Method and system for monitoring control signal traffic over a computer network

US 7,844,696 B2
Filed: 06/27/2002
Issued: 11/30/2010
Est. Priority Date: 06/27/2001
Status: Active Grant

First Claim

Patent Images

1. A method for monitoring control signal traffic over a computer network comprising a plurality of routers by a monitoring computer system, the method comprising acts of:

maintaining, by the monitoring computer, at least one peering session with at least one of the plurality of routers, wherein the act of maintaining includes an act of sending messages by the monitoring computer system to the at least one of the plurality of routers;

configuring the at least one of the plurality of routers to direct control signals relating to control of a routing protocol via the at least one peering session maintained to the monitoring computer system, wherein the monitoring computer system is separate from a router network including the plurality of routers;

receiving, by the computer system from the at least one of the plurality of routers via the at least one peering session, at least one control signal communicated to one or more other routers;

storing the at least one control signal in a database of monitoring the computer system;

identifying, by the monitoring computer system based on the at least one control signal, at least one change to a network topology;

generating an alert message identifying the at least one change to the network topology;

sending the alert message to a computer system of a network administrator;

determining, by the computer system of the network administrator based on the alert message received, an anomaly in the computer network; and

displaying, to the network administrator in a display of the computer system of the network administrator, an indication of the anomaly in the computer network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method is provided for detecting, tracking and/or blocking control signal attacks, which can occur between local computer systems and/or between remote computer systems, network links, and/or routing systems over a computer network. The system includes a router monitor adapted to receive a plurality of control signals and related information from the computer network and to process the plurality of control signals and related information to detect one or more control signal anomalies. The router monitor is further adapted to generate a plurality of alert signals representing the one or more control signal anomalies. The system further includes a controller that is coupled to the router monitor and is adapted to receive the plurality of alert signals from the router monitor. The controller is constructed and arranged to respond to the plurality of alert signals by tracking attributes related to the one or more control signal anomalies to at least one source, and to block the one or more control signal anomalies using a filtering mechanism executed in close proximity to the at least one source.

132 Citations

30 Claims

1. A method for monitoring control signal traffic over a computer network comprising a plurality of routers by a monitoring computer system, the method comprising acts of:
- maintaining, by the monitoring computer, at least one peering session with at least one of the plurality of routers, wherein the act of maintaining includes an act of sending messages by the monitoring computer system to the at least one of the plurality of routers;
  
  configuring the at least one of the plurality of routers to direct control signals relating to control of a routing protocol via the at least one peering session maintained to the monitoring computer system, wherein the monitoring computer system is separate from a router network including the plurality of routers;
  
  receiving, by the computer system from the at least one of the plurality of routers via the at least one peering session, at least one control signal communicated to one or more other routers;
  
  storing the at least one control signal in a database of monitoring the computer system;
  
  identifying, by the monitoring computer system based on the at least one control signal, at least one change to a network topology;
  
  generating an alert message identifying the at least one change to the network topology;
  
  sending the alert message to a computer system of a network administrator;
  
  determining, by the computer system of the network administrator based on the alert message received, an anomaly in the computer network; and
  
  displaying, to the network administrator in a display of the computer system of the network administrator, an indication of the anomaly in the computer network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method according to claim 1, wherein the at least one control signal controls forwarding of data in the computer network.
  - 3. The method according to claim 1, wherein the at least one control signal is a route entry stored in a memory of the at least one of the plurality of routers.
  - 4. The method according to claim 1, wherein the at least one control signal is a route update transmitted by the at least one of the plurality of routers.
  - 5. The method according to claim 1, further comprising an act of generating an alert signal based on the determined anomaly.
  - 6. The method according to claim 1, wherein the act of storing further comprises storing a plurality of control signals over time.
  - 7. The method according to claim 1, further comprising an act of performing, in response to the act of determining the anomaly, an administrative act on the computer network.
  - 8. The method according to claim 7, wherein the anomaly includes one or more attributes and the method further comprises an act of tracking the one or more attributes of the anomaly to at least one source.
  - 9. The method according to claim 8, further comprising an act of filtering a control signal produced by the at least one source that relates to anomaly.
  - 10. The method according to claim 9, wherein the act of filtering is performed in one of the plurality of routers.
  - 11. The method according to claim 10, further comprising an act of creating a filter in the one of the plurality of routers to filter control data transmitted by the at least one source.
  - 12. The method of claim 1, wherein the at least one control signal is a route control signal.
  - 13. The method according to claim 1, wherein the computer system is configured to communicate with the plurality of routers using a routing protocol and wherein the method comprises an act of receiving and processing routing updated messages of the routing protocol.
  - 14. The method according to claim 13, wherein the routing protocol includes the Border Gateway Protocol (BGP), and wherein the method comprises an act of communicating, by the computer with the plurality of routers, BGP routing messages.
  - 15. The method according to claim 14, wherein the computer system is configured to maintain one or more BGP peering sessions with one or more of the plurality of routers, and wherein the method further comprises an act of receiving, by the computer system from the one or more routers, BGP messages over the one or more BGP peering sessions.

