Method and apparatus for intercepting performance metric packets for improved security and intrusion detection

US 7,124,173 B2
Filed: 04/30/2001
Issued: 10/17/2006
Est. Priority Date: 04/30/2001
Status: Active Grant

First Claim

Patent Images

1. A method of gathering information about a connection between a sender and a recipient in a network comprising the steps of:

generating an information query by the sender;

sending the information query to the recipient;

receiving the information query at a border device of the recipient; and

processing the information query at the border device to provide information in a response to the information query, the response from the border device to the sender including address identification information of the recipient that is different than that of the border device and different than that of the sender, and measurement information about a portion of the connection, the portion being that between the sender and the border device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method in which a border device of a destination network located outside of a recipient personal computer or network intercepts a performance measurement packet for a specified recipient in order to relieve problems that arise when performance metric packets are interpreted as harmful to a recipient network or server. A border device intercepts the performance metric packet and returns requested information to the sender while masking the source address of the response as the original destination address of the original recipient or the network number of that recipient. The sender of the packet receives ample information on the performance metrics to the perimeter of the recipient for use in its application and the recipient network is protected as well by masking the IP addresses in use on the its network. The method is applicable in both existing performance metric protocols and is adaptable to a new protocol which would also additionally assist in identifying the purpose of the performance metric packets and protecting the destination network from outside interference. The number of performance metrics queried by some applications could also be reduced through the use of CIDR network block tables. These tables would be referenced to determine if a previous response was cached from this network block or to allow for a longer cache time-out due to the static nature of CIDR blocks.

Citations

19 Claims

1. A method of gathering information about a connection between a sender and a recipient in a network comprising the steps of:
- generating an information query by the sender;
  
  sending the information query to the recipient;
  
  receiving the information query at a border device of the recipient; and
  
  processing the information query at the border device to provide information in a response to the information query, the response from the border device to the sender including address identification information of the recipient that is different than that of the border device and different than that of the sender, and measurement information about a portion of the connection, the portion being that between the sender and the border device.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1 further comprising the steps of:
    - storing at least a portion of the information sent from the border device to the sender at the sender when a destination address of the information query corresponds to a predetermined group of addresses stored at the sender; and
      
      utilizing the stored information from the response whenever an information query is generated including any of the predetermined group of addresses stored at the sender.
  - 3. The method of claim 2, further comprising the steps of:
    - deleting the stored information after a predetermined period of time.
  - 4. The method of claim 1, wherein in the receiving step, the border device responds on behalf of one or more other active or inactive addresses, where the information query is selected from a group consisting of a service availability query, a system availability query and a performance measurement query.

5. A method of gathering information about a connection between a sender and a recipient in a network comprising the steps of:
- generating an information query by the sender;
  
  sending the information query to the recipient; and
  
  receiving the information query at a border device of the recipient; and
  
  processing the information query at the border device according to a plurality of predetermined rules,wherein said predetermined rules include;
  
  (a) providing information requested by the information query in a response to the information query, the response from the border device to the sender including address identification information of the recipient that is different than that of the border device and different than that of the sender and, measurement information about a portion of the connection;
  
  (b) discarding the information query; and
  
  (c) passing the information query through the border device to the recipient for response.
- View Dependent Claims (6, 7, 8, 9, 10)
- - 6. The method of claim 5 wherein:
    - one of said plurality of predetermined rules provides for discarding the information query when the information query is of a size larger than a predetermined range of allowable sizes.
  - 7. The method of claim 5, wherein:
    - one rule of said plurality of predetermined rules provides for passing the information query through the border unit to the recipient for response when the information query includes predetermined identification information.
  - 8. The method of claim 5, further comprising the steps of:
    - storing at least the information of the response provided from the border device when a destination address of the information query to which the response was generated corresponds to any of a plurality of predetermined addresses stored at the sender; and
      
      using the stored information of the response whenever an information query including any of the plurality of predetermined addresses stored at the sender is generated rather than sending the information query to the recipient.
  - 9. The method according to claim 8, wherein:
    - the stored information is deleted after a predetermined period of time passes.
  - 10. The method of claim 5, wherein in the receiving step, the border device responds on behalf of one or more other active or inactive addresses, where the information query is selected from a group consisting of a service availability query, a system availability query and a performance measurement query.

