Thwarting denial of service attacks originating in a DOCSIS-compliant cable network

US 7,372,809 B2
Filed: 05/18/2004
Issued: 05/13/2008
Est. Priority Date: 05/18/2004
Status: Active Grant

First Claim

Patent Images

1. A method for thwarting a denial of service attack originating from a DOCSIS-compliant cable network (DCN) comprising:

detecting transmission of a packet used to perpetrate a denial of service attack against a target originating from a customer premises equipment (CPE) connected to the DNS;

capturing a source IP address of the CPE and a domain name of the target from the attack packet; and

directing a DNS cache server to ignore a domain name request from the CPE comprising the source IP address and the target domain name, wherein the DNS cache server is used to thwart the denial of service attack directed to the target domain name from the CPE.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for thwarting denial of service attacks originating in a DOCSIS-compliant cable network (DCN) are described. A DCN comprises one or more sub-networks each comprising an access network, one or more cable modem termination systems (CMTSs) and one or more cable modems (CMs). The DCN also accesses an edge server and a local DNS cache server. The DCN interfaces with the Internet and accesses a remote DNS server according to well-known protocols. The CMTS is adapted to compare the source IP address included in IP packet headers to the IP address of the customer premises equipment (CPE) from which the IP packet originates as assigned by the DNS. Data packets that have spoofed addresses are either deleted or quarantined. Packets reaching the edge server are evaluated by an attack detection system. A packet determined to be part of a denial of service attack is inspected and the source IP address and the destination IP address extracted. A cache controller is instructed to prevent a DNS cache server from responding to a domain name request containing both the extracted source IP address and destination IP address.

Citations

18 Claims

1. A method for thwarting a denial of service attack originating from a DOCSIS-compliant cable network (DCN) comprising:
- detecting transmission of a packet used to perpetrate a denial of service attack against a target originating from a customer premises equipment (CPE) connected to the DNS;
  
  capturing a source IP address of the CPE and a domain name of the target from the attack packet; and
  
  directing a DNS cache server to ignore a domain name request from the CPE comprising the source IP address and the target domain name, wherein the DNS cache server is used to thwart the denial of service attack directed to the target domain name from the CPE.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein detecting the occurrence of a denial of service attack against a target originating from a customer premises equipment (CPE) comprises evaluating network statistical data to identify anomalies in IP traffic that are indicative of a denial of service attack.
  - 3. The method of claim 1 further comprising:
    - receiving a packet at a cable modem termination system (CMTS) from the CPE, wherein the CPE is connected to a cable modem, wherein the CPE is assigned an IP address, wherein the cable modem comprises a unique MAC address, and wherein the packet comprises a MAC address of the cable modem and the assigned IP address of the CPE;
      
      determining if the MAC address of the modem and the assigned IP address of the CPE in the packet match a stored MAC/IP address pair;
      
      if the MAC address of the modem and the assigned IP address of the CPE in the packet do not match a stored MAC/IP address pair, then discarding all packets having the unauthorized packet source IP address; and
      
      if the MAC address of the modem and the assigned IP address of the CPE in the packet match a stored MAC/IP address pair, then forwarding the packet.
  - 4. The method of claim 1, wherein the CPE is a general-purpose computer.
  - 5. The method of claim 1 further comprising:
    - determining whether a preset time period has expired since the DNS cache server was directed to ignore the domain name request from the CPE comprising the source IP address and the target domain name; and
      
      if the preset time period has expired, then directing the DNS cache server to process the domain name request from the CPE comprising the source IP address and the target domain name.
  - 6. The method of claim 1 further comprising:
    - assigning the CPE a new source IP address;
      
      monitoring a rate of domain name requests comprising the new source IP address;
      
      determining if the rate of domain name requests comprising the new source IP address is indicative of a denial of service attack originating from the CPE; and
      
      if the rate of domain name requests comprising the new source IP address is indicative of a denial of service attack, then directing the DNS cache server to ignore the domain name requests from the CPE comprising the new source IP address.

7. A method for limiting domain name service (DNS) request messages originating from within a DOCSIS-compliant cable network (DCN) comprising:
- receiving a DNS request message directed to a domain name from a customer premises equipment (CPE);
  
  obtaining the source IP address of the CPE and the domain name from the DNS request message;
  
  calculating a DNS request message transmission rate for DNS request messages directed to the domain name from the source IP address;
  
  comparing the DNS request message transmission rate to a threshold DNS message transmission rate, wherein the DNS message threshold rate establishes a maximum number of DNS request messages directed to a same domain name from a same source IP address over a period of time; and
  
  in the event the DNS request message transmission rate exceeds the threshold DNS message transmission rate, directing a DNS cache server to ignore a domain name request from the CPE comprising the assigned IP address and the target domain name, wherein the DNS cache server is used to thwart the denial of service attack directed to the target domain name from the CPE.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The method of claim 7, wherein calculating a DNS request message transmission rate from the source IP address comprises:
    - time-stamping a first DNS request message and a last DNS request message directed to the domain name from the source IP address;
      
      counting the DNS request messages from the source IP inclusive of the first DNS request message directed to the domain name and the last DNS request message directed to the domain name;
      
      determining an elapsed time segment between the first and last DNS request messages by computing the difference between the time-stamp of the last DNS request message and the first DNS request message; and
      
      calculating the DNS request message transmission rate for the source IP address by dividing the DNS request message count by the elapsed time segment.
  - 9. The method of claim 7, wherein calculating a DNS request message transmission rate for the source IP address comprises:
    - counting the DNS request messages directed to the domain name from the source IP address during a clock interval; and
      
