Protecting against spoofed DNS messages

US 7,313,815 B2
Filed: 09/17/2004
Issued: 12/25/2007
Est. Priority Date: 08/30/2001
Status: Expired due to Term

First Claim

Patent Images

1. A method for authenticating communication traffic, comprising:

receiving a first request, sent over a network from a source address, to provide first network information regarding a first domain name;

sending a response to the source address in reply to the first request;

receiving a second request from the source address, in reply to the response, to provide second network information regarding a second domain name; and

assessing authenticity of the first request based on the second request.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authenticating communication traffic includes receiving a first request, such as a DNS request, sent over a network from a source address, to provide network information regarding a given domain name. A response is sent to the source address in reply to the first request. When a second request is from the source address in reply to the response, the authenticity of the first request is assessed based on the second request.

56 Citations

View as Search Results

49 Claims

1. A method for authenticating communication traffic, comprising:
- receiving a first request, sent over a network from a source address, to provide first network information regarding a first domain name;
  
  sending a response to the source address in reply to the first request;
  
  receiving a second request from the source address, in reply to the response, to provide second network information regarding a second domain name; and
  
  assessing authenticity of the first request based on the second request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method according to claim 1, and comprising, if the first request is assessed to be authentic, sending a further response to the source address containing the network information corresponding to the given domain name.
  - 3. A method according to claim 2, wherein assessing the authenticity comprises discarding the first request if the first request is not assessed to be authentic.
  - 4. A method according to claim 2, wherein the network information comprises a network address associated with the domain name.
  - 5. A method according to claim 1, wherein sending the response comprises encoding information in the response, and wherein assessing the authenticity comprises checking the second request for the encoded information.
  - 6. A method according to claim 1, wherein receiving the first request comprises intercepting the first request prior to delivery of the first request to a destination address of the first request, and comprising submitting the first request to the destination address responsively to the assessed authenticity of the first request.
  - 7. A method according to claim 6, wherein assessing the authenticity comprises making a record of the source address as an authentic address, and wherein submitting the first request comprises verifying the source address based on the record, and allowing the network information to be furnished to the verified source address.
  - 8. A method according to claim 1, wherein first and second requests and the response comprises data packets, and wherein the source address comprises an Internet Protocol (IP) address.
  - 9. A method according to claim 8, wherein the first and second requests respectively comprise first and second Domain Name System (DNS) requests, and wherein the response comprises a DNS response.

10. A method for authenticating communication traffic, comprising:
- receiving a first request, sent over a network from a source address, to provide network information regarding a given domain name;
  
  sending a response to the source address in reply to the first request;
  
  receiving a second request from the source address in reply to the response; and
  
  assessing authenticity of the first request based on the second request,wherein sending the response comprises encoding information in the response, and wherein assessing the authenticity comprises checking the second request for the encoded information, andwherein encoding the information comprises encoding the information in an artificial domain name, and wherein receiving the second request comprises receiving a query for the network information corresponding to the artificial domain name.

11. A method for authenticating communication traffic, comprising:
- receiving a data packet sent over a network from a source address to a destination address;
  
  sending an outgoing Domain Name System (DNS) message to the source address;
  
  receiving an incoming DNS message in response to the outgoing DNS message; and
  
  processing the incoming DNS message so as to assess authenticity of the received data packet,wherein receiving the data packet comprises receiving a first DNS request directed to a DNS server, and wherein sending the outgoing DNS message comprises sending a DNS response, and wherein receiving the incoming DNS message comprises receiving a second DNS request, andwherein receiving the first DNS request comprises receiving a request from a client for network information regarding a first domain name, and wherein sending the DNS response comprises sending a first DNS response redirecting the client to submit the second DNS request with regard to a second domain name.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. A method according to claim 11, and comprising, if the received data packet is assessed to be authentic, sending a further DNS response to the source address so as to provide a resource record from the DNS server as requested by the first DNS request.
  - 13. A method according to claim 12, wherein receiving the first DNS request comprises intercepting the first DNS request prior to delivery of the first DNS request to the DNS server, and comprising allowing the DNS server to provide the resource record to the source address responsively to the assessed authenticity of the of the received data packet.
  - 14. A method according to claim 11, wherein redirecting the client comprises encoding information in the second domain name, and wherein processing the incoming DNS message comprises checking for the encoded information in the second DNS request.
  - 15. A method according to claim 14, and comprising, if the encoded information in the second DNS request is correct, sending a second DNS response redirecting the client to submit a third DNS request in order to receive the network information requested by the first DNS request.
  - 16. A method according to claim 14, wherein sending the outgoing DNS message comprises sending a first DNS packet containing encoded information, and wherein receiving the incoming DNS message comprises receiving a second DNS packet, and wherein processing the incoming DNS message comprises checking the second DNS packet for the encoded information.
  - 17. A method according to claim 16, wherein sending the first DNS packet comprises inserting the encoded information in an artificial domain name in the first DNS packet, and wherein checking the second DNS packet comprises examining the artificial domain name in the second DNS packet.

