Detecting and preventing undesirable network traffic from being sourced out of a network domain

US 7,970,886 B1
Filed: 11/02/2000
Issued: 06/28/2011
Est. Priority Date: 11/02/2000
Status: Active Grant

First Claim

Patent Images

1. A network comprising:

a first network domain;

a first routing device at a boundary between the first network domain and public internetworking fabric to route network traffic between the first network domain and the public internetworking fabric;

a second routing device for routing network traffic out of and into the first network domain; and

a monitor/regulator, either integrally disposed in said first routing device or coupled to the first routing device to monitor the network traffic routed by said first routing device and said second routing device by analyzing flow records, each describing a traffic conversation as indicated by a combination of source and destination addresses, received from the first routing device and the second routing device, the monitor/regulator determining if the first network domain is sourcing undesirable network traffic, including network traffic sourced directly out of the first network domain and also including network traffic sourced originally from third parties and subsequently going through the first network domain to the first routing device, the undesirable network traffic comprising a denial of service attack in which the undesirable network traffic is launched against a target network device in order to undermine the operation of that target network device by overwhelming the target network device with network traffic, out of or going through the first network domain based on the network traffic being routed by said first routing device and said second routing device,wherein said monitor/regulator makes said determination based at least in part on differential characteristics between request packets routed out of said first network domain and response packets routed into the first network domain based on aggregated network traffic routed by the first routing device and the second routing device, and wherein said monitor/regulator instructs the first routing device and said second routing device to lower a priority of the undesirable network traffic that is being sourced from or going through the first network domain,wherein said monitor/regulator monitors a second network domain, andwherein said monitor/regulator, upon making said determination, lowers threshold criteria it uses to conclude that undesirable network traffic is being sourced out of the second network domain.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides for a novel approach to protecting a system owner'"'"'s system(s) from being exploited and providing involuntary assistance to a DOS attack. The present invention provides the protection by detecting and preventing undesirable or inappropriate network traffic from being sourced from a network domain. More specifically, a monitor/regulator is provided to monitor network traffic leaving a network domain. The monitor/regulator determines if undesirable/inappropriate network traffics are leaving the network domain based on the observed characteristics of the outbound and inbound network traffics. If it is determined that undesirable/inappropriate network traffics are leaving the network domain, the monitors/regulator, in one embodiment, at least warns system owners of the detection. In another embodiment, the monitors/regulator further issues regulation instruction(s) to boundary routing device(s) of the network domain(s), thereby preventing the network domain(s) from being exploited to source such undesirable/inappropriate network traffics.

57 Citations

View as Search Results

15 Claims

1. A network comprising:
- a first network domain;
  
  a first routing device at a boundary between the first network domain and public internetworking fabric to route network traffic between the first network domain and the public internetworking fabric;
  
  a second routing device for routing network traffic out of and into the first network domain; and
  
