Distributed denial of service congestion recovery using split horizon DNS

US 7,987,255 B2
Filed: 11/07/2008
Issued: 07/26/2011
Est. Priority Date: 11/07/2008
Status: Active Grant

First Claim

Patent Images

1. A method for congestion recovery of a local network during a denial of service attack, comprising:

creating a split horizon zone on a hardware server, wherein the split horizon zone comprises a fictitious zone, and wherein the fictitious zone maps Internet Protocol (IP) addresses of a host to an address outside of the local network;

creating a general split horizon zone for non-malicious clients;

receiving and investigating a plurality of requests from a plurality of clients;

designating a malicious client from the plurality of clients based on investigating the plurality of requests, wherein the malicious client is associated with a client address;

assigning the client address to the fictitious zone;

altering the general split horizon zone to further limit malicious client access; and

routing network traffic from the malicious client to the address outside of the local network.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for congestion recovery during a denial of service attack involves creating a split horizon zone on a server, where the split horizon zone includes a fictitious zone mapped to a fictitious address, receiving and investigating requests from clients, designating a malicious client based on investigating the requests, where the malicious client is associated with a client address, assigning the client address to the fictitious zone, and routing network traffic from the malicious client to the fictitious address.

Citations

18 Claims

1. A method for congestion recovery of a local network during a denial of service attack, comprising:
- creating a split horizon zone on a hardware server, wherein the split horizon zone comprises a fictitious zone, and wherein the fictitious zone maps Internet Protocol (IP) addresses of a host to an address outside of the local network;
  
  creating a general split horizon zone for non-malicious clients;
  
  receiving and investigating a plurality of requests from a plurality of clients;
  
  designating a malicious client from the plurality of clients based on investigating the plurality of requests, wherein the malicious client is associated with a client address;
  
  assigning the client address to the fictitious zone;
  
  altering the general split horizon zone to further limit malicious client access; and
  
  routing network traffic from the malicious client to the address outside of the local network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - updating the split horizon zones dynamically.
  - 3. The method of claim 1, wherein designating the malicious client is handled by an Intrusion Detection System (IDS).
  - 4. The method of claim 1, wherein assigning the client address comprises assigning a unique IP address of the malicious client to the fictitious zone.
  - 5. The method of claim 1, wherein assigning the client address comprises assigning an entire sub-network of the malicious client to the fictitious zone.
  - 6. The method of claim 1, wherein the malicious client is sent to the address outside of the local network by rewriting portions of a response sent to the malicious client.
  - 7. The method of claim 1, wherein the address outside of the local network is a non-routable address.
  - 8. The method of claim 1, wherein the address outside of the local network is an address of the malicious client.

9. A system for denial of service attack congestion recovery of a local network, comprising:
- a plurality of clients with a processor comprising functionality to execute software instructions for sending a plurality of requests, wherein the plurality of requests comprise requests for a plurality of Internet Protocol (IP) addresses;
  
  a domain name system (DNS) server comprising a processor, and communicatively coupled to the plurality of clients and configured for;
  
  creating a split horizon zone, wherein the split horizon zone comprises a fictitious zone, and wherein the fictitious zone maps IP addresses of a host to an address outside of the local network,creating a general split horizon zone for non-malicious clients;
  
  receiving and investigating a plurality of requests from the plurality of clients,designating a malicious client from the plurality of clients based on investigating the plurality of requests, wherein the malicious client is associated with a client address,assigning the client address to the fictitious zone,altering the general split horizon zone to further limit malicious client access; and
  
  routing network traffic from the malicious client to the address outside of the local network;
  
  an intrusion detection system (IDS) communicatively coupled to the plurality of clients and the DNS server.
- View Dependent Claims (10)
- - 10. The system of claim 9, wherein the DNS server and the IDS reside on the same machine.

11. A non-transitory computer readable medium storing instructions for congestion recovery during a denial of service attack, the instructions comprising functionality to:
- create a split horizon zone on a server, wherein the split horizon zone comprises a fictitious zone, and wherein the fictitious zone maps Internet Protocol (IP) addresses of a host to an address outside of the local network;
  
  create a general split horizon zone for non-malicious clients;
  
  receive and investigate a plurality of requests from a plurality of clients;
  
  designate a malicious client from the plurality of clients based on investigating the plurality of requests;
  
  assign the address of the malicious client to the fictitious zone;
  
  alter the general split horizon zone to further limit malicious client access; and
  
  route network traffic from the malicious client to the address outside of the local network.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The non-transitory computer readable medium of claim 11, further comprising instructions comprising functionality to:
    - update the split horizon zones dynamically.
  - 13. The non-transitory computer readable medium of claim 11, wherein designating the malicious client is handled by an Intrusion Detection System (IDS).
  - 14. The non-transitory computer readable medium of claim 11, wherein assigning the client address comprises assigning a unique IP address of the malicious client to the fictitious zone.
  - 15. The non-transitory computer readable medium of claim 11, wherein assigning the client address comprises assigning an entire sub-network of the malicious client to the fictitious zone.
  - 16. The non-transitory computer readable medium of claim 11, wherein the malicious client is sent to the address outside of the local network by rewriting portions of a response sent to the malicious client.
  - 17. The non-transitory computer readable medium of claim 11, wherein the address outside of the local network is a non-routable address.
  - 18. The non-transitory computer readable medium of claim 11, wherein the address outside of the local network is the address of the malicious client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Oracle America, Inc. (Oracle Corporation)
Inventors
St. Pierre, Robert Paul
Primary Examiner(s)
Shingles; Kristie D

Application Number

US12/267,475
Publication Number

US 20100121979A1
Time in Patent Office

991 Days
Field of Search

709/223, 709/224, 709/225, 709/235
US Class Current

709/223
CPC Class Codes

H04L 63/1458 Denial of Service

H04L 63/1491 using deception as counterm...

Distributed denial of service congestion recovery using split horizon DNS

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed denial of service congestion recovery using split horizon DNS

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links