Network and application attack protection based on application layer message inspection

US 20060123479A1
Filed: 12/07/2004
Published: 06/08/2006
Est. Priority Date: 12/07/2004
Status: Active Grant

First Claim

Patent Images

1. A method of preventing a network and application denial-of-service attack, the method comprising the computer-implemented steps of:

receiving, at a network element, one or more data packets that collectively contain an application layer message;

determining the application layer message, at the network element, from one or more payload portions of the one or more data packets;

determining whether the application layer message satisfies one or more specified criteria; and

if the application layer message satisfies the one or more specified criteria, then preventing the one or more data packets from being received by an application for which the application layer message was intended.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is disclosed for protecting a network against a denial-of-service attack by inspecting application layer messages at a network element. According to one aspect, when a network element intercepts data packets that contain an application layer message, the network element constructs the message from the payload portions of the packets. The network element determines whether the message satisfies specified criteria. The criteria may indicate characteristics of messages that are suspected to be involved in a denial-of-service attack, for example. If the message satisfies the specified criteria, then the network element prevents the data packets that contain the message from being received by the application for which the message was intended. The network element may accomplish this by dropping the packets, for example. As a result, the application'"'"'s host does not waste processing resources on messages whose only purpose might be to deluge and overwhelm the application.

265 Citations

38 Claims

1. A method of preventing a network and application denial-of-service attack, the method comprising the computer-implemented steps of:
- receiving, at a network element, one or more data packets that collectively contain an application layer message;
  
  determining the application layer message, at the network element, from one or more payload portions of the one or more data packets;
  
  determining whether the application layer message satisfies one or more specified criteria; and
  
  if the application layer message satisfies the one or more specified criteria, then preventing the one or more data packets from being received by an application for which the application layer message was intended.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 2. A method as recited in claim 1, wherein receiving the one or more data packets at the network element comprises intercepting the one or more data packets at the network element, and wherein a destination address of the one or more data packets identifies an application that is hosted on a device that is separate from the network element.
  - 3. A method as recited in claim 1, wherein the network element is a network router or switch.
  - 4. A method as recited in claim 1, wherein determining the application layer message from the one or more payload portions of the one or more data packets comprises assembling, at the network element, contents of two or more of the payload portions to determine the application layer message.
  - 5. A method as recited in claim 1, wherein the application layer message is an Extensible Markup Language (XML) document or a non-XML document.
  - 6. A method as recited in claim 1, further comprising the step of:
    - if the application layer message does not satisfy the one or more specified criteria, then sending the one or more data packets to the application.
  - 7. A method as recited in claim 1, further comprising the step of:
    - receiving the one or more specified criteria at the network element after receiving one or more data packets at the network element; and
      
      applying the one or more specified criteria to subsequent data packets that are received at the network element.
  - 8. A method as recited in claim 1, wherein determining the application layer message from the one or more payload portions of the one or more data packets comprises decrypting encrypted contents of the one or more payload portions at the network element.
  - 9. A method as recited in claim 1, wherein determining whether the application layer message satisfies the one or more specified criteria comprises determining whether at least a part of the application layer message is larger than a specified size.
  - 10. A method as recited in claim 1, wherein determining whether the application layer message satisfies the one or more specified criteria comprises determining whether the application layer message fails to conform syntactically and semantically to a specified schema as expected by an application.
  - 11. A method as recited in claim 10, wherein the specified schema is stored at the network element, and wherein the specified schema was obtained from a trusted source.
  - 12. A method as recited in claim 1, wherein determining whether the application layer message satisfies the one or more specified criteria comprises:
    - determining one or more particular criteria that are associated with an Internet Protocol (IP) address that is indicated in one or more IP headers of the one or more data packets; and
      
      determining whether the application layer message satisfies the one or more particular criteria.
  - 13. A method as recited in claim 12, further comprising the steps of:
    - receiving user specified content-matching constraints or criteria at the network element after receiving one or more data packets at the network element, wherein the specified content-matching constraints or criteria specify the IP address and the one or more particular criteria; and
      
