Protecting networks from access link flooding attacks
2 Assignments
0 Petitions
Abstract
Automated techniques are described that provide continuous, uninterrupted operation of the secure packet tunnels in spite of access link flooding attacks. A system is described that includes a source device and a destination device coupled to a network. The source and destination devices may comprise, for example, edge routers that couple local area networks to the network via access links. The source device and the destination device establish a packet tunnel that has a source network address and a destination network address. Upon detecting a network attack, the destination device selects a new network address for at least one of the source network address and the destination network address and establishes a new packet tunnel with the source device. The source network address and the destination network address may comprise port numbers, Internet Protocol (IP) addresses, or other information describing the source and destination devices.
33 Citations
30 Claims
1. A method comprising:
   - establishing a packet tunnel between a first local area network and a second local area network, the packet tunnel having a source network address within an address space of the first local area network and a destination network address within an address space of the second local area network;
   - reserving for the packet tunnel an amount of bandwidth within an access link;
   - detecting a network attack;
   - in response to the detected network attack, splitting the packet tunnel by selecting an intermediate network device, wherein the intermediate network device has a network address from a network address space other than the address space of the first local area network and the address space of the second local area network, wherein the first local area network and the second local area network are separated by a public network, and wherein the intermediate network device has a network address from a network address space of the public network;
   - establishing a first packet tunnel from the first local area network to the intermediate network device;
   - establishing a second packet tunnel that originates from the intermediate network device to the second local area network;
   - canceling the reserved bandwidth for the packet tunnel;
   - reserving for the second packet tunnel an amount of bandwidth within the access link; and
   - communicating virtual private network (VPN) traffic from the first local area network to the second local area network by redirecting the VPN traffic from the first local area network to the intermediate network device through the first packet tunnel and forwarding the VPN traffic from the intermediate network device to the second local area network through the second packet tunnel.

   Dependent claims: 2-15.

16. A method comprising:
   - establishing a virtual private network service including a packet tunnel having a source network address within an address space of a first local area network and a destination network address within an address space of a second local area network;
   - reserving for the packet tunnel an amount of bandwidth within an access link;
   - detecting a network attack;
   - establishing a new virtual private network service upon detecting the network attack, by selecting an intermediate network device having a network address from a network address space other than the address space of the first local area network and the address space of the second local area network, wherein the first local area network and the second local area network are separated by a public network, and wherein the intermediate network device has a network address from a network address space of the public network, establishing a first packet tunnel from the first local area network to the intermediate network device, and establishing a second packet tunnel that originates from the intermediate network device to the second local area network;
   - canceling the reserved bandwidth for the packet tunnel after establishing the new virtual private network service; and
   - reserving for the second packet tunnel an amount of bandwidth within the access link upon canceling the reserved bandwidth for the packet tunnel.

   Dependent claims: 17-18.

19. A system comprising:
   - a source device coupled to a first local area network; and
   - a destination device coupled to a second local area network, wherein the source device and the destination device establish a packet tunnel having a source network address within an address space of the first local area network and a destination network address within an address space of the second local area network, reserve for the packet tunnel an amount of bandwidth within an access link, upon detecting a network attack, select a new network address from a network address space other than the address space of the first local area network and the address space of the second local area network, and split the packet tunnel by establishing a first packet tunnel from the first local area network to an intermediate network device having the new network address and establishing a second packet tunnel from the intermediate network device to the second local area network, wherein the first local area network and the second local area network are separated by a public network, and wherein the intermediate network device has a network address from a network address space of the public network, wherein the destination device cancels the reserved bandwidth for the packet tunnel after the second packet tunnel is established, and reserves for the second packet tunnel an amount of bandwidth within the access link upon canceling the reserved bandwidth for the packet tunnel, and wherein the source device communicates virtual private network (VPN) traffic from the first local area network to the second local area network by redirecting the VPN traffic from the first local area network to the intermediate network device through the first packet tunnel for forwarding from the intermediate network device to the second local area network through the second packet tunnel.

   Dependent claims: 20-28.

29. A computer-readable medium comprising instructions to cause a processor to:
   - establish a packet tunnel having a source network address within an address space of a first local area network and a destination network address within an address space of a second local area network;
   - reserve for the packet tunnel an amount of bandwidth within an access link;
   - detect a network attack;
   - in response to the detected network attack, split the packet tunnel by selecting an intermediate network device, wherein the intermediate network device has a network address from a network address space other than the address space of the first local area network and the address space of the second local area network, wherein the first local area network and the second local area network are separated by a public network, and wherein the intermediate network device has a network address from a network address space of the public network;
   - communicate the network address to a source device for the packet tunnel for establishing a first packet tunnel from the first local area network to the intermediate network device;
   - establish a second packet tunnel that originates from the intermediate network device to the second local area network;
   - cancel the reserved bandwidth for the packet tunnel;
   - reserve for the second packet tunnel an amount of bandwidth within the access link; and
   - receive virtual private network (VPN) traffic that was redirected from the first local area network to the intermediate network device through the first packet tunnel and forwarded from the intermediate network device to the second local area network through the second packet tunnel.

   Dependent claims: 30.
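As an added illustration (not code from the patent or its assignee), a small Python model of the procedure the independent claims describe: a controller holds a bandwidth reservation on the access link for the direct tunnel, and when an attack is signalled it selects an intermediate device whose address lies outside both LAN address spaces and inside the public network's space, builds the two tunnels, cancels the old reservation before reserving for the second tunnel, and re-routes VPN traffic through the relay. The address prefixes, bandwidth figures and candidate relay addresses are constructed sample values; the class and method names are this example's own.

```python
# Added example (not the patent's code): models tunnel splitting with an
# access-link reservation that must be cancelled before it is re-made.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    src: str  # tunnel source address
    dst: str  # tunnel destination address


class AccessLink:
    """Bandwidth reservations on the destination side's access link."""

    def __init__(self, capacity_kbps):
        self.capacity_kbps = capacity_kbps
        self.reserved = {}  # Tunnel -> reserved kbps

    def reserve(self, tunnel, kbps):
        # Refuse a reservation that would over-subscribe the access link.
        if sum(self.reserved.values()) + kbps > self.capacity_kbps:
            raise ValueError("access link would be over-subscribed")
        self.reserved[tunnel] = kbps

    def cancel(self, tunnel):
        del self.reserved[tunnel]


class VpnController:
    """Tracks the tunnel path carrying VPN traffic between two LANs."""

    def __init__(self, lan_a, lan_b, public, src, dst, link, kbps):
        self.lan_a = ipaddress.ip_network(lan_a)
        self.lan_b = ipaddress.ip_network(lan_b)
        self.public = ipaddress.ip_network(public)
        self.src, self.dst, self.link, self.kbps = src, dst, link, kbps
        self.path = [Tunnel(src, dst)]  # the original direct tunnel
        link.reserve(self.path[0], kbps)

    def select_intermediate(self, candidates):
        """Pick a relay outside both LAN spaces and inside the public space."""
        for addr in candidates:
            ip = ipaddress.ip_address(addr)
            if ip not in self.lan_a and ip not in self.lan_b and ip in self.public:
                return addr
        raise LookupError("no eligible intermediate device")

    def on_attack(self, candidates):
        """Split the tunnel: choose a relay, build two legs, move the reservation."""
        relay = self.select_intermediate(candidates)
        first, second = Tunnel(self.src, relay), Tunnel(relay, self.dst)
        self.link.cancel(self.path[0])  # cancel first, or reserve() may fail
        self.link.reserve(second, self.kbps)  # only the second leg uses the access link
        self.path = [first, second]
        return relay

    def hops(self):
        """Addresses VPN traffic traverses from the first LAN to the second."""
        return [self.path[0].src] + [t.dst for t in self.path]
```

With a 6000 kbps link and a 4000 kbps reservation, reserving for the second tunnel before cancelling the first would be refused, which is why the controller cancels before it re-reserves.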
Specification