Thwarting denial of service attacks originating in a DOCSIS-compliant cable network

US 20050259645A1
Filed: 05/18/2004
Published: 11/24/2005
Est. Priority Date: 05/18/2004
Status: Active Grant

First Claim

Patent Images

1. A method for thwarting a denial of service attack originating from a DOCSIS-compliant cable network (DCN) comprising:

detecting the occurrence of a denial of service attack against a target originating from a customer premises equipment (CPE) connected to the DNS;

capturing a source IP address of the CPE and a domain name of the target; and

directing a DNS cache server to ignore a domain name request from the CPE source IP address that is directed to the target domain name thereby thwarting the denial of service attack.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for thwarting denial of service attacks originating in a DOCSIS-compliant cable network (DCN) are described. A DCN comprises one or more sub-networks each comprising an access network, one or more cable modem termination systems (CMTSs) and one or more cable modems (CMs). The DCN also accesses an edge server and a local DNS cache server. The DCN interfaces with the Internet and accesses a remote DNS server according to well-known protocols. The CMTS is adapted to compare the source IP address included in IP packet headers to the IP address of the customer premises equipment (CPE) from which the IP packet originates as assigned by the DNS. Data packets that have spoofed addresses are either deleted or quarantined. Packets reaching the edge server are evaluated by an attack detection system. A packet determined to be part of a denial of service attack is inspected and the source IP address and the destination IP address extracted. A cache controller is instructed to prevent a DNS cache server from responding to a domain name request containing both the extracted source IP address and destination IP address.

Citations

13 Claims

1. A method for thwarting a denial of service attack originating from a DOCSIS-compliant cable network (DCN) comprising:
- detecting the occurrence of a denial of service attack against a target originating from a customer premises equipment (CPE) connected to the DNS;
  
  capturing a source IP address of the CPE and a domain name of the target; and
  
  directing a DNS cache server to ignore a domain name request from the CPE source IP address that is directed to the target domain name thereby thwarting the denial of service attack.
- View Dependent Claims (2)
- - 2. The method for thwarting a denial of service attack originating from a DCN of claim 1, wherein detecting the occurrence of a denial of service attack against a target originating from a customer premises equipment (CPE) connected to the DNS comprises evaluating network statistical data to identify anomalies in IP traffic at the edge server that are indicative of a denial of service attack.

3. A method for thwarting a denial of service attack originating from within a DOCSIS-compliant cable network (DCN) comprising:
- determining whether a source IP address of a packet originating from a customer premises equipment (CPE) connected to the DCN is authorized;
  
  in the event the packet source IP address is authorized, detecting the occurrence of a denial of service attack against a target originating from the CPE;
  
  capturing the packet source IP address and a domain name of the target; and
  
  directing a DNS cache server to ignore a domain name request from the packet source IP address that is directed to the target domain name thereby thwarting the denial of service attack.
- View Dependent Claims (4, 5, 6)
- - 4. The method for thwarting a denial of service attack originating from within a DCN of claim 3, wherein determining whether a source IP address of a packet originating from a CPE connected to the DCN is authorized comprises:
    - identifying a cable modem to which the CPE is connected;
      
      associating an assigned CPE IP address with the cable modem to which the CPE is connected;
      
      determining whether the packet source IP address matches the assigned CPE IP address;
      
      and in the event the packet source IP address matches the assigned CPE IP address, determining that the packet source IP is authorized.
  - 5. The method for thwarting a denial of service attack originating from a DCN of claim 3, wherein detecting the occurrence of a denial of service attack against a target originating from a customer premises equipment (CPE) connected to the DNS comprises evaluating network statistical data to identify anomalies in IP traffic at the edge server that are indicative of a denial of service attack.
  - 6. The method for thwarting a denial of service attack originating from within a DCN of claim 3, wherein the method further comprises:
    - in the event the packet source IP address does not match the assigned CPE IP address, determining that the packet source IP address is unauthorized; and
      
      discarding all packets having the unauthorized packet source IP address.

