Method and apparatus for preventing spoofing of network addresses

US 7,234,163 B1
Filed: 09/16/2002
Issued: 06/19/2007
Est. Priority Date: 09/16/2002
Status: Active Grant

First Claim

Patent Images

1. A method of preventing spoofing of network addresses, the method comprising the computer-implemented steps of:

establishing one or more bindings outside an Address Resolution Protocol (ARP) table, wherein each of the one or more bindings is between an Internet Protocol (IP) address, a Media Access Control (MAC) address, and a port identifier, and wherein said IP address and said MAC address identify a device that is the only device physically connected to a port of a second device which port is identified by said port identifier;

determining whether there is a particular binding among the one or more bindings,wherein said particular binding is between a first IP address, a first MAC address, and a first port identifier,wherein said first IP address and said first MAC address identify a first device that is the only device connected to a particular port of said second device which particular port is identified by said first port identifier,wherein at least one of (i) that said first IP address is different from a second IP address, (ii) that said first MAC address is different from a second MAC address, or (iii) that said first port identifier is different from a second port identifier, is true,wherein at least one of (i) that said first IP address is same as said second IP address, (ii) that said first MAC address is same as said second MAC address, or (iii) that said first port identifier is same as said second port identifier, is true, andwherein said second IP address, said second MAC address, and said second port identifier comprise a claim for a binding relationship therebetween;

in response to determining that there is said particular binding among the one or more bindings, determining that said particular port of said second device is under attack; and

updating said ARP table in memory based on said particular binding.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method is disclosed for preventing spoofing of network addresses. A binding is established between an Internet Protocol (IP) address, a Media Access Control (MAC) address, and a port. An Address Resolution Protocol (ARP) table is updated based on the binding.

Citations

26 Claims

1. A method of preventing spoofing of network addresses, the method comprising the computer-implemented steps of:
- establishing one or more bindings outside an Address Resolution Protocol (ARP) table, wherein each of the one or more bindings is between an Internet Protocol (IP) address, a Media Access Control (MAC) address, and a port identifier, and wherein said IP address and said MAC address identify a device that is the only device physically connected to a port of a second device which port is identified by said port identifier;
  
  determining whether there is a particular binding among the one or more bindings,wherein said particular binding is between a first IP address, a first MAC address, and a first port identifier,wherein said first IP address and said first MAC address identify a first device that is the only device connected to a particular port of said second device which particular port is identified by said first port identifier,wherein at least one of (i) that said first IP address is different from a second IP address, (ii) that said first MAC address is different from a second MAC address, or (iii) that said first port identifier is different from a second port identifier, is true,wherein at least one of (i) that said first IP address is same as said second IP address, (ii) that said first MAC address is same as said second MAC address, or (iii) that said first port identifier is same as said second port identifier, is true, andwherein said second IP address, said second MAC address, and said second port identifier comprise a claim for a binding relationship therebetween;
  
  in response to determining that there is said particular binding among the one or more bindings, determining that said particular port of said second device is under attack; and
  
  updating said ARP table in memory based on said particular binding.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. A method as recited in claim 1,wherein said first Internet Protocol (IP) address and said first Media Access Control (MAC) address are identified by an Address Resolution Protocol (ARP) message received through said particular port identified by said first port identifier.
  - 3. A method as recited in claim 1, further comprising the computer-implemented step of:
    - generating a notification upon determining that said particular port of said second device is under attack.
  - 4. A method as recited in claim 3, further comprising the computer-implemented step of:
    - sending a warning to said particular port.
  - 5. A method as recited in claim 3, further comprising the computer-implemented step of:
    - sending said notification to said particular port identified by said first port identifier that is included in said binding that includes said first IP address or said first MAC address.
  - 6. A method as recited in claim 1, further comprising the computer-implemented step of:
    - interrupting communication from a second port identified by said second port identifier upon determining that said particular port of said second device is under attack.
  - 7. A method as recited in claim 1, further comprising the computer-implemented step of:
    - assigning, upon determining that said particular port of said second device is under attack, a new IP address to said first device that is connected to said particular port, wherein said new IP address differs from said first IP address.
  - 8. A method as recited in claim 1, further comprising updating said ARP table linked to said second device with the one or more bindings in a specified frequency.
  - 9. A method as recited in claim 8, wherein said frequency is based on a volume of network traffic.
  - 10. A method as recited in claim 1, further comprising updating said ARP table linked to said second device with the one or more bindings in response to receiving an ARP packet.
  - 11. A method as recited in claim 1, wherein the step of establishing one or more bindings further comprises receiving said IP address, said MAC address and said port identifier in a Dynamic Host Configuration Protocol (DHCP) request.

12. An apparatus for preventing spoofing of network addresses, comprising:
- means for establishing one or more bindings outside an Address Resolution Protocol (ARP) table, wherein each of the one or more bindings is between an Internet Protocol (IP) address, a Media Access Control (MAC) address, and a port identifier, and wherein said IP address and said MAC address identify a device that is the only device physically connected to a port of a second device which port is identified by said port identifier;
  
  means for determining whether there is a particular binding among the one or more bindings,wherein said particular binding is between a first IP address, a first MAC address, and a first port identifier,wherein said first IP address and said first MAC address identify a first device that is the only device connected to a particular port of said second device which particular port is identified by said first port identifier,wherein at least one of (i) that said first IP address is different from a second IP address, (ii) that said first MAC address is different from a second MAC address, or (iii) that said first port identifier is different from a second port identifier, is true,wherein at least one of (i) that said first IP address is same as said second IP address, (ii) that said first MAC address is same as said second MAC address, or (iii) that said first port identifier is same as said second port identifier, is true, andwherein said second IP address, said second MAC address, and said second port identifier comprise a claim for a binding relationship therebetween;
  
  means for determining that said particular port of said second device is under attack, in response to determining that there is a particular binding among the one or more bindings; and
  
  means for updating said ARP table in memory based on said particular binding.
- View Dependent Claims (13, 14)
- - 13. An apparatus as recited in claim 12,wherein said first Internet Protocol (IP) address and said first Media Access Control (MAC) address are identified by an Address Resolution Protocol (ARP) message received through said particular port identified by said first port identifier.
  - 14. An apparatus as recited in claim 12, further comprising:
    - means for assigning, upon determining that said particular port of said second device is under attack, a new IP address to said first device that is connected to said particular port, wherein said new IP address differs from said first IP address.

