Overlay network for tracking denial-of-service floods in unreliable datagram delivery networks
Abstract
An approach for tracking denial-of-service (DoS) flood attacks using an overlay IP (Internet Protocol) network is disclosed. One or more tracking routers form an overlay tracking network over the network of an Internet Service Provider (ISP). The ISP network includes numerous transit routers and edge routers. The tracking routers communicate directly with all the edge routers using IP tunnels. The edge routers within the ISP network perform security diagnostic functions, in part, to identify a DoS flood attack that has been launched by one or more attackers. To track down an attacker, an egress edge router identifies the DoS flood attack datagrams, rerouting these datagrams to the overlay tracking network. The tracking routers perform hop-by-hop input debugging to identify the ingress edge router associated with the source of the DoS flood attack.
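The abstract describes an architecture rather than an algorithm, so the following toy simulation is added here to make the mechanics concrete; it is not code from the patent or from any product. It models edge routers that count datagrams per destination (the "security diagnostic"), an egress edge router that flags a flood and hands the matching datagrams to a tracking router over a pre-established tunnel, and a tracking router that performs hop-by-hop input debugging: at each router it asks which input interface most traffic to the victim arrived on, maps that interface to the upstream neighbour, and repeats until it reaches a router where the traffic entered on a customer-facing interface, i.e. the ingress edge. The topology, interface names, addresses, threshold and the assumption that the tracking router can query transit routers' interface counters are all constructed for the example. Note that the trace never looks at the source address, which is exactly why it still works when the flood is spoofed.

```python
"""Toy model of overlay traceback for a DoS flood (constructed example).
Topology, interface names, addresses and thresholds are assumptions."""
import random
from collections import defaultdict


class Router:
    def __init__(self, name, edge=False):
        self.name, self.edge = name, edge
        self.iface_to_neighbor = {}          # internal (ISP-facing) interfaces only
        self.neighbor_to_iface = {}
        self.ingress = defaultdict(int)      # (iface, dst) -> datagrams seen arriving
        self.dst_counts = defaultdict(int)   # dst -> datagrams seen (diagnostic state)

    def link(self, iface, neighbor):
        self.iface_to_neighbor[iface] = neighbor.name
        self.neighbor_to_iface[neighbor.name] = iface

    def record(self, iface, pkt):
        self.ingress[(iface, pkt["dst"])] += 1
        self.dst_counts[pkt["dst"]] += 1

    def busiest_ingress_iface(self, dst):
        """Input debugging: which interface does most traffic to dst arrive on?"""
        hits = [(n, iface) for (iface, d), n in self.ingress.items() if d == dst]
        return max(hits)[1] if hits else None

    def floods(self, threshold):
        """Edge-router security diagnostic: destinations over the flood threshold."""
        return sorted(d for d, n in self.dst_counts.items() if n > threshold)


class Network:
    def __init__(self):
        self.routers = {}

    def add(self, name, edge=False):
        self.routers[name] = Router(name, edge)
        return self.routers[name]

    def connect(self, a, ia, b, ib):
        self.routers[a].link(ia, self.routers[b])
        self.routers[b].link(ib, self.routers[a])

    def forward(self, path, pkt):
        """Deliver pkt along a fixed path. The ingress edge sees it on a customer-facing
        interface with no internal neighbour; every later hop sees it on an internal link."""
        self.routers[path[0]].record("customer", pkt)
        for prev, cur in zip(path, path[1:]):
            r = self.routers[cur]
            r.record(r.neighbor_to_iface[prev], pkt)


class TrackingRouter:
    def __init__(self, net, edges):
        self.net = net
        self.tunnels = set(edges)  # one IP tunnel per edge router (assumed established)

    def trace(self, egress, dst):
        """Hop-by-hop input debugging from the egress edge back to the ingress edge.
        Returns (path, ingress_edge_name); ingress is None if the trail goes cold.
        The source address of the datagrams is never consulted (it may be spoofed)."""
        if egress not in self.tunnels:
            raise ValueError(f"{egress} is not an edge router on the overlay")
        path, cur = [egress], self.net.routers[egress]
        while True:
            iface = cur.busiest_ingress_iface(dst)
            if iface is None:
                return path, None
            upstream = cur.iface_to_neighbor.get(iface)
            if upstream is None:                 # external interface: cur is the ingress edge
                return path, (cur.name if cur.edge else None)
            if upstream in path:                 # defensive: never loop on a forwarding cycle
                return path, None
            path.append(upstream)
            cur = self.net.routers[upstream]


def run_scenario(threshold=50):
    """Flood from E1 with spoofed sources plus a little legitimate traffic from E3,
    both exiting at E2. Returns (flagged destinations, traced path, ingress edge)."""
    net = Network()
    for name, edge in [("E1", True), ("E2", True), ("E3", True), ("T1", False), ("T2", False)]:
        net.add(name, edge)
    net.connect("E1", "ge0", "T1", "ge0")
    net.connect("E3", "ge0", "T1", "ge1")
    net.connect("T1", "ge2", "T2", "ge0")
    net.connect("T2", "ge1", "E2", "ge0")
    victim = "198.51.100.7"                      # assumed victim address (documentation range)
    rng = random.Random(1)
    for _ in range(200):                         # flood with randomised (spoofed) sources via E1
        src = "203.0.113." + str(rng.randint(1, 254))
        net.forward(["E1", "T1", "T2", "E2"], {"src": src, "dst": victim})
    for _ in range(5):                           # legitimate traffic to the same victim via E3
        net.forward(["E3", "T1", "T2", "E2"], {"src": "192.0.2.10", "dst": victim})
    tracker = TrackingRouter(net, ["E1", "E2", "E3"])
    flagged = net.routers["E2"].floods(threshold)  # egress edge runs the diagnostic
    path, ingress = tracker.trace("E2", flagged[0]) if flagged else ([], None)
    return flagged, path, ingress


if __name__ == "__main__":
    print(run_scenario())
```

At T1 the tracker sees traffic to the victim on two interfaces (200 datagrams from E1, 5 from E3) and follows the busier one; in a real deployment the per-interface counters would be sampled over a window rather than accumulated forever, and a transit router that cannot distinguish the flood from legitimate traffic to the same destination is the point where this kind of traceback loses precision.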
Citations

59 Claims

1-29. (canceled)

30. A method for tracking malicious packets, the method comprising:
establishing a tunnel to each of a plurality of routers to form an overlay network, each of the routers being configured to detect a malicious packet;
receiving the detected malicious packet from one of the routers; and
determining a source of the malicious packet in response to the received detected malicious packet.
Dependent claims 31-37 (not shown).

38. An apparatus for tracking malicious packets, the apparatus comprising:
one or more interfaces configured to establish a tunnel to each of a plurality of routers to form an overlay network, each of the routers being configured to detect a malicious packet, wherein a detected malicious packet is received from one of the routers; and
a processor configured to determine a source of the malicious packet in response to the received detected malicious packet.
Dependent claims 39-45 (not shown).

46. A method for tracking malicious packets, the method comprising:
establishing a tunnel with a tracking router configured to form an overlay network with a plurality of routers;
receiving a packet that originated externally from the overlay network;
determining that the received packet is a malicious packet; and
transmitting the detected malicious packet to the tracking router, wherein the tracking router is further configured to determine a source of the malicious packet in response to the received detected malicious packet.
Dependent claims 47-51 (not shown).

52. An apparatus for tracking malicious packets, the apparatus comprising:
a first communication interface configured to establish a tunnel with a tracking router configured to form an overlay network with a plurality of routers;
a second communication interface configured to receive a packet that originated externally from the overlay network; and
a processor configured to determine that the received packet is a malicious packet, wherein the detected malicious packet is transmitted over the first communication interface to the tracking router, wherein the tracking router is further configured to determine a source of the malicious packet in response to the received detected malicious packet.
Dependent claims 53-57 (not shown).

58. A system for tracking malicious packets, the system comprising:
a first tracking router configured to establish a tunnel to each of a first set of routers; and
a second tracking router configured to establish a tunnel to each of a second set of routers, wherein each of the routers in the first set and the second set is configured to detect a malicious packet, wherein the first tracking router and the second tracking router form an overlay network with the routers to determine one or more sources of the malicious packets.
Dependent claim 59 (not shown).

Specification