7. A system for thwarting a denial of service attack originating from within a DOCSIS-compliant cable network (DCN) comprising:
- a DNS cache server adapted to respond to a domain name request from a customer premises equipment (CPE) connected to the DCN;
  
  means for identifying a packet used to perpetrate a detecting a denial of service attack originating from within the DCN and capturing a packet source IP address and a target site IP address in the attack packet; and
  
  a cache controller connected to the DNS cache server and responsive to the attack detection system and adapted to instruct the DNS cache server to ignore a domain name request packet having the packet source IP address and the target site IP address.
- View Dependent Claims (8)
- - 8. The system of claim 7 further comprising:
    - means to identify a cable modem to which the CPE is connected;
      
      means for associating an assigned CPE IP address with the cable modem to which the CPE is connected;
      
      means to determine whether the source IP address of a packet originating from the CPE matches the assigned CPE IP address; and
      
      means to discard a packet in the event the packet source IP address does not match the assigned CPE IP address.

9. A method for limiting domain name service (DNS) request messages originating from a DOCSIS-compliant cable network (DCN) comprising:
- receiving a DNS request message directed to a domain name from a customer premises equipment (CPE);
  
  obtaining the source IP address of the CPE from the DNS request message;
  
  calculating a DNS request message transmission rate for DNS request messages directed to the domain name from the source IP address;
  
  comparing the DNS request message transmission rate to a threshold message transmission rate; and
  
  in the event the DNS request message transmission rate exceeds a threshold message transmission rate, taking remedial action.
- View Dependent Claims (10, 11)
- - 10. The method for limiting DNS request messages originating from a DCN as in claim 9, wherein calculating a message transmission rate for the source IP address comprises:
    - time-stamping a first DNS request message and a last DNS request message directed to the domain name from the source IP address;
      
      counting the DNS request messages received from the source IP inclusive of the first DNS request message directed to the domain name and the last DNS request message directed to the domain name;
      
      determining an elapsed time segment between the first and last DNS request messages by computing the difference between the time-stamp of the last DNS request message and the first DNS request message; and
      
      calculating a message transmission rate for the source IP address by dividing the DNS request message count by the elapsed time segment.
  - 11. The method for limiting DNS request messages originating from a DCN as in claim 9, wherein calculating a DNS request message transmission rate for the source IP address comprises:
    - counting the DNS request messages directed to the domain name received from the source IP address during a clock interval; and
      
      setting the message transmission rate to the message count.

12. A system for thwarting a denial of service attack originating from within a DOCSIS-compliant cable network (DCN) comprising:
- a DNS cache server adapted to respond to domain name requests from a customer premises equipment (CPE) connected to the DCN;
  
  an edge server for receiving an IP packet from the CPE that is destined for delivery to a site connected to the Internet, wherein the site is identified by a domain name associated with a unique IP address;
  
  an attack detection system connected to the edge server and adapted to;
  
  detect the occurrence of a denial of service attack against a target originating from the CPE; and
  
  capture the source IP address of the CPE and a domain name of the target of the denial of service attack;
  
  a cache controller connected to the attack detection system and to the DNS cache server and adapted to;
  
  receive from the attack detection system the source IP address of the CPE and the target domain name; and
  
  direct a DNS cache to ignore a domain name request from the CPE that is directed to the target domain name.
- View Dependent Claims (13)
- - 13. The system of claim 12, wherein the customer premises equipment is a general-purpose computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Time Warner Cable Enterprises LLC (Charter Communications Incorporated)
Original Assignee
Time Warner Cable Inc. (Charter Communications Incorporated)
Inventors
Gould, Kenneth, Chen, John Anthony

Granted Patent

US 7,372,809 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/389
CPC Class Codes

H04L 61/35   involving non-standard use ...

H04L 61/4511   using domain name system [DNS]

H04L 61/58   Caching of addresses or names

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

H04L 67/63   Routing a service request d...

H04N 21/25816   involving client authentica...

H04N 21/42676   for modulating an analogue ...

H04N 21/42684   Client identification by a ...

H04N 21/6118   involving cable transmissio...

H04N 21/64322   IP

H04N 7/173   with two-way working, e.g. ...

Thwarting denial of service attacks originating in a DOCSIS-compliant cable network

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Thwarting denial of service attacks originating in a DOCSIS-compliant cable network

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links