Protecting networks from access link flooding attacks

US 7,356,596 B2
Filed: 01/25/2002
Issued: 04/08/2008
Est. Priority Date: 12/07/2001
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing a packet tunnel between a first local area network and a second local area network, the packet tunnel having a source network address within an address space of the first local area network and a destination network address within an address space of the second local area network;

reserving for the packet tunnel an amount of bandwidth within an access link;

detecting a network attack;

in response to the detected network attack, splitting the packet tunnel by selecting an intermediate network device, wherein the intermediate network device has a network address from a network address space other than the address space of the first local area network and the address space of the second local area network, wherein the first local area network and the second local area network are separated by a public network, and wherein the intermediate network device has a network address from a network address space of the public network;

establishing a first packet tunnel from the first local area network to the intermediate network device;

establishing a second packet tunnel that originates from the intermediate network device to the second local area network;

canceling the reserved bandwidth for the packet tunnel;

reserving for the second packet tunnel an amount of bandwidth within the access link; and

communicating a virtual private network (VPN) traffic from the first local area network to the second local area network by redirecting the VPN traffic from the first local area network to the intermediate network device through the first packet tunnel and forwarding the VPN traffic from the intermediate network device to the second local area network through the second packet tunnel.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Automated techniques are described that provide continuous, uninterrupted operation of the secure packet tunnels in spite of access link flooding attacks. A system is described that includes a source device and a destination device coupled to a network. The source and destination devices may comprise, for example, edge routers that couple local area networks to the network via access links. The source device and the destination device establish a packet tunnel that has a source network address and a destination network address. Upon detecting a network attack, the destination device selects a new network address for at least one of the source network address and the destination network address and establishes a new packet tunnel with the source device. The source network address and the destination network address may comprise port numbers, Internet Protocol (IP) addresses, or other information describing the source and destination devices.

33 Citations

View as Search Results

30 Claims

1. A method comprising:
- establishing a packet tunnel between a first local area network and a second local area network, the packet tunnel having a source network address within an address space of the first local area network and a destination network address within an address space of the second local area network;
  
  reserving for the packet tunnel an amount of bandwidth within an access link;
  
  detecting a network attack;
  
  in response to the detected network attack, splitting the packet tunnel by selecting an intermediate network device, wherein the intermediate network device has a network address from a network address space other than the address space of the first local area network and the address space of the second local area network, wherein the first local area network and the second local area network are separated by a public network, and wherein the intermediate network device has a network address from a network address space of the public network;
  
  establishing a first packet tunnel from the first local area network to the intermediate network device;
  
  establishing a second packet tunnel that originates from the intermediate network device to the second local area network;
  
  canceling the reserved bandwidth for the packet tunnel;
  
  reserving for the second packet tunnel an amount of bandwidth within the access link; and
  
  communicating a virtual private network (VPN) traffic from the first local area network to the second local area network by redirecting the VPN traffic from the first local area network to the intermediate network device through the first packet tunnel and forwarding the VPN traffic from the intermediate network device to the second local area network through the second packet tunnel.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, wherein the source network address and the destination network address comprise port numbers.
  - 3. The method of claim 1, wherein the source network address and the destination network address comprise Internet Protocol (IP) addresses.
  - 4. The method of claim 1, wherein detecting a network attack comprises detecting an attack on the access link coupling a destination network device to a network.
  - 5. The method of claim 1, further comprising exchanging a set of available network addresses between a source network device originating the packet tunnel and a destination network device terminating the packet tunnel, wherein the set of available network addresses correspond to a plurality of intermediate network devices.
  - 6. The method of claim 1, wherein splitting the packet tunnel by selecting an intermediate device comprises:
    - maintaining a set of available network addresses for a plurality of available intermediate network devices, wherein the network addresses are within network address spaces other than the address space of the first local area network and the address space of the second local area network; and
      