  a monitor/regulator, either integrally disposed in said first routing device or coupled to the first routing device to monitor the network traffic routed by said first routing device and said second routing device by analyzing flow records, each describing a traffic conversation as indicated by a combination of source and destination addresses, received from the first routing device and the second routing device, the monitor/regulator determining if the first network domain is sourcing undesirable network traffic, including network traffic sourced directly out of the first network domain and also including network traffic sourced originally from third parties and subsequently going through the first network domain to the first routing device, the undesirable network traffic comprising a denial of service attack in which the undesirable network traffic is launched against a target network device in order to undermine the operation of that target network device by overwhelming the target network device with network traffic, out of or going through the first network domain based on the network traffic being routed by said first routing device and said second routing device,wherein said monitor/regulator makes said determination based at least in part on differential characteristics between request packets routed out of said first network domain and response packets routed into the first network domain based on aggregated network traffic routed by the first routing device and the second routing device, and wherein said monitor/regulator instructs the first routing device and said second routing device to lower a priority of the undesirable network traffic that is being sourced from or going through the first network domain,wherein said monitor/regulator monitors a second network domain, andwherein said monitor/regulator, upon making said determination, lowers threshold criteria it uses to conclude that undesirable network traffic is being sourced out of the second network domain.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The network of claim 1, wherein said monitor/regulator infers said differential characteristics based on aggregated statistics of said network traffic routed out of said first network domain by said first routing device and said second routing device, and aggregated statistics of said network traffic routed into the first network domain by said first routing device and said second routing device.
  - 3. The network of claim 1, wherein said monitor/regulator generates statistics concerning destination addresses and determines whether the first network domain is sourcing or passing through undesirable network traffic based on said statistics.
  - 4. The network of claim 1, wherein said monitor/regulator generates statistics concerning lengths of packets and determines whether the first network domain is sourcing or passing through undesirable network traffic based on said statistics.
  - 5. The network of claim 1, wherein said monitor/regulator generates statistics concerning distributions of time to live values and determines whether the first network domain is sourcing or passing through undesirable network traffic based on said statistics.
  - 6. The network of claim 1, wherein said monitor/regulator tracks differences between outbound transmission control protocol (TCP) synchronize (SYN) and finish (FIN) packets and inbound response packets and determines whether the first network domain is sourcing or passing through undesirable network traffic based on said differences.
  - 7. The network of claim 1, wherein said monitor/regulator instructs said first routing device and said second routing device to slow the undesirable network traffic.

8. A network traffic regulation method comprising:
- monitoring, by a monitor/regulator, network traffic routed by a first routing device of a first network domain;
  
  monitoring, by the monitor/regulator, network traffic routed by a second routing device of said first network domain;
  
  determining, by the monitor/regulator, if the undesirable network traffic is being sourced directly out of the first network domain or is sourced originally from third parties and subsequently passing through the first network domain to the first routing device, the undesirable network traffic comprising a denial of service attack in which the undesirable network traffic is launched against a target network device in order to undermine the operation of that target network device by overwhelming the target network device with network traffic, wherein the first network domain is determined to be sourcing or passing through undesirable network traffic by analysis of flow records describing traffic conversation, as indicated by a combination of source and destination addresses, received from the first routing device and the second routing device, which are positioned at a boundary between the first network domain and public internetworking fabric to route network traffic between the first network domain and the public internetworking fabric;
  
  wherein said determining comprises determining based at least in part on differential characteristics between request packets routed out of said network domain and response packets routed into the network domain based on aggregated network traffic routed by the first routing device and the second routing device;
  
  wherein said monitor/regulator instructs the first routing device and the second routing device to lower a priority of the undesirable network traffic that is being sourced from or passing through the first network domain and routed by said first network device and said second network device,wherein said monitor/regulator monitors a second network domain, andwherein said monitor/regulator, upon making said determination, lowers threshold criteria it uses to conclude that undesirable network traffic is being sourced out of the second network domain.
- View Dependent Claims (9, 10, 11, 12, 13)
- - 9. The method of claim 8, wherein said determining comprises inferring said differential characteristics based on aggregated statistics of said network traffic routed out of said first network domain by said first routing device and said second routing device, and aggregated statistics of said network traffic routed into the first network domain by said first routing device and said second routing device.
  - 10. The method of claim 8, further comprising generating statistics concerning destination addresses and determining whether the first network domain is sourcing or passing through undesirable network traffic based on said statistics.
  - 11. The method of claim 8, further comprising generating statistics concerning lengths of packets and determining whether the first network domain is sourcing or passing through undesirable network traffic based on said statistics.
  - 12. The method of claim 8, further comprising generating statistics concerning distributions of time to live values and determining whether the first network domain is sourcing or passing through undesirable network traffic based on said statistics.
  - 13. The method of claim 8, further comprising tracking differences between outbound TCP SYN and FIN packets and inbound response packets and determining whether the first network domain is sourcing or passing through undesirable network traffic based on said differences.

