Detection and prevention of encapsulated network attacks using an intermediate device
First Claim
1. A method comprising:
receiving, with an intermediate device, packets;
determining, with the intermediate device, whether one or more of the received packets are associated with a network tunnel that extends from an ingress device to an egress device by detecting the protocol to which the packet adheres, wherein those of the received packets determined to be associated with the network tunnel encapsulate data units for transmission along the network tunnel, wherein the intermediate device is positioned between the ingress device and the egress device along the network tunnel, and wherein the intermediate device is separate from both the ingress device and the egress device;
applying a set of heuristics to the data units to determine whether the data units are encrypted;
when the data units are determined not to be encrypted, extracting, with the intermediate device, the encapsulated data units from the one or more received packets determined to be associated with the network tunnel;
when the data units are determined not to be encrypted, generating, with the intermediate device, temporary packets from the data units, wherein the temporary packets are different from the originally received packets;
analyzing, with the intermediate device, the temporary packets to detect a network attack, wherein analyzing the temporary packets to detect a network attack comprises processing the data units within the temporary packets with the intermediate network device to identify network elements associated with the data units, forming application-layer communications from the data units within the temporary packets, processing the application-layer communications with protocol-specific decoders to identify application-layer elements, and applying an attack definition to the network elements and the application-layer elements to detect the network attack;
selectively transmitting, with the intermediate device, the originally received packets to the egress device based on the analysis of the temporary packets such that the originally received packets that share the same data units as the temporary packets from which the network attack is detected are not transmitted and the originally received packets that share the same data units as the temporary packets from which the network attack is not detected are transmitted;
analyzing, with the intermediate device, those of the received packets determined not to be associated with the network tunnel to detect a network attack without generating the temporary packets from the received packets; and
selectively transmitting, with the intermediate device, those of the received packets determined not to be associated with the network tunnel based on the analysis of these packets.
Abstract
A network device is capable of recognizing and blocking network attacks associated with packet flows regardless of whether the packet flows are encapsulated within network tunnels. For example, the network device includes a filter module that receives packets associated with a network tunnel from an ingress device to an egress device. The filter module applies heuristics to determine whether the packets encapsulate encrypted data units. If the data units are not encrypted, the filter module extracts the data units and generates temporary packets for use within the network device. An attack detection engine within the device analyzes the temporary packets to detect any network attacks carried by the encapsulated data units. A forwarding component selectively forwards the packets to the egress device based on whether any network attacks are detected.
28 Claims
15. A method comprising:
receiving, with an intermediate device, packets;
determining, with the intermediate device, whether one or more of the received packets are associated with a network tunnel that extends from an ingress device to an egress device by detecting the protocol to which the packet adheres, wherein those of the received packets determined to be associated with the network tunnel encapsulate data units for transmission along the network tunnel, wherein the intermediate device is positioned between the ingress device and the egress device along the network tunnel, and wherein the intermediate device is separate from both the ingress device and the egress device;
applying a set of heuristics to the data units to determine whether the data units are encrypted;
when the data units are determined not to be encrypted, extracting, with the intermediate device, the encapsulated data units from the one or more received packets determined to be associated with the network tunnel;
when the data units are determined not to be encrypted, generating, with the intermediate device, temporary packets from the data units, wherein the temporary packets are different from the originally received packets;
analyzing, with the intermediate device, the temporary packets to detect a network attack based upon application of an attack definition;
selectively transmitting, with the intermediate device, the originally received packets to the egress device based on the analysis of the temporary packets such that the originally received packets that share the same data units as the temporary packets from which the network attack is detected are not transmitted and the originally received packets that share the same data units as the temporary packets from which the network attack is not detected are transmitted;
analyzing, with the intermediate device, those of the received packets determined not to be associated with the network tunnel to detect a network attack without generating the temporary packets from the received packets; and
selectively transmitting, with the intermediate device, those of the received packets determined not to be associated with the network tunnel based on the analysis of these packets;
wherein applying a set of heuristics comprises:
examining the data units for indicators of a size of payloads within the data units;
determining an actual size for each of the payloads;
comparing the indicators with the actual size of each of the payloads; and
determining whether the data units are encrypted based on a result of the comparison.
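The following Python is an added illustration of the filter pipeline claimed in claims 1 and 15; it is not the patent's own code nor any assignee's implementation. It assumes GRE (IP protocol 47) as the tunnel protocol, an "attack definition" reduced to substring signatures, the claim 15 size heuristic applied to an inner IPv4 total-length field, and (an assumption the claims leave open) that data units judged encrypted are forwarded without inner inspection.

```python
import struct
GRE_PROTO = 47                      # IPv4 protocol number for GRE tunnels
SIGNATURES = [b"/etc/passwd"]       # constructed "attack definition": substrings to flag

def ipv4_header(buf):
    """Return (header_len, total_len, proto) if buf starts with a plausible IPv4 header."""
    if len(buf) < 20 or buf[0] >> 4 != 4 or (buf[0] & 0x0F) < 5:
        return None
    return (buf[0] & 0x0F) * 4, struct.unpack("!H", buf[2:4])[0], buf[9]

def tunnel_payload(pkt):
    """Detect the tunnel protocol (GRE here) and return the encapsulated data unit, else None."""
    hdr = ipv4_header(pkt)
    if hdr is None or hdr[2] != GRE_PROTO or len(pkt) < hdr[0] + 4:
        return None
    flags = pkt[hdr[0]]             # GRE base header: C (0x80), K (0x20), S (0x10) add 4 bytes each
    gre_len = 4 + sum(4 for bit in (0x80, 0x20, 0x10) if flags & bit)
    return pkt[hdr[0] + gre_len:]

def looks_encrypted(data_unit):
    """Size heuristic of claim 15: the declared payload size must match the actual size."""
    hdr = ipv4_header(data_unit)
    return hdr is None or hdr[1] != len(data_unit)

def detect_attack(packet):          # apply the attack definition to a temporary or original packet
    return any(sig in packet for sig in SIGNATURES)

def process(pkt):
    """Forwarding decision for one received packet: ('forward' | 'drop', reason)."""
    inner = tunnel_payload(pkt)
    if inner is None:               # not a tunnel packet: analyze it directly, no temporary packet
        return ("drop", "attack") if detect_attack(pkt) else ("forward", "clean")
    if looks_encrypted(inner):      # assumption: opaque tunnel payloads pass through uninspected
        return ("forward", "encrypted-tunnel")
    temp = bytes(inner)             # temporary packet built from the extracted data unit
    return ("drop", "tunnel-attack") if detect_attack(temp) else ("forward", "tunnel-clean")

def make_ipv4(proto, payload):
    """Constructed test data: minimal IPv4 header (zero checksum, 10.0.0.1 -> 10.0.0.2)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

GRE_BASE = b"\x00\x00\x08\x00"      # GRE flags/version 0, protocol type 0x0800 (IPv4)
SAMPLES = {                         # constructed packets, not captured traffic
    "tunnel_clean": make_ipv4(GRE_PROTO, GRE_BASE + make_ipv4(6, b"GET /index.html HTTP/1.1\r\n")),
    "tunnel_attack": make_ipv4(GRE_PROTO, GRE_BASE + make_ipv4(6, b"GET /../../etc/passwd HTTP/1.1\r\n")),
    "tunnel_opaque": make_ipv4(GRE_PROTO, GRE_BASE + bytes(range(200, 240))),
}
```

Running `process` over `SAMPLES` shows the three outcomes the claims distinguish: a clean tunnelled data unit is forwarded, a tunnelled data unit matching the attack definition is dropped together with its carrier packet, and a data unit failing the size heuristic is treated as encrypted.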
17. A network device comprising:
a filter module to receive packets, determine whether one or more of the received packets are associated with a network tunnel that extends from an ingress device to an egress device by detecting the protocol to which the packet adheres, wherein those of the received packets determined to be associated with the network tunnel encapsulate data units for transmission along the network tunnel, apply a set of heuristics to the data units to determine whether the data units are encrypted and, when the data units are determined not to be encrypted, extract data units encapsulated within those of the packets determined to be associated with the network tunnel, wherein the network device is positioned between the ingress device and the egress device along the network tunnel, and wherein the intermediate device is separate from both the ingress device and the egress device, wherein the filter module includes a packet generation module to generate, when the data units are determined not to be encrypted, temporary packets from the extracted data units, wherein the temporary packets are different from the originally received packets;
an attack detection engine to process the data units within the temporary packets to identify network elements associated with the data units, form application-layer communications from the data units within the temporary packets, process the application-layer communications with protocol-specific decoders to identify application-layer elements to detect a network attack; and
a forwarding component to selectively forward the originally received packets to the egress device based on the analysis of the temporary packets such that the originally received packets that share the same data units as the temporary packets from which the network attack is detected are not transmitted and the originally received packets that share the same data units as the temporary packets from which the network attack is not detected are transmitted, wherein the forwarding component further analyzes those of the received packets determined not to be associated with the network tunnel to detect a network attack without generating the temporary packets from the received packets, and selectively transmits those of the received packets determined not to be associated with the network tunnel based on the analysis of these packets.
27. A network device comprising:
a filter module to receive packets, determine whether one or more of the received packets are associated with a network tunnel that extends from an ingress device to an egress device by detecting the protocol to which the packet adheres, wherein those of the received packets determined to be associated with the network tunnel encapsulate data units for transmission along the network tunnel, apply a set of heuristics to the data units to determine whether the data units are encrypted and, when the data units are determined not to be encrypted, extract data units encapsulated within those of the packets determined to be associated with the network tunnel, wherein the network device is positioned between the ingress device and the egress device along the network tunnel, and wherein the intermediate device is separate from both the ingress device and the egress device, wherein the filter module includes a packet generation module to generate, when the data units are determined not to be encrypted, temporary packets from the extracted data units, wherein the temporary packets are different from the originally received packets;
an attack detection engine to analyze packets to detect a network attack based on application of an attack definition; and
a forwarding component to selectively forward the originally received packets to the egress device based on the analysis of the temporary packets such that the originally received packets that share the same data units as the temporary packets from which the network attack is detected are not transmitted and the originally received packets that share the same data units as the temporary packets from which the network attack is not detected are transmitted, wherein the forwarding component further analyzes those of the received packets determined not to be associated with the network tunnel to detect a network attack without generating the temporary packets from the received packets, and selectively transmits those of the received packets determined not to be associated with the network tunnel based on the analysis of these packets;
wherein the filter module examines the data units to determine indicators of a size of payloads within the data units and compares the indicators with an actual size for each of the payloads, and extracts the data units based on the result of the comparison.
28. A computer-readable medium comprising instructions that cause a programmable processor within a network device to:
present a user interface that receives input specifying an attack definition; and
configure a forwarding plane of the network device to:
receive packets;
determine whether one or more of the received packets are associated with a network tunnel that extends from an ingress device to an egress device by detecting the protocol to which the packet adheres, wherein those of the received packets determined to be associated with the network tunnel encapsulate data units for transmission along the network tunnel;
apply a set of heuristics to the data units to determine whether the data units are encrypted;
when the data units are determined not to be encrypted, extract the encapsulated data units from the one or more received packets determined to be associated with the network tunnel;
when the data units are determined not to be encrypted, generate temporary packets from data units encapsulated within those of the originally received packets determined to be associated with the network tunnel;
apply the attack definition to the temporary packets to detect a network attack by processing the data units within the temporary packets with the network device to identify network elements associated with the data units, forming application-layer communications with protocol-specific decoders to identify application-layer elements, and applying the attack definition to the network elements and the application-layer elements to detect the network attack; and
forward the originally received packets to an egress device of the tunnel based on the application of the attack definition to the temporary packets such that those of the originally received packets sharing the same data units as those of the temporary packets from which the network attack is detected are not transmitted and those of the originally received packets sharing the same data units as those of the temporary packets from which the network attack is not detected are transmitted,
wherein the forwarding component further analyzes those of the received packets determined not to be associated with the network tunnel to detect a network attack without generating the temporary packets from the received packets, and selectively transmits those of the received packets determined not to be associated with the network tunnel based on the analysis of these packets, wherein the network device is positioned between the ingress device and the egress device, and wherein the network device is separate from both the ingress device and the egress device.