Bigoted IPv6 Filtering Apparatus

US 20150180831A1
Filed: 12/20/2013
Published: 06/25/2015
Est. Priority Date: 12/20/2013
Status: Abandoned Application

First Claim

Patent Images

1. A system comprising client devices and servers communicatively coupled on a network:

the client devices configured to receive aggregated filter results in a data structure, to receive a request to connect with an Internet Protocol (IP) address, to perform a filter process to determine a plurality of locations within the data structure, and to accept or deny the connection based on the values in said locations within the data structure;

the client devices further configured to determine if the IP address is associated with malicious or undesired content and, if true, to transmit such IP address to a cloud service.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus accesses many locations of a store for information about a specific Internet Protocol address. A filter concentrates and condenses a diffuse population widely dispersed in a ginormous address range into a smaller storage space with controllable error rate. A cloud service acquires, aggregates, and distributes IP address data structure records from and to globally distributed network access devices. A system of filter elements operating in parallel determines a plurality of storage addresses in memory to represent Internet Protocol addresses categorized for security. A method determines a plurality of storage addresses from each Internet Protocol address so characteristics of the IP address can be accessed at the storage addresses.

Citations

20 Claims

1. A system comprising client devices and servers communicatively coupled on a network:
- the client devices configured to receive aggregated filter results in a data structure, to receive a request to connect with an Internet Protocol (IP) address, to perform a filter process to determine a plurality of locations within the data structure, and to accept or deny the connection based on the values in said locations within the data structure;
  
  the client devices further configured to determine if the IP address is associated with malicious or undesired content and, if true, to transmit such IP address to a cloud service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The system of claim 1 further comprising an address gathering server.
  - 3. The system of claim 1 further comprising a filter information storage cloud.
  - 4. The filter information storage cloud of claim 3 enabled to develop and store summarized data by walking across all possible bits for a given netblock and entirely blocking it when the a threshold is met.
  - 5. The system of claim 1 further comprising a filter generation cloud which hasone or more parallel filter servers to receive IP addresses, access a storage architecture, annotate address locations with codes, and globally aggregate subresults.
  - 6. The system of claim 1 further comprising:
    - Administrative workstations to overrule and overwrite determinations such as asserting whiteout for trusted IP addresses.
  - 7. The system of claim 1 further comprising:
    - a front end filter server to provision client devices with aggregated results.
  - 8. The system of claim 1 whereby a determination by a client device that an IPv6 address serving or transmitting malicious content is transmitted to a cloud service, stored into a plurality of locations in a storage architecture, and proliferated to all other client devices communicatively connected.
  - 9. The system of claim 1 whereby a request for an HTTP session to a webserver is denied because the IPv6 address of the resolved domain name is associated with a blacklist.
  - 10. The system of claim 1 whereby connection requests from email servers are denied because the IPv6 host sender is associated with a blacklist.

11. A filter apparatus to determine access addresses for a storage device to record data about an Internet Protocol address, the filter apparatus comprising:
- an input register for reception of an Internet Protocol address;
  
  an output register for emission of a plurality of s-addresses for accessing a non-transitory store;
  
  a C stage filter comprising an array of sequentially coupled filter elements;
  
  wherein each of C stages has b filter elements in parallel;
  
  wherein each filter element of a stage is configured with the same IP address, bitmask and the same Modulus;
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The filter apparatus of claim 11, wherein except for the first of C stages, each filter element receives a succinct suffix from the stage preceeding it.
  - 13. The filter apparatus of claim 11, wherein except for the final stage, each filter element applies the bitmask to the least significant bits of the IP address.
  - 14. The filter apparatus of claim 11, wherein except for the first of C stages transforms the received first succinct suffix and the masked IP address into a generated second succinct suffix.
  - 15. The filter apparatus of claim 11, wherein each filter element of the final stage is coupled to an s-address register into which it stores the result of transforming the received succinct suffix and the masked iP address.
  - 16. The filter apparatus of claim 11, wherein each first filter element transforms the full IP address with the integer value of the bit of the filter it initiates instead of a succinct suffix.

17. A method for operation of a filter element which has a processor and memory, the method comprising:
- receiving a modulus and a bit mask;
  
  receiving an Internet Protocol (IP) address;
  
  applying the bit mask to the least significant bits of the IP address;
  
  receiving a first succinct suffix;
  
  transforming said first succinct suffix,wherein transforming includes performing a hash using the masked IP address, the received first succinct suffix, and the modulus; and
  
  providing the transformed first succinct suffix as a second succinct suffix.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17 wherein the first succinct suffix is an integer representing a bit number.
  - 19. The method of claim 17 wherein the second succinct suffix is a location in a storage device which can be accessed for a read or write operation.
  - 20. The method of claim 19, further comprising at least one of:
    - reading from all the locations in the storage device to determine if the Internet Protocol address has previously been determined to be controlled by a malicious operator, andwriting into all the locations in the storage device to record that the IP address is presently determined to be controlled by a malicious operator.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Barracuda Networks Incorporated
Original Assignee
Barracuda Networks Incorporated
Inventors
Bowers, Jeremy P.

Application Number

US13/902,161
Publication Number

US 20150180831A1
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 63/0236 Filtering by address, proto...

H04L 63/1408 by monitoring network traff...

Bigoted IPv6 Filtering Apparatus

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Bigoted IPv6 Filtering Apparatus

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links