Method and apparatus for preventing DOS attacks on trunk interfaces
Abstract
A method of protecting a data network from denial of service (DOS) attacks is described. The method may use various network tools to selectively block or disable portions of a data trunk experiencing a DOS attack, thereby preventing the DOS attack from reaching at least some resources on the network. In one embodiment, a network switch identifies a virtual LAN (VLAN) carrying suspect data on a data trunk. The network switch then adjusts a spanning tree for the network so that one or more ports on the compromised VLAN are blocked or disabled, while non-compromised VLANs are allowed to continue carrying data. Other approaches are also presented for avoiding the loss of valid data when a network blocks one or more VLANs or other portions of a network in response to a DOS attack or other intrusion.
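As an added illustration (not code from the patent or its assignee), the following Python model shows the mechanism the abstract describes: a trunk port keeps an independent spanning-tree state per VLAN, a simple rate monitor flags a VLAN whose frame count in one window exceeds an assumed threshold, and the port is moved to blocking for that VLAN only while the other VLANs on the same trunk keep forwarding. The threshold, VLAN IDs and frame counts are constructed sample values.

```python
from collections import Counter
from enum import Enum


class PortState(Enum):
    FORWARDING = "forwarding"
    BLOCKING = "blocking"


class TrunkPort:
    """Trunk port with an independent spanning-tree state per VLAN.

    Because the state is tracked per VLAN, a flood on one VLAN can be
    blocked without disturbing the other VLANs sharing the physical trunk.
    """

    def __init__(self, vlans, pps_threshold):
        # Every VLAN starts in the forwarding state on this port.
        self.state = {v: PortState.FORWARDING for v in vlans}
        # Assumed detector: a VLAN is suspect when its frames per window
        # exceed this threshold (a constructed value, not from the patent).
        self.pps_threshold = pps_threshold
        self.counts = Counter()

    def observe(self, tagged_frames):
        """Count frames per 802.1Q VLAN tag over one monitoring window."""
        self.counts = Counter(tagged_frames)

    def suspect_vlans(self):
        """VLANs whose frame count crossed the threshold in the last window."""
        return {v for v, n in self.counts.items() if n > self.pps_threshold}

    def react(self):
        """Block the port only for suspect VLAN(s); leave the rest forwarding."""
        for v in self.suspect_vlans():
            self.state[v] = PortState.BLOCKING
        return {v: s.value for v, s in self.state.items()}

    def forwards(self, vlan):
        """True if this port still forwards traffic for the given VLAN."""
        return self.state.get(vlan) == PortState.FORWARDING


def demo():
    """Constructed sample window: VLAN 10 is flooded, 20 and 30 are normal."""
    port = TrunkPort(vlans=[10, 20, 30], pps_threshold=1000)
    window = [10] * 5000 + [20] * 40 + [30] * 15  # VLAN tags seen in one second
    port.observe(window)
    return port.react()
```

Running `demo()` leaves VLANs 20 and 30 forwarding and blocks only VLAN 10, which is the behaviour claimed for the compromised VLAN versus the non-compromised ones.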
Claims (30)
1. A method of protecting a data network, the method comprising:
- identifying a virtual LAN (VLAN) carrying suspect data on a data trunk; and
- selectively blocking a VLAN port coupled to the data trunk.
(Dependent claims: 2 to 14.)
15. A method comprising:
- constructing a set of virtual local area networks (VLANs) that share a common trunk;
- selecting a spanning tree for the set of VLANs;
- monitoring the VLANs for suspect data;
- identifying a compromised VLAN among the set of VLANs, in response to the monitoring detecting suspect data;
- blocking a port on the compromised VLAN; and
- leaving unblocked all ports on at least one non-compromised VLAN among the set of VLANs.
(Dependent claims: 16 to 20.)
21. A data network comprising:
- a network device, where the network device comprises:
- a processor, a memory coupled to the processor, and a port coupled to the processor;
- a data trunk coupled to the port; and
- software residing in the memory and executable on the processor;
- where the software is configured to:
- support a plurality of virtual local area networks (VLANs) on the data trunk;
- identify a VLAN carrying suspect data;
- place the port into a blocking state for the VLAN carrying the suspect data; and
- maintain the port in a forwarding state for a VLAN not carrying the suspect data.
(Dependent claims: 22 to 30.)
Specification