15. An apparatus for preventing spoofing of network addresses, comprising:
- a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
  
  a processor; and
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  establishing one or more bindings outside an Address Resolution Protocol (ARP) table, wherein each of the one or more bindings is between an Internet Protocol (IP) address, a Media Access Control (MAC) address, and a port identifier, and wherein said IP address and said MAC address identify a device that is the only device physically connected to a port of a second device which port is identified by said port identifier;
  
  determining whether there is a particular binding among the one or more bindings,wherein said particular binding is between a first IP address, a first MAC address, and a first port identifier,wherein said first IP address and said first MAC address identify a first device that is the only device connected to a particular port of said second device which particular port is identified by said first port identifier,wherein at least one of (i) that said first IP address is different from a second IP address, (ii) that said first MAC address is different from a second MAC address, or (iii) that said first port identifier is different from a second port identifier, is true,wherein at least one of (i) that said first IP address is same as said second IP address, (ii) that said first MAC address is same as said second MAC address, or (iii) that said first port identifier is same as said second port identifier, is true, andwherein said second IP address, said second MAC address, and said second port identifier comprise a claim for a binding relationship therebetween;
  
  in response to determining that there is said particular binding among the one or more bindings, determining that said particular port of said second device is under attack; and
  
  updating said ARP table in memory based on said particular binding.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 16. An apparatus as recited in claim 15,wherein said first Internet Protocol (IP) address and said first Media Access Control (MAC) address are identified by an Address Resolution Protocol (ARP) message received through said particular port identified by said first port identifier.
  - 17. An apparatus as recited in claim 15, wherein the one or more stored sequences of instructions which, when executed by the processor, cause the processor to further carry out the step of:
    - assigning, upon determining that said particular port of said second device is under attack, a new IP address to said first device that is connected to said particular port, wherein said new IP address differs from said first IP address.
  - 18. An apparatus as recited in claim 15, further comprising the step of:
    - generating a notification upon determining that said particular port of said second device is under attack.
  - 19. An apparatus as recited in claim 18, further comprising the step of:
    - sending a warning to said particular port.
  - 20. An apparatus as recited in claim 18, further comprising the step of:
    - sending said notification to said particular port identified by said first port identifier that is included in said binding that includes said first IP address or said first MAC address.
  - 21. An apparatus as recited in claim 15, further comprising the step of:
    - interrupting communication from a second port identified by said second port identifier upon determining that said particular port of said second device is under attack.
  - 22. An apparatus as recited in claim 15, further comprising the step of updating said ARP table linked to said second device with the one or more bindings in a specified frequency.
  - 23. An apparatus as recited in claim 22, wherein said frequency is based on a volume of network traffic.
  - 24. An apparatus as recited in claim 15, further comprising the step of updating said ARP table linked to said second device with the one or more bindings in response to receiving an ARP packet.
  - 25. An apparatus as recited in claim 15, wherein the step of establishing one or more bindings further comprises receiving said IP address, said MAC address and said port identifier in a Dynamic Host Configuration Protocol (DHCP) request.

26. A computer-readable medium carrying one or more sequences of instructions for preventing spoofing of network addresses, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- establishing one or more bindings outside an Address Resolution Protocol (ARP) table, wherein each of the one or more bindings is between an Internet Protocol (IP) address, a Media Access Control (MAC) address, and a port identifier, and wherein said IP address and said MAC address identify a device that is the only device physically connected to a port of a second device which port is identified by said port identifier;
  
  determining whether there is a particular binding among the one or more bindings,wherein said particular binding is between a first IP address, a first MAC address, and a first port identifier,wherein said first IP address and said first MAC address identify a first device that is the only device connected to a particular port of said second device which particular port is identified by said first port identifier,wherein at least one of (i) that said first IP address is different from a second IP address, (ii) that said first MAC address is different from a second MAC address, or (iii) that said first port identifier is different from a second port identifier, is true,wherein at least one of (i) that said first IP address is same as said second IP address, (ii) that said first MAC address is same as said second MAC address, or (iii) that said first port identifier is same as said second port identifier, is true, andwherein said second IP address, said second MAC address, and said second port identifier comprise a claim for a binding relationship therebetween;
  
  in response to determining that there is said particular binding among the one or more bindings, determining that said particular port of said second device is under attack; and
  
  updating said ARP table in memory based on said particular binding.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Rayes, Ammar, Cheung, Michael
Primary Examiner(s)
Vu; Kim
Assistant Examiner(s)
Patel; Nirav

Application Number

US10/244,996
Time in Patent Office

1,737 Days
Field of Search

726 11- 13, 726 22- 25, 709/223, 709/224, 709/220, 709/227, 370/401, 370/392, 370/229, 370/230, 370/497, 370/475, 370/395.52, 370/395.5, 370/351, 370/355, 713151-154
US Class Current

726/22
CPC Class Codes

H04L 2463/145   Detection or countermeasure...

H04L 61/00   Network arrangements, proto...

H04L 61/10   of different types

H04L 63/1466   Active attacks involving in...

Method and apparatus for preventing spoofing of network addresses

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for preventing spoofing of network addresses

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links