Network traffic regulation including consistency based detection and filtering of packets with spoof source addresses

US 7,444,404 B2
Filed: 02/05/2001
Issued: 10/28/2008
Est. Priority Date: 02/05/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A network comprising:

a plurality of network nodes;

a plurality of routing devices to route network traffics between selected ones of said network nodes; and

a director coupled to said routing devices to determine whether selected instances of source addresses of packets routed by said routing devices are spoof source addresses, based at least in part on one or more consistency measures;

wherein the director bases said determination on at least spatial distribution profiles of said source addresses, and in view of at least one reference source address spatial distribution profile.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A director is provided to receive source address instances of packets routed through routing devices of a network. The director determines whether any of the reported source address instances are to be deemed as spoof source address instances. The director further determines where filtering actions are to be deployed to filter out packets having certain source addresses deemed to be spoof instances. The director makes its determinations based at least in part on a selected one of a number of consistency measures. The consistency measures may include but are not limited to spatial consistency, destination consistency, migration consistency, and temporary consistency. The consistency measures are evaluated using spatial, destination source address range, migration and timing S/D/M/T distribution profiles of the reported source addresses. In some embodiments, the determinations are based further in view of reference S/D/M/T distribution profiles, which may be an exemplary S/D/M/T distribution profile of a typical non-spoof source address or a historical S/D/M/T distribution profile of the source address.

354 Citations

45 Claims

1. A network comprising:
- a plurality of network nodes;
  
  a plurality of routing devices to route network traffics between selected ones of said network nodes; and
  
  a director coupled to said routing devices to determine whether selected instances of source addresses of packets routed by said routing devices are spoof source addresses, based at least in part on one or more consistency measures;
  
  wherein the director bases said determination on at least spatial distribution profiles of said source addresses, and in view of at least one reference source address spatial distribution profile.
- View Dependent Claims (2)
- - 2. The network of claim 1, wherein said at least one reference source address spatial distribution profile comprises at least a selected one of an exemplary spatial distribution profile for a non-spoof source address in general, and a historical spatial distribution profile for a particular source address.

3. A network comprising:
- a plurality of network nodes;
  
  a plurality of routing devices to route network traffics between selected ones of said network nodes; and
  
  a director coupled to said routing devices to determine whether selected instances of source addresses of packets routed by said routing devices are spoof source addresses, based at least in part on one or more consistency measures;
  
  wherein the director bases said determination on at least destination source address range (DSAR) distribution profiles of said source addresses, and in view of at least one reference DSAR distribution profile.
- View Dependent Claims (4)
- - 4. The network of claim 3, wherein said at least one reference DSAR distribution profile comprises at least a selected one of an exemplary DSAR distribution profile for a non-spoof source address in general, and a historical DSAR distribution profile for a particular source address.

5. A network comprising:
- a plurality of network nodes;
  
  a plurality of routing devices to route network traffics between selected ones of said network nodes; and
  
  a director coupled to said routing devices to determine whether selected instances of source addresses of packets routed by said routing devices are spoof source addresses, based at least in part on one or more consistency measures;
  
  wherein the director bases said determination on at least migration distribution profiles of said source addresses, and in view of at least one reference migration distribution profile.
- View Dependent Claims (6)
- - 6. The network of claim 5, wherein said at least one reference migration distribution profile comprises at least a selected one of an exemplary migration distribution profile for a non-spoof source address in general, and a historical migration distribution profile for a particular source address.

7. A network comprising:
- a plurality of network nodes;
  
  a plurality of routing devices to route network traffics between selected ones of said network nodes; and
  
  a director coupled to said routing devices to determine whether selected instances of source addresses of packets routed by said routing devices are spoof source addresses, based at least in part on one or more consistency measures;
  
