METHOD FOR MITIGATING DENIAL OF SERVICE ATTACKS AGAINST A HOME AGAINST

US 20090307485A1
Filed: 11/14/2007
Published: 12/10/2009
Est. Priority Date: 11/24/2006
Status: Abandoned Application

First Claim

Patent Images

1-40. -40. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention relates to a method for mitigating the effects of a DoS attack against a home agent supporting mobility for a plurality of mobile nodes. Furthermore the invention also relates to a home agent, a mobile node and a communication system implementing the method for mitigating the effects of a DoS attack against a home agent supporting mobility for a plurality of mobile nodes. To consider the problem of DoS attacks in the design of a mechanism for improving communication systems enabling mobility of mobile nodes, the invention proposes to configure a plurality of addresses at which the home agent is reachable in a communications network and to assign to each of the mobile nodes at least one of the plurality of home agent addresses. If a denial of service attack is detected by the home agent, the home agent de-configures the home agent address to which data packets of the denial of service attack are destined.

Citations

66 Claims

1-40. -40. (canceled)

41. A method for mitigating effects of a denial of service attack against a home agent supporting mobility for a plurality of mobile nodes, the method comprising:
- configuring at the home agent a plurality of home agent addresses at which the home agent is reachable in a communications network,assigning to each of the mobile nodes at least one of the plurality of home agent addresses, andif a denial of service attack is detected by the home agent, de-configuring by the home agent the home agent address to which data packets of the denial of service attack are destined.
- View Dependent Claims (42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58)
- - 42. The method according to claim 41, farther comprising monitoring at the home agent the receiving rate of packets received at the home agent for each of the configured home agent addresses and detecting at the home agent a denial of service attack based on the monitored receiving rates
  - 43. The method according to claim 42, further comprising identifying a home agent address for which the receiving rate of data packets destined to the home agent address is above a threshold level, and de-configuring the identified home agent address by the home agent.
  - 44. The method according to claim 41, further comprising advertising by the home agent a link layer address of the home agent for the de-configured home agent address, wherein the advertised link layer address is different from the home agent'"'"'s link layer address.
  - 45. The method according to claim 41, wherein the home agent address assigned to at least one mobile node is masked in the header of packets exchanged between the at least one mobile node and the home agent.
  - 46. The method according to claim 45, wherein the home agent address is masked by including a pseudo home agent address being a network layer address transparent to higher protocol layers and to mobility-related security functions.
  - 47. The method according to claim 45, wherein the pseudo home agent address is generated using a keyed hash function, and the method further comprises configuring the home agent with the pseudo home agent address generated using the keyed hash function.
  - 48. The method according to claim 41, wherein one of the mobile nodes and the home agent generate a pseudo home agent address or a home agent address using a keyed hash function based on a key used for securing the exchange of data packets between the home agent and the one of the mobile nodes.
  - 49. The method according to claim 41, further comprising changing a pseudo home agent address or home agent address periodically in a session between one of the mobile nodes and the home agent.
  - 50. The method according to claim 41, wherein plural ones of the mobile nodes are assigned the same home agent address, and the method further comprises assigning a new different home agent address to a respective mobile node of said plural mobile nodes upon de-configuring the home agent address assigned to said respective mobile node.
  - 51. The method according to claim 41, further comprising maintaining at the home agent a record of denial of service attacks, the record indicating a respective attacked home agent address and a list of mobile nodes that have been assigned the respective attacked home agent address.
  - 52. The method according to claim 51, further comprising detecting an attack on a mobile node based on the maintained record and stopping the provision of mobility services for the attacked mobile node.
  - 53. The method according to claim 41, wherein each mobile node is uniquely identified by its assigned home agent address and the method further comprises:
    - generating at the home agent a home agent address for a mobile node in response to receiving an anycast or multicast request sent by a mobile node for setting up a security association between the home agent and the requesting mobile node or for discovering a home agent address, andresponding to the anycast or multicast request using the generated home agent address.
  - 54. The method according to claim 53, further comprising configuring an interface of the home agent with the generated home agent address for the mobile node upon generation of the home agent address.
  - 55. The method according to claim 53, further comprising making a seed value of the home agent publicly available and generating a home agent address for a mobile node based on the seed value and a key used for securing the exchange of data packets between the home agent and mobile node.
  - 56. The method according to claim 55, wherein the seed value is an address that is made public by binding the address to a domain name of the home agent in DNS.
  - 57. The method according to claim 55, wherein the mobile node and the home agent both generate the same home agent address based on the seed value and the key.
  - 58. The method according to claim 55, further comprising configuring an interface of the home agent with the generated home agent address.

