Methods, systems and computer program products for detecting a spoofed source address in IP datagrams
First Claim
1. A method of determining if a packet has a spoofed source Internet Protocol (IP) address, comprising:
evaluating a source media access control (MAC) address of the packet and the source IP address to determine if the source IP address of the packet has been bound to the source MAC address at a source device of the packet; and
determining that the source IP address is spoofed if the source IP address is not bound to the source MAC address and the source MAC address is not associated with a gateway routing device,
wherein evaluating a source MAC address of the packet and the source IP address further comprises:
identifying an entry in an address resolution protocol (ARP) table corresponding to the source MAC address;
comparing an IP address of the identified entry to the source IP address to determine if the IP address of the identified entry corresponds to the source IP address;
identifying the source IP address as bound to the source MAC address at the source device if the IP address of the identified entry corresponds to the source IP address;
sending an ARP request to the source IP address if no entry in the ARP table is identified as corresponding to the source MAC address; and
incorporating an entry corresponding to the MAC address into the ARP table if a response is received to the ARP request.
Abstract
Methods, systems and computer program products are provided for determining if a packet has a spoofed source Internet Protocol (IP) address. A source media access control (MAC) address of the packet and the source IP address are evaluated to determine if the source IP address of the packet has been bound to the source MAC address at a source device of the packet. The packet is determined to have a spoofed source IP address if the evaluation indicates that the source IP address is not bound to the source MAC address. Such an evaluation may be made for packets having a subnet of the source IP address which matches a subnet from which the packet originated.
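The claim 1 procedure written out as a small classifier. This is an added example, not code from the patent: the class and function names, the `arp_probe` callback and the sample addresses are assumptions, and it treats an ARP reply as establishing a binding only when the replying MAC equals the packet's source MAC.

```python
GATEWAY, BOUND, SPOOFED = "gateway", "bound", "spoofed"


class SpoofDetector:
    def __init__(self, gateway_macs, arp_probe):
        self.gateway_macs = {m.lower() for m in gateway_macs}
        # arp_probe(ip) -> MAC that answered an ARP request for ip, or None.
        # Hypothetical callback; a real sensor would send the request on the wire.
        self.arp_probe = arp_probe
        self.arp_table = {}  # source MAC -> IP bound at that device

    def classify(self, src_mac, src_ip):
        mac = src_mac.lower()
        # A gateway forwards routed packets, so source IPs that are not
        # bound to its MAC are expected and are not treated as spoofed.
        if mac in self.gateway_macs:
            return GATEWAY
        entry_ip = self.arp_table.get(mac)
        if entry_ip is None:
            # No entry for this MAC: send an ARP request to the claimed IP.
            responder = self.arp_probe(src_ip)
            if responder is not None and responder.lower() == mac:
                self.arp_table[mac] = src_ip  # incorporate the new entry
                return BOUND
            return SPOOFED  # no reply, or the IP is owned by another MAC
        # Entry found: the packet's IP must correspond to the entry's IP.
        return BOUND if entry_ip == src_ip else SPOOFED


# Constructed sample data: documentation IP ranges and made-up MACs.
OWNERS = {"192.0.2.10": "02:00:00:00:00:0a", "192.0.2.11": "02:00:00:00:00:0b"}
PACKETS = [
    ("02:00:00:00:00:0a", "192.0.2.10"),    # owner of the IP, learned via ARP
    ("02:00:00:00:00:0a", "198.51.100.7"),  # known MAC, different IP
    ("02:00:00:00:00:0c", "192.0.2.11"),    # IP answered by another MAC
    ("02:00:00:00:00:01", "203.0.113.5"),   # gateway MAC, routed traffic
    ("02:00:00:00:00:0d", "192.0.2.99"),    # nobody answers the ARP request
    ("02:00:00:00:00:0B", "192.0.2.11"),    # real owner, upper-case MAC
]


def run_sample():
    det = SpoofDetector({"02:00:00:00:00:01"}, OWNERS.get)
    return [det.classify(mac, ip) for mac, ip in PACKETS], det.arp_table


if __name__ == "__main__":
    print(run_sample())
```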
23 Claims
14. A method of determining if a packet has a spoofed source Internet Protocol (IP) address, comprising:
evaluating a source media access control (MAC) address of the packet and the source IP address to determine if the source IP address of the packet has been bound to the source MAC address at a source device of the packet;
determining that the source IP address of the packet is spoofed if the source IP address is not bound to the source MAC address; and
discarding the packet if the source IP address is associated with at least one MAC address other than the source MAC address,
wherein evaluating a source MAC address of the packet and the source IP address further comprises:
identifying an entry in an address resolution protocol (ARP) table corresponding to the source MAC address;
comparing an IP address of the identified entry to the source IP address to determine if the IP address of the identified entry corresponds to the source IP address;
identifying the source IP address as bound to the source MAC address at the source device if the IP address of the identified entry corresponds to the source IP address;
sending an ARP request to the source IP address if no entry in the ARP table is identified as corresponding to the source MAC address; and
incorporating an entry corresponding to the MAC address into the ARP table if a response is received to the ARP request.
18. A method of determining if a packet has a spoofed source Internet Protocol (IP) address, comprising:
evaluating a source media access control (MAC) address of the packet and the source IP address to determine if the source IP address of the packet has been bound to the source MAC address at a source device of the packet;
determining that the source IP address of the packet is spoofed if the source IP address is not bound to the source MAC address;
monitoring packets from a source device to determine if the source device has more IP addresses bound to the MAC address of the source device than a predefined limit; and
identifying the source device as having more IP addresses bound to its MAC address than the predefined limit so as to allow corrective action to be taken to reduce network degradation as a result of a denial of service attack utilizing the spoofed source IP address bound to the MAC address of the source device,
wherein evaluating a source MAC address of the packet and the source IP address further comprises:
identifying an entry in an address resolution protocol (ARP) table corresponding to the source MAC address;
comparing an IP address of the identified entry to the source IP address to determine if the IP address of the identified entry corresponds to the source IP address;
identifying the source IP address as bound to the source MAC address at the source device if the IP address of the identified entry corresponds to the source IP address;
sending an ARP request to the source IP address if no entry in the ARP table is identified as corresponding to the source MAC address; and
incorporating an entry corresponding to the MAC address into the ARP table if a response is received to the ARP request, and
wherein the corrective action to be taken to reduce network degradation as a result of a denial of service attack utilizing the spoofed source IP address bound to the MAC address of the source device comprises discarding packets from the source device and notifying a system administrator that the source has more IP address bound to its MAC address than the predefined limit.
21. A method of determining if a packet has a spoofed source Internet Protocol (IP) address, comprising:
evaluating a source media access control (MAC) address of the packet and the source IP address to determine if the source IP address of the packet has been bound to the source MAC address at a source device of the packet;
determining that the source IP address of the packet is spoofed if the source IP address is not bound to the source MAC address;
determining if a source IP address is bound to a MAC address of more than one source device; and
identifying the source devices having the IP address bound to the MAC addresses so as to allow corrective action to be taken to reduce network degradation as a result of a denial of service attack utilizing the spoofed source IP address bound to the MAC addresses of the source devices,
wherein evaluating a source MAC address of the packet and the source IP address further comprises:
identifying an entry in an address resolution protocol (ARP) table corresponding to the source MAC address;
comparing an IP address of the identified entry to the source IP address to determine if the IP address of the identified entry corresponds to the source IP address;
identifying the source IP address as bound to the source MAC address at the source device if the IP address of the identified entry corresponds to the source IP address;
sending an ARP request to the source IP address if no entry in the ARP table is identified as corresponding to the source MAC address; and
incorporating an entry corresponding to the MAC address into the ARP table if a response is received to the ARP request.
Specification