Method and apparatus for tracing a denial-of-service attack back to its source
Abstract
A backtracking method, program and unit that involves a traceback computer program for tracking a denial-of-service attack on a victim machine, v, back toward the source of the denial-of-service attack. The traceback program determines a set of routers that are upstream neighbors of v and determines which of those neighbors is the principal source of packets flowing to v. After determining the identity of the neighbor node, n, that is the principal source of packets flowing to v, the traceback program continues further upstream from n to determine the upstream neighbor of n that is the principal source of packets to v. After determining this upstream neighbor, the program continues further upstream until the source of the denial-of-service packets is determined.
23 Claims
1. A method for tracing a denial-of-service attack on a victim machine back towards its source, comprising steps of:
- operating a traceback program on at least one path to receive two input parameters, (a) an IP address (v) of the victim machine and (b) an IP address (r) of a router that is immediately upstream of the victim machine;
- determining a set of routers that are neighbors (n) of r;
- for each neighbor n of r, determining if r is n's next-hop for traffic addressed to v, or to a network that v is on, where node n's next-hop for traffic addressed to v is the IP address of the node that n will forward a packet to if the destination address in the packet is v;
- if r is not n's next-hop for traffic addressed to v, skip over n and query the next neighbor of r, while if r is n's next-hop for traffic addressed to v, determining an amount of traffic that n is forwarding to r that is addressed to v;
- based on the determined amounts of traffic of said neighbors, determining the identity of the neighbor n of r that is the principal source of packets flowing to r that are addressed to v;
- continuing one node further upstream from the determined neighbor n of r that is the principal source of packets flowing to r that are addressed to v; and
- continuing to traceback through interconnected routers until a source of denial-of-service attack packets to v is determined or until further traceback is not possible.
Dependent claims: 2, 3, 4, 5, 6, 7, 8
9. A backtracking unit for tracing a denial-of-service attack on a victim machine back towards its source or sources, comprising a data processor responsive to a traceback computer program stored on a computer-readable media for receiving a first input parameter of an IP address (v) of the victim machine and a second input parameter of an IP address (r) of a router that is immediately upstream of the victim machine, said traceback computer program controlling operation of said data processor to determine a set of routers that are neighbors (n) of r and, for each neighbor n of r, to determine if r is n's next-hop for traffic addressed to v, where node n's next-hop for traffic addressed to v is the IP address of the node that n will forward a packet to if the destination address in the packet is v, said traceback computer program further controlling operation of said data processor for the case where r is not n's next-hop for traffic addressed to v, to skip over n and to query the next neighbor of r, while for the case where r is n's next-hop for traffic addressed to v, to determine an amount of traffic that n is forwarding to r that is addressed to v, based on the determined amounts of traffic of said neighbors, determining the identity of the neighbor n of r that is the principal source of packets flowing to r that are addressed to v or to a network to which v is connected, for continuing further upstream from the determined neighbor n of r that is the principal source of packets flowing to r that are addressed to v to continue to traceback through interconnected routers until a source of denial-of-service attack packets to v is determined, or until further traceback is not possible.
16. A method for determining an identity of a source of undesirable packets received from a data communications network, comprising steps of:
- operating a traceback function to receive at least one input parameter, namely a network address (v) of a first device receiving the undesirable packets;
- determining a set of network routers that are neighbors (n) of a network router (r) that is coupled to a second device immediately upstream of the first device; and
- querying individual ones of packet routers in order to determine a packet router that is a largest source of packets addressed to v via r, or to a network to which v is connected, and continuing to query packet routers up through a hierarchy of interconnected packet routers until an identity of a source of the undesirable packets is discovered or until further backtracking is not possible.
Dependent claims: 17, 18, 19, 20, 21
22. A method for tracing a denial-of-service attack on a victim machine back towards its source, comprising steps of:
- operating a traceback program on at least one path to receive two input parameters, (a) an IP address (v) of the victim machine and (b) an IP address (r) of a router that is immediately upstream of the victim machine;
- determining a set of routers that are neighbors (n) of r;
- for each neighbor n of r, determining if r is n's next-hop for traffic addressed to v, or to a network that v is on, where node n's next-hop for traffic addressed to v is the IP address of the node that n will forward a packet to if the destination address in the packet is v;
- if r is not n's next-hop for traffic addressed to v, skip over n and query the next neighbor of r, while if r is n's next-hop for traffic addressed to v, determining an amount of traffic that n is forwarding to r that is addressed to v by sending at least one message to a neighbor router n for determining a count of packets that router n is sending to router r that are addressed to v or to a network on which v resides;
- based on the determined counts of packets of said neighbors n, determining the identity of the neighbor n of r that is the principal source of packets flowing to r that are addressed to v, continuing one node further upstream from the determined neighbor n of r that is the principal source of packets flowing to r that are addressed to v, and continuing to traceback through interconnected routers until a source of denial-of-service attack packets to v is determined or until further traceback is not possible; and
- establishing a black hole host route to v as close as is possible to the source of the denial-of-service attack packets.
Dependent claims: 23
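The hop-by-hop traceback of claims 1 and 22, simulated over a constructed topology as an added example (not the patent's own code): router names, forwarding tables and per-link packet counters are hypothetical, and the counter lookup stands in for the count query a router would answer.

```python
from ipaddress import ip_address, ip_network
# Constructed topology (hypothetical names): routers R1..R5, end host H1; R1 is
# the router immediately upstream of victim v.
VICTIM = "10.0.0.5"
ADJ = {"R1": {"R2", "R3"}, "R2": {"R1", "R4", "R5"}, "R3": {"R1"},
       "R4": {"R2", "H1"}, "R5": {"R2", "R6"}}
FIB = {  # forwarding tables as (prefix, next hop); absent node = no route known
    "R2": [("0.0.0.0/0", "R5"), ("10.0.0.0/24", "R1")],
    "R3": [("10.0.0.0/24", "R1")], "R4": [("10.0.0.0/8", "R2")],
    "R5": [("10.0.0.0/24", "R6")],  # routes v via R6, so r=R2 must skip it
    "H1": [("0.0.0.0/0", "R4")]}
COUNTS = {  # constructed: packets n forwards to r addressed to v (claim 22 query)
    ("R2", "R1"): 9000, ("R3", "R1"): 150, ("R4", "R2"): 8800,
    ("R5", "R2"): 500, ("H1", "R4"): 8800}

def next_hop(node, dst):
    """Longest-prefix match in node's forwarding table; None if no route."""
    d, best = ip_address(dst), None
    for prefix, nh in FIB.get(node, []):
        net = ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best[1] if best else None

def principal_upstream(r, v):
    """Claim 1 step: neighbor of r routing v through r with the most packets to v."""
    best, best_cnt = None, 0
    for n in sorted(ADJ.get(r, ())):
        if next_hop(n, v) != r:      # r is not n's next hop for v: skip n
            continue
        cnt = COUNTS.get((n, r), 0)  # stand-in for querying n's counter
        if cnt > best_cnt:
            best, best_cnt = n, cnt
    return best, best_cnt

def traceback(v, r):
    """Walk upstream from r; returns (path, source), source None if traceback stalls."""
    path, seen = [r], {r}
    while True:
        n, _ = principal_upstream(path[-1], v)
        if n is None or n in seen:   # no feeding neighbor, or a routing loop
            return path, None
        path.append(n)
        seen.add(n)
        if n not in ADJ:             # not a router: treat as the source host
            return path, n

def blackhole_router(path, source):
    """Claim 22: last router on the path, where a discard host route to v is placed."""
    return path[-2] if source else path[-1]
```

Traced from R1, the walk skips R5 (its next hop for v is R6 despite the larger counter it reports elsewhere) and ends at H1, so the black hole host route belongs on R4.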
Specification