      selecting one of the network addresses.
  - 7. The method of claim 1, further comprising:
    - upon detecting a network attack, sending a message from a destination network device for the packet tunnel to a source network device for the packet tunnel instructing the source network device to establish the first packet tunnel with the intermediate network device.
  - 8. The method of claim 7, further comprising:
    - establishing a secure signaling channel between the source network device and the destination network device; and
      
      sending the message via the secure signaling channel.
  - 9. The method of claim 1, further comprisingde-encapsulating at the intermediate network device packets received from the first packet tunnel;
    - andre-encapsulating the packets at the intermediate network device for communication via the second packet tunnel.
  - 10. The method of claim 1, further comprising:
    - establishing a secure signaling channel between a source network device and a destination network device;
      
      sending via the secure signaling channel control packets between the source network device and the destination network device to monitor the performance of the first and second packet tunnels; and
      
      selecting a new intermediate network device when the performance reaches a minimum threshold.
  - 11. The method of claim 10, further comprising maintaining a set of possible intermediate network devices for a plurality of available intermediate network devices, wherein the network addresses are within network address spaces other than the address space of the first local area network and the address space of the second local area network, and wherein selecting the intermediate network device comprises selecting one of the possible intermediate network devices from the set.
  - 12. The method of claim 1, wherein reserving an amount of bandwidth comprises sending a reservation message from a destination network device terminating the packet tunnel to a service provider access device.
  - 13. The method of claim 12, wherein sending a reservation message comprises sending the reservation message according to the Resource Reservation Protocol (RSVP).
  - 14. The method of claim 1, wherein establishing a packet tunnel comprises:
    - maintaining a set of available multicast network addresses;
      
      selecting one of the multicast network addresses for the packet tunnel; and
      
      subscribing to a multicast channel for the selected multicast network address.
  - 15. The method of claim 14, wherein establishing a second packet tunnel comprises:
    - unsubscribing to the multicast channel;
      
      selecting one of the multicast network addresses for a new destination network address;
      
      establishing the second packet tunnel using the new destination network address; and
      
      subscribing to a multicast channel for the selected multicast network address.

16. A method comprising:
- establishing a virtual private network service including a packet tunnel having a source network address within an address space of a first local area network and a destination network address within an address space of a second local area network;
  
  reserving for the packet tunnel an amount of bandwidth within an access link;
  
  detecting a network attack;
  
  establishing a new virtual private network service upon detecting the network attack, by selecting an intermediate network device having a network address from a network address space other than the address space of the first local area network and the address space of the second local area network, wherein the first local area network and the second local area network are separated by a public network, and wherein the intermediate network device has a network address from a network address space of the public network;
  
  establishing a first packet tunnel from the first local area network to the intermediate network device; and
  
  establishing a second packet tunnel that originates from the intermediate network device to the second local area network;
  
  canceling the reserved bandwidth for the packet tunnel after establishing the new virtual private network service; and
  
  reserving for the second packet tunnel an amount of bandwidth within the access link upon canceling the reserved bandwidth for the packet tunnel.
- View Dependent Claims (17, 18)
- - 17. The method of claim 16, wherein establishing a packet tunnel comprises:
    - maintaining a set of available multicast network addresses;
      
      selecting one of the multicast network addresses for the destination network address of the packet tunnel; and
      
      subscribing to a multicast channel for the selected multicast network address.
  - 18. The method of claim 16, wherein detecting a network attack comprises detecting an attack on an access link coupling a destination network device to a network.

