Device for protection against illegal communications and network system thereof

US 20070201474A1
Filed: 01/25/2007
Published: 08/30/2007
Est. Priority Date: 02/28/2006
Status: Active Grant

First Claim

Patent Images

1. A communication device connected to a network, for receiving packets sent over network, and transmitting packets based on the packet destination, comprising:

a control unit; and

a storage unit containing at least one routing table for storing information concerning the packet destination;

wherein, when the received packet is a request for connecting to the packet destination, the control unit stores in the routing table a transmit source address of the packet associated with an identified line where the packet was received, andwhen the received packet is not a connection request, the control unit checks the routing table, acquires a line associated with a destination address matching the destination address of the packet, and sends the packet via the acquired line.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A communication device, an illegal communication protection device, and network system for providing protection from illegal communications. A communication device is connected to a network, for receiving packets sent and received over networks, and transmitting packets based on the packet destination, includes a control unit, and a storage unit for storing a routing table that stores the destination information. When there is a connection request from a packet that was received, the control unit stores the transmit source address of that packet and the line number where that packet was received, into a routing table, and where there is no connection request from the received packet, the control unit refers to the routing table, acquires the line number linked to an address matching the destination address of that packet, and sends the applicable packet via the acquired line number.

144 Citations

10 Claims

1. A communication device connected to a network, for receiving packets sent over network, and transmitting packets based on the packet destination, comprising:
- a control unit; and
  
  a storage unit containing at least one routing table for storing information concerning the packet destination;
  
  wherein, when the received packet is a request for connecting to the packet destination, the control unit stores in the routing table a transmit source address of the packet associated with an identified line where the packet was received, andwhen the received packet is not a connection request, the control unit checks the routing table, acquires a line associated with a destination address matching the destination address of the packet, and sends the packet via the acquired line.
- View Dependent Claims (2, 3)
- - 2. A communication device according to claim 1, wherein the control unit includes:
    - a type detector unit for identifying a type of protocol of the packet, andan attachment information detector unit for identifying a type of flag attached to the packet, and whereinwhen the type detector unit identifies the protocol of the received packet as a TCP protocol, and the attachment information detector unit identifies the flag attached to the packet as SYN, then the control unit stores in the routing table the transmit source address of the packet associated with the line where the packet was received, andwhen the type detector unit identifies the protocol of the received packet as a TCP protocol, and the attachment information detector unit identifies the flag attached to the packet as other than SYN, the control unit checks the routing table, acquires a line associated with a destination address matching the destination address of the packet, and sends the packet via the acquired line.
  - 3. A communication device according to claim 2, wherein the storage unit includes:
    - a first routing table for TCP protocol, anda second routing table for protocols other than TCP, and whereinwhen the packet is sent, the storage unit stores routing type register information that contains information for setting whether to use either the first routing table or the second routing table; and
      
      whereinthe control unit contains a routing discriminator unit for checking the routing type register information, and deciding the routing table used to transfer the received packet, and whereinwhen the routing discriminator unit decides that the routing table used in transferring the received packet is the first routing table, and the attachment information detector unit identifies the flag attached to the packet as SYN, then the control unit stores in the routing table the transmit source address of the packet associated with the line where the packet was received, andwhen the routing discriminator unit identifies the routing table used for transferring the received packet as the first routing table, and the attachment information detector unit identifies the flag attached to the packet as not SYN, then the control unit acquires the line associated with the destination address matching the destination address of the packet from the first routing table, and sends the packet via the acquired line, andwhen the routing discriminator unit identifies the routing table used for the received packet as the second routing table, or the protocol of the received packet is not TCP protocol, then the control unit acquires the line linking the destination address of the packet with the matching packet address from the second routing table, and sends the packet via the acquired line.

4. An illegal communication protection device connected to a network for receiving packets exchanged over the networks, transmitting ones of the packets based on the packet destination, and restricting the transmission of the packet when the packet is illegal, including:
- a control unit; and
  
  a storage unit, whereinthe storage unit contains;
  
