IP time to live (TTL) field used as a covert channel

US 20050058129A1
Filed: 09/17/2003
Published: 03/17/2005
Est. Priority Date: 09/17/2003
Status: Active Grant

First Claim

Patent Images

1. A method of determining, in a communications network, an upstream station, among several other candidates, traversed by a packet arriving at a downstream station, comprising the steps of:

a) marking the TTL field of the packet flow arriving at the upstream station, in a manner that uniquely identifies the upstream station among all the other concurrently marking upstream stations;

b) receiving and identifying at the downstream station a marked packet flow;

c) determining, depending upon the TTL field of the marked packet flow received, that said packet flow traversed the upstream station.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The Time to Live (TTL) field in an IP header is used as a covert channel in a communication system. More particularly the TTL field can be used to selectively mark packets with unique identifiers as they pass through an upstream station on their way to a downstream station. In this way the source of a traffic flow at least within a particular domain can be absolutely identified. This method of performing a traceback operation doesn'"'"'t utilize additional resources as it relies on functionality which already exists in the system.

26 Citations

View as Search Results

18 Claims

1. A method of determining, in a communications network, an upstream station, among several other candidates, traversed by a packet arriving at a downstream station, comprising the steps of:
- a) marking the TTL field of the packet flow arriving at the upstream station, in a manner that uniquely identifies the upstream station among all the other concurrently marking upstream stations;
  
  b) receiving and identifying at the downstream station a marked packet flow;
  
  c) determining, depending upon the TTL field of the marked packet flow received, that said packet flow traversed the upstream station.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method as defined in claim 1 wherein step c) involves comparing the value of the TTL field of packets in a flow to which said packets belong with and without marking being performed, thereby enabling the manner of marking, which identifies the upstream station, to be determined
  - 3. The method as defined in claim 2 wherein packets are marked at each selected station by a single static value assigned by an external entity.
  - 4. The method as defined in claim 2 wherein packets are marked at each selected station by a single dynamic value assigned by an external entity.
  - 5. The method as defined in claim 2 wherein packets are marked at each selected station by plural dynamic values and associated marking scheme assigned by an external entity.
  - 6. The method as defined in claim 5 wherein the application of a value to the TTL field is one of add, subtract and replace.
  - 7. The method as defined in claim 1 wherein the TTL field of the marked packet is identified by looking for a constant shifts in statistical parameters and in the distributed TTL value with marking turned on and turned off.
  - 8. The method as defined in claim 7 wherein step c) involves comparing the value of the TTL field of packets in a flow to which said packets belong with and without marking being performed, thereby enabling the manner of marking, which identifies the upstream station, to be determined.
  - 9. The method as defined in claim 2 wherein for flows with randomized TTL values the marked packet is identified by looking for constant shifts in parameters of statistical distribution of TTL values with marking turned on and turned off.
  - 10. The method as defined in claim 2 wherein each upstream marking station is assigned k values V_i{V₁, V₂, . . . V_k} and k associated ratios R_i{R₁, R₂, . . . R_k}, where the sum of all k ratios R_iis 100%;
    - the marking station marks R_ipercent of the packet flow with a V_ivalue;
      
      thus uniquely identifying its marking.
  - 11. The method as defined in claim 2 wherein the marking station uses N different marking schema independently for N consecutive time windows;
    - thus uniquely identifying its marking.

12. A system for determining, in a communications network, an upstream station, among several other candidates, traversed by a packet arriving at a downstream station, comprising:
- a) means for marking the TTL field of the packet flow arriving at the upstream station, in a manner that uniquely identifies the upstream station among all the other concurrently marking upstream stations;
  
  b) means for receiving and identifying at the downstream station a marked packet flow;
  
  c) means for determining depending upon the TTL field of the marked packet flow received that said packet flow traversed the upstream station.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The system as defined in claim 12 wherein the value of the marked packet is assigned dynamically by an external entity.
  - 14. The system as defined in claim 12 wherein the upstream station to mark packets is selected by the external entity.
  - 15. The system as defined in claim 12 wherein the upstream station to mark packets is selected by a group of network edge stations marking concurrently.
  - 16. The system as defined in claim 12 wherein the upstream station to mark packets is selected by a group of network edge stations marking concurrently with a common primary mark and one selected station of the group using a secondary unique mark, the selection of the station using the secondary mark rotating among stations of the group.
  - 17. The system as defined in claim 12 wherein the downstream station is one of an edge router;
    - a last mile router;
      
      receiving device and a network management system.
  - 18. The system as defined in claim 12 wherein the upstream station, also referred to as marking station, is one of a generic router;
    - a core router;
      
      an edge router;
      
      a single network interface;
      
      a last mile router;
      
      a network appliance such as a proxy, a firewall, a NAT box, a VPN device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Alcatel SA (Nokia Corporation)
Inventors
Robert, Jean-Marc, Le Moigne, Olivier, Jones, Emanuele

Granted Patent

US 7,415,018 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/389
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 2463/146   Tracing the source of attacks

H04L 63/1458   Denial of Service

IP time to live (TTL) field used as a covert channel

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

IP time to live (TTL) field used as a covert channel

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others