determine additional information about a source of the request for connection comprises using NS lookup diagnostic tools to determine information about the source of the request for connection.
  - 14. The method of claim 10, further comprising forwarding the additional information to a system administrator via electronic mail.

15. A method for blocking an attack on a private network implemented by a routing device interconnecting the private network to a public network, comprising:
- receiving an incoming data packet from the public network;
  
  comparing a source address of the data packet against known internal addresses of the private network;
  
  determining if the source address matches a known internal address; and
  
  if there is a match;
  
  dropping the data packet;
  
  analyzing a header of the data packet;
  
  determining information regarding a history of the packet;
  
  determining a real source of the data packet using the information regarding the history of the packet; and
  
  refusing to process any additional data packets received from the real source of the data packet.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 16. The method of claim 15, further comprising storing data about the data packet on a system log, for use and analysis by a system administrator.
  - 17. The method of claim 15, wherein the public network is the Internet.
  - 18. The method of claim 17, wherein the routing device is a firewall providing access to the Internet.
  - 19. The method of claim 15, further comprising forwarding the data packet to the private network if there is not a match.
  - 20. The method of claim 15, further comprising adding an IP address of the data packet to a cache of IP addresses if there is a match.
  - 21. The method of claim 20, further comprising denying access through the routing device to any IP address on the cache of IP addresses.
  - 22. The method of claim 15, further comprising using diagnostic tools to determine additional information about a source of the data packet.
  - 23. The method of claim 22, wherein using diagnostic tools to determine additional information about a source of the data packet comprises using trace root diagnostic tools to determine additional information about the source of the data packet.
  - 24. The method of claim 22, wherein using diagnostic tools to determine additional information about a source of the data packet comprises using ping diagnostic tools to determine additional information about the source of the data packet.
  - 25. The method of claim 22, wherein using diagnostic tools to determine additional information about a source of the data packet comprises using NS lookup diagnostic tools to determine additional information about the source of the data packet.
  - 26. The method of claim 22, further comprising forwarding the additional information to a system administrator via electronic mail.

27. A method for blocking an attack on a private network implemented by a routing device interconnecting the private network to a public network, comprising:
- receiving a request for connection from an initiator, over the public network;
  
  requesting an acknowledgment from the initiator of the request;
  
  determining whether the acknowledgment has been received within a predetermined amount of time;
  
  denying the request if the acknowledgment is not received within the predetermined amount of time;
  
  comparing a source address of the request for connection with known internal addresses of the private network;
  
  determining if the source address matches a known internal address; and
  
  refusing to process the request for connection if there is a match.

28. A system for blocking an attack on a private network, comprising:
- a routing device being operable to interconnect a private network to a public network, the routing device being further operable to;
  
  receive a request for connection from an initiator, over the public network;
  
  request an acknowledgment from the initiator of the request;
  
  determine whether the acknowledgment has been received within a predetermined amount of time; and
  
  deny the request if the acknowledgment is not received within the predetermined amount of time.

29. A system for blocking an attack on a private network, comprising:
- a routing device being operable to interconnect the private network and a public network, the routing device being further operable to;
  
  receive an incoming data packet from the public network;
  
  compare a source address of the data packet against known internal addresses of the private network;
  
  determine if the source address matches a known internal address; and
  
  if there is a match;
  
  drop the data packet;
  
  analyze a header of the data packet;
  
  determine information regarding a history of the packet;
  
  determine a real source of the data packet using the information regarding the history of the packet; and
  
  refuse to process any additional data packets received from the real source of the data packet.

30. A system for blocking an attack on a private network, comprising:
- means for interconnecting a private network to a public network;
  
  means for receiving a request for connection from an initiator, over the public network;
  
  means for requesting an acknowledgment from the initiator of the request;
  
  means for determining whether the acknowledgment has been received within a predetermined amount of time; and
  
  means for denying the request if the acknowledgment is not received within the predetermined amount of time.

31. A system for blocking an attack on a private network, comprising:
- means for interconnecting the private network and a public network;
  
  means for receiving an incoming data packet from the public network;
  
  means for comparing a source address of the data packet against known internal addresses of the private network;
  
  means for determining if the source address matches a known internal address; and
  
  if there is a match, means for;
  
  dropping the data packet;
  
  analyzing a header of the data packet;
  
  determining information regarding a history of the packet;
  
  determining a real source of the data packet using the information regarding the history of the packet; and
  
  refusing to process any additional data packets received from the real source of the data packet.

32. Software embodied in a computer-readable medium, the computer-readable medium comprising code operable to:
- interconnect a private network to a public network;
  
  receive a request for connection from an initiator, over the public network;
  
  request an acknowledgment from the initiator of the request;
  
  determine whether the acknowledgment has been received within a predetermined amount of time; and
  
  deny the request if the acknowledgment is not received within the predetermined amount of time.

33. Software embodied in a computer-readable medium, the computer-readable medium comprising code operable to:
- receive an incoming data packet from the public network;
  
  compare a source address of the data packet against known internal addresses of the private network;
  
  determine if the source address matches a known internal address; and
  
  if there is a match;
  
  drop the data packet;
  
  analyze a header of the data packet;
  
  determine information regarding a history of the packet;
  
  determine a real source of the data packet using the information regarding the history of the packet; and
  
  refuse to process any additional data packets received from the real source of the data packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
McClanahan, Kip, Cox, Dennis

Granted Patent

US 7,836,296 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

H04Q 2213/13097   Numbering, addressing

H04Q 2213/13141   Hunting for free outlet, ci...

H04Q 2213/13164   Traffic (registration, meas...

H04Q 2213/13166   Fault prevention

H04Q 2213/13196   Connection circuit/link/tru...

H04Q 2213/13204   Protocols

H04Q 2213/13339   Ciphering, encryption, secu...

H04Q 2213/13372   Intercepting operator

H04Q 2213/13384   Inter-PBX traffic, PBX netw...

H04Q 2213/13389   LAN, internet

H04Q 3/62   for connecting to private b...

Method for blocking denial of service and address spoofing attacks on a private network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

129 Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Method for blocking denial of service and address spoofing attacks on a private network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

129 Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links