16. An apparatus for monitoring control signal traffic over a computer network comprising a plurality of network communication systems, the apparatus comprising:
- a monitor that receives, from at least one of the plurality of routers configured to direct control signals relating to control of a routing protocol to the monitor, at least one control signal communicated to one or more other routers, the at least one control signal being received via at least one peering session with the at least one of the plurality of routers, and wherein the monitor actively maintains the at least one peering session with the at least one of the plurality of routers by sending messages to the at least one of the plurality of routers, the monitor being configured to store and the monitor being configured to identify;
  
  the at least one control signal in a database; and
  
  based on the at least one control signal, at least one change to a network topology;
  
  a detector that detects an anomaly based on the at least one control signal; and
  
  a controller that is configured to receive the detected anomaly from the detector, and is configured to communicate the anomaly in an alert message to a computer system of a network administrator.
- View Dependent Claims (17, 18, 19)
- - 17. The apparatus according to claim 16, further comprising a controller that receives, from the monitor, the at least one control signal and stores the at least one control signal in the database.
  - 18. The apparatus according to claim 16, wherein the monitor store the at least one control signal in a persistent archive.
  - 19. The apparatus according to claim 16, further comprising a profiler that generates a profile of at least one of the network communication trends in the computer network and topology of the computer network.

20. A non-transitory computer-readable medium encoded with instructions for execution on a monitoring computer system, the instructions when executed, perform a method comprising acts of:
- configuring a plurality of routers to forward control signals relating to control of a routing protocol to the monitoring computer system;
  
  receiving, by the monitoring computer system from at least one of the plurality of routers, at least one control signal communicated to one or more other routers, the at least one control signal being received via at least one peering session with the at least one of the plurality of routers, and wherein the monitoring computer system actively maintains the at least one peering session with the at least one of the plurality of routers by sending messages to the at least one of the plurality of routers;
  
  storing the at least one control signal in a database of the computer system; and
  
  identifying, by the computer system based on the at least one control signal, at least one change to a network topology;
  
  determining, based on the at least one control signal, an anomaly in the computer network;
  
  generating an alert signal based on the determined anomaly;
  
  sending an alert message comprising the alert signal to a computer system of a network administrator;
  
  determining, by the computer system of the network administrator based on the alert message received, an anomaly in the computer network; and
  
  displaying, to the network administrator in a display of the computer system of the network administrator, an indication of the anomaly in the computer network.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 21. The non-transitory computer-readable medium according to claim 20, wherein the at least one control signal controls forwarding of data in the computer network.
  - 22. The non-transitory computer-readable medium according to claim 20, wherein the at least one control signal is a route entry stored in a memory of the at least one of the plurality of routers.
  - 23. The non-transitory computer-readable medium according to claim 20, wherein the at least one control signal is a route update transmitted by the at least one of the plurality of routers.
  - 24. The non-transitory computer-readable medium according to claim 20, wherein the act of storing further comprises storing a plurality of control signals over time.
  - 25. The non-transitory computer-readable medium according to claim 20, the method further comprising an act of performing, in response to the act of determining the anomaly, an administrative act on the computer network.
  - 26. The non-transitory computer-readable medium according to claim 25, wherein the anomaly includes one or more attributes and the method further comprises an act of tracking the one or more attributes of the anomaly to at least one source.
  - 27. The non-transitory computer-readable medium according to claim 26, the method further comprising an act of filtering a control signal produced by the at least one source that relates to anomaly.
  - 28. The non-transitory computer-readable medium according to claim 26, wherein the act of filtering is performed in one of the plurality of routers.
  - 29. The non-transitory computer-readable medium according to claim 28, the method further comprising an act of creating a filter in the one of the plurality of routers to filter control data transmitted by the at least one source.

30. A method for monitoring control signal traffic over a computer network comprising a plurality of routers by a monitoring computer system, the method comprising acts of:
- configuring the plurality of routers to forward control signals relating to control of a routing protocol to the monitoring computer system;
  
  receiving, by the monitoring computer system from at least one of the plurality of routers, at least one route control signal communicated to one or more other routers, each of which storing a respective routing table, the at least one route control signal affecting at least one routing table entry within the respective routing table of the one or more other routers, the at least one route control signal being received via at least one peering session with the at least one of the plurality of routers, and wherein the monitoring computer system actively maintains the at least one peering session with the at least one of the plurality of routers by sending messages to the at least one of the plurality of routers;
  
  storing the at least one route control signal in a database of the monitoring computer system; and
  
  identifying, by the computer system based on the at least one route control signal, at least one change to a network topology among the plurality of routers;
  
  generating an alert message identifying the at least one change to the network topology;
  
  sending the alert message to a computer system of a network administrator;
  
  determining, by the computer system of the network administrator based on the alert message received, an anomaly in the computer network; and
  
  displaying, to the network administrator in a display of the computer system of the network administrator, an indication of the anomaly in the computer network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arbor Networks Incorporated (NetScout Systems Incorporated)
Original Assignee
Arbor Networks Incorporated (NetScout Systems Incorporated)
Inventors
Iekel-Johnson, Scott, Labovitz, Craig H.
Primary Examiner(s)
Dalencourt; Yves

Application Number

US10/186,194
Publication Number

US 20030037136A1
Time in Patent Office

3,078 Days
Field of Search

709/202, 709/223, 709/224, 709/225, 709/229, 709/231, 709/237, 709/247, 709/239, 709/240, 713/200, 713/201, 370/252, 370/254
US Class Current

709/224
CPC Class Codes

H04L 41/0604   using filtering, e.g. reduc...

H04L 41/0618   based on the physical or lo...

H04L 41/22   comprising specially adapte...

H04L 43/00   Arrangements for monitoring...

H04L 43/106   using time related informat...

H04L 43/16   Threshold monitoring

H04L 63/102   Entity profiles

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

Method and system for monitoring control signal traffic over a computer network

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

132 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for monitoring control signal traffic over a computer network

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

132 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links