Peer-to-peer name resolution protocol (PNRP) security infrastructure and method

US 7,720,962 B2
Filed: 03/15/2006
Issued: 05/18/2010
Est. Priority Date: 04/29/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method of inhibiting denial of service attacks based on consumption of processor capacity at a node in a peer-to-peer network, comprising:

receiving a potentially malicious message at the node in the peer-to-peer network;

wherein the potentially malicious message comprises a RESOLVE message, the RESOLVE message comprising at least one message field;

examining processor capacity at the node; and

rejecting processing of the potentially malicious RESOLVE message when examining the processor capacity at the node indicates that the consumption of processor capacity at the node is above a predetermined level, wherein rejecting processing of the potentially malicious RESOLVE message comprises sending an AUTHORITY message, the AUTHORITY message containing an indication that the potentially malicious RESOLVE message will not be processed because the consumption of processor capacity at the node is above the predetermined level; and

accepting processing of the RESOLVE message when examining the node processor capacity indicates that the consumption of processor capacity at the node is below the predetermined level, and processing the RESOLVE message at the node.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A security infrastructure and methods are presented that inhibit the ability of a malicious node from disrupting the normal operations of a peer-to-peer network. The methods of the invention allow both secure and insecure identities to be used by nodes by making them self-verifying. When necessary or opportunistic, ID ownership is validated by piggybacking the validation on existing messages. The probability of connecting initially to a malicious node is reduced by randomly selecting to which node to connect. Further, information from malicious nodes is identified and can be disregarded by maintaining information about prior communications that will require a future response. Denial of service attacks are inhibited by allowing the node to disregard requests when its resource utilization exceeds a predetermined limit. The ability for a malicious node to remove a valid node is reduced by requiring that revocation certificates be signed by the node to be removed.

54 Citations

View as Search Results

12 Claims

1. A method of inhibiting denial of service attacks based on consumption of processor capacity at a node in a peer-to-peer network, comprising:
- receiving a potentially malicious message at the node in the peer-to-peer network;
  
  wherein the potentially malicious message comprises a RESOLVE message, the RESOLVE message comprising at least one message field;
  
  examining processor capacity at the node; and
  
  rejecting processing of the potentially malicious RESOLVE message when examining the processor capacity at the node indicates that the consumption of processor capacity at the node is above a predetermined level, wherein rejecting processing of the potentially malicious RESOLVE message comprises sending an AUTHORITY message, the AUTHORITY message containing an indication that the potentially malicious RESOLVE message will not be processed because the consumption of processor capacity at the node is above the predetermined level; and
  
  accepting processing of the RESOLVE message when examining the node processor capacity indicates that the consumption of processor capacity at the node is below the predetermined level, and processing the RESOLVE message at the node.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, further comprising:
    - calculating a bitpos as a hash of the at least one message field when a first node identification is not locally registered;
      
      setting a first bit at an index of a bit vector, the index of the bit vector corresponding to the bitpos;
      
      storing the bit vector at the node, the bit vector specifically identifying the RESOLVE message with a sending node;
      
      finding a next hop to forward the RESOLVE message;
      
      modifying the RESOLVE message to indicate processing the RESOLVE message; and
      
      forwarding the RESOLVE message to the next hop if the next hop is verified.
  - 3. The method of claim 1, wherein the indication that the RESOLVE message will not be processed comprises a set AF_REJECT_TOO_BUSY field.

4. A computer-readable storage medium having computer-executable instructions for inhibiting denial of service attacks based on consumption of processor capacity at a node in a peer-to-peer network, the computer-executable instructions comprising instructions for:
- receiving a potentially malicious message at the node in the peer-to-peer network;
  
  wherein the potentially malicious message comprises a RESOLVE message, the RESOLVE message comprising at least one message field;
  
  examining processor capacity at the node;
  
  rejecting processing of the potentially malicious message when examining the processor capacity at the node indicates that the consumption of processor capacity at the node is above a predetermined level, wherein rejecting processing of the potentially malicious message comprises sending an AUTHORITY message, the AUTHORITY message containing an indication that the potentially malicious message will not be processed because the consumption of processor capacity at the node is above the predetermined level; and
  
