Protection against reflection distributed denial of service attacks

US 20080168559A1
Filed: 01/04/2007
Published: 07/10/2008
Est. Priority Date: 01/04/2007
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

monitoring outgoing request packets transmitted by a node in a protected network over a link connecting the protected network to an external network;

monitoring incoming response packets that originate in the external network and are destined for transmission to the node;

responsively to monitoring the outgoing request packets and the incoming response packets, identifying one or more of the incoming response packets that were not solicited by any of the outgoing request packets;

determining a characteristic that differentiates between the identified incoming response packets and the incoming response packets that were solicited by the outgoing request packets; and

instructing a guard device in the external network to inhibit the transmission over the link of subsequent unsolicited response packets based on the characteristic.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method includes monitoring outgoing request packets transmitted by a node in a protected network over a link connecting the protected network to an external network. Incoming response packets that originate in the external network and are destined for transmission to the node are also monitored. One or more of the incoming response packets that were not solicited by any of the outgoing request packets are identified responsively to monitoring the outgoing request packets and the incoming response packets.

A characteristic that differentiates between the identified incoming response packets and the incoming response packets that were solicited by the outgoing request packets is determined. A guard device in the external network is instructed to inhibit the transmission over the link of subsequent unsolicited response packets based on the characteristic.

96 Citations

View as Search Results

20 Claims

1. A method comprising:
- monitoring outgoing request packets transmitted by a node in a protected network over a link connecting the protected network to an external network;
  
  monitoring incoming response packets that originate in the external network and are destined for transmission to the node;
  
  responsively to monitoring the outgoing request packets and the incoming response packets, identifying one or more of the incoming response packets that were not solicited by any of the outgoing request packets;
  
  determining a characteristic that differentiates between the identified incoming response packets and the incoming response packets that were solicited by the outgoing request packets; and
  
  instructing a guard device in the external network to inhibit the transmission over the link of subsequent unsolicited response packets based on the characteristic.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, wherein monitoring the outgoing request packets and the incoming response packets comprises monitoring the packets using a detector device in the protected network, and wherein instructing the guard device comprises sending an alert message from the detector device in the protected network to the guard device in the external network.
  - 3. The method according to claim 2, wherein sending the alert message comprises sending the message via a dedicated communication channel.
  - 4. The method according to claim 1, wherein the outgoing request packets comprise Transmission Control Protocol (TCP) SYN request packets, and wherein the incoming response packets comprise TCP SYNACK packets.
  - 5. The method according to claim 1, wherein the outgoing request packets comprise Domain Name Service (DNS) request packets, and wherein the incoming response packets comprise DNS response packets.
  - 6. The method according to claim 1, wherein the outgoing request packets comprise Internet Control Message Protocol (ICMP) echo request packets, and wherein the incoming response packets comprise ICMP echo reply packets.
  - 7. The method according to claim 1, wherein determining the characteristic comprises determining at least one destination parameter selected from a group of parameters consisting of a destination address and a destination port of the identified response packets, and wherein instructing the guard device comprises causing the guard device to inhibit the transmission of subsequent packets comprising the determined at least one destination parameter.
  - 8. The method according to claim 1, wherein determining the characteristic comprises identifying the response packets that were solicited by the outgoing request packets, and wherein instructing the guard device comprises causing the guard device to allow the transmission of subsequent packets associated with the response packets that were solicited by the outgoing request packets, while inhibiting the transmission of the subsequent packets not associated with the response packets that were solicited by the outgoing request packets.
  - 9. The method according to claim 1, wherein determining the characteristic comprises identifying one or more network nodes in the external network sending the response packets that were solicited by the outgoing request packets, and wherein instructing the guard device comprises causing the guard device to allow the transmission of subsequent packets originating from the identified one or more network nodes for a limited time duration.
  - 10. The method according to claim 1, wherein determining the characteristic comprises generating a signature characterizing the response packets that were solicited by the outgoing request packets, and wherein instructing the guard device comprises causing the guard device to inhibit the transmission of subsequent packets that match the signature.

