DNS based enforcement for confinement and detection of network malicious activities

US 20070033645A1
Filed: 07/22/2005
Published: 02/08/2007
Est. Priority Date: 07/22/2005
Status: Active Grant

First Claim

Patent Images

1. A system for detection and confinement of network malicious activities originating from a local host on a local network to a remote host outside of said local network, comprising:

a local domain name server (DNS) server for receiving from said local host a request for an outbound connection to said remote host, completing a DNS lookup to obtain the IP address of said remote host, and generating a conformity indication; and

a local enforcement unit connected between said local network and the remote host, for blocking establishment of said outbound connection by default, until it receives said conformity indication.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Malicious network activities do not make use of the Domain Name System (DNS) protocol to reach remote targets outside a local network. This DNS-based enforcement system for confinement and detection of network malicious activities requires that every connection toward a resource located outside the local network is blocked by default by the local enforcement box, e.g. a firewall or a proxy. Outbound connections are allowed to leave the local network only when authorized directly by an entity called the DNS Gatekeeper.

Citations

19 Claims

1. A system for detection and confinement of network malicious activities originating from a local host on a local network to a remote host outside of said local network, comprising:
- a local domain name server (DNS) server for receiving from said local host a request for an outbound connection to said remote host, completing a DNS lookup to obtain the IP address of said remote host, and generating a conformity indication; and
  
  a local enforcement unit connected between said local network and the remote host, for blocking establishment of said outbound connection by default, until it receives said conformity indication.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 12)
- - 2. The system of claim 1, further comprising a DNS policy repository with a list with specified exceptions including local hosts that are allowed to access specified remote resources without a DNS lookup.
  - 3. The system of claim 2, wherein said specified exceptions include at least connections carrying peer-to-peer traffic, connections from a local host with an embedded IP address and remote administration tools.
  - 4. The system of claim 2, wherein said local enforcement unit comprises:
    - a controlling unit for blocking said connection until receipt of a connection authorization indication, and for finally rejecting said request in the absence of said connection authorization indication;
      
      a connection monitoring unit for determining if said outbound connection is a legitimate connection, and instructing said control unit to enable said outbound connection in the absence of said connection authorization indication whenever said outbound connection is a legitimate connection; and
      
      a DNS gatekeeper for generating said connection authorization indication based on said conformity indication, and said list of specified exceptions.
  - 5. The system of claim 4, wherein said outbound connection is a legitimate connection if said local host hosts legitimately uses a numeric IP address.
  - 6. The system of claim 4, wherein said outbound connection is a legitimate connection if said local host transmits a web page to a remote server.
  - 7. The system of claim 1, wherein said local enforcement unit comprises:
    - a proxy server for blocking said outbound connection, and unblocking said outbound connection if said outbound connection carries a valid domain name request based on said conformity indication; and
      
      an alarm reporting unit for rising an alarm whenever said request is finally blocked by said controlling unit, wherein said proxy server allows said outbound connection if said domain name is valid.
  - 8. The system of claim 4, wherein said controlling unit controls a standard firewall for protection against non-authorized users, to allow or block said outbound connection.
  - 9. The system of claim 1 further comprising means for logging blocked outbound connections and reporting all local hosts that requested the respective blocked connections.
  - 12. The method of claim 1, further comprising dividing said local network into cells and equipping each cell with a respective local DNS server and an enforcement unit for confining spreading of a malicious activity within a cell.

10. A method for detection and confinement of network malicious activities originating from a local host on a local network to a remote host outside of said local network, comprising the steps of:
- a) generating a conformity indication in response to a DNS lookup performed by said local host into a local domain name system (DNS) server on said local network, with a view to obtain the IP address of said remote host;
  
  b) generating a connection authorization indication using an enforcement unit, based on said conformity indication and a list with specified exceptions including local hosts that are allowed to access specified remote resources without a DNS lookup; and
  
  c) blocking establishment of said outbound connection by default, until receipt of said connection authorization indication.
- View Dependent Claims (11, 13, 14, 15, 16, 17, 18, 19)
- - 11. The method of claim 10, further comprising d) monitoring the connection establishment process for said outbound connection for determining if said outbound connection is a legitimate connection;
    - and e) establishing said outbound connection in the absence of said connection authorization indication whenever said outbound connection is a legitimate connection.
  - 13. The method of claim 10, further comprising finally blocking establishment of said outbound connection in the absence of said connection authorization indication and rising an alarm whenever said request is finally blocked.
  - 14. The method of claim 13 further comprising logging all finally blocked outbound connections and reporting all local hosts that requested the respective blocked connections
  - 15. The system of claim 10, wherein said specified exceptions include at least connections carrying peer-to-peer traffic, remote administration tools and connections form a local host with an embedded IP address.
  - 16. The method of claim 11, wherein said outbound connection is a legitimate connection if said local host transmits a web page to a remote server.
  - 17. The method of claim 16, wherein step d) comprises:
    - d1) identifying an acknowledgement message received by said local host from said remote host after an exchange of SYN messages;
      
      d2) accessing the message in a first payload packet transmitted by said local host after receipt of said acknowledgement message; and
      
      d3) if the message in said first payload packet is a HTTP GET command, flag said connection as a legitimate connection.
  - 18. The method of claim 17, further comprising, sending a TCP RESET message to said remote host for terminating said connection establishment process, if the message in said first payload packet is not a HTTP GET command.
  - 19. The method of claim 17, further comprising d4) monitoring said outbound connection once established to determine if the response to said HTTP GET command indicates that said remote host is web server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Alcatel SA (Nokia Corporation)
Inventors
Jones, Emanuele

Granted Patent

US 7,984,493 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/12
CPC Class Codes

G06F 16/122   using management policies b...

H04L 61/00   Network arrangements, proto...

H04L 63/145   the attack involving the pr...

DNS based enforcement for confinement and detection of network malicious activities

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

DNS based enforcement for confinement and detection of network malicious activities

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links