  accepting processing of the RESOLVE message when examining the processor capacity at the node indicates that the consumption of processor capacity at the node is below the predetermined level.
- View Dependent Claims (5, 6, 7, 8)
- - 5. The computer-readable storage medium of claim 4, wherein the indication that the RESOLVE message will not be processed comprises a set AF_REJ ECT_TOO_BUSY field.
  - 6. The computer-readable storage medium of claim 4, further comprising:
    - processing the RESOLVE message;
      
      converting the RESOLVE message to a RESPOND message when another node identification is locally registered at the node; and
      
      sending the RESPOND message to the other node.
  - 7. The computer-readable storage medium of claim 4, further comprising:
    - processing the RESOLVE message at the node;
      
      calculating a bitpos as a hash of the at least one message field when a second node identification is not locally registered;
      
      setting a first bit at an index of a bit vector, the index of the bit vector corresponding to the bitpos;
      
      storing the bit vector at the node, the bit vector specifically identifying the RESOLVE message with the second node;
      
      finding a next hop to forward the RESOLVE message;
      
      modifying the RESOLVE message to indicate processing the RESOLVE message;
      
      and forwarding the RESOLVE message to the next hop if the next hop is verified.
  - 8. The computer-readable storage medium of claim 7, further comprising:
    - setting a second bit in the RESOLVE message when the next hop is not verified;
      
      and forwarding the RESOLVE message to the next hop;
      
      wherein the second bit comprises a request to identify the ownership of the RESOLVE message.

9. A method of inhibiting denial of service attacks based on consumption of processor capacity at a node in a peer-to-peer network, comprising:
- receiving a potentially malicious message at the node in the peer-to-peer network;
  
  wherein the message is a FLOOD message, the FLOOD message containing a peer address certificate (PAC);
  
  determining that the PAC should be stored in a cache at the node;
  
  examining processor capacity at the node; and
  
  rejecting processing of the potentially malicious message when examining the processor capacity at the node indicates that the consumption of processor capacity at the node is above a predetermined level, wherein rejecting processing of the potentially malicious message comprises sending an AUTHORITY message, the AUTHORITY message containing an indication that the potentially malicious message will not be processed because the consumption of processor capacity at the node is above the predetermined level.
- View Dependent Claims (10, 11, 12)
- - 10. The method of claim 9, wherein receiving a message at the node in the peer-to-peer network further comprises:
    - determining that the PAC should be stored in one of two lowest cache levels at the node;
      
      wherein rejecting processing of the message when examining the processor capacity at the node indicates that the consumption of processor capacity at the node is above the predetermined level comprises placing the PAC in a node set aside list for later processing.
  - 11. The method of claim 10, further comprising processing the PAC in the node set aside list at a random interval, if, during the random interval, the consumption of processor capacity at the node is below the predetermined level.
  - 12. The method of claim 9, wherein receiving the message at the node in the peer-to-peer network further comprises determining that the PAC should be stored in a node cache level higher than two lowest cache levels at the node, and wherein rejecting processing of the message when examining the processor capacity at the node indicates that the consumption of processor capacity at the node is above the predetermined level comprises rejecting the FLOOD message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Miller, John L., Gavrilescu, Alexandru, Gupta, Rohit, Wheeler, Graham A.
Primary Examiner(s)
Dinh; Khanh Q

Application Number

US11/375,749
Publication Number

US 20060174005A1
Time in Patent Office

1,525 Days
Field of Search

709/217, 709/224, 709/251, 709/228, 709/232, 709/220, 709/221, 370/253, 370/252, 370/258, 370/227, 714/1, 714/2
US Class Current

709/224
CPC Class Codes

H04L 61/00   Network arrangements, proto...

H04L 61/45   Network directories; Name-t...

H04L 63/0823   using certificates cryptogr...

H04L 63/126   the source of the received ...

H04L 63/1458   Denial of Service

H04L 67/104   Peer-to-peer [P2P] networks

Y10S 707/99939   Privileged access

Peer-to-peer name resolution protocol (PNRP) security infrastructure and method

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

54 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Peer-to-peer name resolution protocol (PNRP) security infrastructure and method

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

54 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links