Filtering and Policing for Defending Against Denial of Service Attacks on a Network
First Claim
1. A method of defending attacks on a network, the method comprising:
receiving data packets at a no access list module;
analyzing the data packets using a no access list;
generating a first set of data packets that do not match the no access list;
receiving the first set of data packets at a first access list module;
analyzing the first set of data packets using a first access list;
generating a second set of data packets that do not match the first access list;
receiving the second set of data packets at a second access list module;
analyzing the second set of data packets using a second access list; and
generating a third set of data packets that do not match the second access list.
Abstract
Described are computer-based methods and apparatuses, including computer program products, for filtering and policing for defending against denial of service attacks on a network. A data packet is filtered by a multi-tiered filtering and transmission system. Data packets matching the first tier filter are discarded. Data packets matching the second tier filter are transmitted to an output module based on a criterion. Data packets in the third tier filter are hashed into bins and data packets matching an entry in the bin are transmitted to the output module based on a criterion for the bin. Data packets in the fourth tier transmission system are transmitted to the output module based on a criterion. Data packets that do not meet the criterion for transmission to the output module are transmitted to an attack identification module which analyzes the data packets to identify attacks.
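The abstract describes a pipeline, not an implementation, so the following is an added worked example of the four tiers as a practitioner might prototype them; it is not code from the patent or its assignee. Two things are assumptions: the "criterion" for transmission is modelled as a per-entry token bucket (the abstract does not say what the criterion is), and the attack identification module is reduced to a per-source tally of packets that failed their criterion. Addresses, list contents and the sample traffic are constructed for the demo.

```python
"""Added example: four-tier filter-and-police pipeline from the abstract.

Tier 1 (no access list): matching packets are discarded.
Tier 2 (ordered access lists): matching packets are policed per list.
Tier 3 (hash bins): the flow key is hashed into a bin; packets matching an
        entry in that bin are policed with the bin's criterion.
Tier 4 (default): everything else is policed with a default criterion.
Packets failing their criterion go to the attack identification module.
The token-bucket criterion and the tally-based attack identifier are assumptions.
"""
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
import hashlib


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

    def flow_key(self):
        return (self.src, self.dst, self.proto, self.dport)


@dataclass
class TokenBucket:
    """Policer: 'rate' tokens per second, capacity 'burst'; one token per packet."""
    rate: float
    burst: float
    tokens: float = field(init=False)
    last: float = field(default=0.0, init=False)

    def __post_init__(self):
        self.tokens = self.burst

    def allow(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class MultiTierFilter:
    def __init__(self, no_access, access_lists, bin_entries, bins=16,
                 bin_rate=1.0, bin_burst=1, default_rate=1.0, default_burst=1):
        self.no_access = [ip_network(n) for n in no_access]                      # tier 1
        self.access_lists = [(ip_network(n), TokenBucket(r, b))
                             for n, r, b in access_lists]                         # tier 2
        self.nbins = bins
        self.bin_buckets = [TokenBucket(bin_rate, bin_burst) for _ in range(bins)]  # tier 3
        self.bin_entries = [set() for _ in range(bins)]
        for key in bin_entries:
            self.bin_entries[self._bin(key)].add(key)
        self.default = TokenBucket(default_rate, default_burst)                   # tier 4
        self.output = []            # output module
        self.attack_id = Counter()  # attack identification module (assumed: tally per source)

    def _bin(self, key):
        digest = hashlib.sha256("|".join(map(str, key)).encode()).digest()
        return int.from_bytes(digest[:4], "big") % self.nbins

    def _police(self, pkt, bucket, tier, now):
        if bucket.allow(now):
            self.output.append(pkt)
            return (tier, "output")
        self.attack_id[pkt.src] += 1
        return (tier, "attack_id")

    def process(self, pkt, now):
        src = ip_address(pkt.src)
        if any(src in net for net in self.no_access):
            return ("no_access", "discard")
        for i, (net, bucket) in enumerate(self.access_lists, 1):
            if src in net:
                return self._police(pkt, bucket, f"access_list_{i}", now)
        key = pkt.flow_key()
        b = self._bin(key)
        if key in self.bin_entries[b]:
            return self._police(pkt, self.bin_buckets[b], f"bin_{b}", now)
        return self._police(pkt, self.default, "default", now)


def run_demo():
    """Constructed sample traffic (documentation address ranges) through the pipeline."""
    f = MultiTierFilter(
        no_access=["203.0.113.0/24"],
        access_lists=[("198.51.100.0/24", 2.0, 2), ("192.0.2.0/24", 1.0, 1)],
        bin_entries=[("10.0.0.5", "10.0.0.1", "udp", 53)],
    )
    traffic = [
        (0.0, Packet("203.0.113.7", "10.0.0.1", "udp", 53)),   # tier 1: discarded
        (0.0, Packet("198.51.100.9", "10.0.0.1", "tcp", 80)),  # tier 2, list 1: burst of 2
        (0.0, Packet("198.51.100.9", "10.0.0.1", "tcp", 80)),
        (0.0, Packet("198.51.100.9", "10.0.0.1", "tcp", 80)),  # exceeds burst
        (0.0, Packet("192.0.2.4", "10.0.0.1", "tcp", 443)),    # tier 2, list 2: burst of 1
        (0.0, Packet("192.0.2.4", "10.0.0.1", "tcp", 443)),
        (0.0, Packet("10.0.0.5", "10.0.0.1", "udp", 53)),      # tier 3: matches a bin entry
        (0.0, Packet("10.0.0.5", "10.0.0.1", "udp", 53)),
        (0.0, Packet("10.0.0.6", "10.0.0.1", "tcp", 80)),      # tier 4: default criterion
        (0.0, Packet("10.0.0.6", "10.0.0.1", "tcp", 80)),
        (1.0, Packet("198.51.100.9", "10.0.0.1", "tcp", 80)),  # one second later: refilled
    ]
    verdicts = [f.process(p, t) for t, p in traffic]
    return verdicts, f.attack_id, len(f.output)


if __name__ == "__main__":
    for v in run_demo()[0]:
        print(v)
```

The ordering matters for the defence: the no access list runs first so known-bad sources never consume policer tokens, and each later tier only sees what the previous one let through, which is exactly the "first set", "second set", "third set" of the claims. Every packet that fails its criterion is accounted for rather than silently dropped, which is what lets the attack identification stage see who is exceeding the limits.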
27 Claims (84 citations)
1. A method of defending attacks on a network (independent claim; set out in full under First Claim above). Claims 2 through 21 depend from claim 1.
22. A computer program product, tangibly embodied in an information carrier, the computer program product including instructions being operable to cause a data processing apparatus to: receive data packets at a no access list module; analyze the data packets using a no access list; generate a first set of data packets that do not match the no access list; receive the first set of data packets at a first access list module; analyze the first set of data packets using a first access list; generate a second set of data packets that do not match the first access list; receive the second set of data packets at a second access list module; analyze the second set of data packets using a second access list; and generate a third set of data packets that do not match the second access list.
23. A system for defending attacks on a network, the system comprising: a no access list module configured and adapted to receive data packets from an input module and generate a first set of data packets that do not match a no access list; a first access list module configured and adapted to receive the first set of data packets from the no access list module and generate a second set of data packets that do not match a first access list; and a second access list module configured and adapted to receive the second set of data packets from the first access list module and generate a third set of data packets that do not match a second access list. Claims 24 through 26 depend from claim 23.
27. A system for defending attacks on a network, the system comprising: a means for receiving data packets from an input module and generating a first set of data packets that do not match a no access list; a means for receiving the first set of data packets and generating a second set of data packets that do not match a first access list; and a means for receiving the second set of data packets and generating a third set of data packets that do not match a second access list.
Specification