Thwarting denial of service attacks originating in a DOCSIS-compliant cable network
First Claim
1. A method for thwarting a denial of service attack originating from a DOCSIS-compliant cable network (DCN) comprising:
- detecting transmission of a packet used to perpetrate a denial of service attack against a target originating from a customer premises equipment (CPE) connected to the DNS;
- capturing a source IP address of the CPE and a domain name of the target from the attack packet; and
- directing a DNS cache server to ignore a domain name request from the CPE comprising the source IP address and the target domain name, wherein the DNS cache server is used to thwart the denial of service attack directed to the target domain name from the CPE.
Abstract
Methods and systems for thwarting denial of service attacks originating in a DOCSIS-compliant cable network (DCN) are described. A DCN comprises one or more sub-networks each comprising an access network, one or more cable modem termination systems (CMTSs) and one or more cable modems (CMs). The DCN also accesses an edge server and a local DNS cache server. The DCN interfaces with the Internet and accesses a remote DNS server according to well-known protocols. The CMTS is adapted to compare the source IP address included in IP packet headers to the IP address of the customer premises equipment (CPE) from which the IP packet originates as assigned by the DNS. Data packets that have spoofed addresses are either deleted or quarantined. Packets reaching the edge server are evaluated by an attack detection system. A packet determined to be part of a denial of service attack is inspected and the source IP address and the destination IP address extracted. A cache controller is instructed to prevent a DNS cache server from responding to a domain name request containing both the extracted source IP address and destination IP address.
18 Claims
1. A method for thwarting a denial of service attack originating from a DOCSIS-compliant cable network (DCN) comprising:
- detecting transmission of a packet used to perpetrate a denial of service attack against a target originating from a customer premises equipment (CPE) connected to the DNS;
- capturing a source IP address of the CPE and a domain name of the target from the attack packet; and
- directing a DNS cache server to ignore a domain name request from the CPE comprising the source IP address and the target domain name, wherein the DNS cache server is used to thwart the denial of service attack directed to the target domain name from the CPE.
Dependent claims: 2, 3, 4, 5, 6
7. A method for limiting domain name service (DNS) request messages originating from within a DOCSIS-compliant cable network (DCN) comprising:
- receiving a DNS request message directed to a domain name from a customer premises equipment (CPE);
- obtaining the source IP address of the CPE and the domain name from the DNS request message;
- calculating a DNS request message transmission rate for DNS request messages directed to the domain name from the source IP address;
- comparing the DNS request message transmission rate to a threshold DNS message transmission rate, wherein the DNS message threshold rate establishes a maximum number of DNS request messages directed to a same domain name from a same source IP address over a period of time; and
- in the event the DNS request message transmission rate exceeds the threshold DNS message transmission rate, directing a DNS cache server to ignore a domain name request from the CPE comprising the assigned IP address and the target domain name, wherein the DNS cache server is used to thwart the denial of service attack directed to the target domain name from the CPE.
Dependent claims: 8, 9, 10, 11, 12, 13
14. A system for thwarting a denial of service attack originating from a DOCSIS-compliant cable network (DCN) comprising:
- a DNS cache server comprising instructions from responding to domain name requests from a customer premises equipment (CPE) connected to the DCN;
- an edge server, wherein the edge server comprises instructions for receiving an IP packet from the CPE that is destined for delivery to a site connected to the Internet, wherein the site is identified by a domain name associated with a unique IP address;
- an attack detection system connected to the edge server, wherein the attack detection system comprises instructions for:
  - detecting the occurrence of a denial of service attack against a target originating from the CPE; and
  - capturing the source IP address of the CPE and a domain name of the target of the denial of service attack;
- a cache controller connected to the attack detection system and to the DNS cache server, wherein the cache controller comprises instructions for:
  - receiving from the attack detection system the source IP address of the CPE and the target domain name; and
  - directing a DNS cache to ignore a domain name request from the CPE that is directed to the target domain name, wherein the DNS cache server is used to thwart the denial of service attack directed to the target domain name from the CPE.
Dependent claims: 15, 16, 17, 18
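The three mechanisms the abstract and claims describe (the CMTS comparing a packet's source IP against the address assigned to the originating CPE, the cache controller telling the local DNS cache server to ignore a given source-IP/domain pair once the attack detection system flags it, and the claim-7 variant that triggers the same instruction when DNS requests for one domain from one source exceed a threshold rate over a period) can be modelled together in a few dozen lines. The following Python is an added example written for this page; it is not code from the patent or from any cable-network product. The CPE identifiers, IP addresses, domain names, threshold and window length are constructed values, and the sliding-window counter is one possible way to compute the "transmission rate" the claim leaves unspecified.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, Optional, Set, Tuple

# Constructed CMTS assignment table (hypothetical): CPE id -> IP assigned to it.
# A packet whose source IP differs from the address assigned to the CPE it came
# from is treated as spoofed and dropped before it reaches the edge server.
ASSIGNED_IPS: Dict[str, str] = {
    "cpe-A": "10.0.0.10",
    "cpe-B": "10.0.0.11",
}


def cmts_source_check(cpe_id: str, src_ip: str) -> str:
    """Anti-spoofing check at the CMTS: 'forward' when src_ip is the address
    assigned to this CPE, otherwise 'drop'."""
    return "forward" if ASSIGNED_IPS.get(cpe_id) == src_ip else "drop"


class DnsCacheServer:
    """Local DNS cache that can be instructed to ignore (src_ip, domain) pairs."""

    def __init__(self, records: Dict[str, str]) -> None:
        self.records = records
        self.ignore: Set[Tuple[str, str]] = set()

    def resolve(self, src_ip: str, domain: str) -> Optional[str]:
        # An ignored pair receives no answer; every other request is served.
        if (src_ip, domain) in self.ignore:
            return None
        return self.records.get(domain)


class CacheController:
    """Takes (src_ip, domain) from the detector or the rate limiter and
    directs the cache server to stop answering that pair."""

    def __init__(self, cache: DnsCacheServer) -> None:
        self.cache = cache

    def block(self, src_ip: str, domain: str) -> None:
        self.cache.ignore.add((src_ip, domain))


class DnsRateLimiter:
    """Claim-7 style limiter: counts DNS requests per (src_ip, domain) inside a
    sliding window and calls the controller once the count exceeds the threshold."""

    def __init__(self, controller: CacheController, threshold: int, window_s: float) -> None:
        self.controller = controller
        self.threshold = threshold      # max requests per window for one pair
        self.window_s = window_s        # the "period of time" of the claim
        self.events: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)

    def observe(self, src_ip: str, domain: str, now: float) -> int:
        """Record one request seen at time `now`; returns the in-window count."""
        q = self.events[(src_ip, domain)]
        q.append(now)
        while q and now - q[0] >= self.window_s:   # evict timestamps outside the window
            q.popleft()
        if len(q) > self.threshold:
            self.controller.block(src_ip, domain)
        return len(q)


def handle_flagged_packet(controller: CacheController, src_ip: str, target_domain: str) -> Tuple[str, str]:
    """Claim-1 path: the attack detection system has flagged a packet; capture the
    CPE source IP and the target domain and hand the pair to the cache controller."""
    controller.block(src_ip, target_domain)
    return (src_ip, target_domain)


def simulate() -> dict:
    """Constructed scenario: cpe-A floods DNS for victim.example, cpe-B behaves."""
    cache = DnsCacheServer({"victim.example": "203.0.113.5", "other.example": "203.0.113.9"})
    controller = CacheController(cache)
    limiter = DnsRateLimiter(controller, threshold=10, window_s=1.0)

    spoofed = cmts_source_check("cpe-A", "10.0.0.11")   # cpe-A claims cpe-B's address
    genuine = cmts_source_check("cpe-A", "10.0.0.10")

    for i in range(25):                                  # 25 requests in 0.5 s
        limiter.observe("10.0.0.10", "victim.example", now=i * 0.02)
    for i in range(3):                                   # a normal handful
        limiter.observe("10.0.0.11", "victim.example", now=i * 0.2)

    return {
        "spoofed": spoofed,
        "genuine": genuine,
        "flooder_answer": cache.resolve("10.0.0.10", "victim.example"),
        "flooder_other_name": cache.resolve("10.0.0.10", "other.example"),
        "peer_answer": cache.resolve("10.0.0.11", "victim.example"),
        "ignored_pairs": sorted(cache.ignore),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Note that the ignore list is keyed on the pair, not on the source address alone: the flooding CPE still gets answers for other names, and other CPEs still get answers for the targeted name, which is the scoping the claims describe. A deployment would also need an expiry for ignored pairs, which the claims do not address.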