Method for source-spoofed IP packet traceback
Abstract
Method for source-spoofed internet protocol packet traceback. This is an IP packet traceback technique for locating the origin of a malicious packet, even if the packet's IP source address is incorrect (spoofed). This is done by having routers look up the source address in their routing tables and mark the relevant entry.
35 Claims
1. A method for tracing source spoofed network communications on a network comprising:
- providing a table, which is configured to include;
  - a single entry for each of a plurality of distinct sub-blocks of source addresses, wherein each distinct sub-block of source addresses corresponds to a plurality of source addresses on the network capable of sending a network communication; and
  - a plurality of use bits, each associated with respective ones of the plurality of distinct sub-blocks of source addresses;
- when a network communication arrives, modifying the use bit corresponding to at least one sub-block of source addresses associated with the network communication; and
- analyzing the use bits to trace the source of a spoofed network communication being forwarded over the network.

Dependent claims: 2-25
26. A method for tracing a source spoofed network communication having a source spoofed prefix over a plurality of routers comprising:
- providing a plurality of look-up tables associated with respective ones of the plurality of routers configured to include;
  - a single entry for each of a plurality of distinct source prefixes, wherein each distinct source prefix corresponds to a plurality of addresses on a network; and
  - a plurality of use bits, each associated with respective ones of the plurality of distinct source prefixes;
- upon arrival of a new network communication, looking up a source prefix in a look-up table, the source prefix being contained in the network communication header;
- if the source prefix is found within the look-up table, writing a first binary value to the use bit associated with the found table entry;
- if the source prefix is not found within the look-up table, writing a new table entry into the look-up table; and
- collecting at least a partial list of the look-up table from to trace the source of a spoofed network communication being forwarded over the network.

Dependent claims: 27-33
34. A system for tracing a source spoofed network communication, comprising:
- a table configured to include a single entry for each of a plurality of distinct sub-blocks of source addresses, wherein each distinct sub-block of source addresses corresponds to a plurality of source addresses on the network capable of sending a network communication, and a plurality of use bits, each associated with respective ones of the plurality of distinct sub-blocks of source addresses,
- a look up process for, when a network communication arrives, modifying the use bit corresponding to at least one sub-block of source addresses associated with the network communication; and
- a traceback agent for analyzing the use of bits to trace the source of a spoofed network communication being forwarded over the network.
35. A method for tracing source spoofed network communications on a network in which nodes on the network maintain tables that are configured to include a single entry for each of a plurality of distinct sub-blocks of source addresses and use bits, wherein each distinct sub-block of source addresses corresponds to a plurality of source addresses, and wherein each use bit is associated with respective ones of the plurality of distinct sub-blocks of source addresses, the method comprising:
- polling the tables of a first set of neighboring nodes to determine, based on use bits stored in the tables, if any of the nodes in the first set of neighboring nodes received a communication from a node in a sub-block of source addresses associated with a spoofed network communication;
- receiving at least one response to the poll;
- in response to a responding node indicating that it had received a communication from the sub-block of source addresses with the spoofed network communication, querying the routing tables of a second set of nodes neighboring the responding node, to trace the source of the spoofed communication.
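
A minimal simulation of the use-bit marking in claims 1 and 26 and the neighbor polling in claim 35, added here as an illustration and not taken from the patent. The `Router` class, the five-node topology, the /24 size and set bit of a newly written entry, and the documentation-range addresses are all assumptions.

```python
import ipaddress

class Router:
    """Node with one table entry (prefix -> use bit) per source sub-block."""
    def __init__(self, name, prefixes):
        self.name, self.neighbors = name, []
        self.use = {ipaddress.ip_network(p): 0 for p in prefixes}

    def lookup(self, src):  # longest-prefix match of the source address
        addr = ipaddress.ip_address(src)
        hits = [net for net in self.use if addr in net]
        return max(hits, key=lambda net: net.prefixlen) if hits else None

    def on_packet(self, src):
        """Set the use bit for the packet's claimed source sub-block."""
        net = self.lookup(src)
        if net is None:  # claim 26: write a new entry (assumed /24, bit set)
            net = ipaddress.ip_network(f"{src}/24", strict=False)
        self.use[net] = 1

    def saw(self, src):
        """Poll response: is the use bit for this source's sub-block set?"""
        net = self.lookup(src)
        return net is not None and self.use[net] == 1

def traceback(start, src):
    """Poll neighbors hop by hop; return (nodes on the trace, candidate origins)."""
    visited, frontier, origins = [start], [start], []
    while frontier:
        node = frontier.pop(0)
        hits = [n for n in node.neighbors if n not in visited and n.saw(src)]
        if not hits and node is not start:
            origins.append(node.name)  # no further neighbor responded
        visited.extend(hits)
        frontier.extend(hits)
    return [n.name for n in visited], origins

def build_demo():
    """Constructed topology: V (victim side) - C1 - A and V - C2 - B."""
    table = ["203.0.113.0/24", "198.51.100.0/24"]
    v, c1, c2, a, b = (Router(n, table) for n in ("V", "C1", "C2", "A", "B"))
    for x, y in ((v, c1), (v, c2), (c1, a), (c2, b)):
        x.neighbors.append(y)
        y.neighbors.append(x)
    for hop in (a, c1, v):  # packet with spoofed source enters at A
        hop.on_packet("203.0.113.7")
    for hop in (b, c2, v):  # unrelated traffic from B, marks a different entry
        hop.on_packet("198.51.100.5")
    return v
```

Because there is a single use bit per sub-block, legitimate traffic from the same sub-block sets the same bit, so `traceback` follows every responding branch and may return more than one candidate origin.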
Specification