      in response to receiving the specified content-matching constraints or criteria, establishing, at the network element, an association between the IP address and the one or more particular criteria.
  - 14. A method as recited in claim 1, wherein determining whether the application layer message satisfies the one or more specified criteria comprises:
    - determining an application layer protocol according to which the application layer message was communicated;
      
      selecting, from among a plurality of firewall mechanisms, a particular firewall mechanism that is mapped to the application layer protocol; and
      
      applying the particular firewall mechanism to the application layer message.
  - 15. A method as recited in claim 1, wherein determining whether the application layer message satisfies the one or more specified criteria comprises:
    - determining a message format to which the application layer message conforms;
      
      selecting, from among a plurality of firewall mechanisms, a particular firewall mechanism that is mapped to the message format; and
      
      applying the particular firewall mechanism to the application layer message.
  - 16. A method as recited in claim 1, wherein the application layer message conforms to an application layer protocol in the one or more payload portions of the one or more data packets.
  - 17. A method as recited in claim 1, wherein determining whether the application layer message satisfies one or more specified criteria comprises determining whether the application layer message contains one or more specified keywords.
  - 18. A method as recited in claim 1, wherein the application layer message comprises a multi-part MIME message, and further comprising handling each part of the multi-part MIME message separately and independently from each other part of the multi-part MIME message.
  - 19. A method as recited in claim 18, further comprising:
    - determining a type of a first part of the multi-part MIME message;
      
      determining a type of a second part of the multi-part MIME message;
      
      inspecting the first part using a first inspection mechanism that is associated with the type of the first part; and
      
      inspecting the second part using a second inspection mechanism that is associated with the type of the second part;
      
      wherein the first inspection mechanism differs from the second inspection mechanism.
  - 20. A method as recited in claim 18, further comprising:
    - decrypting the first part using a first key; and
      
      decrypting the second part using a second key that differs from the first key.
  - 21. A method as recited in claim 18, further comprising allowing the first part to be forwarded out of the network element, and preventing the second part from being forwarded out of the network element.
  - 22. A method as recited in claim 18, wherein the specified criteria are more restrictive than criteria specified at another network element.
  - 23. A method as recited in claim 18, further comprising:
    - configuring a firewall mechanism to prevent data packets that satisfy specified criteria from reaching a mechanism of the network element that configured the firewall mechanism.
  - 24. A method as recited in claim 1, further comprising:
    - re-routing one or more data packets to a different network element if data packets are being received at greater than a specified threshold rate.
  - 25. A method as recited in claim 1, further comprising:
    - performing, at the network element, an operation on a message that is a request message, a response message, an exception processing message, or a message that was not sent between a client application and a server application.
  - 26. A method as recited in claim 1, wherein determining whether the application layer message satisfies the one or more specified criteria comprises determining whether the application layer message is smaller than a specified size.
  - 27. A method as recited in claim 1, further comprising:
    - if the application layer message satisfies the one or more specified criteria, then modifying the format of the content of the application layer message and then sending the application layer message.
  - 28. A method as recited in claim 1, further comprising:
    - if the application layer message satisfies the one or more specified criteria, then performing one or more actions from a set of actions comprising quarantining the application layer message, discarding the application layer message, repairing the application layer message, alerting an entity about the application layer message, and logging the application layer message or one or more parts thereof.
  - 29. A method as recited in claim 1, further comprising:
    - determining whether the application layer message contains embedded processing instructions; and
      
      in response to a determination that the application layer message contains embedded processing instructions, removing the embedded processing instructions from the application layer message prior to sending the application layer message.
  - 30. A method as recited in claim 1, further comprising:
    - determining whether a Universal Resource Identifier (URI) contained in the application layer message is contained in a list of allowed URIs; and
      
      in response to a determination that the URI is not contained in the list of allowed URIs, performing one or more specified actions.
  - 31. A method as recited in claim 1, further comprising:
    - determining whether the application layer message has been tampered with; and
      
      in response to a determination that the application layer message has been tampered with, performing one or more specified actions.

