Protection against reflection distributed denial of service attacks
First Claim
1. A method comprising:
monitoring outgoing request packets transmitted by a node in a protected network over a link connecting the protected network to an external network;
monitoring incoming response packets that originate in the external network and are destined for transmission to the node;
responsively to monitoring the outgoing request packets and the incoming response packets, identifying one or more of the incoming response packets that were not solicited by any of the outgoing request packets;
determining a characteristic that differentiates between the identified incoming response packets and the incoming response packets that were solicited by the outgoing request packets; and
instructing a guard device in the external network to inhibit the transmission over the link of subsequent unsolicited response packets based on the characteristic.
Abstract
A method includes monitoring outgoing request packets transmitted by a node in a protected network over a link connecting the protected network to an external network. Incoming response packets that originate in the external network and are destined for transmission to the node are also monitored. One or more of the incoming response packets that were not solicited by any of the outgoing request packets are identified responsively to monitoring the outgoing request packets and the incoming response packets. A characteristic that differentiates between the identified incoming response packets and the incoming response packets that were solicited by the outgoing request packets is determined. A guard device in the external network is instructed to inhibit the transmission over the link of subsequent unsolicited response packets based on the characteristic.
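The procedure the abstract describes (and that independent claims 1, 11 and 17 restate), worked through as an added example; this is not code from the patent or from any product built on it. A detector keeps the set of open outgoing requests, pairs each incoming response with the request that solicited it (reversed address tuple plus, for DNS, the transaction id), flags the rest as unsolicited, then searches for a single attribute/value pair that is present on most unsolicited responses and on no solicited one, and packages that pair as the instruction for the guard device. The protected prefix, the packet capture, the candidate attribute set, the 80 % coverage threshold and the iptables rendering are all constructed assumptions for illustration.

```python
"""Reflection-DDoS detection sketch: pair incoming responses with the outgoing
requests that solicited them, flag the rest, derive a characteristic that
separates the two sets, and emit a filter instruction for an upstream guard.
Added example, not the patent's own code; every address, port and packet
below is constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import Optional

REQUEST_TTL = 5.0                 # seconds a request stays open awaiting its response
PROTECTED_PREFIX = "203.0.113."   # constructed protected network (TEST-NET-3)


@dataclass(frozen=True)
class Packet:
    ts: float
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    size: int
    txid: Optional[int] = None    # DNS transaction id; None where the protocol has none


def _features(pkt):
    """Candidate attributes a guard device could match on (assumed set)."""
    return {"src_port": pkt.src_port, "src_ip": pkt.src_ip, "proto": pkt.proto,
            "size_class": "large" if pkt.size >= 512 else "small"}


class ReflectionDetector:
    def __init__(self):
        self._pending = {}        # request key -> time the request left the network
        self.solicited = []
        self.unsolicited = []

    @staticmethod
    def _key(local_ip, local_port, remote_ip, remote_port, proto, txid):
        return (proto, local_ip, local_port, remote_ip, remote_port, txid)

    def observe_outgoing(self, pkt):
        self._pending[self._key(pkt.src_ip, pkt.src_port, pkt.dst_ip,
                                pkt.dst_port, pkt.proto, pkt.txid)] = pkt.ts

    def observe_incoming(self, pkt):
        """True if the response matches an open request, else it is recorded as
        unsolicited. Requests older than REQUEST_TTL are forgotten first, so a
        very late legitimate reply is flagged too (a known false positive)."""
        for k in [k for k, t in self._pending.items() if pkt.ts - t > REQUEST_TTL]:
            del self._pending[k]
        k = self._key(pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto, pkt.txid)
        if k in self._pending:
            del self._pending[k]  # one request solicits one response
            self.solicited.append(pkt)
            return True
        self.unsolicited.append(pkt)
        return False

    def derive_characteristic(self, min_coverage=0.8):
        """The (attribute, value) pair seen on the largest share of unsolicited
        responses and on no solicited one; None if nothing reaches min_coverage."""
        if not self.unsolicited:
            return None
        bad, good = Counter(), Counter()
        for p in self.unsolicited:
            bad.update(_features(p).items())
        for p in self.solicited:
            good.update(_features(p).items())
        best, cover = None, 0
        for pair, n in bad.items():
            if good[pair] == 0 and n > cover:   # zero collateral on legitimate replies
                best, cover = pair, n
        return best if cover / len(self.unsolicited) >= min_coverage else None

    def guard_instruction(self, characteristic):
        """The alert sent to the guard: drop inbound packets carrying this
        characteristic that are destined for the protected network."""
        attr, value = characteristic
        return {"action": "drop", "match": {attr: value},
                "dst_prefix": PROTECTED_PREFIX + "0/24"}


def render_iptables(instruction):
    """Illustrative rendering for a Linux-based guard; real guards have their own API."""
    (attr, value), = instruction["match"].items()
    clause = {"src_port": f"-p udp --sport {value}", "src_ip": f"-s {value}",
              "proto": f"-p {value}",
              "size_class": "-m length --length 512:65535" if value == "large"
                            else "-m length --length 0:511"}[attr]
    return f"iptables -I FORWARD {clause} -d {instruction['dst_prefix']} -j DROP"


def sample_traffic():
    """Constructed capture: three DNS exchanges, one reply arriving after its
    request expired, and an NTP reflection flood from 30 reflectors."""
    node, resolver = PROTECTED_PREFIX + "10", "198.51.100.53"
    pkts = [Packet(0.2, "udp", node, 39999, resolver, 53, 72, 0x0001),
            Packet(6.0, "udp", resolver, 53, node, 39999, 210, 0x0001)]  # too late
    for i, txid in enumerate((0x1A2B, 0x3C4D, 0x5E6F)):
        pkts.append(Packet(1.0 + i, "udp", node, 40000 + i, resolver, 53, 72, txid))
        pkts.append(Packet(1.02 + i, "udp", resolver, 53, node, 40000 + i, 210, txid))
    for i in range(30):   # large NTP replies nobody inside asked for
        pkts.append(Packet(3.5 + i * 0.01, "udp", f"192.0.2.{i + 1}", 123,
                           node, 50000 + i % 7, 1200))
    return sorted(pkts, key=lambda p: p.ts)


def run(pkts):
    det = ReflectionDetector()
    for p in pkts:
        if p.src_ip.startswith(PROTECTED_PREFIX):
            det.observe_outgoing(p)
        else:
            det.observe_incoming(p)
    return det, det.derive_characteristic()


if __name__ == "__main__":
    det, char = run(sample_traffic())
    print(len(det.solicited), "solicited,", len(det.unsolicited), "unsolicited")
    print("characteristic:", char)
    print(render_iptables(det.guard_instruction(char)))
```

On the constructed capture the detector pairs the three DNS replies with their queries, flags the 30 NTP replies plus the one reply that outlived its request, and picks source port 123 as the characteristic: it covers 30 of 31 unsolicited packets and none of the solicited ones, whereas "udp" or "small" would also hit legitimate DNS answers and a single reflector address covers only one packet. The late DNS reply shows why the chosen characteristic is required to cover a share of the unsolicited set rather than all of it, and why the check against the solicited set matters: a rule on source port 53 would have blocked the node's own resolver.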
Claims (20)
1. A method comprising:
monitoring outgoing request packets transmitted by a node in a protected network over a link connecting the protected network to an external network;
monitoring incoming response packets that originate in the external network and are destined for transmission to the node;
responsively to monitoring the outgoing request packets and the incoming response packets, identifying one or more of the incoming response packets that were not solicited by any of the outgoing request packets;
determining a characteristic that differentiates between the identified incoming response packets and the incoming response packets that were solicited by the outgoing request packets; and
instructing a guard device in the external network to inhibit the transmission over the link of subsequent unsolicited response packets based on the characteristic.
(Dependent claims 2 to 10)
11. An apparatus comprising:
a network interface, which is arranged to monitor outgoing request packets transmitted by a node in a protected network over a link connecting the protected network to an external network, and to monitor incoming response packets that originate in the external network and are destined for transmission to the node; and
a processor, which is arranged to identify, responsively to monitoring the outgoing request packets and the incoming response packets, one or more of the incoming response packets that were not solicited by any of the outgoing request packets, to determine a characteristic that differentiates between the identified incoming response packets and incoming response packets that were solicited by the outgoing request packets, and to instruct a guard device in the external network to inhibit the transmission over the link of subsequent unsolicited response packets based on the characteristic.
(Dependent claims 12 to 16)
17. A system comprising:
a detector device, which is arranged to monitor outgoing request packets transmitted by a node in a protected network over a link connecting the protected network to an external network, to monitor incoming response packets that originate in the external network and are destined for transmission to the node, to identify, responsively to monitoring the outgoing request packets and the incoming response packets, one or more of the incoming response packets that were not solicited by any of the outgoing request packets, to determine a characteristic that differentiates between the identified incoming response packets and incoming response packets that were solicited by the outgoing request packets, and to send an alert comprising the characteristic; and
a guard device, which is located in the external network and is arranged to accept the alert from the detector device, and to inhibit the transmission over the link of subsequent unsolicited response packets based on the characteristic.
(Dependent claims 18 to 20)
Specification