Method and apparatus for defending against denial on service attacks which employ IP source spoofing

US 20050177717A1
Filed: 02/11/2004
Published: 08/11/2005
Est. Priority Date: 02/11/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method of authenticating indicated IP source addresses comprised in IP data packets to be transmitted through an IP network, the method comprising the steps of:

receiving an IP data packet at an incoming edge of an IP network, the IP data packet comprising an indicated IP source address;

determining whether said IP data packet having been received at said incoming edge of the IP network is consistent with it having originated at said indicated IP source address;

ensuring that a predetermined data field of said IP data packet contains a value representative of whether said IP data packet having been received at said incoming edge of the IP network is consistent with it having originated at said indicated IP source address.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for defending against denial of service (DoS) attacks which employ IP (Internet Protocol) address spoofing. In accordance with an illustrative embodiment of the invention, a carrier offers a “premium” service which comprises marking IP data packets based on whether it has in fact been able to verify the accuracy of the specified IP source address. This marking flag may be implemented with use of a zero/non-zero Type-of-Service (TOS) field value in the IP header, and verification of the source address may be performed with use of a Reverse Path Forwarding (RPF) or other similar such test. The “premium” service is referred to herein as “IP CallerID.”

60 Citations

View as Search Results

30 Claims

1. A method of authenticating indicated IP source addresses comprised in IP data packets to be transmitted through an IP network, the method comprising the steps of:
- receiving an IP data packet at an incoming edge of an IP network, the IP data packet comprising an indicated IP source address;
  
  determining whether said IP data packet having been received at said incoming edge of the IP network is consistent with it having originated at said indicated IP source address;
  
  ensuring that a predetermined data field of said IP data packet contains a value representative of whether said IP data packet having been received at said incoming edge of the IP network is consistent with it having originated at said indicated IP source address.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein the step of determining whether said IP data packet having been received at said incoming edge of the IP network is consistent with it having originated at said indicated IP source address comprises performing a Reverse Path Forwarding test on said IP data packet.
  - 3. The method of claim 1 wherein said predetermined data field of said IP data packet comprises an otherwise unused data field of said IP data packet.
  - 4. The method of claim 1 wherein said predetermined data field of said IP data packet comprises a Type of Service data field.
  - 5. The method of claim 4 wherein said step of ensuring that said predetermined field of said IP data packet contains a value representative of whether said IP data packet having been received at said incoming edge of the IP network is consistent with it having originated at said indicated IP source address comprises ensuring that the Type of Service data field contains a zero value if said IP data packet having been received at said incoming edge of the IP network is not consistent with it having originated at said indicated IP source address, and ensuring that the Type of Service data field contains a non-zero value if said IP data packet having been received at said incoming edge of the IP network is consistent with it having originated at said indicated IP source address.
  - 6. The method of claim 5 wherein said ensuring that the Type of Service field contains a non-zero value if said IP data packet having been received at said incoming edge of the IP network is consistent with it having originated at said indicated IP source address comprises the steps of determining if the Type of Service field already has a non-zero value, and modifying the Type of Service field to have a non-zero value only if it does not already have a non-zero value.
  - 7. The method of claim 1 wherein the step of determining whether said IP data packet having been received at said incoming edge of the IP network is consistent with it having originated at said indicated IP source address comprises determining whether said IP data packet having been received at said incoming edge of the IP network has been received from a peer carrier which has already determined whether said IP data packet having been received at said incoming edge of the IP network is consistent with it having originated at said indicated IP source address, and ensuring that the predetermined data field of said IP data packet contains a value representative of whether said IP data packet having been received at said incoming edge of the IP network was determined by said peer carrier to be consistent with it having originated at said indicated IP source address.