32. A method of preventing a denial-of-service attack at a network router, the method comprising the computer-implemented steps of:
- intercepting, at the network router, two or more data packets that collectively contain an Extensible Markup Language (XML) document, wherein the two or more data packets were originally addressed to an application that is hosted on a device that is separate from the network router;
  
  constructing the XML document, at the network router, from two or more payload portions of the two or more data packets;
  
  determining, at the network router, whether the XML document conforms to a specified schema; and
  
  if the XML document fails to conform to the specified schema, then dropping the two or more data packets such that the application does not receive the two or more data packets.

33. A computer-readable medium carrying one or more sequences of instructions for preventing a network or application denial-of-service attack, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- receiving, at a network element, one or more data packets that collectively contain an application layer message;
  
  determining the application layer message, at the network element, from one or more payload portions of the one or more data packets;
  
  determining whether the application layer message satisfies one or more specified criteria; and
  
  if the application layer message satisfies the one or more specified criteria, then preventing the one or more data packets from being received by an application for which the application layer message was intended.

34. A computer-readable medium carrying one or more sequences of instructions for preventing a denial-of-service attack at a network router, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- intercepting, at the network router, two or more data packets that collectively contain an Extensible Markup Language (XML) document, wherein the two or more data packets were originally addressed to an application that is hosted on a device that is separate from the network router;
  
  constructing the XML document, at the network router, from two or more payload portions of the two or more data packets;
  
  determining, at the network router, whether the XML document conforms to a specified schema; and
  
  if the XML document fails to conform to the specified schema, then dropping the two or more data packets such that the application does not receive the two or more data packets.

35. An apparatus for preventing a denial-of-service attack at a network element, the apparatus comprising:
- means for receiving, at a network element, one or more data packets that collectively contain an application layer message;
  
  means for determining the application layer message, at the network element, from one or more payload portions of the one or more data packets;
  
  means for determining whether the application layer message satisfies one or more specified criteria; and
  
  means for preventing the one or more data packets from being received by an application for which the application layer message was intended if the application layer message satisfies the one or more specified criteria.

36. An apparatus for preventing a denial-of-service attack at a network router, the apparatus comprising:
- means for intercepting, at the network router, two or more data packets that collectively contain an Extensible Markup Language (XML) document, wherein the two or more data packets were originally addressed to an application that is hosted on a device that is separate from the network router;
  
  means for constructing the XML document, at the network router, from two or more payload portions of the two or more data packets;
  
  means for determining, at the network router, whether the XML document conforms to a specified schema; and
  
  means for dropping the two or more data packets if the XML document fails to conform to the specified schema, such that the application does not receive the two or more data packets.

37. An apparatus for preventing a denial-of-service attack at a network element, comprising:
- a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  receiving, at a network element, one or more data packets that collectively contain an application layer message;
  
  determining the application layer message, at the network element, from one or more payload portions of the one or more data packets;
  
  determining whether the application layer message satisfies one or more specified criteria; and
  
  if the application layer message satisfies the one or more specified criteria, then preventing the one or more data packets from being received by an application for which the application layer message was intended.

38. An apparatus for preventing a denial-of-service attack at a network router, the apparatus comprising:
- a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  intercepting, at the network router, two or more data packets that collectively contain an Extensible Markup Language (XML) document, wherein the two or more data packets were originally addressed to an application that is hosted on a device that is separate from the network router;
  
  constructing the XML document, at the network router, from two or more payload portions of the two or more data packets;
  
  determining, at the network router, whether the XML document conforms to a specified schema; and
  
  if the XML document fails to conform to the specified schema, then dropping the two or more data packets such that the application does not receive the two or more data packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Jin, Yi, Kumar, Sandeep, Potti, Sunil, Wiborg, Christopher R.

Granted Patent

US 7,725,934 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 63/0245   Filtering by information in...

H04L 63/123   received data contents, e.g...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

Network and application attack protection based on application layer message inspection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

265 Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Network and application attack protection based on application layer message inspection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

265 Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links