Method and apparatus for defending against denial of service attacks which employ IP source spoofing
Abstract
A method and apparatus for defending against denial of service (DoS) attacks which employ IP (Internet Protocol) address spoofing. In accordance with an illustrative embodiment of the invention, a carrier offers a “premium” service which comprises marking IP data packets based on whether it has in fact been able to verify the accuracy of the specified IP source address. This marking flag may be implemented with use of a zero/non-zero Type-of-Service (TOS) field value in the IP header, and verification of the source address may be performed with use of a Reverse Path Forwarding (RPF) or other similar such test. The “premium” service is referred to herein as “IP CallerID.”
30 Claims
1. A method of authenticating indicated IP source addresses comprised in IP data packets to be transmitted through an IP network, the method comprising the steps of:
receiving an IP data packet at an incoming edge of an IP network, the IP data packet comprising an indicated IP source address;
determining whether said IP data packet having been received at said incoming edge of the IP network is consistent with it having originated at said indicated IP source address;
ensuring that a predetermined data field of said IP data packet contains a value representative of whether said IP data packet having been received at said incoming edge of the IP network is consistent with it having originated at said indicated IP source address.
Dependent claims 2, 3, 4, 5, 6 and 7 are not reproduced here.
8. A method of processing IP data packets received from an IP network, the IP data packets comprising indicated IP source addresses and one or more of the IP data packets having been marked with indicia of whether the indicated IP source address comprised therein has been authenticated by the IP network, the method comprising the steps of:
determining whether the indicated IP source address comprised in each one of said one or more of the IP data packets has been authenticated by the IP network; and
processing each one of the one or more of the IP data packets based on whether the indicated IP source address comprised therein has been authenticated by the IP network.
Dependent claims 9, 10, 11, 12, 13, 14 and 15 are not reproduced here.
16. A network edge router located at an incoming edge of an IP network, the router adapted to authenticate indicated IP source addresses comprised in IP data packets to be transmitted through the IP network, the router comprising:
an input port which receives an IP data packet at the incoming edge of the IP network, the IP data packet comprising an indicated IP source address;
means for determining whether said IP data packet having been received at said incoming edge of the IP network is consistent with it having originated at said indicated IP source address;
means for ensuring that a predetermined data field of said IP data packet contains a value representative of whether said IP data packet having been received at said incoming edge of the IP network is consistent with it having originated at said indicated IP source address.
Dependent claims 17, 18, 19, 20, 21 and 22 are not reproduced here.
23. A server adapted to process IP data packets received from an IP network, the IP data packets comprising indicated IP source addresses and one or more of the IP data packets having been marked with indicia of whether the indicated IP source address comprised therein has been authenticated by the IP network, the server comprising:
means for determining whether the indicated IP source address comprised in each one of said one or more of the IP data packets has been authenticated by the IP network; and
means for processing each one of the one or more of the IP data packets based on whether the indicated IP source address comprised therein has been authenticated by the IP network.
Dependent claims 24, 25, 26, 27, 28, 29 and 30 are not reproduced here.
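The following Python simulation is an added illustration of the scheme described in the abstract and in claims 1, 8, 16 and 23; it is not code from the patent or its assignee. It assumes details the page does not fix: the edge router's consistency test is a strict unicast Reverse Path Forwarding check against its own forwarding table, the mark is carried as TOS 0 (source not verified) or TOS 1 (source verified), and the receiving server's policy is to keep verified packets ahead of unverified ones when its input queue is full. The routes, interfaces, addresses and packets are all constructed sample data.

```python
"""Simulation of "IP CallerID": edge-router source marking plus server-side processing.

Added example, not the patent's own code.  Assumed (not stated on the page):
strict RPF against the edge router's forwarding table, TOS 0/1 as the mark
encoding, and a queue-full policy at the server that prefers verified packets.
"""
import ipaddress
from dataclasses import dataclass

TOS_UNVERIFIED = 0  # assumed encoding: zero means the carrier could not verify the source
TOS_VERIFIED = 1    # assumed encoding: any non-zero value means the source passed the test


@dataclass
class IPPacket:
    src: str
    dst: str
    in_iface: str   # interface on which the incoming edge router received the packet
    tos: int = 0    # the "predetermined data field" of claim 1


class EdgeRouter:
    """Incoming edge of the carrier network (claim 1 / claim 16)."""

    def __init__(self, routes):
        # routes: list of (prefix, interface) pairs; longest prefix wins on lookup
        self.routes = [(ipaddress.ip_network(p), i) for p, i in routes]

    def lookup(self, addr):
        """Return the interface the router would use to reach addr (longest-prefix match)."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, iface in self.routes:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, iface)
        return best[1] if best else None

    def source_is_consistent(self, pkt):
        # Strict RPF: the return path to the claimed source must use the arrival interface.
        return self.lookup(pkt.src) == pkt.in_iface

    def mark(self, pkt):
        # Overwrite the field unconditionally, so a value pre-set by the sender never
        # survives the edge; this is what "ensuring" the field contains the result means.
        pkt.tos = TOS_VERIFIED if self.source_is_consistent(pkt) else TOS_UNVERIFIED
        return pkt


class Server:
    """Receiving host (claim 8 / claim 23): processes packets according to the mark."""

    def __init__(self, capacity):
        self.capacity = capacity
        self.queue = []
        self.dropped = []

    def is_authenticated(self, pkt):
        return pkt.tos != TOS_UNVERIFIED

    def receive(self, pkt):
        if len(self.queue) < self.capacity:
            self.queue.append(pkt)
            return
        if not self.is_authenticated(pkt):
            self.dropped.append(pkt)          # full queue: unverified arrivals are shed first
            return
        for i, queued in enumerate(self.queue):
            if not self.is_authenticated(queued):
                self.dropped.append(self.queue.pop(i))   # evict an unverified packet
                self.queue.append(pkt)
                return
        self.dropped.append(pkt)              # queue holds only verified packets


def run_simulation():
    """Constructed scenario: customer A's traffic plus a burst from customer B that
    claims customer A's addresses.  Returns what the server kept and what it dropped."""
    router = EdgeRouter([("10.1.0.0/16", "cust-A"),
                         ("10.2.0.0/16", "cust-B"),
                         ("0.0.0.0/0", "core")])
    packets = [
        IPPacket("10.1.0.5", "203.0.113.10", "cust-A"),
        IPPacket("10.1.0.7", "203.0.113.10", "cust-B", tos=TOS_VERIFIED),  # pre-set mark
        IPPacket("10.1.0.8", "203.0.113.10", "cust-B"),
        IPPacket("10.1.0.9", "203.0.113.10", "cust-B"),
        IPPacket("10.1.0.6", "203.0.113.10", "cust-A"),
    ]
    server = Server(capacity=2)
    for pkt in packets:
        server.receive(router.mark(pkt))
    return {"queued": [(p.src, p.tos) for p in server.queue],
            "dropped": [(p.src, p.tos) for p in server.dropped]}


if __name__ == "__main__":
    print(run_simulation())
```

Two points the simulation makes explicit. First, the mark is only trustworthy if every incoming edge overwrites it; the packet from cust-B that arrives with TOS already set to the "verified" value is reset to 0 because its claimed source does not route back through the interface it arrived on. Second, the server never needs to know anything about the sender: it reads one field and applies a local policy, which is what lets the carrier sell the marking as a service. A production implementation would have to reconcile the marking with the later redefinition of the TOS octet as DSCP/ECN bits (RFC 2474 and RFC 3168) and decide between strict and loose RPF where customer routing is asymmetric.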