  wherein the director is further equipped to determine whether filtering actions are to be taken to filter out packets with source addresses having instances deemed to be spoof source addresses, and if filtering actions are to taken, where among said routing devices, said filtering actions are to be taken.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The network of claim 7, wherein the director bases said determination on at least timing distribution profiles of said source addresses, and in view of at least one reference source address timing distribution profile.
  - 9. The network of claim 8, wherein said at least one reference source address timing distribution profile comprises at least a selected one of an exemplary timing distribution profile for a non-spoof source address in general, and a historical timing distribution profile for a particular source address.
  - 10. The network of claim 7, wherein the director takes into consideration in making said where determination, where packets of non-spoof instances of a source address having instances deemed to be spoof source addresses are likely to be routed in said network.
  - 11. The network of claim 7, wherein the director comprises a plurality of director devices cooperatively coupled to each other to jointly make said determination.
  - 12. The network of claim 7, wherein the network further comprises a plurality of sensors, either integrally disposed in a subset of said routing devices or externally disposed and coupled to the subset of routing devices, to monitor and report on source addresses of packets routed through the subset of routing devices.
  - 13. The network of claim 12, wherein the sensors are further equipped to facilitate application of desired source address based filtering on packets being routed through selected ones of said subset of routing devices.

14. A networking method comprising:
- receiving information associated with source addresses of packets being routed to and from a plurality of network nodes of a network;
  
  determining whether selected instances of said source addresses are spoof instances of said source addresses, based at least in part on one or more consistency measures; and
  
  managing said network based at least in part on the results of said determination;
  
  wherein said determination is made based at least in part on spatial distribution profiles of said source addresses, and in view of at least one reference source address spatial distribution profile.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The method of claim 14, wherein said determination comprises constructing said spatial distribution profiles of said source addresses.
  - 16. The method of claim 14, wherein said determining comprises determining whether each of the spatial distribution profiles of the source addresses is within a resemblance tolerance limit when compared to each of the at least one reference source address spatial distribution profile.
  - 17. The method of claim 14, wherein said at least one reference spatial distribution profile comprises at least a selected one of an exemplary spatial distribution profile for a non-spoof source address in general, and a historical spatial distribution profile for a particular source address.
  - 18. The method of claim 14, wherein said determination is made based on at least timing distribution profiles of said source addresses, and in view of at least one reference source address timing distribution profile.
  - 19. The method of claim 18, wherein said determining comprises constructing said timing distribution profiles of said source addresses.
  - 20. The method of claim 18, wherein said determining comprises determining whether each of the timing distribution profiles of the source addresses is within a resemblance tolerance limit when compared to each of the at least one reference source address timing distribution profile.
  - 21. The method of claim 18, wherein said at least one reference timing distribution profile comprises at least a selected one of an exemplary timing distribution profile for a non-spoof source address in general, and a historical timing distribution profile for a particular source address.
  - 22. The method of claim 14, wherein said managing comprises determining whether filtering actions are to be taken in said network to filter out at least some packets having source addresses deemed to be having spoof instances, and if filtering actions are to be taken, where among a plurality of routing devices, said filtering actions are to be taken.
  - 23. The method of claim 22, wherein said where determination comprises taking into consideration where packets of non-spoof instances of a source address having instances deemed to be spoof source addresses are likely to be routed in said network.

24. A networking method comprising:
- receiving information associated with source addresses of packets being routed to and from a plurality of network nodes of a network;
  
  determining whether selected instances of said source addresses are spoof instances of said source addresses, based at least in part on one or more consistency measures; and
  
  managing said network based at least in part on the results of said determination;
  
  wherein said determination is made based at least in part on destination source address range (DSAR) distribution profiles of said source addresses, and in view of at least one reference DSAR distribution profile.
- View Dependent Claims (25, 26, 27)
- - 25. The method of claim 24, wherein said determination comprises constructing said DSAR distribution profiles of said source addresses.
  - 26. The method of claim 24, wherein said determining comprises determining whether each of the DSAR distribution profiles of the source addresses is within a resemblance tolerance limit when compared to each of the at least one reference source address DSAR distribution profile.
  - 27. The method of claim 24, wherein said at least one reference DSAR distribution profile comprises at least a selected one of an exemplary DSAR distribution profile for a non-spoof source address in general, and a historical DSAR distribution profile for a particular source address.

28. A networking method comprising:
- receiving information associated with source addresses of packets being routed to and from a plurality of network nodes of a network;
  
  determining whether selected instances of said source addresses are spoof instances of said source addresses, based at least in part on one or more consistency measures; and
  
  managing said network based at least in part on the results of said determination;
  
  wherein said determination is made based at least in part on migration distribution profiles of said source addresses, and in view of at least one reference migration distribution profile.
- View Dependent Claims (29, 30, 31)
- - 29. The method of claim 28, wherein said determining comprises constructing said migration distribution profiles of said source addresses.
  - 30. The method of claim 28, wherein said determining comprises determining whether each of the migration distribution profiles of the source addresses is within a resemblance tolerance limit when compared to each of the at least one reference source address migration distribution profile.
  - 31. The method of claim 28, wherein said at least one reference migration distribution profile comprises at least a selected one of an exemplary migration distribution profile for a non-spoof source address in general, and a historical migration distribution profile for a particular source address.

