Method and apparatus for preventing DOS attacks on trunk interfaces

US 20060282892A1
Filed: 06/14/2005
Published: 12/14/2006
Est. Priority Date: 06/14/2005
Status: Active Grant

First Claim

Patent Images

1. A method of protecting a data network, the method comprising:

identifying a virtual LAN (VLAN) carrying suspect data on a data trunk; and

selectively blocking a VLAN port coupled to the data trunk.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of protecting a data network from denial of service (DOS) attacks is described. The method may use various network tools to selectively block or disable portions of a data trunk experiencing a DOS attack, thereby preventing the DOS attack from reaching at least some resources on the network. In one embodiment, a network switch identifies a virtual LAN (VLAN) carrying suspect data on a data trunk. The network switch then adjusts a spanning tree for the network so that one or more ports on the compromised VLAN are blocked or disabled, while non-compromised VLANs are allowed to continue carrying data. Other approaches are also presented for avoiding the loss of valid data when a network blocks one or more VLANs or other portions of a network in response to a DOS attack or other intrusion.

Citations

30 Claims

1. A method of protecting a data network, the method comprising:
- identifying a virtual LAN (VLAN) carrying suspect data on a data trunk; and
  
  selectively blocking a VLAN port coupled to the data trunk.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, where said selectively blocking the VLAN port comprises leaving unblocked at least one non-compromised VLAN port coupled to the data trunk.
  - 3. The method of claim 1, where said selectively blocking the VLAN port comprises setting a parameter usable for avoiding spanning-tree loops in a data network.
  - 4. The method of claim 1, where said selectively blocking the VLAN port comprises setting a block/unblock parameter for a spanning tree state for the VLAN to a block value for the VLAN carrying the suspect data.
  - 5. The method of claim 1, where said selectively blocking the VLAN port comprises setting a parameter for a spanning tree state for the VLAN to a disable value for the VLAN carrying the suspect data.
  - 6. The method of claim 1, where said selectively blocking the VLAN port comprises imposing a block at an ingress port of the suspect data using hardware localized to the ingress port.
  - 7. The method of claim 1, where said selectively blocking the VLAN port comprises disabling transmission of control packets at an ingress port of the suspect data using hardware localized to the ingress port.
  - 8. The method of claim 1, where said selectively blocking the VLAN port comprises setting an STP state for the VLAN at an ingress port of the suspect data to a block value using hardware localized to the ingress port.
  - 9. The method of claim 1, where said selectively blocking the VLAN port comprises setting an STP state for the VLAN at an ingress port of the suspect data to a disable value using hardware localized to the ingress port.
  - 10. The method of claim 1, where said selectively blocking the VLAN port comprises:
    - examining the suspect data, and if said examining indicates that the suspect data is subject to STP blocking, setting an STP state for the VLAN at an ingress port of the suspect data to a BLOCK value using hardware localized to the ingress port VLAN.
  - 11. The method of claim 1, where said selectively blocking the VLAN port comprises:
    - examining the suspect data, and if said examining indicates that the suspect data is not subject to STP blocking, setting an STP state for the VLAN at an ingress port of the suspect data to a DISABLE value using hardware localized to the ingress port VLAN.
  - 12. The method of claim 1, where the identifying the VLAN carrying the suspect data on the data trunk comprises identifying a denial-of-service attack in the VLAN.
  - 13. The method of claim 1, where said selectively blocking the VLAN port comprises adjusting a per-port and VLAN access control list (PVACL).
  - 14. The method of claim 1, where said selectively blocking the VLAN port comprises using a network policing tool in response to the suspect data.

15. A method comprising:
- constructing a set of virtual local area networks (VLANs) that share a common trunk;
  
  selecting a spanning tree for the set of VLANs;
  
  monitoring the VLANs for suspect data;
  
  identifying a compromised VLAN among the set of VLANs, in response to the monitoring detecting suspect data;
  
  blocking a port on the compromised VLAN; and
  
  leaving unblocked all ports on at least one non-compromised VLAN among the set of VLANs.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, where said blocking the port comprises setting a network-tree parameter for the compromised VLAN to a blocking value.
  - 17. The method of claim 15, where said blocking the port comprises:
    - setting a block STP state on a port of the compromised VLAN if the suspect data is subject to STP blocking; and
      
      setting a disable STP state on a port of the compromised VLAN if the suspect data is not subject to STP blocking.
  - 18. The method of claim 15, further comprising:
    - archiving the suspect data.
  - 19. The method of claim 15, where said monitoring the VLANs for suspect data comprises monitoring the VLANs for a denial-of-service attack.
  - 20. The method of claim 19, where said blocking the port comprises setting a hardware state of an ingress port of the VLAN to block the denial-of-service attack.

21. A data network comprising:
- a network device, where the network device comprises;
  
  a processor, a memory coupled to the processor, and a port coupled to the processor;
  
  a data trunk coupled to the port; and
  
  software residing in the memory and executable on the processor;
  
  where the software is configured to;
  
  support a plurality of virtual local area networks (VLANs) on the data trunk;
  
  identify a VLAN carrying suspect data;
  
  place the port into a blocking state for the VLAN carrying the suspect data; and
  
  maintain the port in a forwarding state for a VLAN not carrying the suspect data.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The data network of claim 21, where the software is configured to set a network-tree parameter for the VLAN to a blocking value to place the port into the blocking state.
  - 23. The data network of claim 21, where the software is configured to set a network-tree parameter for the VLAN to a blocking value to place the port into the blocking state, and where the network-tree parameter is a parameter usable for avoiding spanning-tree loops in the data network.
  - 24. The data network of claim 21, where the port is configured to impose the blocking state such that processor is shielded from the suspect data.
  - 25. The data network of claim 21, where the port is configured to impose the blocking state using hardware local to the port.
  - 26. The data network of claim 21, where the port is configured to impose the blocking state using hardware local to the port such that processor is shielded from the suspect data.
  - 27. The data network of claim 21, where the software is configured to assign a spanning tree protocol value of BLOCK for the VLAN carrying the suspect data to place the port into the blocking state.
  - 28. The data network of claim 21, where the software is configured to assign a spanning tree protocol value of DISABLE for the VLAN carrying the suspect data to place the port into the blocking state.
  - 29. The data network of claim 21, where the software is configured to assign a spanning tree protocol value of BLOCK for the VLAN carrying the suspect data to place the port into the blocking state, if the suspect data comprises data that is not forwarded through a spanning-tree block;
    - and where the software is configured to assign a spanning tree protocol value of DISABLE for the VLAN carrying the suspect data to place the port into the blocking state, if the suspect data comprises data that is forwarded through a spanning-tree block.
  - 30. The data network of claim 21, where the software is configured to recognize a denial-of-service attack as suspect data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Sweeney, Adam J., Shah, Neha M., Narayanan, Sivakumar, Jonnala, Premkumar, Dobrota, Silviu

Granted Patent

US 8,181,240 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 63/0272   Virtual private networks

H04L 63/1458   Denial of Service

Method and apparatus for preventing DOS attacks on trunk interfaces

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for preventing DOS attacks on trunk interfaces

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links