System for finding potential origins of spoofed internet protocol attack traffic

US 20060224886A1
Filed: 04/05/2005
Published: 10/05/2006
Est. Priority Date: 04/05/2005
Status: Abandoned Application

First Claim

Patent Images

1. A system for identifying a set of potential origins of Internet Protocol data packets on a network, said system comprising:

a plurality of cooperating network locations, said cooperating locations providing information as to whether an identified data packet did or did not pass through said location at an identified point in time;

a link signature for each of said identified data packets, said link signature developed from information provided by said cooperating locations comprising a series of first predetermined values for each cooperating location through which said packet did pass and a series of second predetermined values for each cooperating location through which said packet did not pass;

a table of origins, said table comprising identified destination locations, unions of all link signatures matching partial data packet information available for said identified data packet and origin locations consistent with said link signatures; and

whereby, when a system user supplies a destination location and partial data packet information regarding an identified data packet, said system will identify the set of possible origins for said data packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention computes approximate origins of data packets transmitted over the Internet. Law enforcement agencies and network operators can use it to assign responsibility for observed Internet activities. The invention uses a small number of cooperative locations (incoming links on routers or switches) to provide link identification data: whether a packet or did or did not traverse that location. The system uses these cooperative places to generate the link signature of a data packet—which places observed and did not observe the packet. Potential origin locations are divided into blocks that have the same link signatures to given destination locations. The blocks are used to generate reverse routing data, potential source addresses for different link signatures. Variations of the invention store relevant link identification and reverse routing data to find the origins of past packets or to compute the origins of packets from partial information about packets of interest.

38 Citations

View as Search Results

20 Claims

1. A system for identifying a set of potential origins of Internet Protocol data packets on a network, said system comprising:
- a plurality of cooperating network locations, said cooperating locations providing information as to whether an identified data packet did or did not pass through said location at an identified point in time;
  
  a link signature for each of said identified data packets, said link signature developed from information provided by said cooperating locations comprising a series of first predetermined values for each cooperating location through which said packet did pass and a series of second predetermined values for each cooperating location through which said packet did not pass;
  
  a table of origins, said table comprising identified destination locations, unions of all link signatures matching partial data packet information available for said identified data packet and origin locations consistent with said link signatures; and
  
  whereby, when a system user supplies a destination location and partial data packet information regarding an identified data packet, said system will identify the set of possible origins for said data packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system for identifying a set of potential origins of Internet Protocol data packets on a network, as described in claim 1, further comprising:
    - a system for dividing locations into blocks, where such blocks comprise locations that have identical link signatures for routing a packet to any location from another identified block at said identified point in time;
      
      a reverse routing table, said table comprising link signatures identifying at least one valid routing between selected locations in each destination/source pair of blocks in said network for said identified point in time; and
      
      whereby, when said locations in said network are divided into said blocks, the set of possible origins of identified packets may be more easily determined for very large networks.
  - 3. The system for identifying a set of potential origins of Internet Protocol data packets on a network, as described in claim 2, wherein said table of origins comprises blocks having identified destination locations within them, unions of all link signatures matching partial data packet information available for said identified data packet and origin locations consistent with said link signatures in said reverse routing table.
  - 4. The system for identifying a set of potential origins of Internet Protocol data packets on a network, as described in claim 1, wherein said cooperating network locations comprise incoming links to routers or switches on said network.
  - 5. The system for identifying a set of potential origins of Internet Protocol data packets on a network, as described in claim 1, wherein said first predetermined values are either of “
    - 1” and
      
      “
      
      true” and
      
      said second predetermined values are either of “
      
      0” and
      
      “
      
      false.”
  - 6. The system for identifying a set of potential origins of Internet Protocol data packets on a network, as described in claim 1, wherein said link signature for each identified data packet is gathered and maintained over a period of time, thereby permitting historical inquiries of said system.
  - 7. The system for identifying a set of potential origins of Internet Protocol data packets on a network, as described in claim 2, wherein said link signatures identifying all possible valid routings between a selected cooperating location in each destination/source pair of blocks in said network for said reverse routing table are gathered using a system comprising:
    - an identified destination location in each block;
      
      an identified responding source location in each block;
      
      a probe packet sent to responding locations in each of said source blocks causing said source blocks to send an identifiable response packet to each of said destination locations in said destination blocks;
      
      a link signature for each destination/source pair of locations derived from information returned by said identifiable response to said probe packet;
      
      an assignment of each of said derived link signatures as link signatures indicating valid routing to all destination locations within said block from all potential source locations within any other block; and
      
      whereby, the link signature derived from said identifiable response to said probe packet is recognized as being one of those that could be observed for packets forwarded from said given source block to said given destination block at a given point in time.
  - 8. The system for identifying a set of potential origins of Internet Protocol data packets on a network, as described in claim 2, wherein said link signatures in said reverse routing table are gathered and maintained over a period of time, thereby permitting historical inquiries of said table.
  - 9. The system for identifying a set of potential origins of Internet Protocol data packets on a network, as described in claim 2, wherein definitions of said blocks are updated as new link signature information related to locations within said blocks is received, thereby maintaining said blocks as groups of locations having identical link signatures for routing a packet to an identified location at said identified point in time.
  - 10. The system for identifying a set of potential origins of Internet Protocol attack traffic data packets on a network, as described in claim 1, further comprising tools for collecting and storing information at cooperating locations related to data packets passing through said cooperating locations over identified periods of time, said information comprising at least link signature and routing information related to said packets, thereby providing further means for identifying potential origins for data packets based upon partial packet information.

