Filtering and Policing for Defending Against Denial of Service Attacks on a Network

US 20080134327A1
Filed: 12/01/2006
Published: 06/05/2008
Est. Priority Date: 12/01/2006
Status: Active Grant

First Claim

Patent Images

1. A method of defending attacks on a network, the method comprising:

receiving data packets at a no access list module;

analyzing the data packets using a no access list;

generating a first set of data packets that do not match the no access list;

receiving the first set of data packets at a first access list module;

analyzing the first set of data packets using a first access list;

generating a second set of data packets that do not match the first access list;

receiving the second set of data packets at a second access list module;

analyzing the second set of data packets using a second access list; and

generating a third set of data packets that do not match the second access list.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described are computer-based methods and apparatuses, including computer program products, for filtering and policing for defending against denial of service attacks on a network. A data packet is filtered by a multi-tiered filtering and transmission system. Data packets matching the first tier filter are discarded. Data packets matching the second tier filter are transmitted to an output module based on a criterion. Data packets in the third tier filter are hashed into bins and data packets matching an entry in the bin are transmitted to the output module based on a criterion for the bin. Data packets in the fourth tier transmission system are transmitted to the output module based on a criterion. Data packets that do not meet the criterion for transmission to the output module are transmitted to an attack identification module which analyzes the data packets to identify attacks.

84 Citations

View as Search Results

27 Claims

1. A method of defending attacks on a network, the method comprising:
- receiving data packets at a no access list module;
  
  analyzing the data packets using a no access list;
  
  generating a first set of data packets that do not match the no access list;
  
  receiving the first set of data packets at a first access list module;
  
  analyzing the first set of data packets using a first access list;
  
  generating a second set of data packets that do not match the first access list;
  
  receiving the second set of data packets at a second access list module;
  
  analyzing the second set of data packets using a second access list; and
  
  generating a third set of data packets that do not match the second access list.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, wherein the no access list comprises a list of identifiers indicating which data packets are not allowed to be transmitted to an output module.
  - 3. The method of claim 2, wherein the list of identifiers comprises identifying information associated with an attacker user, a field associated with the data packet, meta-data associated with the data packet, or combinations thereof.
  - 4. The method of claim 1, wherein the first access list comprises a list of identifiers indicating which data packets are allowed to be transmitted to an output module.
  - 5. The method of claim 4, wherein the list of identifiers comprises identifying information associated with a high bandwidth user, identifying information associated with an important user, a field associated with the data packet, meta-data associated with the data packet, or combinations thereof.
  - 6. The method of claim 5, further comprising:
    - receiving, at an admission control module, a request for service;
      
      authenticating the request for service; and
      
      processing the request for service to add, subtract, edit, or combinations thereof the list of identifiers associated with the first access list.
  - 7. The method of claim 1, wherein the second list comprises a list of identifiers indicating which data packets are allowed to be transmitted to an output module.
  - 8. The method of claim 7, wherein the list of identifiers comprises identifying information associated with a low bandwidth user, identifying information associated with a standard user, a field associated with the data packet, meta-data associated with the data packet, or combinations thereof.
  - 9. The method of claim 1 further comprising:
    - generating at the first access list module a fourth set of data packets that match the first access list; and
      
      transmitting the fourth set of data packets to an output module based on a criterion.
  - 10. The method of claim 9, wherein the criterion is rate control.
  - 11. The method of claim 10, wherein the rate control is a rate limit.
  - 12. The method of claim 11, wherein the rate limit is an amount of data over a set time.
  - 13. The method of claim 11, wherein the rate limit is a packet rate limit, a byte rate limit, a steady-state rate limit, a burst limit, or combinations thereof.
  - 14. The method of claim 9 further comprising:
    - generating at the first access list module a sixth set of data packets that comprises data packets from the fourth set of data packets that are not transmitted to the output module;
      
      receiving at an attack identification module the sixth set of data packets; and
      
      analyzing at the attack identification module the sixth set of data packets to identify network attackers.
  - 15. The method of claim 14, wherein the analysis at the attack identification module comprises:
    - calculating number of data packets associated together using identifying information associated with the data packets;
      
      adding the number of data packets to an attack number list; and
      
      sorting the attack number list by number of data packets.
  - 16. The method of claim 14 further comprising:
    - generating at the attack identification module a no access list entry;
      
      receiving at the no access list module the no access list entry; and
      
      adding the no access list entry to the no access list.
  - 17. The method of claim 1 further comprising:
    - generating at the second access list module a fifth set of data packets that match the second access list;
      