      setting the DNS request message transmission rate to the message count.
  - 10. The method of claim 7, wherein the CPE is a general-purpose computer.
  - 11. The method of claim 7 further comprising:
    - receiving a packet at a cable modem termination system (CMTS) from the CPE, wherein the CPE is connected to a cable modem, wherein the CPE is assigned an IP address, wherein the cable modem comprises a unique MAC address, and wherein the packet comprises a MAC address of the cable modem and the assigned IP address of the CPE;
      
      determining if the MAC address of the modem and the assigned IP address of the CPE in the packet match a stored MAC/IP address pair;
      
      if the MAC address of the modem and the assigned IP address of the CPE in the packet do not match a stored MAC/IP address pair, then discarding all packets having the unauthorized packet source IP address; and
      
      if the MAC address of the modem and the assigned IP address of the CPE in the packet match a stored MAC/IP address pair, then forwarding the packet.
  - 12. The method of claim 7 further comprising:
    - determining whether a preset time period has expired since the DNS cache server was directed to ignore the domain name request from the CPE comprising the source IP address and the target domain name; and
      
      if the preset time period has expired, then directing the DNS cache server to process the domain name request from the CPE comprising the source IP address and the target domain name.
  - 13. The method of claim 7 further comprising:
    - assigning the CPE a new source IP address;
      
      monitoring a rate of domain name requests comprising the new source IP address;
      
      determining if the rate of domain name requests comprising the new source IP address is indicative of a denial of service attack originating from the CPE; and
      
      if the rate of domain name requests comprising the new source IP address is indicative of a denial of service attack, then directing the DNS cache server to ignore the domain name requests from the CPE comprising the new source IP address.

14. A system for thwarting a denial of service attack originating from a DOCSIS-compliant cable network (DCN) comprising:
- a DNS cache server comprising instructions from responding to domain name requests from a customer premises equipment (CPE) connected to the DCN;
  
  an edge server, wherein the edge server comprises instructions for receiving an IP packet from the CPE that is destined for delivery to a site connected to the Internet, wherein the site is identified by a domain name associated with a unique IP address;
  
  an attack detection system connected to the edge server, wherein the attack detection system comprises instructions for;
  
  detecting the occurrence of a denial of service attack against a target originating from the CPE; and
  
  capturing the source IP address of the CPE and a domain name of the target of the denial of service attack;
  
  a cache controller connected to the attack detection system and to the DNS cache server, wherein the cache controller comprises instructions for;
  
  receiving from the attack detection system the source IP address of the CPE and the target domain name; and
  
  directing a DNS cache to ignore a domain name request from the CPE that is directed to the target domain name, wherein the DNS cache server is used to thwart the denial of service attack directed to the target domain name from the CPE.
- View Dependent Claims (15, 16, 17, 18)
- - 15. The system of claim 14, wherein the CPE is a general-purpose computer.
  - 16. The system of claim 14, wherein CPE is connected to the DCN via a cable modem, wherein the system further comprises a cable modem termination system (CMTS), and wherein the CMTS comprises instructions for:
    - receiving a packet from the CPE, wherein the CPE is connected to the cable modem, wherein the CPE is assigned an IP address, wherein the cable modem comprises a unique MAC address, and wherein the packet comprises a MAC address of the cable modem and the assigned IP address of the CPE;
      
      determining if the MAC address of the modem and the assigned IP address of the CPE in the packet match a stored MAC/IP address pair;
      
      if the MAC address of the modem and the assigned IP address of the CPE in the packet do not match a stored MAC/IP address pair, then discarding all packets having the unauthorized packet source IP address; and
      
      if the MAC address of the modem and the assigned IP address of the CPE in the packet match a stored MAC/IP address pair, then forwarding the packet.
  - 17. The system of claim 14, wherein the DNS cache server further comprises instructions for:
    - determining whether a preset time period has expired since the DNS cache server was directed to ignore the domain name request from the CPE comprising the source IP address and the target domain name; and
      
      if the preset time period has expired, then directing the DNS cache server to process the domain name request from the CPE comprising the source IP address and the target domain name.
  - 18. The system of claim 14, wherein system further comprises means for assigning the CPE a new source IP address and wherein the cache controller comprises instructions for:
    - monitoring a rate of domain name requests comprising the new source IP address;
      
      determining if the rate of domain name requests comprising the new source IP address is indicative of a denial of service attack originating from the CPE; and
      
      if the rate of domain name requests comprising the new source IP address is indicative of a denial of service attack, then directing the DNS cache server to ignore the domain name requests from the CPE comprising the new source IP address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Time Warner Cable Enterprises LLC (Charter Communications Incorporated)
Original Assignee
Time Warner Cable Inc. (Charter Communications Incorporated)
Inventors
Gould, Kenneth, Chen, John Anthony
Primary Examiner(s)
Backer; Firmin
Assistant Examiner(s)
NGO, NGUYEN HOANG

Application Number

US10/848,397
Publication Number

US 20050259645A1
Time in Patent Office

1,456 Days
Field of Search

370229-235, 370/389, 370/392, 370/401, 370/464
US Class Current

370/229
CPC Class Codes

H04L 61/35   involving non-standard use ...

H04L 61/4511   using domain name system [DNS]

H04L 61/58   Caching of addresses or names

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

H04L 67/63   Routing a service request d...

H04N 21/25816   involving client authentica...

H04N 21/42676   for modulating an analogue ...

H04N 21/42684   Client identification by a ...

H04N 21/6118   involving cable transmissio...

H04N 21/64322   IP

H04N 7/173   with two-way working, e.g. ...

Thwarting denial of service attacks originating in a DOCSIS-compliant cable network

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Thwarting denial of service attacks originating in a DOCSIS-compliant cable network

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links