59. A home agent for mitigating the effects of a denial of service attack, wherein the home agent supports mobility a plurality of mobile nodes, the home agent comprising:
- a processing unit that configures a plurality of addresses at which the home agent is reachable in a communications network, and for assigning to each of the mobile nodes at least one of the plurality of home agent addresses,wherein the processing unit further de-configures the home agent address to which data packets of the denial of service attack are destined, if a denial of service attack is detected by the home agent.

60. A mobile node for use in a communication system supporting mobility, the mobile node comprising:
- a processing unit that generates a pseudo home agent address or a home agent address of the home agent to be included in the header of packets to be exchanged between a mobile node and the home agent, anda communication unit that exchanges packets with the home agent using the generated pseudo home agent address or the home agent address respectively.
- View Dependent Claims (61, 62, 63, 64)
- - 61. The mobile node according to claim 60, wherein the processing unit generates the pseudo home agent address respectively the home agent address using a keyed hash function based on a key used for securing the exchange of data packets between the home agent and the mobile node.
  - 62. The mobile node according to claim 60, wherein the communication unit transmits an anycast or multicast request for setting up a security association between the home agent and the requesting mobile node or for discovering a home agent address to the home agent and to receive in response to the anycast or multicast request including a home agent address generated in response to the anycast or multicast request by the home agent.
  - 63. The mobile node according to claim 60, wherein the communication unit obtains a seed value of the home agent and the processing unit generates a home agent address for a mobile node based on the seed value and a key used for securing the exchange of data packets between the home agent and the mobile node.
  - 64. The mobile node according to claim 62, wherein the mobile node and the home agent both generate the same home agent address based on the seed value and the key.

65. A computer-readable medium storing instructions that, when executed by a processor of a home agent, cause the home agent to mitigate the effects of a denial of service attack, wherein the home agent supports mobility of a plurality of mobile nodes, by:
- configuring a plurality of addresses at which the home agent is reachable in a communications network,assigning to each of the mobile nodes at least one of the plurality of home agent addresses, andde-configuring the home agent address to which data packets of the denial of service attack are destined, if a denial of service attack is detected by the home agent.

66. A computer-readable medium storing instructions that, when executed by a processor of a mobile node, cause the mobile node to:
- generate a pseudo home agent address or a home agent address of the home agent to be included in the header of packets to be exchanged between a mobile node and the home agent, andexchange packets with the home agent using the generated pseudo home agent address or the home agent address respectively.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Panasonic Corporation (Panasonic Holdings Corporation)
Original Assignee
Panasonic Corporation (Panasonic Holdings Corporation)
Inventors
Hakenbert, Rolf, Weniger, Kilian, Bachmann, Jens

Application Number

US12/514,999
Publication Number

US 20090307485A1
Time in Patent Office

Days
Field of Search
US Class Current

713/153
CPC Class Codes

H04L 43/0894   Packet rate

H04L 63/1458   Denial of Service

H04W 12/126   Anti-theft arrangements, e....

H04W 12/128   Anti-malware arrangements, ...

H04W 8/04   Registration at HLR or HSS ...

H04W 8/26   Network addressing or numbe...

H04W 80/04   Network layer protocols, e....

METHOD FOR MITIGATING DENIAL OF SERVICE ATTACKS AGAINST A HOME AGAINST

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

66 Claims

Specification

Solutions

Use Cases

Quick Links

METHOD FOR MITIGATING DENIAL OF SERVICE ATTACKS AGAINST A HOME AGAINST

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

66 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links