      transmitting to an output module the fifth set of data packets based on a criterion;
      
      generating at the second access list module a seventh set of data packets that comprises data packets from the fifth set of data packets that are not transmitted to the output module;
      
      receiving at an attack identification module the seventh set of data packets; and
      
      analyzing at the attack identification module the seventh set of data packets.
  - 18. The method of claim 1 further comprising:
    - receiving the third set of data packets at a transmission module;
      
      generating an eighth set of data packets;
      
      transmitting to an output module the eighth set of data packets based on a criterion;
      
      generating at the transmission module a ninth set of data packets that comprises data packets from the eighth set of data packets that are not transmitted to the output module;
      
      receiving at an attack identification module the ninth set of data packets; and
      
      analyzing at the attack identification module the ninth set of data packets.
  - 19. The method of claim 1 further comprising:
    - generating at the no access list module a tenth set of data packets that match the no access list;
      
      receiving the tenth set of data packets at a discard module; and
      
      discarding the tenth set of data packets at the discard module.
  - 20. The method of claim 1 further comprising:
    - indexing second access list using a field associated with the data packet, meta-data associated with the data packet, a hash thereof, or combinations thereof.
  - 21. The method of claim 1, wherein the second access list comprises an indexed plurality of lists.

22. A computer program product, tangibly embodied in an information carrier, the computer program product including instructions being operable to cause a data processing apparatus to:
- receive data packets at a no access list module;
  
  analyze the data packets using a no access list;
  
  generate a first set of data packets that do not match the no access list;
  
  receive the first set of data packets at a first access list module;
  
  analyze the first set of data packets using a first access list;
  
  generate a second set of data packets that do not match the first access list;
  
  receive the second set of data packets at a second access list module;
  
  analyze the second set of data packets using a second access list; and
  
  generate a third set of data packets that do not match the second access list.

23. A system for defending attacks on a network, the system comprising,a no access list module configured and adapted to receive data packets from an input module and generate a first set of data packets that do not match a no access list;
- a first access list module configured and adapted to receive the first set of data packets from the no access list module and generate a second set of data packets that do not match a first access list; and
  
  a second access list module configured and adapted to receive the second set of data packets from the first access list module and generate a third set of data packets that do not match a second access list.
- View Dependent Claims (24, 25, 26)
- - 24. The system of claim 23 wherein the first access list module generates a fourth set of data packets that match the first access list, transmits the fourth set of data packets to an output module based on a criterion, and generates a sixth set of data packets that comprises data packets from the fourth set of data packets that are not transmitted to the output module;
    - andwherein the second access list module generates a fifth set of data packets that match the second access list, transmits the fifth set of data packets to an output module based on a criterion, and generates a seventh set of data packets that comprises data packets from the fifth set of data packets that are not transmitted to the output module.
  - 25. The system of claim 24, further comprising:
    - an attack identification module configured and adapted to receive the sixth set of data packets from the first access list module, analyze the sixth set of data packets to identify network attackers, receive the seventh set of data packets from the second access list module, and analyze the seventh set of data packets to identify network attackers.
  - 26. The system of claim 23, further comprising:
    - a transmission module configured and adapted to receive the third set of data packets from the second access list module, transmit the third set of data packets to an output module based on a criterion, and transmit a ninth set of data packets that comprises data packets from the third set of data packets that are not transmitted to the output module; and
      
      an attack identification module configured and adapted to receive the ninth set of data packets and analyze the ninth set of data packets to identify network attackers.

27. A system for defending attacks on a network, the system comprising:
- a means for receiving data packets from an input module and generating a first set of data packets that do not match a no access list;
  
  a means for receiving the first set of data packets and generating a second set of data packets that do not match a first access list; and
  
  a means for receiving the second set of data packets and generating a third set of data packets that do not match a second access list.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ribbon Communications Operating Company, Inc. (Ribbon Communications, Inc.)
Original Assignee
Sonus Network
Inventors
Yang, Jian, Bharrat, Shaun Jaikarran, Perreault, John A., Duffy, Mark, Li, Shiping, Grippo, Ronald V.

Granted Patent

US 7,672,336 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

H04L 2463/141 Denial of service attacks a...

H04L 63/1458 Denial of Service

Filtering and Policing for Defending Against Denial of Service Attacks on a Network

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

84 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Filtering and Policing for Defending Against Denial of Service Attacks on a Network

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

84 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links