  a connection request source IP address of the packet, a connection request destination IP address of the packet, and a session information for recording an arrival time that the packet arrived associated with a limit time showing a period to limit rewriting of information relating to the packet, andwhen the difference between current time and the arrival time recorded in the session information has exceeded the limit time recorded in the session table, the control unit permits the rewriting of information relating to the packet.
- View Dependent Claims (5, 6, 7, 8)
- - 5. An illegal communication protection device according to claim 4, wherein the limit time is changed based on at least one selected from the group consisting of the connection request source IP address of the packet, the connection request destination IP address of the packet, and the difference between the current time and the arrival time recorded in the session information.
  - 6. An illegal communication protection device according to claim 4, wherein,when a first packet sent from the connection request source IP address to the connection request destination IP address is received whose protocol is a TCP protocol, and whose flag attached to the first packet is SYN, the control unit respectively changes the connection request source IP address of the first packet to the connection request destination IP address, and changes the connection request destination IP address of the first packet to the connection request source IP address;
    - and changes the flag to SYN-ACK, and generates a second packet attached with a transmit sequence number generated from a random value, and sends the second packet to the connection request source IP address, andwhen a third packet sent from the connection request source IP address to the connection request destination IP address is received whose protocol is a TCP protocol, and whose attached flag is ACK, and whose attached receive sequence number is a value where a 1 is added to the transmit sequence number, then the control unit decides that communication between the connection request destination IP address and the connection request source IP address is legal, and changes the third packet flag to SYN, and subtracts a 1 from the transmit sequence number, and generates a fourth packet with a 0 in the receive sequence number, and sends the fourth packet to the connection request destination IP address, andwhen a fifth packet sent from the connection request destination IP address to the connection request source IP address is received whose protocol is a TCP protocol, and whose attached flag is SYN-ACK, then the control unit respectively changes the connection request source IP address of the fifth packet to the connection request destination IP address, and changes the connection request destination IP address of the fifth packet to the connection request source IP address;
      
      changes the flag to ACK, respectively changes the transmit sequence number to the receive sequence number, and the receive sequence number to the transmit sequence number, and also generates a sixth packet with a 1 added to the receive sequence number, and by sending the sixth packet to the connection request destination IP address, allows communication between the connection request destination IP address and the connection request source IP address.
  - 7. An illegal communication protection device according to claim 6, wherein the limit time recorded in the session table is changed when the third packet or the fifth packet is received.
  - 8. An illegal communication protection device according to claim 6, wherein,the control unit allows sending and receiving packets between the connection request source IP address and the connection request destination IP address after deciding to pass the packet, andwhen a seventh packet sent from the connection request source IP address to the connection request destination IP address is received, a TCP checksum is recalculated after subtracting a difference between the transmit sequence numbers attached to the fifth packet and the transmit sequence number attached to the second packet, from the receive sequence number attached to the seventh packet, andwhen an eighth packet sent from the connection request destination IP address to the connection request source IP address is received, the TCP checksum is recalculated after adding a difference between the transmit sequence number of the second packet and the transmit sequence number of the fifth packet, to the transmit sequence number of the eighth packet, andbefore making a packet pass decision, the packets sent and received between the connection request source IP address and the connection request destination IP address are discarded, or are accumulated in a buffer.

9. A network system connected to one or multiple communication devices for receiving packets sent and received along a network, and for sending packets based on the destination address of the packet, and which isconnected to a single or multiple illegal communication protection devices for receiving packets sent and received along a network, sending packets based on the destination address of the packet, and restricting transmission of a packet when that packet is illegal, comprising:
- a first control unit;
  
  a first storage unit for storing a routing table containing information on the destination of the packet;
  
  whereinwhen the received packet is a connection request, the first control unit associates a packet transmit source address with a received line for the packet and stores it in the routing table, andwhen the received packet is not a connection request, the first control unit checks the routing table, acquires a line associating the destination address of the packet with the matching destination address, and sends the packet via the acquired line;
  
  the illegal communication protection device including a second control unit, and a second storage unit;
  
  whereinthe second storage unit includes a connection request source IP address of the packet, a connection request destination IP address of the packet, session information for recording an arrival time that the packet arrived associated with a limit time showing a period to limit rewriting of information relating to the packet, andthe second control unit permits rewriting of the packet when the difference between the arrival time recorded in the session table and current time has exceeded the limit time.

10. A secure router, comprising:
- at least two input lines;
  
  at least two output lines;
  
  a sequence generator; and
  
  at least one state table;
  
  wherein the secure router routes legal communications, via the two input lines and the two output lines, between at least one user, and at least one of a host and a second router;
  
  wherein legal communications comprise those communications that are properly incremented and sent or received on a proper one of the two output or two input lines without ever having bypassed the secure router, starting from a random initialization by the sequence generator, and that are in a legal state for no more than an allowable time limit in accordance with the at least one state table.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Isobe, Takashi

Granted Patent

US 8,175,096 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/392
CPC Class Codes

H04L 63/1458   Denial of Service

H04L 69/16   Implementation or adaptatio...

H04L 69/163   In-band adaptation of TCP d...

Device for protection against illegal communications and network system thereof

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

144 Citations

10 Claims

Specification

Use Cases

Quick Links

Others

Device for protection against illegal communications and network system thereof

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

144 Citations

10 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others