19. A system comprisinga source device coupled to a first local area network;
- anda destination device coupled to a second local area network,wherein the source device and the destination device establish a packet tunnel having a source network address within an address space of the first local area network and a destination network address within an address space of the second local area network, reserve for the packet tunnel an amount of bandwidth within an access link, upon detecting a network attack, select a new network address from a network address space other than the address space of the first local area network and the address space of the second locale area network, and split the packet tunnel by establishing a first packet tunnel from the first local area network to an intermediate network device having the new network address and establishing a second packet tunnel from the intermediate network device to the second local area,wherein the first local area network and the second local area network are separated by a public network, and wherein the intermediate network device has a network address from a network address space of the public network,wherein the destination device cancels the reserved bandwidth for the packet tunnel after the second packet tunnel is established, and reserves for the second packet tunnel an amount of bandwidth within the access link upon canceling the reserved bandwidth for the packet tunnel, andwherein the source device communicates virtual private network (VPN) traffic from the first local area network to the second local area network by redirecting the VPN traffic from the first local area network to the intermediate network device through the first packet tunnel for forwarding the intermediate network device to the second local area network through the second packet tunnel.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 20. The system of claim 19, wherein the source network address and the destination network address comprise port numbers.
  - 21. The system of claim 19, wherein the source network address and the destination network address comprise Internet Protocol (IP) addresses.
  - 22. The system of claim 19, wherein the destination device and the source device comprise edge routers that couple local area networks to the public network.
  - 23. The system of claim 19, wherein the destination device detects an attack on an access link coupling the destination device to the public network.
  - 24. The system of claim 19, wherein the destination device and the source device exchange a set of available network addresses for the source network address and the destination network address of the packet tunnel.
  - 25. The system of claim 19, wherein the destination device comprises a storage medium to store a set of available network addresses for use as the source network address and the destination network address of the packet tunnel.
  - 26. The system of claim 19, wherein the intermediate network device de-encapsulates packets received from the first packet tunnel and re-encapsulates the packets for communication to the destination device via the second packet tunnel.
  - 27. The system of claim 19, wherein the source device and the destination device establish a secure signaling channel and send via the secure signaling channel control packets to monitor the performance of the first and second packet tunnels.
  - 28. The system of claim 27, wherein the destination device selects a new intermediate network device when the performance reaches a minimum threshold.

29. A computer-readable medium comprising instructions to cause a processor to:
- establish a packet tunnel having a source network address within an address space of a first local area network and a destination network address within an address space of a second local area network;
  
  reserve for the packet tunnel an amount of bandwidth within an access link;
  
  detect a network attack;
  
  in response to the detected network attack, split the packet tunnel by selecting an intermediate network device, wherein the intermediate network device has a network address from a network address space other than the address space of the first local area network and the address space of the second local area network, wherein the first local area network and the second local area network are separated by a public network, and wherein the intermediate network device has a network address from a network address space of the public network;
  
  communicate the network address to a source device for the packet tunnel for establishing a first packet tunnel from the first local area network to the intermediate network device;
  
  establish a second packet tunnel that originates from the intermediate network device to the second local area network;
  
  cancel the reserved bandwidth for the packet tunnel;
  
  reserve for the second packet tunnel an amount of bandwidth within the access link; and
  
  receive virtual private network (VPN) traffic that was redirected from the first local area network to the intermediate network device through the first packet tunnel and forwarded the VPN traffic from the intermediate network device to the second local area network through the second packet tunnel.
- View Dependent Claims (30)
- - 30. The computer-readable medium of claim 29, further comprising instructions to cause the processor to select the intermediate network device by:
    - maintaining a set of available network addresses; and
      
      selecting one of the network addresses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Architecture Technology Corporation
Original Assignee
Architecture Technology Corporation
Inventors
Ramanujan, Ranga S., Kaddoura, Maher N., Wu, Xiaoming, Millikin, Kevin S.
Primary Examiner(s)
Cardone, Jason
Assistant Examiner(s)
Gillis, Brian J

Application Number

US10/057,043
Publication Number

US 20030110288A1
Time in Patent Office

2,265 Days
Field of Search

709/238, 709/227, 709/235, 709/201, 713/201, 726/22
US Class Current

709/227
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/1458   Denial of Service

Protecting networks from access link flooding attacks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

33 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting networks from access link flooding attacks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

33 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links