14. A network comprising:
- a first network domain;
  
  a second network domain;
  
  a first routing device at a boundary between the first network domain and public internetworking fabric to route network traffic between the first network domain and the public internetworking fabric; and
  
  said second network domain including a second routing device for routing network traffic out of and into the second network domain;
  
  a monitor/regulator that monitors the network traffic routed by said first routing device and said second routing device by analyzing flow records describing traffic conversation as indicated by a combination of source and destination addresses received from the first routing device and the second routing device, and determines if undesirable network traffic is being sourced out of the first or the second network domains or is sourced originally from third parties and subsequently passes through the first or the second network domains, based on network traffic characteristics observed of network traffic routed through said first and second routing devices;
  
  the undesirable network traffic comprising a denial of service attack in which the undesirable network traffic is launched against a target network device in order to undermine the operation of that target network device by overwhelming the target network device with network traffic, out of or going through the first network domain or the second network domain, based on the network traffic being routed by said first routing device and said second routing device,wherein said monitor/regulator makes said determination based at least in part on differential characteristics between request packets routed out of each network domain and response packets routed into each network domain based on aggregated network traffic routed by the first routing device and the second routing device, and wherein said monitor/regulator instructs one of said first routing device and said second routing device to lower a priority of the undesirable network traffic that is being sourced from or going through the first network domain or the second network domain; and
  
  wherein said monitor/regulator, upon determining that one of said first and second network domains is sourcing undesirable traffic, lowers threshold criteria it uses to conclude that undesirable network traffic are being sourced out of an other one of the first or the second network domains including being sourced originally from third parties and subsequently passing through the first or the second network domains.

15. A network comprising:
- a network domain which is a local area network;
  
  a routing device in the local area network at a boundary between the local area network and public internetworking fabric to route network traffic between the network domain and the public internetworking fabric; and
  
  a monitor/regulator, either integrally disposed in said routing device or coupled to the routing device, to monitor the network traffic routed by said routing device by analyzing flow records describing traffic conversation as indicated by a combination of source and destination addresses received from the routing device, the monitor/regulator determining if the network domain is sourcing undesirable network traffic, including network traffic sourced out of the network domain and also including network traffic sourced originally from third parties and subsequently going through the network domain to the routing device, the monitor/regulator generating statistics concerning destination addresses to determine whether the network domain is sourcing or passing through the undesirable network traffic, wherein said monitor/regulator instructs the routing device to lower a priority of the undesirable network traffic and/or slow the undesirable network traffic;
  
  wherein the undesirable network traffic comprises a denial of service attack in which the undesirable network traffic is launched against a target network device in order to undermine the operation of that target network device by overwhelming the target network device with network traffic, out of the network domain,wherein said monitor/regulator makes said determination based on differential characteristics of network traffic routed out of or passing through said network domain relative to network traffic routed into said network domain and aggregates said differential characteristics based on differential characteristics between request packets routed out of said network domain, and response packets routed into the network domain and wherein said monitor/regulator instructs the routing device to lower a priority of the undesirable network traffic that is being sourced from or passing through the network domain,wherein said monitor/regulator monitors a second network domain, andwherein said monitor/regulator, upon making said determination, lowers threshold criteria it uses to conclude that undesirable network traffic is being sourced out of the second network domain.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Arbor Networks Incorporated (NetScout Systems Incorporated)
Original Assignee
Arbor Networks Incorporated (NetScout Systems Incorporated)
Inventors
Anderson, Thomas E., Wetherall, David J., Savage, Stefan R.
Primary Examiner(s)
Caldwell; Andrew
Assistant Examiner(s)
Biagini; Christopher D

Application Number

US09/706,503
Time in Patent Office

3,890 Days
Field of Search

709/224, 709/225, 709/229, 713/201, 707/10, 707/2, 707/20, 726/23
US Class Current

709/224
CPC Class Codes

H04L 41/28   Restricting access to netwo...

H04L 43/00   Arrangements for monitoring...

H04L 43/06   Generation of reports

H04L 43/16   Threshold monitoring

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

Detecting and preventing undesirable network traffic from being sourced out of a network domain

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

57 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting and preventing undesirable network traffic from being sourced out of a network domain

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links