Prevention of bandwidth congestion in a denial of service or other internet-based attack
First Claim
1. A method for preventing bandwidth congestion on a network, said method comprising:
- providing a destination site router connected to a destination site locally and also to an Internet connection;
- providing a plurality of origin site routers one or many of which may be connected to an attacking site, wherein each of said plurality of origin site routers has a respective address associated with it;
- providing connectivity between said origin and destination site routers to the Internet or other wide area networks (WAN), but allowing addresses not corresponding to said attacking site access to the Internet or other WAN;
- detecting a bandwidth congestion at said destination site router, wherein said bandwidth congestion originates at said attacking site;
- informing said origin site router and other intermediate routers within the Internet, or other WAN, of said bandwidth congestion and of an attacking address corresponding to said attacking site from which said bandwidth congestion originated, wherein said attacking address is determined from a request packet received from said attacking site;
- preventing said attacking address corresponding to said attacking site from being used to gain access to the Internet or other WAN.
Abstract
A method and apparatus for preventing a Denial of Service attack directed at a target that is hosted on a server. The attack is detected and the IP address of the source client of the attack is identified. The IP address of the source of the attack is then communicated upstream to router devices close to the attacking source and the attacker is prevented from further attacks until it is determined that the attacker poses no threat. The detection of the attack and the communication of the identity of the attacker to upstream routers is performed automatically or by human intervention.
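As an added illustration (not the patent's own code), the following Python simulates the scheme the abstract describes: a detector at the destination attributes link congestion to a source address read from the offending request packet, notifies the origin router nearest that source, and that router drops the address while continuing to forward legitimate clients, with a release step for when the address is judged to pose no further threat. The prefix-to-router mapping, the per-window link budget, the "over half the budget" attribution rule and the sample traffic are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    src: str   # source address, read from the request packet header
    size: int  # bytes on the wire

@dataclass
class OriginRouter:
    """Router nearest the clients; enforces block notices sent from the destination."""
    name: str
    blocked: set = field(default_factory=set)
    def on_congestion_notice(self, addr: str) -> None:
        self.blocked.add(addr)
    def release(self, addr: str) -> None:
        # lift the block once the address is judged to pose no further threat
        self.blocked.discard(addr)
    def forward(self, pkt: Packet) -> bool:
        # a blocked source never reaches the WAN; every other client passes
        return pkt.src not in self.blocked

@dataclass
class DestinationDetector:
    """Congestion detector at the destination router or firewall."""
    link_budget: int   # bytes the access link can carry in one measurement window
    origin_for: dict   # assumed mapping: /24 prefix -> OriginRouter serving it

    def inspect_window(self, pkts) -> list:
        per_src = defaultdict(int)
        for p in pkts:
            per_src[p.src] += p.size
        if sum(per_src.values()) <= self.link_budget:
            return []  # link not congested, nothing to report upstream
        # attribute the congestion to any single source using over half the budget
        attackers = [s for s, b in per_src.items() if b > self.link_budget // 2]
        for s in attackers:
            router = self.origin_for.get(s.rsplit(".", 1)[0])
            if router is not None:
                router.on_congestion_notice(s)  # push the attacking address upstream
        return attackers

def run_demo():
    # constructed window: 10.1.1.7 floods the link, 10.1.1.8 is a legitimate client
    router = OriginRouter("origin-A")
    det = DestinationDetector(10_000, {"10.1.1": router})
    window = [Packet("10.1.1.7", 1500) for _ in range(9)]
    window += [Packet("10.1.1.8", 200) for _ in range(3)]
    attackers = det.inspect_window(window)
    passed = sum(router.forward(p) for p in window)  # packets the origin router still forwards
    return attackers, sorted(router.blocked), passed
```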
Claims (14)
1. (Independent claim; text as given above under First Claim. Dependent claims: 2, 3, 4, 5, 6, 7.)
8. A network system that prevents bandwidth congestion on a network, said system comprising:
- an origin client router connected to a plurality of clients through an Internet connection, said plurality of clients including an attacking client, and wherein each of said plurality of clients has a respective address associated with it;
- a destination site router connected to a destination server, said destination site router or firewall or client further comprising a bandwidth congestion detector operable to detect a bandwidth congestion condition and a communication device operable to communicate said bandwidth congestion condition and said addresses to said plurality of clients;
- a router-router connection between said origin client router and said destination site router, wherein said router-router connection provides a discrete amount of access bandwidth by which said client router and said destination site router can pass data traffic back and forth to each other;
- wherein said bandwidth congestion detector detects a bandwidth congestion condition originating at said attacking client and directed to said destination server and automatically informs said origin client router of said attacking client's respective address, and wherein further, said origin client router prevents said address of said attacking client from causing further bandwidth congestion, but allows legitimate client address access to the Internet connection, wherein said attacking client's respective address is determined from a request packet received from said attacking client.
Dependent claims: 9, 10.
11. A method for preventing bandwidth congestion on a network, said method comprising:
- providing a destination site router connected to a destination site locally and also to an Internet connection;
- providing a plurality of origin site routers one or many of which may be connected to an attacking site, wherein each of said plurality of sites has a respective address associated with it;
- providing connectivity between said origin and destination routers to the Internet or other wide area networks (WAN);
- detecting a bandwidth congestion at a firewall connected to said destination site router, wherein said bandwidth congestion originates at said attacking site;
- informing said origin site router and other intermediate routers within the Internet, or other WAN, of said bandwidth congestion and of an attacking address corresponding to said attacking site from which said bandwidth congestion originated, wherein said attacking address is determined from a request packet received from said attacking site;
- preventing said attacking address corresponding to said attacking site from being used to gain access to the Internet or other WAN, but allowing legitimate addresses access to the Internet or other WAN.
12. A method for preventing bandwidth congestion on a network, said method comprising:
- providing a destination site router connected to a destination site locally and also to an Internet connection;
- providing a plurality of origin site routers one or many of which may be connected to an attacking site, wherein each of said plurality of sites has a respective address associated with it;
- providing connectivity between said origin and destination routers to the Internet or other wide area networks (WAN);
- detecting a bandwidth congestion at said destination site, wherein said bandwidth congestion originates at said attacking site;
- informing said origin site router and other intermediate routers within the Internet, or other WAN, of said bandwidth congestion and of an attacking address corresponding to said attacking site from which said bandwidth congestion originated, wherein said attacking address is determined from a request packet received from said attacking site;
- preventing said attacking address corresponding to said attacking site from being used to gain access to the Internet or other WAN, but allowing legitimate addresses access to the Internet or other WAN.
13. A network system that prevents bandwidth congestion on a network, said system comprising:
- an origin client router connected to a plurality of clients through an Internet connection, said plurality of clients including an attacking client, and wherein each of said plurality of clients has a respective address associated with it;
- a destination site router connected to a destination server;
- a firewall connected to said destination server, said firewall comprising a bandwidth congestion detector operable to detect a bandwidth congestion condition and a communication device operable to communicate said bandwidth congestion condition and said addresses to said plurality of clients;
- a router-router connection between said origin client router and said destination site router, wherein said router-router connection provides a discrete amount of access bandwidth by which said client router and said destination site router can pass data traffic back and forth to each other;
- wherein said bandwidth congestion detector detects a bandwidth congestion condition originating at said attacking client and directed to said destination server and automatically informs said origin client router of said attacking client's respective address, and wherein further, said origin client router prevents said address of said attacking client from causing further bandwidth congestion, but allows legitimate clients access to the Internet connection, wherein said attacking client's respective address is determined from a request packet received from said attacking client.
14. A network system that prevents bandwidth congestion on a network, said system comprising:
- an origin client router connected to a plurality of clients through an Internet connection, said plurality of clients including an attacking client, and wherein each of said plurality of clients has a respective address associated with it;
- a destination site router connected to a destination server, said destination server comprising a bandwidth congestion detector operable to detect a bandwidth congestion condition and a communication device operable to communicate said bandwidth congestion condition and said addresses to said plurality of clients;
- a router-router connection between said origin client router and said destination site router, wherein said router-router connection provides a discrete amount of access bandwidth by which said client router and said destination site router can pass data traffic back and forth to each other;
- wherein said bandwidth congestion detector detects a bandwidth congestion condition originating at said attacking client and directed to said destination server and automatically informs said origin client router of said attacking client's respective address, and wherein further, said origin client router prevents said address of said attacking client from causing further bandwidth congestion, but allows legitimate client(s) access to the Internet connection, wherein said attacking client's respective address is determined from a request packet received from said attacking client.