DETECTION OF ROGUE CLIENT-AGNOSTIC NAT DEVICE TUNNELS
Abstract
Provided are techniques for the prevention of certain types of attacks on computing systems. The current disclosure, which describes one particular type of attack, is directed to the detection and prevention of an attack rather than the mechanics of the particular described attack. The claimed subject matter both detects and prevents an attack without exposing a network to denial-of-service (DoS) attacks by being too restrictive.
25 Claims
1-7. (canceled)

8. An apparatus for providing computer security, comprising:
    a processor;
    a computer readable storage medium (CRSM) coupled to the processor; and
    logic, stored on the CRSM and executed on the processor, for:
        examining a packet to determine whether the packet is an incoming packet or an outgoing packet, wherein the packet corresponds to a source internet protocol (IP) address, a destination IP address and a port number;
        processing an outgoing packet, comprising storing in a table, in conjunction with the source IP address and the port number, an indication that the source IP address represents a potential threat; and
        processing an incoming packet, comprising:
            correlating the destination IP address and port number with the source IP addresses and port numbers, respectively, of entries in the table; and
            if the destination IP address and the port number match a source IP address and port number of an entry in the table, storing, in all entries in the table with a source IP address corresponding to the destination IP address, an indication that the source IP address represents a non-threat; and
            if the destination IP address matches a source IP address and the port number does not correlate to a corresponding port number, storing, in conjunction with all entries in the table with a source IP address corresponding to the destination IP address, an indication that the source IP address represents a threat.

Dependent claims: 9, 10, 11, 12, 13.

14. A computer programming product for providing computer security, comprising:
    a computer readable storage medium (CRSM); and
    logic, stored on the CRSM for execution on a processor, to:
        examine a packet to determine whether the packet is an incoming packet or an outgoing packet, wherein the packet corresponds to a source internet protocol (IP) address, a destination IP address and a port number;
        if the packet is an outgoing packet, store in a table, in conjunction with the source IP address and the port number, an indication that the source IP address represents a potential threat; and
        if the packet is an incoming packet, correlate the destination IP address and port number with the source IP addresses and port numbers, respectively, of entries in the table; and
            if the destination IP address and the port number match a source IP address and port number of an entry in the table, store, in all entries in the table with a source IP address corresponding to the destination IP address, an indication that the source IP address represents a non-threat; and
            if the destination IP address matches a source IP address and the port number does not correlate to a corresponding port number, store, in all entries in the table with a source IP address corresponding to the destination IP address, an indication that the source IP address represents a threat.

Dependent claims: 15, 16, 17, 18, 19.

20. A firewall, comprising:
    a processor;
    a computer readable storage medium (CRSM) coupled to the processor; and
    logic, stored on the CRSM and executed on the processor, for:
        examining a packet to determine whether the packet is an incoming packet or an outgoing packet, wherein the packet corresponds to a source internet protocol (IP) address, a destination IP address and a port number;
        processing an outgoing packet, comprising storing in a table, in conjunction with the source IP address and the port number, an indication that the source IP address represents a potential threat; and
        processing an incoming packet, comprising:
            correlating the destination IP address and port number with the source IP addresses and port numbers, respectively, of entries in the table; and
            if the destination IP address and the port number match a source IP address and port number of an entry in the table, storing, in all entries in the table with a source IP address corresponding to the destination IP address, an indication that the source IP address represents a non-threat; and
            if the destination IP address matches a source IP address and the port number does not correlate to a corresponding port number, storing, in conjunction with all entries in the table with a source IP address corresponding to the destination IP address, an indication that the source IP address represents a threat.

Dependent claims: 21, 22, 23, 24, 25.

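The table logic shared by claims 8, 14 and 20, written out as an added illustration that is not the patent's own implementation. It assumes each packet carries the internal host's port (source port for outgoing, destination port for incoming) and represents the three indications as plain strings; the sample traffic is constructed, not captured.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str  # "out" = leaving the protected network, "in" = arriving
    src_ip: str
    dst_ip: str
    port: int       # port on the internal host's side (assumption of this example)

class RogueTunnelTracker:
    """Table keyed by (internal IP, port), holding the claimed indication string."""
    def __init__(self) -> None:
        self.table: Dict[Tuple[str, int], str] = {}

    def _mark_all(self, ip: str, indication: str) -> None:
        # The claims update every entry whose source IP equals the destination IP.
        for key in self.table:
            if key[0] == ip:
                self.table[key] = indication

    def process(self, pkt: Packet) -> None:
        if pkt.direction == "out":
            # Outgoing traffic is recorded as a potential threat until a reply
            # shows that the flow was initiated from inside.
            self.table[(pkt.src_ip, pkt.port)] = "potential threat"
        elif (pkt.dst_ip, pkt.port) in self.table:
            # Inbound packet matches a flow the host opened itself: benign reply.
            self._mark_all(pkt.dst_ip, "non-threat")
        elif any(ip == pkt.dst_ip for ip, _ in self.table):
            # A host seen talking outbound now receives traffic on a port it never
            # used: the pattern the claims treat as a rogue NAT device or tunnel.
            self._mark_all(pkt.dst_ip, "threat")
        # Inbound packets to hosts with no table entries are not recorded.

def run(packets: Iterable[Packet]) -> Dict[Tuple[str, int], str]:
    """Process a packet sequence and return a copy of the resulting table."""
    tracker = RogueTunnelTracker()
    for pkt in packets:
        tracker.process(pkt)
    return dict(tracker.table)

# Constructed sample traffic (not captured data): a normal client exchange on
# 10.0.0.5 and an unsolicited inbound packet to 10.0.0.7 after it sent outbound.
SAMPLE_PACKETS = [
    Packet("out", "10.0.0.5", "203.0.113.9", 4444),
    Packet("in", "203.0.113.9", "10.0.0.5", 4444),
    Packet("out", "10.0.0.7", "203.0.113.9", 5555),
    Packet("in", "198.51.100.3", "10.0.0.7", 6666),
]
```

Running `run(SAMPLE_PACKETS)` leaves 10.0.0.5 marked "non-threat" and 10.0.0.7 marked "threat"; the abstract's DoS concern is visible here in that only hosts already seen sending outbound can ever be marked, so unsolicited inbound traffic to a quiet host changes nothing.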