System and method for source IP anti-spoofing security

US 7,516,487 B1
Filed: 05/20/2004
Issued: 04/07/2009
Est. Priority Date: 05/21/2003
Status: Active Grant

First Claim

Patent Images

1. A network device providing switching functionality for use in a computer network having a plurality of hosts, each host having a MAC address, the network device comprising:

a plurality of ports;

a table for storing source IP address and MAC address pairs for data packets received on the plurality of ports; and

a processor operable to;

determine a number of unsuccessful validation attempts for one or more new source IP addresses received over a given time period, wherein the one or more new source IP addresses correspond to source IP addresses that are not stored in the table;

compare the number of unsuccessful validation attempts with a threshold number of unsuccessful validation attempts;

if the number of unsuccessful validation attempts is less than the threshold number, cause the network device to operate in a first mode, wherein in the first mode validation is performed on data packets received from new source IP addresses after the given time period;

if the number of unsuccessful validation attempts is greater than the threshold number, cause the network device to operate in a second mode, wherein in the second mode data packets received from new source IP addresses after the given time period are dropped without validation;

identify a MAC address of a host coupled to a port in the plurality of ports;

learn and verify a source IP address associated with the MAC address;

store the source IP address and the MAC address in the table; and

after storing the source IP address and the MAC address, apply a group of rules for forwarding a data packet received on the port if the data packet has the MAC address and the source IP address.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method that provides for using source IP addresses and MAC addresses in a network to provide security against attempts by users of the network to use false source IP addresses in data packets. The system and method provide for analyzing MAC addresses and source IP addresses at the datalink (layer 2) level, and to use the information derived from such analysis to block access through a port where a host device is using a false, or spoofed, source IP address in transmitted data packets. Further, the system and method provide for validating initially learned source IP addresses, and for determining whether the number of unsuccessful attempts to validate new source IP addresses exceeds a threshold level, and where the number does exceed the threshold number the system and method can provide for operation in a possible attack mode.

Citations

16 Claims

1. A network device providing switching functionality for use in a computer network having a plurality of hosts, each host having a MAC address, the network device comprising:
- a plurality of ports;
  
  a table for storing source IP address and MAC address pairs for data packets received on the plurality of ports; and
  
  a processor operable to;
  
  determine a number of unsuccessful validation attempts for one or more new source IP addresses received over a given time period, wherein the one or more new source IP addresses correspond to source IP addresses that are not stored in the table;
  
  compare the number of unsuccessful validation attempts with a threshold number of unsuccessful validation attempts;
  
  if the number of unsuccessful validation attempts is less than the threshold number, cause the network device to operate in a first mode, wherein in the first mode validation is performed on data packets received from new source IP addresses after the given time period;
  
  if the number of unsuccessful validation attempts is greater than the threshold number, cause the network device to operate in a second mode, wherein in the second mode data packets received from new source IP addresses after the given time period are dropped without validation;
  
  identify a MAC address of a host coupled to a port in the plurality of ports;
  
  learn and verify a source IP address associated with the MAC address;
  
  store the source IP address and the MAC address in the table; and
  
  after storing the source IP address and the MAC address, apply a group of rules for forwarding a data packet received on the port if the data packet has the MAC address and the source IP address.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The network device of claim 1, wherein in the first mode the processor is operable to:
    - attempt to validate new source IP addresses for received data packets;
      
      associate MAC addresses with the new source IP addresses if the new source IP addresses have been validated;
      
      transmit the received data packets if the new source IP addresses have been validated; and
      
      drop the received data packets if the new source IP addresses cannot be successfully validated.
  - 3. The network device of claim 1, wherein in the second mode the processor is operable to transmit data packets received on a port if the data packets have source IP addresses that have been previously validated, and to drop the data packets without validation if the data packets have new source IP addresses.
  - 4. The method of claim 3, wherein once the processor goes into the second mode, it continues to operate in the second mode until the processor determines that a number of new source IP addresses detected on a port drops below the threshold number.
  - 5. The method of claim 3, wherein once the processor goes into the second mode, it continues to operate in the second mode for a first time period, and after the first period of time the processor returns to operate in the first mode.

6. In a network device having a plurality of ports and providing switching functions between ports, a method for providing port security, comprising:
- determining a number of unsuccessful validation attempts for one or more new source IP addresses received over a given time period, wherein the one or more new source IP addresses correspond to source IP addresses that are not stored in a table of the network device;
  
  comparing the number of unsuccessful validation attempts with a threshold number of unsuccessful validation attempts;
  
  if the number of unsuccessful validation attempts is less than the threshold number, continuing operation of the network device in a first mode, wherein in the first mode validation is performed on data packets received from new source IP addresses after the given time period;
  
  if the number of unsuccessful validation attempts is greater than the threshold number, operating the network device in a second mode, wherein in the second mode data packets received from new source IP addresses after the given time period are dropped without validation;
  
  identifying a MAC address of a host coupled to a port of the network device;
  
  learning and verifying a source IP address associated with the MAC address;
  
  storing the source IP address and the MAC address in the table; and
  
  after storing the source IP address and the MAC address, applying a group of rules for forwarding a data packet received on the port if the data packet has the MAC address and the source IP address.
- View Dependent Claims (7, 8, 9, 10, 11, 12, 13, 14, 15, 16)
- - 7. The method of claim 6, wherein the group of rules determines a group of ports in the plurality of ports through which the host can transmit data packets.
  - 8. The method of claim 6, wherein the group of rules defines a group of ports in the plurality of ports through which the host cannot transmit data packets.
  - 9. The method of claim 6, wherein the group of rules determines a group of ports in the plurality of ports through which the data packet can be transmitted.
  - 10. The method of claim 6, wherein the group of rules defines a group of ports in the plurality of ports through which the data packet cannot be transmitted.
  - 11. The method of claim 6, wherein the threshold number is determined by a system administrator.
  - 12. The method of claim 6, wherein the threshold number is determined based on a past operation history of the network device.
  - 13. The method of claim 6, wherein operating the network device in the first mode includes:
    - attempting to validate new source IP addresses;
      
      storing MAC address and source IP address pairs for new source IP addresses which have been validated; and
      
      dropping data packets from source IP addresses where the attempts to validate the source IP address have not been successful.
  - 14. The method of claim 6, wherein operating the network device in the second mode includes:
    - transmitting data packets received on a port if the data packets have source IP addresses that have been previously validated; and
      
      dropping data packets received on the port without validation if the data packets have new source IP addresses.
  - 15. The method of claim 14, wherein operating the network device in the second mode further includes:
    - continuing to operate in the second mode until it is determined that a number of new source IP addresses detected on the port drops below the threshold number.
  - 16. The method of claim 14, wherein operating the network device in the second mode further includes:
    - continuing to operate in the second mode for a first time period; and
      
      returning to operate in the first mode after the first time period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
Foundry Networks Incorporated (Broadcom, Inc.)
Inventors
Suresh, Ravindran, Kwan, Philip, Jain, Nitin, Szeto, Ronald W.
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
POLTORAK, PIOTR

Application Number

US10/850,505
Time in Patent Office

1,783 Days
Field of Search

726/11, 726/13, 726 22- 23
US Class Current

726/22
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 63/0263   Rule management

H04L 63/101   Access control lists [ACL]

H04L 63/1441   Countermeasures against mal...

System and method for source IP anti-spoofing security

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for source IP anti-spoofing security

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links