Filtering subscriber traffic to prevent denial-of-service attacks

US 7,379,423 B1
Filed: 03/20/2003
Issued: 05/27/2008
Est. Priority Date: 03/20/2003
Status: Active Grant

First Claim

Patent Images

1. A method of preventing a denial of service attack, comprising:

storing address lease information, including a Media Access Control (MAC) address, an Internet Protocol (IP) address, and a port, for a subscriber in a database coupled to a network edge device when an address lease is associated with the subscriber, wherein the address lease information associated with the subscriber further comprises the subscriber'"'"'s previous MAC addresses and a maximum rate a MAC address is allowed to change for packets transmitted by the subscriber;

receiving subscriber packets on at least one port of the network edge device;

comparing source address information from packets purportedly transmitted by the subscriber with address lease information associated with the subscriber; and

forwarding those of the packets if source address information from the packets, including source MAC and IP addresses, corresponds to address lease information associated with the subscriber.

View all claims

13 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of storing address lease information including a Media Access Control (MAC) address, an IP address, and a port for a subscriber in a database coupled to a network edge device when an address lease is associated with the subscriber, receiving subscriber packets on at least one port of the network edge device, comparing source address information from packets purportedly transmitted by the subscriber with address lease information associated with the subscriber, and forwarding those of the packets if source address information from the packets, including source MAC and IP addresses, corresponds to address lease information associated with the subscriber.

Citations

14 Claims

1. A method of preventing a denial of service attack, comprising:
- storing address lease information, including a Media Access Control (MAC) address, an Internet Protocol (IP) address, and a port, for a subscriber in a database coupled to a network edge device when an address lease is associated with the subscriber, wherein the address lease information associated with the subscriber further comprises the subscriber'"'"'s previous MAC addresses and a maximum rate a MAC address is allowed to change for packets transmitted by the subscriber;
  
  receiving subscriber packets on at least one port of the network edge device;
  
  comparing source address information from packets purportedly transmitted by the subscriber with address lease information associated with the subscriber; and
  
  forwarding those of the packets if source address information from the packets, including source MAC and IP addresses, corresponds to address lease information associated with the subscriber.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein if the source MAC address, static IP address, and port from the packets do not correspond to the subscriber'"'"'s address lease information, the packet is discarded and an alert generated for a network administrator.
  - 3. The method of claim 1, wherein before comparing the source address information from the packets, a network provider assigns an IP address lease to the subscriber.
  - 4. The method of claim 3, wherein the IP address is a static IP address.
  - 5. The method of claim 3, wherein the IP address is a dynamically assigned IP address.
  - 6. The method of preventing a denial of service attack, as recited in claim 1, further comprising:
    - ensuring source MAC addresses of packets received do not exceed a maximum rate the MAC addresses may change for packets transmitted by the subscriber.

7. A network device for preventing a denial of service attack, comprising:
- at least one first network port for transmitting and receiving network packets to and from a subscriber network;
  
  at least one second network port coupled to the first network port, the second network port for transmitting and receiving network packets to and from a provider network; and
  
  means for storing and accessing the assigned address lease information in a database, including a Media Access Control (MAC) address, an Internet Protocol (IP) address and port for a subscriber, reading the source address information, including MAC and IP addresses, from packets purportedly transmitted by the subscriber, determining whether a MAC address change rate exceeds a predetermined rate, comparing source address information from packets against the assigned address lease information from the database and forwarding those of the packets if source address information from the packets, including source MAC and IP addresses, corresponds to address lease information associated with the subscriber, and if the MAC address change does not exceed the predetermined rate.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The network device of claim 7, wherein the second network port receives the assigned address lease information from the database on a network server.
  - 9. The network device of claim 7, wherein a machine capable of receiving packets from the first port and second port executes an instruction set to compare the source address information from the packets against the assigned address lease information and discard packets that do not correspond to the address lease information assigned to the subscriber.
  - 10. The network device of claim 9, wherein the machine is a network server comprised of a Central Processing Unit (CPU) and a storage medium.
  - 11. The network device of claim 9, wherein the machine is an Application Specific Integrated Circuit (ASIC).

12. A machine readable medium having embodied thereon an instruction set, the instruction set being executable by a machine to perform a method, the method comprising:
- storing address lease information including a Media Access Control (MAC) address, an Internet Protocol (IP) address, and a port for a subscriber in a database coupled to a network edge device when an address lease is associated with the subscriber, wherein the address lease information associated with the subscriber further comprises the subscriber'"'"'s previous MAC addresses and a maximum rate a MAC address is allowed to change for packets transmitted by the subscriber;
  
  receiving subscriber packets on at least one port of the network edge device;
  
  comparing source address information from packets purportedly transmitted by the subscriber with address lease information associated with the subscriber; and
  
  forwarding those of the packets if source address information from the packets, including source MAC and IP addresses, corresponds to address lease information associated with the subscriber.
- View Dependent Claims (13, 14)
- - 13. The machine-readable medium as recited in claim 12, wherein the method further includes discarding the packet and generating an alert for a network administrator if the source MAC address, static IP address, and port from the packets do not correspond to the subscriber'"'"'s address lease information.
  - 14. The machine-readable medium as recited in claim 12, wherein the method further includes ensuring source MAC addresses of packets received do not exceed a maximum rate the MAC addresses may change for packets transmitted by the subscriber.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Calix Incorporated
Original Assignee
Occam Networks Incorporated (Calix Incorporated)
Inventors
Ilgun, Koral, Altarac, Henri, Caves, Evan John
Primary Examiner(s)
Vu; Huy D.
Assistant Examiner(s)
MATTIS, JASON E

Application Number

US10/394,288
Time in Patent Office

1,895 Days
Field of Search

370/232, 370/230, 370/392
US Class Current

370/232
CPC Class Codes

H04L 63/1458 Denial of Service

Filtering subscriber traffic to prevent denial-of-service attacks

First Claim

13 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Filtering subscriber traffic to prevent denial-of-service attacks

First Claim

13 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links