Router based defense against denial of service attacks using dynamic feedback from attacked host

US 7,760,722 B1
Filed: 10/21/2005
Issued: 07/20/2010
Est. Priority Date: 10/21/2005
Status: Active Grant

First Claim

Patent Images

1. A method for processing packets, comprising:

receiving a first packet from a network by an edge device, wherein the edge device comprises a first list and a second list, wherein first list is associated with a first queue, the second list is associated with a second queue, and wherein the first packet is directed to a first host;

analyzing, by the edge device, the first packet to obtain first packet information used to determine to which temporary data structure to forward the first packet, wherein the first packet information identifies a source of the first packet;

in response to determining that the first list does not specify the source;

forwarding, by the edge device, the first packet to the second queue,processing the first packet from the second queue, wherein processing the first packet from the second queue comprises;

sending a message to the first host operatively connected to the edge device to send a first test to the source;

sending the first test to the source by the first host using the packet information,obtaining an unsuccessful response to the first test by the host;

forwarding, by the host, the unsuccessful response to the edge device; and

placing the first packet information on the second list based on the unsuccessful response to the first test;

receiving a second packet from the network by the edge device, wherein the second packet is directed to a second host;

after receiving the second packet;

analyzing, by the edge device, the second packet to obtain second packet information, wherein the second packet information identifies that the second packet was received from the source; and

in response to determining that the second list comprises the source, dropping the second packet by the edge device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An edge device including a first list and a second list, a first queue and a second queue configured to receive packets, wherein packet information for each of the packets forwarded to the first queue is on a first list and packet information for each of the packets forwarded to the second queue is not on the first list. The edge device is configured to, for each of the packets stored in the second queue, send a message to a host to send a first test to a source of the packet, wherein the host is operatively connected to the edge device, obtain a response to the first test from the host, place the packet information on the first list, if a successful response to the first test is received, and place the packet information on a second list, if an unsuccessful response to the first test is received.

Citations

20 Claims

1. A method for processing packets, comprising:
- receiving a first packet from a network by an edge device, wherein the edge device comprises a first list and a second list, wherein first list is associated with a first queue, the second list is associated with a second queue, and wherein the first packet is directed to a first host;
  
  analyzing, by the edge device, the first packet to obtain first packet information used to determine to which temporary data structure to forward the first packet, wherein the first packet information identifies a source of the first packet;
  
  in response to determining that the first list does not specify the source;
  
  forwarding, by the edge device, the first packet to the second queue,processing the first packet from the second queue, wherein processing the first packet from the second queue comprises;
  
  sending a message to the first host operatively connected to the edge device to send a first test to the source;
  
  sending the first test to the source by the first host using the packet information,obtaining an unsuccessful response to the first test by the host;
  
  forwarding, by the host, the unsuccessful response to the edge device; and
  
  placing the first packet information on the second list based on the unsuccessful response to the first test;
  
  receiving a second packet from the network by the edge device, wherein the second packet is directed to a second host;
  
  after receiving the second packet;
  
  analyzing, by the edge device, the second packet to obtain second packet information, wherein the second packet information identifies that the second packet was received from the source; and
  
  in response to determining that the second list comprises the source, dropping the second packet by the edge device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein packets in the first queue are processed at a higher processing priority than packets in the second queue.
  - 3. The method of claim 1, wherein the first test is a Turing test.
  - 4. The method of claim 1, wherein analyzing the first packet information to determine to which queue to forward the first packet is performed after the edge device has detected a denial of service attack.
  - 5. The method of claim 1, wherein the edge device is a router.
  - 6. The method of claim 1, wherein the first queue is a virtual serialization queue.
  - 7. The method of claim 1, wherein the first list and the second list are cleared periodically.
  - 8. The method of claim 1, wherein the first list is cleared after a specific amount of time has elapsed.
  - 9. The method of claim 1, wherein the packet information comprises at least one selected from the group consisting of a source Internet Protocol (IP) address, a destination IP address, a Source Transmission Control Protocol (TCP) port, and a destination TCP port.
  - 10. The method of claim 1, wherein the second packet is directed to the second host when the second host is to receive the second packet to comply with load balancing requirements specified by the edge device.

