Packet flooding defense system
Abstract
The invention prevents "packet flooding", where an attacker uses up all available bandwidth to a victim with useless data. It can also be used to prevent some other related denial of service attacks. The defense is distributed among cooperating sites and routers. The sites identify data they don't want. The routers help sites to determine which routers forward that data. The sites then ask these routers to reduce the rate at which such data is forwarded. Variations of the defense protect against packet flooding attacks on routers and attacks in which an attacker tries to use up some service offered by a site.
3 Claims
1. A packet flooding defense system for a network comprising a plurality of host computers, routers, communication lines and transmitted data packets, said system comprising:
at least one firewall, said firewall comprising:
hardware and software serving to control packet transmission between said network and a host computer connected to an internal network;
means for classifying data packets received at said firewall;
means for associating a maximum acceptable transmission rate with each class of data packet received at said firewall;
means for said firewall to find information for packets it receives regarding the path by which said packets came to said firewall; and
whereby said firewall can use said information to allocate the transmission rate for each class in a desired way.
2. A packet flooding defense system for a network comprising a plurality of host computers, routers, communication lines and transmitted data packets, said system comprising:
at least one firewall, said firewall comprising:
hardware and software serving to control packet transmission between said network and a host computer connected to an internal network;
means for classifying data packets received at said firewall;
means for associating a maximum acceptable transmission rate with each class of data packet received at said firewall;
means for said firewall to determine the rate at which data packets of each class are transmitted from a router to said firewall;
means for said router to receive information regarding maximum acceptable transmission rate for data packets being transmitted to said firewall;
means for said router to control the rate of transmission of data packets from said router to said firewall; and
whereby the rate of data packet transmissions received at said firewall is kept below the maximum acceptable transmission rate for each data packet class by said control of the rate of transmission of data packets from said router, thereby freeing a portion of the network providing data packet transmission to said firewall.

3. (Dependent claim; its preamble is not reproduced on the page.)
said router is capable of receiving information regarding maximum acceptable transmission rate for each class of data packet being transmitted to said firewall; and
said router is capable of controlling the rate of transmission of each class of data packets to said firewall.
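The abstract and claims 1 and 2 describe one control loop: the firewall classifies arriving packets, measures the rate of each class per upstream router (the "path information"), compares it with the maximum acceptable rate for that class, and asks the routers that forward the excess to cap it. The simulation below is an added example written for this page, not the patent's own code or an implementation of any product. Everything in it is constructed: the packet classes, the router names R1 and R2, the per-class caps, the traffic mix, and the max-min fair split of a class's cap among routers (the claims only say the allocation is made "in a desired way"). It also assumes the firewall already knows which router forwarded each packet (`ingress_router`); the page does not say how that information is obtained.

```python
"""Toy model of the distributed rate-limiting scheme on this page (added
example; not the patent's own code).  Router names, classes, caps and the
sample traffic are constructed for illustration."""
from __future__ import annotations

from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: int
    ingress_router: str  # assumed path information: which upstream router forwarded it


def classify(pkt: Packet) -> str:
    """Assign a packet class.  The patent leaves the policy open; these three
    classes are an assumption made for the example."""
    if pkt.proto == "udp":
        return "udp"
    if pkt.proto == "tcp" and pkt.dport in (80, 443):
        return "web"
    return "other"


class Router:
    """Upstream router that honours per-class caps requested by the firewall (claim 2)."""

    def __init__(self, name: str):
        self.name = name
        self.limits: dict[str, float] = {}  # class -> packets per second
        self.dropped = Counter()

    def set_limit(self, cls: str, pps: float) -> None:
        self.limits[cls] = pps

    def forward(self, packets: list[Packet], window_s: float) -> list[Packet]:
        sent, out = Counter(), []
        for p in packets:
            cls = classify(p)
            cap = self.limits.get(cls)
            if cap is not None and sent[cls] >= cap * window_s:
                self.dropped[cls] += 1  # over the requested cap: drop upstream
                continue
            sent[cls] += 1
            out.append(p)
        return out


class Firewall:
    def __init__(self, max_rate_pps: dict[str, float]):
        self.max_rate = dict(max_rate_pps)  # class -> maximum acceptable pps

    def measure(self, packets: list[Packet], window_s: float) -> dict[tuple[str, str], float]:
        """Rate of each class arriving from each upstream router."""
        counts = Counter((p.ingress_router, classify(p)) for p in packets)
        return {key: n / window_s for key, n in counts.items()}

    def pushback(self, rates: dict[tuple[str, str], float]) -> dict[tuple[str, str], float]:
        """For each class over its cap, split the cap among the routers carrying
        that class.  Max-min fair sharing is the allocation policy assumed here:
        small senders keep their full rate, the largest sender absorbs the cut."""
        by_class: dict[str, dict[str, float]] = defaultdict(dict)
        for (router, cls), r in rates.items():
            by_class[cls][router] = r
        requests: dict[tuple[str, str], float] = {}
        for cls, demand in by_class.items():
            cap = self.max_rate.get(cls)
            if cap is None or sum(demand.values()) <= cap:
                continue
            remaining, routers = cap, sorted(demand, key=demand.get)
            for i, router in enumerate(routers):
                share = min(demand[router], remaining / (len(routers) - i))
                requests[(router, cls)] = share
                remaining -= share
        return requests


def simulate(window_s: float = 1.0):
    """Constructed scenario: R1 forwards a UDP flood, R2 forwards normal traffic."""
    r1, r2 = Router("R1"), Router("R2")
    fw = Firewall({"udp": 200, "web": 1000})
    offered = {
        r1: [Packet(f"10.0.0.{i % 250}", "udp", 53, "R1") for i in range(900)]
        + [Packet("10.0.1.1", "tcp", 443, "R1") for _ in range(50)],
        r2: [Packet("192.0.2.7", "udp", 53, "R2") for _ in range(100)]
        + [Packet("192.0.2.8", "tcp", 80, "R2") for _ in range(300)],
    }
    # Round 1: no limits yet; the firewall measures and issues requests.
    arrived = [p for r in (r1, r2) for p in r.forward(offered[r], window_s)]
    before = fw.measure(arrived, window_s)
    for (router_name, cls), pps in fw.pushback(before).items():
        {"R1": r1, "R2": r2}[router_name].set_limit(cls, pps)
    # Round 2: routers enforce the requested caps; re-measure at the firewall.
    arrived = [p for r in (r1, r2) for p in r.forward(offered[r], window_s)]
    after = fw.measure(arrived, window_s)
    return before, after, {r.name: dict(r.limits) for r in (r1, r2)}


if __name__ == "__main__":
    before, after, limits = simulate()
    print("measured before:", before)
    print("caps requested :", limits)
    print("measured after :", after)
```

In this run the UDP class arrives at 1000 pps against a 200 pps cap; the firewall asks R2 (100 pps of UDP) to hold its current rate and R1 (900 pps) to cut to 100 pps, after which the firewall sees 200 pps of UDP in total and R1 has shed 800 packets before they reached the firewall's link. Allocating by forwarding router rather than by source address matches the abstract's design and means spoofed source addresses in the flood do not affect the allocation, though a legitimate sender that shares R1 with the attacker is throttled along with it, which is the trade-off a per-router cap carries.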