Thwarting denial of service attacks originating in a DOCSIS-compliant cable network
Abstract
Methods and systems for thwarting denial of service attacks originating in a DOCSIS-compliant cable network (DCN) are described. A DCN comprises one or more sub-networks each comprising an access network, one or more cable modem termination systems (CMTSs) and one or more cable modems (CMs). The DCN also accesses an edge server and a local DNS cache server. The DCN interfaces with the Internet and accesses a remote DNS server according to well-known protocols. The CMTS is adapted to compare the source IP address included in IP packet headers to the IP address of the customer premises equipment (CPE) from which the IP packet originates as assigned by the DNS. Data packets that have spoofed addresses are either deleted or quarantined. Packets reaching the edge server are evaluated by an attack detection system. A packet determined to be part of a denial of service attack is inspected and the source IP address and the destination IP address extracted. A cache controller is instructed to prevent a DNS cache server from responding to a domain name request containing both the extracted source IP address and destination IP address.
13 Claims
1. A method for thwarting a denial of service attack originating from a DOCSIS-compliant cable network (DCN) comprising:
detecting the occurrence of a denial of service attack against a target originating from a customer premises equipment (CPE) connected to the DCN;
capturing a source IP address of the CPE and a domain name of the target; and
directing a DNS cache server to ignore a domain name request from the CPE source IP address that is directed to the target domain name, thereby thwarting the denial of service attack.
3. A method for thwarting a denial of service attack originating from within a DOCSIS-compliant cable network (DCN) comprising:
determining whether a source IP address of a packet originating from a customer premises equipment (CPE) connected to the DCN is authorized;
in the event the packet source IP address is authorized, detecting the occurrence of a denial of service attack against a target originating from the CPE;
capturing the packet source IP address and a domain name of the target; and
directing a DNS cache server to ignore a domain name request from the packet source IP address that is directed to the target domain name, thereby thwarting the denial of service attack.
7. A system for thwarting a denial of service attack originating from within a DOCSIS-compliant cable network (DCN) comprising:
a DNS cache server adapted to respond to a domain name request from a customer premises equipment (CPE) connected to the DCN;
means for identifying a packet used to perpetrate a denial of service attack originating from within the DCN and capturing a packet source IP address and a target site IP address in the attack packet; and
a cache controller connected to the DNS cache server and responsive to the attack detection system and adapted to instruct the DNS cache server to ignore a domain name request packet having the packet source IP address and the target site IP address.
9. A method for limiting domain name service (DNS) request messages originating from a DOCSIS-compliant cable network (DCN) comprising:
receiving a DNS request message directed to a domain name from a customer premises equipment (CPE);
obtaining the source IP address of the CPE from the DNS request message;
calculating a DNS request message transmission rate for DNS request messages directed to the domain name from the source IP address;
comparing the DNS request message transmission rate to a threshold message transmission rate; and
in the event the DNS request message transmission rate exceeds the threshold message transmission rate, taking remedial action.
12. A system for thwarting a denial of service attack originating from within a DOCSIS-compliant cable network (DCN) comprising:
a DNS cache server adapted to respond to domain name requests from a customer premises equipment (CPE) connected to the DCN;
an edge server for receiving an IP packet from the CPE that is destined for delivery to a site connected to the Internet, wherein the site is identified by a domain name associated with a unique IP address;
an attack detection system connected to the edge server and adapted to:
detect the occurrence of a denial of service attack against a target originating from the CPE; and
capture the source IP address of the CPE and a domain name of the target of the denial of service attack;
a cache controller connected to the attack detection system and to the DNS cache server and adapted to:
receive from the attack detection system the source IP address of the CPE and the target domain name; and
direct a DNS cache to ignore a domain name request from the CPE that is directed to the target domain name.
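The claims describe two cooperating controls on the operator's DNS cache: a suppression rule keyed on the (CPE source IP, target domain name) pair that the attack detection system hands to the cache controller (claims 1, 3, 7 and 12), and a per-pair request-rate check against a threshold (claim 9), with claim 3 adding a source-address authorization step up front. The following Python model is an added example, not code from the patent or from any cable operator's equipment. The CPE identifiers, IP addresses, domain names, the 5-requests-per-10-seconds threshold, and the choice to treat "remedial action" as adding the pair to the suppression set are all constructed assumptions for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set, Tuple

# Constructed example data: the IP address the operator assigned to each CPE.
# The abstract has the CMTS compare a packet's source IP against this
# assignment to catch spoofing; the table and IPs are invented for the example.
ASSIGNED_IPS: Dict[str, str] = {
    "cpe-a": "10.0.0.11",
    "cpe-b": "10.0.0.12",
}


def source_is_authorized(cpe_id: str, src_ip: str) -> bool:
    """Claim 3's first step: a packet is authorized only when its source IP is
    the address assigned to the CPE it came from. Anything else is treated as
    spoofed and, per the abstract, dropped or quarantined before inspection."""
    return ASSIGNED_IPS.get(cpe_id) == src_ip


def _key(src_ip: str, domain: str) -> Tuple[str, str]:
    # Normalise the name so "Victim.Example." and "victim.example" match.
    return (src_ip, domain.lower().rstrip("."))


@dataclass
class DnsCacheController:
    """Toy cache controller (claims 7 and 12) with claim 9's rate check.

    Timestamps are passed in by the caller as seconds so the example is
    deterministic; a real controller would read the clock itself.
    """
    threshold_per_window: int   # claim 9's threshold message transmission rate
    window_seconds: float       # sliding window the rate is measured over
    suppressed: Set[Tuple[str, str]] = field(default_factory=set)
    history: Dict[Tuple[str, str], Deque[float]] = field(
        default_factory=lambda: defaultdict(deque))

    def report_attack(self, src_ip: str, target_domain: str) -> None:
        """Entry point for the attack detection system: hand over the captured
        (CPE source IP, target domain) pair; the cache then ignores it."""
        self.suppressed.add(_key(src_ip, target_domain))

    def request_rate(self, src_ip: str, domain: str, now: float) -> int:
        """Claim 9: record this request and count requests from src_ip for
        domain that fall inside the window ending at `now`."""
        q = self.history[_key(src_ip, domain)]
        q.append(now)
        while q and now - q[0] > self.window_seconds:
            q.popleft()
        return len(q)

    def handle_request(self, src_ip: str, domain: str, now: float) -> str:
        """Decide what the cache does with one request.

        Returns "ignore" for a pair the detector has flagged, "rate-limited"
        when the pair has just crossed the threshold, otherwise "answer".
        Adding the pair to the suppression set on a threshold breach is this
        example's reading of claim 9's "taking remedial action" (assumption).
        """
        key = _key(src_ip, domain)
        if key in self.suppressed:
            return "ignore"
        if self.request_rate(src_ip, domain, now) > self.threshold_per_window:
            self.report_attack(src_ip, domain)
            return "rate-limited"
        return "answer"


def run_demo() -> List[str]:
    """Replay a constructed burst: one CPE asks for the same name seven times
    in seven seconds against a threshold of 5 requests per 10 s window."""
    ctl = DnsCacheController(threshold_per_window=5, window_seconds=10.0)
    return [ctl.handle_request("10.0.0.11", "victim.example", float(t))
            for t in range(7)]


if __name__ == "__main__":
    print(run_demo())
    print(source_is_authorized("cpe-a", "10.0.0.12"))
```

Because the suppression key is the (source IP, domain) pair rather than the source IP alone, the same CPE keeps receiving answers for every other name, which is the scoping the claims specify; a blanket block on the CPE would be a different, more disruptive control.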
Specification