8. A method of processing IP data packets received from an IP network, the IP data packets comprising indicated IP source addresses and one or more of the IP data packets having been marked with indicia of whether the indicated IP source address comprised therein has been authenticated by the IP network, the method comprising the steps of:
- determining whether the indicated IP source address comprised in each one of said one or more of the IP data packets has been authenticated by the IP network; and
  
  processing each one of the one or more of the IP data packets based on whether the indicated IP source address comprised therein has been authenticated by the IP network.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15)
- - 9. The method of claim 8 wherein said indicia of whether the indicated IP source address comprised in said one or more of the IP data packets has been authenticated by the IP network comprises a value contained in a predetermined data field of each of said IP data packets.
  - 10. The method of claim 9 wherein said predetermined data field of each of said IP data packets comprises an otherwise unused data field of said IP data packets.
  - 11. The method of claim 9 wherein said predetermined data field of each of said IP data packets comprises a Type of Service data field.
  - 12. The method of claim 11 wherein said Type of Service data field comprised in each of said one or more IP data packets contains a zero value for each of said one or more IP data packets for which the indicated IP source address comprised therein has not been authenticated by the IP network, and contains a non-zero value for each of said one or more IP data packets for which the indicated IP source address comprised therein has been authenticated by the IP network.
  - 13. The method of claim 8 wherein the step of processing each one of the one or more of the IP data packets based on whether the indicated IP source address comprised therein has been authenticated by the IP network comprises discarding each of said one or more IP data packets for which the indicated IP source address comprised therein has not been authenticated by the IP network.
  - 14. The method of claim 13 further comprising the step of performing a look up of one or more indicated IP source addresses comprised in one or more corresponding IP data packets which have been authenticated by the IP network, and wherein the step of processing each one of the one or more of the IP data packets based on whether the indicated IP source address comprised therein has been authenticated by the IP network further comprises discarding one or more of said IP data packets for which the indicated IP source address comprised therein has been authenticated by the IP network based on said look up of said one or more indicated IP source addresses comprised in one or more corresponding IP data packets which have been authenticated by the IP network.
  - 15. The method of claim 8 wherein the step of processing each one of the one or more of the IP data packets based on whether the indicated IP source address comprised therein has been authenticated by the IP network comprises prioritizing the one or more of the IP data packets based on whether the indicated IP source address comprised therein has been authenticated by the IP network, said IP data packets for which the indicated IP source address comprised therein has been authenticated by the IP network having a higher priority than said IP data packets for which the indicated IP source address comprised therein has not been authenticated by the IP network.

16. A network edge router located at an incoming edge of an IP network, the router adapted to authenticate indicated IP source addresses comprised in IP data packets to be transmitted through the IP network, the router comprising:
- an input port which receives an IP data packet at the incoming edge of the IP network, the IP data packet comprising an indicated IP source address;
  
  means for determining whether said IP data packet having been received at said incoming edge of the ]P network is consistent with it having originated at said indicated IP source address;
  
  means for ensuring that a predetermined data field of said IP data packet contains a value representative of whether said IP data packet having been received at said incoming edge of the IP network is consistent with it having originated at said indicated IP source address.
- View Dependent Claims (17, 18, 19, 20, 21, 22)
- - 17. The router of claim 16 wherein the means for determining whether said IP data packet having been received at said incoming edge of the IP network is consistent with it having originated at said indicated IP source address comprises means for performing a Reverse Path Forwarding test on said IP data packet.
  - 18. The router of claim 16 wherein said predetermined data field of said IP data packet comprises an otherwise unused data field of said IP data packet.
  - 19. The router of claim 16 wherein said predetermined data field of said IP data packet comprises a Type of Service data field.
  - 20. The router of claim 19 wherein said means for ensuring that said predetermined field of said IP data packet contains a value representative of whether said IP data packet having been received at said incoming edge of the IP network is consistent with it having originated at said indicated IP source address comprises means for ensuring that the Type of Service data field contains a zero value if said IP data packet having been received at said incoming edge of the IP network is not consistent with it having originated at said indicated IP source address, and means for ensuring that the Type of Service data field contains a non-zero value if said IP data packet having been received at said incoming edge of the IP network is consistent with it having originated at said indicated IP source address.
  - 21. The router of claim 20 wherein said means for ensuring that the Type of Service field contains a non-zero value if said IP data packet having been received at said incoming edge of the IP network is consistent with it having originated at said indicated IP source address comprises means for determining if the Type of Service field already has a non-zero value, and means for modifying the Type of Service field to have a non-zero value only if it does not already have a non-zero value.
  - 22. The router of claim 16 wherein the means for determining whether said IP data packet having been received at said incoming edge of the IP network is consistent with it having originated at said indicated IP source address comprises means for determining whether said IP data packet having been received at said incoming edge of the IP network has been received from a peer carrier which has already determined whether said IP data packet having been received at said incoming edge of the IP network is consistent with it having originated at said indicated IP source address, and means for ensuring that the predetermined data field of said IP data packet contains a value representative of whether said IP data packet having been received at said incoming edge of the IP network was determined by said peer carrier to be consistent with it having originated at said indicated IP source address.

