IP time to live (TTL) field used as a covert channel
First Claim
1. A method of determining, in a communications network, an upstream station, among several other candidates, traversed by a packet arriving at a downstream station, comprising the steps of:
- a) marking the TTL field of the packet flow arriving at the upstream station, in a manner that uniquely identifies the upstream station among all the other concurrently marking upstream stations;
b) receiving and identifying at the downstream station a marked packet flow;
c) determining, depending upon the TTL field of the marked packet flow received, that said packet flow traversed the upstream station.
12 Assignments
0 Petitions
Accused Products
Abstract
The Time to Live (TTL) field in an IP header is used as a covert channel in a communication system. More particularly the TTL field can be used to selectively mark packets with unique identifiers as they pass through an upstream station on their way to a downstream station. In this way the source of a traffic flow at least within a particular domain can be absolutely identified. This method of performing a traceback operation doesn'"'"'t utilize additional resources as it relies on functionality which already exists in the system.
26 Citations
18 Claims
-
1. A method of determining, in a communications network, an upstream station, among several other candidates, traversed by a packet arriving at a downstream station, comprising the steps of:
-
a) marking the TTL field of the packet flow arriving at the upstream station, in a manner that uniquely identifies the upstream station among all the other concurrently marking upstream stations;
b) receiving and identifying at the downstream station a marked packet flow;
c) determining, depending upon the TTL field of the marked packet flow received, that said packet flow traversed the upstream station. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. A system for determining, in a communications network, an upstream station, among several other candidates, traversed by a packet arriving at a downstream station, comprising:
-
a) means for marking the TTL field of the packet flow arriving at the upstream station, in a manner that uniquely identifies the upstream station among all the other concurrently marking upstream stations;
b) means for receiving and identifying at the downstream station a marked packet flow;
c) means for determining depending upon the TTL field of the marked packet flow received that said packet flow traversed the upstream station. - View Dependent Claims (13, 14, 15, 16, 17, 18)
-
Specification