Filtering subscriber traffic to prevent denial-of-service attacks
Abstract
A method of storing address lease information including a Media Access Control (MAC) address, an IP address, and a port for a subscriber in a database coupled to a network edge device when an address lease is associated with the subscriber, receiving subscriber packets on at least one port of the network edge device, comparing source address information from packets purportedly transmitted by the subscriber with address lease information associated with the subscriber, and forwarding those of the packets if source address information from the packets, including source MAC and IP addresses, corresponds to address lease information associated with the subscriber.
14 Claims
1. A method of preventing a denial of service attack, comprising:
storing address lease information, including a Media Access Control (MAC) address, an Internet Protocol (IP) address, and a port, for a subscriber in a database coupled to a network edge device when an address lease is associated with the subscriber, wherein the address lease information associated with the subscriber further comprises the subscriber's previous MAC addresses and a maximum rate a MAC address is allowed to change for packets transmitted by the subscriber;
receiving subscriber packets on at least one port of the network edge device;
comparing source address information from packets purportedly transmitted by the subscriber with address lease information associated with the subscriber; and
forwarding those of the packets if source address information from the packets, including source MAC and IP addresses, corresponds to address lease information associated with the subscriber.
Dependent claims: 2, 3, 4, 5, 6
7. A network device for preventing a denial of service attack, comprising:
at least one first network port for transmitting and receiving network packets to and from a subscriber network;
at least one second network port coupled to the first network port, the second network port for transmitting and receiving network packets to and from a provider network; and
means for storing and accessing the assigned address lease information in a database, including a Media Access Control (MAC) address, an Internet Protocol (IP) address and port for a subscriber, reading the source address information, including MAC and IP addresses, from packets purportedly transmitted by the subscriber, determining whether a MAC address change rate exceeds a predetermined rate, comparing source address information from packets against the assigned address lease information from the database and forwarding those of the packets if source address information from the packets, including source MAC and IP addresses, corresponds to address lease information associated with the subscriber, and if the MAC address change does not exceed the predetermined rate.
Dependent claims: 8, 9, 10, 11
12. A machine readable medium having embodied thereon an instruction set, the instruction set being executable by a machine to perform a method, the method comprising:
storing address lease information including a Media Access Control (MAC) address, an Internet Protocol (IP) address, and a port for a subscriber in a database coupled to a network edge device when an address lease is associated with the subscriber, wherein the address lease information associated with the subscriber further comprises the subscriber's previous MAC addresses and a maximum rate a MAC address is allowed to change for packets transmitted by the subscriber;
receiving subscriber packets on at least one port of the network edge device;
comparing source address information from packets purportedly transmitted by the subscriber with address lease information associated with the subscriber; and
forwarding those of the packets if source address information from the packets, including source MAC and IP addresses, corresponds to address lease information associated with the subscriber.
Dependent claims: 13, 14
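The three independent claims (1, 7 and 12) describe the same filter: bind each subscriber-facing port to its address lease (port, MAC, IP), keep the subscriber's previous MACs, forward a packet only when its source MAC and IP match the lease bound to the ingress port, and refuse traffic when the subscriber's MAC changes faster than a predetermined rate. The following Python is an added illustration of that logic, not code from the patent or its assignee. It assumes a lease is bound by an explicit `bind_lease` call (standing in for DHCP snooping of a lease grant), measures the "maximum rate a MAC address is allowed to change" as a count of changes inside a sliding time window (the claims do not specify how the rate is measured), and does not model lease expiry. Class and function names (`EdgeFilter`, `Lease`, `filter_packet`) and the sample addresses are constructed for the example.

```python
"""Subscriber-edge source filter modelled on the claimed method.

Lease records are keyed by the subscriber-facing port; a packet is forwarded
only if its (source MAC, source IP) equals the lease on the port it arrived on
and the subscriber has not changed MAC more often than the configured limit.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Lease:
    """Address lease information for one subscriber port (hypothetical schema)."""
    port: int
    mac: str
    ip: str
    previous_macs: list = field(default_factory=list)   # history kept per claim 1
    mac_changes: deque = field(default_factory=deque)   # timestamps of MAC changes


class EdgeFilter:
    def __init__(self, max_mac_changes, window_seconds):
        # Predetermined rate: at most max_mac_changes within any window_seconds.
        self.max_mac_changes = max_mac_changes
        self.window = window_seconds
        self.leases = {}  # port -> Lease

    def bind_lease(self, port, mac, ip, now):
        """Record a lease grant seen on a subscriber port (simulated DHCP snooping)."""
        mac = mac.lower()
        lease = self.leases.get(port)
        if lease is None:
            self.leases[port] = Lease(port, mac, ip)
            return
        if lease.mac != mac:
            # Same port re-leased to a different MAC: keep the old one and note the time.
            lease.previous_macs.append(lease.mac)
            lease.mac_changes.append(now)
            lease.mac = mac
        lease.ip = ip

    def mac_change_rate_exceeded(self, lease, now):
        """Slide the window forward and compare the remaining change count to the limit."""
        while lease.mac_changes and now - lease.mac_changes[0] > self.window:
            lease.mac_changes.popleft()
        return len(lease.mac_changes) > self.max_mac_changes

    def filter_packet(self, port, src_mac, src_ip, now):
        """Return (forward?, reason) for a packet received on `port`."""
        lease = self.leases.get(port)
        if lease is None:
            return False, "no lease bound to ingress port"
        if src_mac.lower() != lease.mac or src_ip != lease.ip:
            return False, "source MAC/IP does not match lease"
        if self.mac_change_rate_exceeded(lease, now):
            return False, "MAC change rate exceeded"
        return True, "matches lease"


def demo():
    """Run constructed traffic through the filter; returns the list of decisions."""
    f = EdgeFilter(max_mac_changes=2, window_seconds=60.0)
    f.bind_lease(1, "AA:BB:CC:00:00:01", "10.0.0.11", now=0.0)
    f.bind_lease(2, "AA:BB:CC:00:00:02", "10.0.0.12", now=0.0)
    results = [
        f.filter_packet(1, "aa:bb:cc:00:00:01", "10.0.0.11", now=1.0),  # legitimate
        f.filter_packet(1, "aa:bb:cc:00:00:01", "10.0.0.12", now=1.0),  # spoofs neighbour's IP
        f.filter_packet(2, "aa:bb:cc:00:00:01", "10.0.0.11", now=1.0),  # port 2 claims port 1's identity
        f.filter_packet(3, "aa:bb:cc:00:00:03", "10.0.0.13", now=1.0),  # no lease on port 3
    ]
    f.bind_lease(1, "aa:bb:cc:00:00:03", "10.0.0.11", now=10.0)       # NIC swap, change 1
    results.append(f.filter_packet(1, "aa:bb:cc:00:00:03", "10.0.0.11", now=10.5))  # new MAC ok
    results.append(f.filter_packet(1, "aa:bb:cc:00:00:01", "10.0.0.11", now=10.5))  # old MAC dropped
    f.bind_lease(1, "aa:bb:cc:00:00:04", "10.0.0.11", now=11.0)       # change 2, still within limit
    results.append(f.filter_packet(1, "aa:bb:cc:00:00:04", "10.0.0.11", now=11.5))
    f.bind_lease(1, "aa:bb:cc:00:00:05", "10.0.0.11", now=12.0)       # change 3 inside 60 s: too fast
    results.append(f.filter_packet(1, "aa:bb:cc:00:00:05", "10.0.0.11", now=12.5))
    results.append(f.filter_packet(1, "aa:bb:cc:00:00:05", "10.0.0.11", now=80.0))  # window slid
    return results, f.leases[1].previous_macs


if __name__ == "__main__":
    for forwarded, reason in demo()[0]:
        print("forward" if forwarded else "drop   ", reason)
```

The check is per ingress port, so a subscriber cannot borrow a neighbour's lease even with the exact MAC and IP pair; that is the property that stops a single subscriber from flooding the provider side under many forged source addresses. The rate test deliberately applies to the current, otherwise valid MAC as well, matching claim 7's "and if the MAC address change does not exceed the predetermined rate": a subscriber cycling through MACs to obtain fresh leases is cut off until the window clears.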