System for finding potential origins of spoofed internet protocol attack traffic
Abstract
The invention computes approximate origins of data packets transmitted over the Internet. Law enforcement agencies and network operators can use it to assign responsibility for observed Internet activities. The invention uses a small number of cooperative locations (incoming links on routers or switches) to provide link identification data: whether a packet did or did not traverse that location. The system uses these cooperative places to generate the link signature of a data packet—which places observed and did not observe the packet. Potential origin locations are divided into blocks that have the same link signatures to given destination locations. The blocks are used to generate reverse routing data: potential source addresses for different link signatures. Variations of the invention store relevant link identification and reverse routing data to find the origins of past packets or to compute the origins of packets from partial information about packets of interest.
20 Claims
1. A system for identifying a set of potential origins of Internet Protocol data packets on a network, said system comprising:
a plurality of cooperating network locations, said cooperating locations providing information as to whether an identified data packet did or did not pass through said location at an identified point in time;
a link signature for each of said identified data packets, said link signature developed from information provided by said cooperating locations comprising a series of first predetermined values for each cooperating location through which said packet did pass and a series of second predetermined values for each cooperating location through which said packet did not pass;
a table of origins, said table comprising identified destination locations, unions of all link signatures matching partial data packet information available for said identified data packet and origin locations consistent with said link signatures; and
whereby, when a system user supplies a destination location and partial data packet information regarding an identified data packet, said system will identify the set of possible origins for said data packet.
Dependent claims 2, 3, 4, 5, 6, 7, 8, 9 and 10 depend from claim 1.

11. A method for identifying a set of potential origins of Internet Protocol data packets on a network, said method comprising the steps of:
identifying a plurality of cooperating network locations, said cooperating locations providing information as to whether an identified data packet did or did not pass through said cooperating location at an identified point in time;
creating a link signature for each of said identified data packets, said link signature developed from information provided by said cooperating locations comprising a series of first predetermined values for each cooperating location through which said packet did pass and a series of second predetermined values for each cooperating location through which said packet did not pass;
developing a table of origins, said table comprising identified destination locations, unions of all link signatures matching partial data packet information available for said identified data packets and origin locations consistent with said link signatures; and
whereby, when a system user supplies a destination location and partial data packet information regarding an identified data packet, said system will identify the set of possible origins for said data packet.
Dependent claims 12, 13, 14, 15, 16, 17, 18, 19 and 20 depend from claim 11.
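The abstract and claims 1 and 11 describe one mechanism: a fixed set of cooperating links reports whether a packet crossed them, those reports become a link signature, origins whose routes to a destination yield the same signature form a block, and a query with a destination plus partial packet information returns the union of the blocks for every matching signature. The Python below is an added worked example written for this page, not code from the patent or its assignee. The topology, the origins S1 to S6, the destination D1, link names such as "r3:in1", the choice of cooperating locations and the observation log are all constructed for illustration; the header fields used to identify a packet are an assumption as well.

```python
"""Link-signature traceback as a small executable model (added example, not the
patent's code). Origins S1..S6, destination D1, link names like "r3:in1", the
cooperating set and the observation log are all constructed for illustration."""
from collections import defaultdict

# Static routing: the router input links each origin crosses on its way to D1.
# Only a few of these links are cooperating locations that file reports.
ROUTES = {
    ("S1", "D1"): ["r1:in0", "r3:in1", "r5:in0"],
    ("S2", "D1"): ["r1:in1", "r3:in1", "r5:in0"],
    ("S3", "D1"): ["r2:in0", "r3:in2", "r5:in0"],
    ("S4", "D1"): ["r2:in1", "r3:in2", "r5:in1"],
    ("S5", "D1"): ["r4:in1", "r5:in1"],
    ("S6", "D1"): ["r5:in2"],
}

# Cooperating locations in a fixed order; the order defines the signature positions.
COOPERATING = ("r3:in1", "r3:in2", "r5:in1")
PASSED, NOT_PASSED = 1, 0   # the "first" and "second predetermined values"

# Header fields assumed to identify one packet across reports. The header's
# source address is deliberately absent: under spoofing it is attacker-chosen.
PACKET_ID_FIELDS = ("dst", "proto", "dport", "ip_id")


def link_signature(path, cooperating=COOPERATING):
    """One value per cooperating location: PASSED if it lies on the path."""
    return tuple(PASSED if loc in path else NOT_PASSED for loc in cooperating)


def build_origin_table(routes=ROUTES, cooperating=COOPERATING):
    """Table of origins: destination -> link signature -> block of origins.
    Origins whose routes cross the same cooperating locations share a block and
    cannot be told apart by this monitoring set."""
    table = defaultdict(lambda: defaultdict(set))
    for (origin, dest), path in routes.items():
        table[dest][link_signature(path, cooperating)].add(origin)
    return table


def observed_signatures(observations, dest, partial, window, cooperating=COOPERATING):
    """Signature of every packet whose reports match the partial packet info.
    A location with no report for a packet scores NOT_PASSED, so a location that
    was down looks like one the packet bypassed; check location health first."""
    t0, t1 = window
    seen_at = defaultdict(set)   # packet identity -> locations that reported it
    for obs in observations:
        if obs["dst"] != dest or not (t0 <= obs["time"] <= t1):
            continue
        if any(obs.get(field) != value for field, value in partial.items()):
            continue
        identity = tuple(obs[field] for field in PACKET_ID_FIELDS)
        seen_at[identity].add(obs["location"])
    return {tuple(PASSED if loc in locs else NOT_PASSED for loc in cooperating)
            for locs in seen_at.values()}


def potential_origins(table, observations, dest, partial, window):
    """Union of the origin blocks for every signature matching the partial info.
    A signature with no block (e.g. after a routing change the table does not
    yet reflect) contributes nothing rather than a guess."""
    origins = set()
    for sig in observed_signatures(observations, dest, partial, window):
        origins |= table.get(dest, {}).get(sig, set())
    return origins


# Constructed observation log. Every report carries the same spoofed header
# source, which plays no part in the computation.
OBSERVATIONS = [
    # packet A: seen only at r3:in1 -> signature (1, 0, 0)
    {"location": "r3:in1", "time": 100.2, "dst": "D1", "proto": 17, "dport": 53,
     "ip_id": 0x1A2B, "hdr_src": "198.51.100.7"},
    # packet B: seen at r3:in2 and r5:in1 -> signature (0, 1, 1)
    {"location": "r3:in2", "time": 100.6, "dst": "D1", "proto": 17, "dport": 53,
     "ip_id": 0x3C4D, "hdr_src": "198.51.100.7"},
    {"location": "r5:in1", "time": 100.6, "dst": "D1", "proto": 17, "dport": 53,
     "ip_id": 0x3C4D, "hdr_src": "198.51.100.7"},
    # packet C: seen at r3:in1 and r5:in1 -> (1, 0, 1), produced by no known route
    {"location": "r3:in1", "time": 100.8, "dst": "D1", "proto": 17, "dport": 123,
     "ip_id": 0x5E6F, "hdr_src": "198.51.100.7"},
    {"location": "r5:in1", "time": 100.8, "dst": "D1", "proto": 17, "dport": 123,
     "ip_id": 0x5E6F, "hdr_src": "198.51.100.7"},
]


if __name__ == "__main__":
    table = build_origin_table()
    for sig, block in sorted(table["D1"].items()):
        print("D1", sig, sorted(block))
    # Precise partial info pins one packet down; coarse info unions several blocks.
    print(potential_origins(table, OBSERVATIONS, "D1", {"ip_id": 0x1A2B}, (100, 101)))
    print(potential_origins(table, OBSERVATIONS, "D1", {"dport": 53}, (100, 101)))
```

Querying with only `{"dport": 53}` matches packets A and B, so the answer is the union of the (1, 0, 0) and (0, 1, 1) blocks, {S1, S2, S4}; adding the IP ID narrows it to one block. The resolution of the result is set entirely by how the cooperating locations split the origins into blocks: with three monitored links S1 and S2 are indistinguishable here, and adding a cooperating location on a link that separates them is the only way to improve that.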