11. An apparatus comprising:
- a network interface, which is arranged to monitor outgoing request packets transmitted by a node in a protected network over a link connecting the protected network to an external network, and to monitor incoming response packets that originate in the external network and are destined for transmission to the node; and
  
  a processor, which is arranged to identify, responsively to monitoring the outgoing request packets and the incoming response packets, one or more of the incoming response packets that were not solicited by any of the outgoing request packets, to determine a characteristic that differentiates between the identified incoming response packets and incoming response packets that were solicited by the outgoing request packets, and to instruct a guard device in the external network to inhibit the transmission over the link of subsequent unsolicited response packets based on the characteristic.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The apparatus according to claim 11, wherein the network interface is connected to the protected network, and wherein the processor is arranged to instruct the guard device by sending an alert message from the protected network to the guard device in the external network.
  - 13. The apparatus according to claim 11, wherein the characteristic comprises at least one destination parameter selected from a group of parameters consisting of a destination address and a destination port of the identified response packets, and wherein the processor is arranged to cause the guard device to inhibit the transmission of subsequent packets comprising the at least one destination parameter.
  - 14. The apparatus according to claim 11, wherein the characteristic comprises an identification of the response packets that were solicited by the outgoing request packets, and wherein the processor is arranged to cause the guard device to allow the transmission of subsequent packets associated with the response packets that were solicited by the outgoing request packets, while inhibiting the transmission of the subsequent packets not associated with the response packets that were solicited by the outgoing request packets.
  - 15. The apparatus according to claim 11, wherein the characteristic comprises an identification of one or more network nodes in the external network sending the response packets that were solicited by the outgoing request packets, and wherein the processor is arranged to cause the guard device to allow the transmission of subsequent packets originating from the identified one or more network nodes for a limited time duration.
  - 16. The apparatus according to claim 11, wherein the processor is arranged to generate a signature characterizing the identified response packets and to provide the signature to the guard device, in order to cause the guard device to inhibit the transmission of subsequent packets that match the signature.

17. A system comprising:
- a detector device, which is arranged to monitor outgoing request packets transmitted by a node in a protected network over a link connecting the protected network to an external network, to monitor incoming response packets that originate in the external network and are destined for transmission to the node, to identify, responsively to monitoring the outgoing request packets and the incoming response packets, one or more of the incoming response packets that were not solicited by any of the outgoing request packets, to determine a characteristic that differentiates between the identified incoming response packets and incoming response packets that were solicited by the outgoing request packets, and to send an alert comprising the characteristic; and
  
  a guard device, which is located in the external network and is arranged to accept the alert from the detector device, and to inhibit the transmission over the link of subsequent unsolicited response packets based on the characteristic.
- View Dependent Claims (18, 19, 20)
- - 18. The system according to claim 17, wherein the detector device is located in the protected network and is arranged to send the alert to the guard device in the external network.
  - 19. The system according to claim 17, wherein the characteristic comprises an identification of one or more network nodes in the external network sending the response packets that were solicited by the outgoing request packets, and wherein the guard device is arranged to allow the transmission of subsequent packets originating from the identified one or more network nodes for a limited time duration.
  - 20. The system according to claim 17, wherein the detector device is arranged to generate a signature characterizing the identified response packets and to provide the signature to the guard device, and wherein the guard device is arranged to inhibit the transmission of subsequent packets that match the signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Tzadikario, Rafi, Lewis, Darrel, Horowitz, Karen, Touitou, Dan

Granted Patent

US 8,156,557 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

H04L 63/0236   Filtering by address, proto...

H04L 63/1458   Denial of Service

H04L 69/16   Implementation or adaptatio...

H04L 69/163   In-band adaptation of TCP d...

Protection against reflection distributed denial of service attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

96 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Protection against reflection distributed denial of service attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

96 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links