18. An apparatus for authenticating communication traffic, comprising a guard device, which is adapted to receive a first request, sent over a network from a source address, to provide first network information regarding a first domain name, to send a response to the source address in reply to the first request, to receive a second request from the source address, in reply to the response, to provide second network information regarding a second domain name, and to assess authenticity of the first request based on the second request.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26)
- - 19. An apparatus according to claim 18, wherein the guard device is adapted to intercept the first request prior to delivery of the first request to a server holding the network information, and upon assessing the first request to be authentic, to submit the first request to the server, so as to provide a further response to the source address containing the network information corresponding to the given domain name.
  - 20. An apparatus according to claim 19, wherein the guard device is adapted to retrieve the network information from the server and to send the further response containing the retrieved network information.
  - 21. An apparatus according to claim 19, wherein the guard device is adapted to discard the first request if the first request is not assessed to be authentic.
  - 22. An apparatus according to claim 19, and comprising a memory, wherein the guard device is adapted, upon assessing the first request to be authentic, to make a record of the source address in the memory as an authentic address, and upon receiving a further request from the source address, to verify the source address of the further request based on the record, so as to allow the server to furnish the network information to the verified source address.
  - 23. An apparatus according to claim 18, wherein the network information comprises a network address associated with the domain name.
  - 24. An apparatus according to claim 18, wherein the guard device is adapted to encode information in the response, and to assess the authenticity of the first request by checking the second request for the encoded information.
  - 25. An apparatus according to claim 18, wherein the first and second requests and the response comprises data packets, and wherein the source address comprises an Internet Protocol (IP) address.
  - 26. An apparatus according to claim 25, wherein the first and second requests respectively comprise first and second Domain Name System (DNS) requests, and wherein the response comprises a DNS response.

27. An apparatus for authenticating communication traffic, comprising a guard device, which is adapted to receive a first request, sent over a network from a source address, to provide network information regarding a given domain name, to send a response to the source address in reply to the first request, to receive a second request from the source address in reply to the response, and to assess authenticity of the first request based on the second request,wherein the guard device is adapted to encode information in the response, and to assess the authenticity of the first request by checking the second request for the encoded information, andwherein the guard device is adapted to encode the information in an artificial domain name, and to generate the response so as to cause a client at the source address to submit in the second request a query for the network information corresponding to the artificial domain name.

28. An apparatus for authenticating communication traffic, comprising a guard device, which is adapted to receive a data packet sent over a network from a source address to a destination address, to send an outgoing Domain Name System (DNS) message to the source address, to receive an incoming DNS message in response to the outgoing DNS message, and to process the incoming DNS message so as to assess authenticity of the received data packet,wherein the data packet comprises a first DNS request directed to a DNS server, and wherein the outgoing DNS message comprises a DNS response, and the incoming DNS message comprises a second DNS request, andwherein the first DNS request comprises a request from a client for network information regarding a first domain name, and wherein the DNS response comprises a first DNS response redirecting the client to submit the second DNS request with regard to a second domain name.
- View Dependent Claims (29, 30, 31, 32, 33)
- - 29. An apparatus according to claim 28, wherein the guard device is adapted to intercept the first DNS request prior to delivery of the first DNS request to the DNS server, and upon assessing the first DNS request to be authentic, to submit the first DNS request to the DNS server, so as to provide to the source address a resource record from the DNS server as requested by the first DNS request.
  - 30. An apparatus according to claim 28, wherein the guard device is adapted to encode information in the second domain name, and to check for the encoded information in the second DNS request so as to assess the authenticity of the first DNS request.
  - 31. An apparatus according to claim 30, wherein the guard device is adapted, if the encoded information in the second DNS request is correct, to send a second DNS response redirecting the client to submit a third DNS request in order to receive the requested network information.
  - 32. An apparatus according to claim 28, wherein the outgoing DNS message comprises a first DNS packet containing encoded information, and wherein the incoming DNS message comprises a second DNS packet, and wherein the guard device is adapted to check the second DNS packet for the encoded information so as to assess the authenticity of the received data packet.
  - 33. An apparatus according to claim 32, wherein the guard device is adapted to insert the encoded information in an artificial domain name in the first DNS packet, and to check the second DNS packet by examining the artificial domain name in the second DNS packet.

