System and method for source IP anti-spoofing security
First Claim
1. A network device providing switching functionality for use in a computer network having a plurality of hosts, each host having a MAC address, the network device comprising:
- a plurality of ports;
- a table for storing source IP address and MAC address pairs for data packets received on the plurality of ports; and
- a processor operable to:
  - determine a number of unsuccessful validation attempts for one or more new source IP addresses received over a given time period, wherein the one or more new source IP addresses correspond to source IP addresses that are not stored in the table;
  - compare the number of unsuccessful validation attempts with a threshold number of unsuccessful validation attempts;
  - if the number of unsuccessful validation attempts is less than the threshold number, cause the network device to operate in a first mode, wherein in the first mode validation is performed on data packets received from new source IP addresses after the given time period;
  - if the number of unsuccessful validation attempts is greater than the threshold number, cause the network device to operate in a second mode, wherein in the second mode data packets received from new source IP addresses after the given time period are dropped without validation;
  - identify a MAC address of a host coupled to a port in the plurality of ports;
  - learn and verify a source IP address associated with the MAC address;
  - store the source IP address and the MAC address in the table; and
  - after storing the source IP address and the MAC address, apply a group of rules for forwarding a data packet received on the port if the data packet has the MAC address and the source IP address.
Abstract
A system and method that provides for using source IP addresses and MAC addresses in a network to provide security against attempts by users of the network to use false source IP addresses in data packets. The system and method provide for analyzing MAC addresses and source IP addresses at the datalink (layer 2) level, and to use the information derived from such analysis to block access through a port where a host device is using a false, or spoofed, source IP address in transmitted data packets. Further, the system and method provide for validating initially learned source IP addresses, and for determining whether the number of unsuccessful attempts to validate new source IP addresses exceeds a threshold level, and where the number does exceed the threshold number the system and method can provide for operation in a possible attack mode.
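As an added illustration, not code from the patent, the following Python models the mechanism the abstract and claim 1 describe: a per-port table of learned (MAC, source IP) pairs, a count of failed validations of new source IPs within a time period, and a threshold above which the device enters the second ("possible attack") mode and drops packets from new source IPs without validating them. The validator callback, the sliding time window and all sample bindings are assumptions, since the page does not say how a source IP is verified.

```python
from collections import deque

FORWARD, DROP = "forward", "drop"


class SourceIpGuard:
    """Layer-2 source IP anti-spoofing table with a two-mode threshold.

    validator(port, mac, ip) -> bool is an assumed hook (e.g. a DHCP lease
    or ARP check); the page does not specify how validation is performed.
    """

    def __init__(self, validator, threshold, window):
        self.validator = validator   # assumed callback used to verify a new IP
        self.threshold = threshold   # failures tolerated within one window
        self.window = window         # length of the "given time period"
        self.table = {}              # (port, mac) -> verified source IP
        self.failures = deque()      # timestamps of unsuccessful validations
        self.attack_mode = False     # False = first mode, True = second mode

    def _failures_in_window(self, now):
        # Drop failures older than the window; this sliding window is a
        # simplification of the fixed time period in the claim.
        while self.failures and self.failures[0] <= now - self.window:
            self.failures.popleft()
        return len(self.failures)

    def handle(self, now, port, mac, ip):
        """Return FORWARD or DROP for one packet seen on a port."""
        key = (port, mac)
        if key in self.table:
            # Forwarding rule: a learned host must keep using its stored
            # source IP; a different IP from the same MAC is a spoof.
            return FORWARD if self.table[key] == ip else DROP
        # New source IP: choose the operating mode from recent failures.
        self.attack_mode = self._failures_in_window(now) > self.threshold
        if self.attack_mode:
            return DROP  # second mode: no validation, drop outright
        if self.validator(port, mac, ip):
            self.table[key] = ip  # learned and verified, store the pair
            return FORWARD
        self.failures.append(now)  # unsuccessful validation attempt
        return DROP
```

A legitimate new host is also dropped while the device is in the second mode, which is the trade-off the threshold is meant to tune.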
16 Claims
1. (As set out under First Claim above.) Dependent claims: 2, 3, 4, 5.
6. In a network device having a plurality of ports and providing switching functions between ports, a method for providing port security, comprising:
- determining a number of unsuccessful validation attempts for one or more new source IP addresses received over a given time period, wherein the one or more new source IP addresses correspond to source IP addresses that are not stored in a table of the network device;
- comparing the number of unsuccessful validation attempts with a threshold number of unsuccessful validation attempts;
- if the number of unsuccessful validation attempts is less than the threshold number, continuing operation of the network device in a first mode, wherein in the first mode validation is performed on data packets received from new source IP addresses after the given time period;
- if the number of unsuccessful validation attempts is greater than the threshold number, operating the network device in a second mode, wherein in the second mode data packets received from new source IP addresses after the given time period are dropped without validation;
- identifying a MAC address of a host coupled to a port of the network device;
- learning and verifying a source IP address associated with the MAC address;
- storing the source IP address and the MAC address in the table; and
- after storing the source IP address and the MAC address, applying a group of rules for forwarding a data packet received on the port if the data packet has the MAC address and the source IP address.

Dependent claims: 7, 8, 9, 10, 11, 12, 13, 14, 15, 16.
Specification