23. A server adapted to process IP data packets received from an IP network, the IP data packets comprising indicated IP source addresses and one or more of the IP data packets having been marked with indicia of whether the indicated IP source address comprised therein has been authenticated by the IP network, the server comprising:
- means for determining whether the indicated IP source address comprised in each one of said one or more of the IP data packets has been authenticated by the IP network; and
  
  means for processing each one of the one or more of the IP data packets based on whether the indicated IP source address comprised therein has been authenticated by the IP network.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30)
- - 24. The server of claim 23 wherein said indicia of whether the indicated IP source address comprised in said one or more of the IP data packets has been authenticated by the IP network comprises a value contained in a predetermined data field of each of said IP data packets.
  - 25. The server of claim 24 wherein said predetermined data field of each of said IP data packets comprises an otherwise unused data field of said IP data packets.
  - 26. The server of claim 24 wherein said predetermined data field of each of said IP data packets comprises a Type of Service data field.
  - 27. The server of claim 26 wherein said Type of Service data field comprised in each of said one or more IP data packets contains a zero value for each of said one or more IP data packets for which the indicated IP source address comprised therein has not been authenticated by the IP network, and contains a non-zero value for each of said one or more IP data packets for which the indicated IP source address comprised therein has been authenticated by the IP network.
  - 28. The server of claim 23 wherein the means for processing each one of the one or more of the IP data packets based on whether the indicated IP source address comprised therein has been authenticated by the IP network comprises means for discarding each of said one or more IP data packets for which the indicated IP source address comprised therein has not been authenticated by the IP network.
  - 29. The server of claim 28 further comprising means for performing a look up of one or more indicated IP source addresses comprised in one or more corresponding IP data packets which have been authenticated by the IP network, and wherein the means for processing each one of the one or more of the IP data packets based on whether the indicated IP source address comprised therein has been authenticated by the IP network further comprises means for discarding one or more of said IP data packets for which the indicated IP source address comprised therein has been authenticated by the IP network based on said look up of said one or more indicated IP source addresses comprised in one or more corresponding IP data packets which have been authenticated by the IP network.
  - 30. The server of claim 23 wherein the means for processing each one of the one or more of the IP data packets based on whether the indicated IP source address comprised therein has been authenticated by the IP network comprises means for prioritizing the one or more of the IP data packets based on whether the indicated IP source address comprised therein has been authenticated by the IP network, said IP data packets for which the indicated IP source address comprised therein has been authenticated by the IP network having a higher priority than said IP data packets for which the indicated IP source address comprised therein has not been authenticated by the IP network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lucent Technologies, Inc. (Nokia Corporation)
Original Assignee
Lucent Technologies, Inc. (Nokia Corporation)
Inventors
Grosse, Eric Henry

Application Number

US10/776,719
Publication Number

US 20050177717A1
Time in Patent Office

Days
Field of Search
US Class Current

713/160
CPC Class Codes

H04L 63/126   the source of the received ...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

Method and apparatus for defending against denial on service attacks which employ IP source spoofing

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

60 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for defending against denial on service attacks which employ IP source spoofing

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

60 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links