11. An edge device, comprising:
- a first list and a second list comprising packet information;
  
  a first queue configured to receive packets, wherein packet information for each of a plurality of packets forwarded to the first queue is on a first list;
  
  a second queue configured to receive packets, wherein packet information for each of the plurality of packets forwarded to the second queue is not on the first list;
  
  wherein the edge device is configured to;
  
  receive a first packet of the plurality of packets from a network, wherein the first packet is directed to a first host;
  
  analyze the first packet to determine that packet information of the first packet is not in the first list, wherein the packet information of the first packet identifies a source of the first packet;
  
  forward the first packet to the second queue based on the source not being specified in the first list;
  
  process the first packet from the second queue, wherein processing the first packet comprises;
  
  sending a message to the first host to send a first test to the source, wherein the first host is operatively connected to the edge device, and wherein the host obtains, in response to the first test, an unsuccessful response from the source;
  
  obtaining the unsuccessful response to the first test from the host; and
  
  placing the first packet information on the second list based on the unsuccessful response to the first test;
  
  receive a second packet of the plurality of packets from the network, wherein the second packet is directed to a second host;
  
  after receiving the second packet;
  
  analyze the second packet to obtain packet information of the second packet, wherein the packet information of the second packet identifies that the second packet was received from the source; and
  
  in response to determining that the second list comprises the source, dropping the second packet by the edge device.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The edge device of claim 11, wherein the edge device is a router.
  - 13. The edge device of claim 11, wherein the first test is a Turing test.
  - 14. The edge device of claim 11, wherein packets on the first queue are processed at a higher processing priority than packets on the second queue.
  - 15. The edge device of claim 11, wherein the first list and the second list are cleared periodically.
  - 16. The edge device of claim 11, wherein the first list is cleared after a specific amount of time has elapsed.
  - 17. The edge device of claim 11, wherein the first queue is a virtual serialization queue.
  - 18. The edge device of claim 11, wherein the second packet is directed to the second host when the second host is to receive the second packet to comply with load balancing requirements specified by the edge device.

19. A computer readable medium, comprising instructions stored thereon for:
- receiving a first packet from a network by an edge device, wherein the edge device comprises a first list and a second list, wherein the first list is associated with a first queue, wherein the second list is associated with a second queue, and wherein the first packet is directed to a first host;
  
  analyzing, by the edge device, the first packet to obtain first packet information used to determine to which temporary data structure to forward the first packet, wherein the packet information identifies a source of the first packet;
  
  in response to determining that the first list does not specify the source;
  
  forwarding, by the edge device, the first packet to the second queue,processing the first packet from the second queue, wherein processing the first packet from the second queue comprises;
  
  sending a message to the first host operatively connected to the edge device to send a first test to the source;
  
  sending the first test to the source by the first host using the packet information,obtaining an unsuccessful response to the first test by the host;
  
  forwarding, by the host, the unsuccessful response to the edge device; and
  
  placing the first packet information on the second list based on the unsuccessful response to the first test;
  
  receiving a second packet from the network by the edge device, wherein the second packet is directed to a second host;
  
  after receiving the second packet;
  
  analyzing, by the edge device, the second packet to obtain second packet information, wherein the second packet information identifies that the second packet was received from the source; and
  
  in response to determining that the second list comprises the source, dropping the second packet by the edge device.
- View Dependent Claims (20)
- - 20. The computer readable medium of claim 19, wherein the second packet is directed to the second host when the second host is to receive the second packet to comply with load balancing requirements specified by the edge device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Oracle America, Inc. (Oracle Corporation)
Inventors
Tripathi, Sunay, Perlman, Radia J., Masputra, Cahya Adiansyah
Primary Examiner(s)
Vu; Huy D
Assistant Examiner(s)
RENNER, BRANDON M

Application Number

US11/256,254
Time in Patent Office

1,733 Days
Field of Search

None
US Class Current

370/389
CPC Class Codes

H04L 63/1458 Denial of Service

Router based defense against denial of service attacks using dynamic feedback from attacked host

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Router based defense against denial of service attacks using dynamic feedback from attacked host

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links