System and method for identifying the source of a denial-of-service attack

US 20050278779A1
Filed: 05/25/2004
Published: 12/15/2005
Est. Priority Date: 05/25/2004
Status: Abandoned Application

First Claim

Patent Images

1. A method for identifying a source of a Denial-of-Service (DoS) attack, comprising:

retrieving flow information about packets collected at different points in a network; and

analyzing the flow information to reconstruct a path taken by a packet associated with the DoS attack to identify the source of the DoS attack.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for identifying the source of a denial-of-service attack is described. In one implementation, flow information about packets transmitted through a network is collected at different points in the network. The flow level information is analyzed to reconstruct a path taken by a packet associated with a DoS attack to identify the source of such an attack.

50 Citations

View as Search Results

22 Claims

1. A method for identifying a source of a Denial-of-Service (DoS) attack, comprising:
- retrieving flow information about packets collected at different points in a network; and
  
  analyzing the flow information to reconstruct a path taken by a packet associated with the DoS attack to identify the source of the DoS attack.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method as recited in claim 1, wherein the flow information includes traffic flow statistics about packets passing through the network.
  - 3. The method as recited in claim 1, wherein the flow information includes traffic flow statistics about packets passing through the network and wherein the traffic flow statistics comprises flow identifiers associated with packets, each flow identifier comprising at least one of a source Internet Protocol (IP) address, a destination IP address, IP port and IP prototype.
  - 4. The method as recited in claim 1, further comprising recording traffic flow statistics about packets traversing one or more autonomous systems when collecting the flow information at different nodes in the network.
  - 5. The method as recited in claim 1, wherein at least one of the different nodes is an ingress router for an autonomous system.
  - 6. The method as recited in claim 1, wherein a traceback server analyzes the flow information on behalf of a victim.
  - 7. The method as recited in claim 1, wherein analyzing the flow information to reconstruct a path taken by a packet associated with the DoS attack comprises iteratively querying one or more of the different points in the network where flow information is collected starting with a victim node and ending at a point in the network where flow information associated the DoS attack is not observed.

8. A method, comprising:
- maintaining logs comprising flow information about packets flowing through a network at various monitoring points in the network; and
  
  querying one or more of the logs using flow identifiers associated with attack packets of a Denial-of-Service (DoS) attack to identify specific flow-information maintained in one or more of the logs associated with the DoS attack to reconstruct a path taken by the attack packets to identify where the DoS attack emanates.
- View Dependent Claims (9, 10)
- - 9. The method as recited in claim 8, wherein the flow information comprises statistical information about the packets flowing through the network.
  - 10. The method as recited in claim 8, wherein the monitoring points are ingress routers of each Autonomous System (AS).

11. A computer, comprising:
- a memory comprising a set of computer-executable instructions; and
  
  a processor coupled to the memory, wherein the computer-executable instructions when executed by the processor, direct the computer to identify the source of a Denial-of-Service attack in a network, by;
  
  retrieving flow information about packets collected at different points in a network; and
  
  analyzing the flow information to reconstruct a path taken by a packet associated with the DoS attack to identify the source of the DoS attack.
- View Dependent Claims (12, 13)
- - 12. The computer as recited in claim 11, wherein the flow information includes traffic flow statistics about packets passing through the network.
  - 13. The computer as recited in claim 11, wherein the flow information includes traffic flow statistics about packets passing through the network and wherein the traffic flow statistics comprises flow identifiers associated with packets, each flow identifier comprising at least one of a source Internet Protocol (IP) address, a destination IP address, IP port and IP prototype.

14. One or more computer-readable media having stored thereon computer executable instructions that, when executed by a computer, causes the computer to:
- retrieve flow information about packets collected at different points in a network; and
  
  analyze the flow information to reconstruct a path taken by a packet associated with the DoS attack to identify the source of the DoS attack.

15. A system, comprising:
- a victim node;
  
  a traceback server; and
  
  a victim module comprising computer-executable instructions that when executed by the victim node and the traceback server, enable the victim node to notify the traceback sever to initiate the trace back of flows associated with a DoS attack, and enables the traceback server to analyze flow information collected from various points in the network to identify the source of a DoS attack.
- View Dependent Claims (16, 17, 18)
- - 16. The system as recited in claim 15, further comprising a traceback server module comprising computer-executable instructions that when executed by the traceback server enables the traceback server to communicate with other traceback servers, and to search flow tables for flow information associated with DoS attacks.
  - 17. The system as recited in claim 15, further comprising a traceback server module comprising computer-executable instructions that when executed by the traceback server enables the traceback server to communicate with other traceback servers, and to search flow tables for flow information associated with DoS attacks, and each time flow information relevant to a DoS attack is located from a particular flow table, the traceback server module facilitates the transfer of the flow information back to the traceback server.
  - 18. The system as recited in claim 15, further comprising a flow table module comprising computer-executable instructions that when executed by a router enables the router to collect flow information in a network observed by the router, and store the flow information in a flow table, the flow information comprising header information from packets associated with flows.

19. A method for identifying a source of a Denial-of-Service (DoS) attack, comprising:
- constructing a query from an attack packet;
  
  using the query to retrieve flow information about packets collected at different points in a network; and
  
  analyzing the flow information to reconstruct a path taken by the attack packet to identify the source of the DoS attack.
- View Dependent Claims (20, 21, 22)
- - 20. The method as recited in claim 19, further comprising determining whether the attack packet received by the victim is part of a reflector DoS attack.
  - 21. The method as recited in claim 19, wherein constructing a query from an attack packet comprises:
    - determining whether the attack packet received by the victim is part of a reflector DoS attack; and
      
      reversing a flow identifier from the attack packet received by a reflector, wherein the flow identifier comprises a source and destination IP address, if the determination is made that the attack packet received by the victim are part of a reflector DoS attack.
  - 22. The method as recited in claim 19, wherein constructing a query from an attack packet comprises:
    - determining whether the attack packet received by the victim is part of a reflector DoS attack; and
      
      creating the query directly from the attack packet received by a victim by selecting flow identifiers from a header of the attack packet, if the determination is made that the attack packet received by the victim are not part of a reflector DoS attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lucent Technologies, Inc. (Nokia Corporation)
Original Assignee
Lucent Technologies, Inc. (Nokia Corporation)
Inventors
Koppol, Pramod N. V., Nandagopal, Thyagarajan

Application Number

US10/853,591
Publication Number

US 20050278779A1
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

System and method for identifying the source of a denial-of-service attack

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

50 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for identifying the source of a denial-of-service attack

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

50 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links