34. A computer software product for authenticating communication traffic, comprising a computer-readable medium in which program instructions are stored, wherein the instructions, when read by a computer, cause the computer to receive a first request, sent over a network from a source address, to provide first network information regarding a first domain name, to send a response to the source address in reply to the first request, to receive a second request from the source address, in reply to the response, to provide second network information regarding a second domain name, and to assess authenticity of the first request based on the second request.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41, 42)
- - 35. A product according to claim 34, wherein the instructions cause the computer to intercept the first request prior to delivery of the first request to a server holding the network information, and upon assessing the first request to be authentic, to submit the first request to the server, so as to provide a further response to the source address containing the network information corresponding to the given domain name.
  - 36. A product according to claim 35, wherein the instructions cause the computer to retrieve the network information from the server and to send the further response containing the retrieved network information.
  - 37. A product according to claim 35, wherein the instructions cause the computer to discard the first request if the first request is not assessed to be authentic.
  - 38. A product according to claim 35, wherein the instructions cause the computer, upon assessing the first request to be authentic, to make a record of the source address in a memory of the computer as an authentic address, and upon receiving a further request from the source address, to verify the source address of the further request based on the record, so as to allow the server to furnish the network information to the verified source address.
  - 39. A product according to claim 34, wherein the network information comprises a network address associated with the domain name.
  - 40. A product according to claim 34, wherein the instructions cause the computer to encode information in the response, and to assess the authenticity of the first request by checking the second request for the encoded information.
  - 41. A product according to claim 34, wherein first and second requests and the response comprises data packets, and wherein the source address comprises an Internet Protocol (IP) address.
  - 42. A product according to claim 41, wherein the first and second requests respectively comprise first and second Domain Name System (DNS) requests, and wherein the response comprises a DNS response.

43. A computer software product for authenticating communication traffic, comprising a computer-readable medium in which program instructions are stored, wherein the instructions, when read by a computer, cause the computer to receive a first request, sent over a network from a source address, to provide network information regarding a given domain name, to send a response to the source address in reply to the first request, to receive a second request from the source address in reply to the response, and to assess authenticity of the first request based on the second request,wherein the instructions cause the computer to encode information in the response, and to assess the authenticity of the first request by checking the second request for the encoded information, andwherein the instructions cause the computer to encode the information in an artificial domain name, and to generate the response so as to cause a client at the source address to submit in the second request a query for the network information corresponding to the artificial domain name.

44. A computer software product for authenticating communication traffic, comprising a computer-readable medium in which program instructions are stored, wherein the instructions, when read by a computer, cause the computer to receive a data packet sent over a network from a source address to a destination address, to send an outgoing Domain Name System (DNS) message to the source address, to receive an incoming DNS message in response to the outgoing DNS message, and to process the incoming DNS message so as to assess authenticity of the received data packet,wherein the data packet comprises a first DNS request directed to a DNS server, and wherein the outgoing DNS message comprises a DNS response, and the incoming DNS message comprises a second DNS request, andwherein the first DNS request comprises a request from a client for network information regarding a first domain name, and wherein the DNS response comprises a first DNS response redirecting the client to submit the second DNS request with regard to a second domain name.
- View Dependent Claims (45, 46, 47, 48, 49)
- - 45. A product according to claim 44, wherein the instructions cause the computer to intercept the first DNS request prior to delivery of the first DNS request to the DNS server, and upon assessing the first DNS request to be authentic, to submit the first DNS request to the DNS server, so as to provide to the source address a resource record from the DNS server as requested by the first DNS request.
  - 46. A product according to claim 44, wherein the instructions cause the computer to encode information in the second domain name, and to check for the encoded information in the second DNS request so as to assess the authenticity of the first DNS request.
  - 47. A product according to claim 46, wherein the instructions cause the computer, if the encoded information in the second DNS request is correct, to send a second DNS response redirecting the client to submit a third DNS request in order to receive the requested network information.
  - 48. A product according to claim 44, wherein the outgoing DNS message comprises a first DNS packet containing encoded information, and wherein the incoming DNS message comprises a second DNS packet, and wherein the instructions cause the computer to check the second DNS packet for the encoded information so as to assess the authenticity of the received data packet.
  - 49. A product according to claim 48, wherein the instructions cause the computer to insert the encoded information in an artificial domain name in the first DNS packet, and to check the second DNS packet by examining the artificial domain name in the second DNS packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Pazi, Guy, Touitou, Dan, Golan, Alon, Afek, Yehuda
Primary Examiner(s)
HENEGHAN, MATTHEW E

Application Number

US10/943,638
Publication Number

US 20050044352A1
Time in Patent Office

1,194 Days
Field of Search

726/7, 713/154, 713/170
US Class Current

726/7
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 61/4511   using domain name system [DNS]

H04L 63/08   for authentication of entit...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

Protecting against spoofed DNS messages

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

56 Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting against spoofed DNS messages

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

56 Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links