11. A border device positioned between a sender and a recipient for use in gathering information regarding a connection between the sender and the recipient in a network, the border device comprising:
- a receiver for receiving an information query from the sender addressed to the recipient;
  
  a processor for processing the information query on behalf of the recipient to generate a response to the sender including address identification information of the recipient that is different than that of the border device and different than that of the sender, and measurement information about a portion of the connection, the portion being that between the sender and the border device; and
  
  a transmitter for sending the response to the sender.
- View Dependent Claims (12, 13, 14)
- - 12. The border device of claim 11, wherein:
    - the border device responds to information queries for a plurality of recipients.
  - 13. The border device of claim 11, wherein the border device is a router.
  - 14. The method of claim 11, wherein the border device responds on behalf of one or more other active or inactive addresses, where the information query is selected from a group consisting of a service availability query, a system availability query and a performance measurement query.

15. A method of gathering performance measurement information regarding a connection between a sender and a recipient in a network comprising the steps of:
- generating a performance measurement packet by the sender;
  
  sending the performance measurement packet to the recipient;
  
  receiving the performance measurement packet at a border device of the recipient; and
  
  processing the performance measurement packet at the border device according to a plurality of predetermined rules, wherein said predetermined rules provide for one of;
  
  (a) generating a response packet to the performance measurement packet to provide performance metric information to be sent from the border device to the sender, the response packet including address information of the recipient that is different than that of the border device and different than that of the sender and performance metric information about a portion of the connection, the performance metric information being about the portion between the sender and the border device;
  
  (b) discarding the performance measurement packet; and
  
  (c) passing the performance measurement packet to the recipient.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The method of claim 15, wherein:
    - one of the predetermined rules provides for discarding the performance measurement packet when a size of the performance measurement packet exceeds a range of allowable sizes.
  - 17. The method of claim 15, wherein:
    - one rule of the plurality of predetermined rules provides for passing the performance measurement packet through the border device to the recipient when the performance measurement packet includes predetermined identification information.
  - 18. The method according to claim 15, further comprising the steps of:
    - storing at least the performance metric information of the response packet generated by the border device in response to the performance measurement packet when a destination address of the performance measurement packet corresponds to one of a plurality of predetermined addresses stored at the sender; and
      
      using the stored performance metric information of the response packet whenever a performance measurement packet including any of the plurality of predetermined addresses stored at the sender is generated by the sender rather than sending the performance measurement packet to the recipient.
  - 19. The method according to claim 18, further comprising the step of:
    - deleting the stored performance metric information after a predetermined period of time.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Huawei Technologies Co., Ltd. (Huawei Investment & Holding Co., Ltd.)
Original Assignee
Kathleen M. Moriarty
Inventors
Moriarty, Kathleen M.
Primary Examiner(s)
Maung, Zarni
Assistant Examiner(s)
PHILLIPS, HASSAN A

Application Number

US09/844,849
Publication Number

US 20020161755A1
Time in Patent Office

1,996 Days
Field of Search

713/200, 713/201, 709/224, 709/219, 709/229, 726/2
US Class Current

709/219
CPC Class Codes

H04L 43/08   Monitoring or testing based...

H04L 43/10   Active monitoring, e.g. hea...

H04L 63/0236   Filtering by address, proto...

H04L 63/1441   Countermeasures against mal...

H04L 67/1001   for accessing one among a p...

H04L 67/101   based on network conditions

Method and apparatus for intercepting performance metric packets for improved security and intrusion detection

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for intercepting performance metric packets for improved security and intrusion detection

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links