11. A method for identifying a set of potential origins of Internet Protocol data packets on a network, said method comprising the steps of:
- identifying a plurality of cooperating network locations, said cooperating locations providing information as to whether an identified data packet did or did not pass through said cooperating location at an identified point in time;
  
  creating a link signature for each of said identified data packets, said link signature developed from information provided by said cooperating locations comprising a series of first predetermined values for each cooperating location through which said packet did pass and a series of second predetermined values for each cooperating location through which said packet did not pass;
  
  developing a table of origins, said table comprising identified destination locations, unions of all link signatures matching partial data packet information available for said identified data packets and origin locations consistent with said link signatures; and
  
  whereby, when a system user supplies a destination location and partial data packet information regarding an identified data packet, said system will identify the set of possible origins for said data packet.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method for identifying a set of potential origins of Internet Protocol data packets on a network, as described in claim 11, comprising the further steps of:
    - dividing locations into blocks, where such blocks comprise locations that have identical link signatures for routing a packet to any location from another identified block at said identified point in time;
      
      creating a reverse routing table, said table comprising link signatures identifying at least one valid routing between selected locations in each destination/source pair of blocks in said network for said identified point in time; and
      
      whereby, when said locations in said network are divided into said blocks, the set of possible origins of identified packets may be more easily determined for very large networks.
  - 13. The method for identifying a set of potential origins of Internet Protocol data packets on a network, as described in claim 12, comprising the further step of:
    - developing a table of origins wherein said table of origins comprises blocks having identified destination locations within them, unions of all link signatures matching partial data packet information available for said identified data packet and origin locations consistent with said link signatures in said reverse routing table.
  - 14. The method for identifying a set of potential origins of Internet Protocol data packets on a network, as described in claim 11, wherein said cooperating network locations comprise incoming links to routers or switches on said network.
  - 15. The method for identifying a set of potential origins of Internet Protocol data packets on a network, as described in claim 11, wherein said first predetermined values are either of “
    - 1” and
      
      “
      
      true” and
      
      said second predetermined values are either of “
      
      0” and
      
      “
      
      false.”
  - 16. The method for identifying a set of potential origins of Internet Protocol data packets on a network, as described in claim 11, comprising the further step of gathering and maintaining said link signature for each identified data packet over a period of time, thereby permitting historical inquiries of said system.
  - 17. The method for identifying a set of potential origins of Internet Protocol data packets on a network, as described in claim 12, wherein said method of developing link signatures identifying all possible valid routings between a selected cooperating location in each destination/source pair of blocks in said network for said reverse routing table comprises the further steps of:
    - identifying a destination location in each block;
      
      identifying a responding source location in each block;
      
      sending a probe packet to responding locations in each of said source blocks causing said source blocks to send an identifiable response packet to each of said destination locations in said destination blocks;
      
      creating a link signature for each for each destination/source pair of locations derived from information returned by said identifiable response to said probe packet;
      
      making an assignment of each said derived link signatures as link signatures indicating valid routing for all destination locations within said block to all potential source locations within any other block; and
      
      whereby, the link signature derived from said identifiable response to said probe packet is recognized as being one of those that could be observed for packets forwarded from said given source block to said given destination block at a given point in time.
  - 18. The method for identifying a set of potential origins of Internet data packets on a network, as described in claim 12, comprising the further steps of gathering and maintaining said link signatures in said reverse routing table over a period of time, thereby permitting historical inquiries of said table.
  - 19. The method for identifying a set of potential origins of Internet Protocol data packets on a network, as described in claim 12, comprising the further step of updating definitions of said blocks as new link signature information related to cooperating locations within said blocks is received, thereby maintaining said blocks as groups of locations having identical link signatures for routing a packet to an identified location at said identified point in time.
  - 20. The method for identifying a set of potential origins of Internet Protocol data packets on a network, as described in claim 11, comprising the further step of collecting and storing information at cooperating locations related to data packets passing through said cooperating locations over identified periods of time, said information comprising at least link signature and routing information related to said packets, thereby providing further means for identifying potential origins for data packets based upon partial packet information.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Computing Services Support Solutions, INC
Original Assignee
Computing Services Support Solutions, INC
Inventors
Narayanaswamy, Krishnamurthy, Cohen, Donald N.

Application Number

US11/099,181
Publication Number

US 20060224886A1
Time in Patent Office

Days
Field of Search
US Class Current

713/154
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/1408   by monitoring network traff...

H04L 63/1441   Countermeasures against mal...

System for finding potential origins of spoofed internet protocol attack traffic

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

38 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

System for finding potential origins of spoofed internet protocol attack traffic

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

38 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others