Network traffic regulation including consistency based detection and filtering of packets with spoof source addresses
First Claim
1. A network comprising:
- a plurality of network nodes;
a plurality of routing devices to route network traffics between selected ones of said network nodes; and
a director coupled to said routing devices to determine whether selected instances of source addresses of packets routed by said routing devices are spoof source addresses, based at least in part on one or more consistency measures;
wherein the director bases said determination on at least spatial distribution profiles of said source addresses, and in view of at least one reference source address spatial distribution profile.
3 Assignments
0 Petitions
Accused Products
Abstract
A director is provided to receive source address instances of packets routed through routing devices of a network. The director determines whether any of the reported source address instances are to be deemed as spoof source address instances. The director further determines where filtering actions are to be deployed to filter out packets having certain source addresses deemed to be spoof instances. The director makes its determinations based at least in part on a selected one of a number of consistency measures. The consistency measures may include but are not limited to spatial consistency, destination consistency, migration consistency, and temporary consistency. The consistency measures are evaluated using spatial, destination source address range, migration and timing S/D/M/T distribution profiles of the reported source addresses. In some embodiments, the determinations are based further in view of reference S/D/M/T distribution profiles, which may be an exemplary S/D/M/T distribution profile of a typical non-spoof source address or a historical S/D/M/T distribution profile of the source address.
354 Citations
45 Claims
-
1. A network comprising:
-
a plurality of network nodes; a plurality of routing devices to route network traffics between selected ones of said network nodes; and a director coupled to said routing devices to determine whether selected instances of source addresses of packets routed by said routing devices are spoof source addresses, based at least in part on one or more consistency measures; wherein the director bases said determination on at least spatial distribution profiles of said source addresses, and in view of at least one reference source address spatial distribution profile. - View Dependent Claims (2)
-
-
3. A network comprising:
-
a plurality of network nodes; a plurality of routing devices to route network traffics between selected ones of said network nodes; and a director coupled to said routing devices to determine whether selected instances of source addresses of packets routed by said routing devices are spoof source addresses, based at least in part on one or more consistency measures; wherein the director bases said determination on at least destination source address range (DSAR) distribution profiles of said source addresses, and in view of at least one reference DSAR distribution profile. - View Dependent Claims (4)
-
-
5. A network comprising:
-
a plurality of network nodes; a plurality of routing devices to route network traffics between selected ones of said network nodes; and a director coupled to said routing devices to determine whether selected instances of source addresses of packets routed by said routing devices are spoof source addresses, based at least in part on one or more consistency measures; wherein the director bases said determination on at least migration distribution profiles of said source addresses, and in view of at least one reference migration distribution profile. - View Dependent Claims (6)
-
-
7. A network comprising:
-
a plurality of network nodes; a plurality of routing devices to route network traffics between selected ones of said network nodes; and a director coupled to said routing devices to determine whether selected instances of source addresses of packets routed by said routing devices are spoof source addresses, based at least in part on one or more consistency measures; wherein the director is further equipped to determine whether filtering actions are to be taken to filter out packets with source addresses having instances deemed to be spoof source addresses, and if filtering actions are to taken, where among said routing devices, said filtering actions are to be taken. - View Dependent Claims (8, 9, 10, 11, 12, 13)
-
-
14. A networking method comprising:
-
receiving information associated with source addresses of packets being routed to and from a plurality of network nodes of a network; determining whether selected instances of said source addresses are spoof instances of said source addresses, based at least in part on one or more consistency measures; and managing said network based at least in part on the results of said determination; wherein said determination is made based at least in part on spatial distribution profiles of said source addresses, and in view of at least one reference source address spatial distribution profile. - View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
-
-
24. A networking method comprising:
-
receiving information associated with source addresses of packets being routed to and from a plurality of network nodes of a network; determining whether selected instances of said source addresses are spoof instances of said source addresses, based at least in part on one or more consistency measures; and managing said network based at least in part on the results of said determination; wherein said determination is made based at least in part on destination source address range (DSAR) distribution profiles of said source addresses, and in view of at least one reference DSAR distribution profile. - View Dependent Claims (25, 26, 27)
-
-
28. A networking method comprising:
-
receiving information associated with source addresses of packets being routed to and from a plurality of network nodes of a network; determining whether selected instances of said source addresses are spoof instances of said source addresses, based at least in part on one or more consistency measures; and managing said network based at least in part on the results of said determination; wherein said determination is made based at least in part on migration distribution profiles of said source addresses, and in view of at least one reference migration distribution profile. - View Dependent Claims (29, 30, 31)
-
-
32. An apparatus comprising:
-
(a) a storage medium having stored therein a plurality of programming instructions designed to implement a director to receive reporting of information associated with source addresses of packets routed through a plurality of routing devices of a network, and to determine whether at least some instances of said source addresses are spoof instances based on at least spatial distribution profiles of said source addresses, and in view of at least one reference source address spatial distribution profile; and (b) a processor coupled the storage medium to execute the programming instructions. - View Dependent Claims (33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45)
-
Specification