32. An apparatus comprising:
- (a) a storage medium having stored therein a plurality of programming instructions designed to implement a director to receive reporting of information associated with source addresses of packets routed through a plurality of routing devices of a network, and to determine whether at least some instances of said source addresses are spoof instances based on at least spatial distribution profiles of said source addresses, and in view of at least one reference source address spatial distribution profile; and
  
  (b) a processor coupled the storage medium to execute the programming instructions.
- View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45)
- - 33. The apparatus of claim 32, wherein said programming instructions are designed to be able to construct said spatial distribution profiles of said source addresses.
  - 34. The apparatus of claim 32, wherein said programming instructions are designed to be able to determine whether each of the spatial distribution profiles of the source addresses is within a resemblance tolerance limit when compared to each of the at least one reference source address spatial distribution profile.
  - 35. The apparatus of claim 32, wherein said programming instructions are designed to make said determination based on at least destination source address range (DSAR) distribution profiles of said source addresses, and in view of at least one reference source address DSAR distribution profile.
  - 36. The apparatus of claim 35, wherein said programming instructions are designed to be able to construct said DSAR distribution profiles of said source addresses.
  - 37. The apparatus of claim 35, wherein said programming instructions are designed to be able to determine whether each of the DSAR distribution profiles of the source addresses is within a resemblance tolerance limit when compared to each of the at least one reference source address DSAR distribution profile.
  - 38. The apparatus of claim 32, wherein said programming instructions are designed to make said determination based on at least migration distribution profiles of said source addresses, and in view of at least one reference source address migration distribution profile.
  - 39. The apparatus of claim 38, wherein said programming instructions are designed to be able to construct said migration distribution profiles of said source addresses.
  - 40. The apparatus of claim 38, wherein said programming instructions are designed to be able to determine whether each of the migration distribution profiles of the source addresses is within a resemblance tolerance limit when compared to each of the at least one reference source address migration distribution profile.
  - 41. The apparatus of claim 32, wherein said programming instructions are designed to make said determination based on at least timing distribution profiles of said source addresses, and in view of at least one reference source address timing distribution profile.
  - 42. The apparatus of claim 41, wherein said programming instructions are designed to be able to construct said timing distribution profiles of said source addresses.
  - 43. The apparatus of claim 41, wherein said programming instructions are designed to be able to determine whether each of the timing distribution profiles of the source addresses is within a resemblance tolerance limit when compared to each of the at least one reference source address timing distribution profile.
  - 44. The apparatus of claim 32, wherein said programming instructions are designed to be able to determine whether filtering actions are to be taken in said network to filter out at least some packets having source addresses deemed to be having spoof instances, and if filtering actions are to be taken, further determine where among a plurality of routing devices, said filtering actions are to be taken.
  - 45. The apparatus of claim 44, wherein said programming instructions are designed to take into consideration where packets of non-spoof instances of a source address having instances deemed to be spoof source addresses are likely to be routed in said network, when making said where determination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arbor Networks Incorporated (NetScout Systems Incorporated)
Original Assignee
Arbor Networks Incorporated (NetScout Systems Incorporated)
Inventors
Anderson, Thomas E., Wetherall, David J., Savage, Stefan R.
Primary Examiner(s)
Follansbee; John
Assistant Examiner(s)
PHILLIPS, HASSAN A

Application Number

US09/777,550
Publication Number

US 20020107960A1
Time in Patent Office

2,822 Days
Field of Search

709/223, 709/224, 709/225, 709/238, 709/240, 713/200, 713/201
US Class Current

709/225
CPC Class Codes

H04L 61/00   Network arrangements, proto...

H04L 61/35   involving non-standard use ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

Network traffic regulation including consistency based detection and filtering of packets with spoof source addresses

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

354 Citations

45 Claims

Specification

Use Cases

Quick Links

Others

Network traffic regulation including consistency based detection and filtering of packets with spoof source addresses

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

354 Citations

45 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others