Leveraging active firewalls for network intrusion detection and retardation of attack
First Claim
1. A standalone network filter coupled to a computer system, the filter comprising:
- a network interface supporting a plurality of ports;
- a controller operable to route traffic originating from a sender that is received at an inactive port of the plurality of ports; and
- a processing unit operable to:
  - receive the traffic routed from the controller;
  - obtain, from the traffic, traffic data including routing information for the traffic, source information about the sender, and payload information of the traffic;
  - based at least in part on the traffic data obtained from the traffic, categorize the traffic on the inactive port as a threat;
  - categorize the traffic on the inactive port as having a predetermined attack profile;
  - determine that the traffic meets a threshold number of communication attempts by the sender at the inactive port;
  - responsive to determining that the traffic meets a threshold number of communication attempts at the inactive port, perform protective measures comprising:
    - using the traffic data obtained from the traffic to provide a delayed response with an inflated error rate on the inactive port, wherein the delayed response communicates to the sender that a vulnerability exists on the computer system and causes the sender to allocate additional resources to continue attacking the computer system via the inactive port;
    - manipulating a payload size of the traffic from the sender on the inactive port to reduce communication bandwidth; and
    - notifying a neighboring server and a clearinghouse of at least a portion of the traffic data obtained from the traffic.
Abstract
A computer network firewall or network filter functions normally to pass data on open ports to a respective service or data source associated with an open port. In addition, traffic arriving on closed ports may be directed to a handler for analysis and response. The handler may analyze and catalog the source and type of traffic arriving on the closed ports. The handler may then send a response with either a fixed response or data tailored to the type and nature of the traffic. The handler may respond slowly to cause the source of the traffic to wait for the response, thereby slowing the speed at which a potential attacker can identify valid targets and proceed past non-valid targets.
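The abstract and claim 1 describe one mechanism: open-port traffic is forwarded unchanged, closed-port traffic goes to a handler that catalogs source, port and payload profile, counts contacts per sender, and once a threshold is met answers slowly with a shortened reply while notifying a neighboring server and a clearinghouse. The following Python model of that handler is an added example, not code from the patent or its assignee. The class and constant names, the attempt threshold, the delay schedule, the payload prefixes standing in for "predetermined attack profiles", and the peer host names are all constructed assumptions; the handler returns the delay as a value for the caller to apply (and the notifications as records for the caller to deliver over its secure channel) rather than sleeping or sending itself.

```python
# Added example (not the patent's own code): a toy closed-port handler that
# follows the abstract and claim 1. Class and constant names, the attack-profile
# signatures, the thresholds and the peer names are constructed for illustration.
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Packet:
    """Minimal view of one inbound datagram: routing, source and payload data."""
    src: str
    dst_port: int
    payload: bytes = b""


@dataclass
class Decision:
    action: str                      # "forward" | "observe" | "retard"
    delay_s: float = 0.0             # wait before answering (the caller sleeps)
    reply: bytes = b""               # shortened reply body, if any
    notify: list = field(default_factory=list)  # (entity, record) to deliver


class ClosedPortHandler:
    ATTEMPT_THRESHOLD = 5     # closed-port contacts from one sender (assumed)
    BASE_DELAY_S = 2.0        # first delayed reply (assumed)
    MAX_DELAY_S = 30.0        # cap so the handler never ties up its own resources
    MAX_REPLY_BYTES = 16      # reduced reply size to conserve bandwidth (assumed)

    # Constructed payload signatures standing in for "predetermined attack profiles".
    PROFILES = (
        (b"SSH-", "ssh-banner-probe"),
        (b"GET ", "http-probe"),
        (b"HEAD ", "http-probe"),
    )

    def __init__(self, open_ports, neighbors=(), clearinghouse="clearinghouse.example"):
        self.open_ports = set(open_ports)
        self.neighbors = list(neighbors)
        self.clearinghouse = clearinghouse
        self.attempts = defaultdict(int)   # closed-port contacts per sender
        self.catalog = []                  # every closed-port contact, for analysis

    def classify(self, pkt):
        """Categorize closed-port traffic by its payload."""
        if not pkt.payload:
            return "empty-probe"           # connect/SYN-style scan carrying no data
        for prefix, name in self.PROFILES:
            if pkt.payload.startswith(prefix):
                return name
        return "unknown"

    def handle(self, pkt):
        # Open ports pass straight through to their service, uncounted.
        if pkt.dst_port in self.open_ports:
            return Decision("forward")

        # Closed port: catalog source, port and profile, and count the sender.
        profile = self.classify(pkt)
        self.catalog.append({"src": pkt.src, "port": pkt.dst_port, "profile": profile})
        self.attempts[pkt.src] += 1
        n = self.attempts[pkt.src]
        if n < self.ATTEMPT_THRESHOLD:
            return Decision("observe")     # below threshold: ordinary closed-port behaviour

        # Threshold met: delayed, shortened reply plus notification fan-out.
        # The delay grows with each further contact, up to a fixed cap.
        excess = n - self.ATTEMPT_THRESHOLD
        delay = min(self.BASE_DELAY_S * (excess + 1), self.MAX_DELAY_S)
        reply = (b"ERR " + pkt.payload)[: self.MAX_REPLY_BYTES]
        record = {"src": pkt.src, "port": pkt.dst_port, "profile": profile, "attempts": n}
        notify = [(peer, record) for peer in self.neighbors]
        notify.append((self.clearinghouse, record))
        return Decision("retard", delay, reply, notify)


def simulate(events):
    """Run a constructed stream of (src, port, payload) through one handler."""
    h = ClosedPortHandler(open_ports={80}, neighbors=["fw-2.example"])
    return [h.handle(Packet(s, p, d)) for s, p, d in events]


if __name__ == "__main__":
    # Constructed traffic: six banner probes at a closed port, then one legitimate
    # request at the open port, all from a documentation-range address.
    scan = [("203.0.113.7", 22, b"SSH-2.0-probe")] * 6
    scan.append(("203.0.113.7", 80, b"GET / HTTP/1.0"))
    for d in simulate(scan):
        print(d.action, d.delay_s, d.reply, [entity for entity, _ in d.notify])
```

In a real filter the caller would sleep for `delay_s` before writing `reply` on the socket, and would push each `notify` record to its peers over the secure session the claims require; keeping those side effects outside the handler is what makes the decision logic testable against recorded traffic.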
Claims (12 in total)

Claim 1 is reproduced above under "First Claim"; dependent claims 2 and 3 refer to it.
4. A standalone network firewall associated with a computer system, the firewall comprising:
- a network interface supporting a plurality of ports associated with one or more services, including a closed port that is inactive and not associated with the one or more services;
- a controller;
- a processing unit separate from the controller or the one or more services, the controller configured to route traffic received at the closed port to the processing unit, the traffic originating from a sender, the processing unit configured to:
  - receive the traffic routed from the controller;
  - obtain, from the traffic, traffic data including routing information for the traffic, source information about the sender, and payload information of the traffic;
  - responsive to receiving the traffic routed from the controller and based on the traffic data obtained from the traffic, determine that the traffic is a threat;
  - determine that the traffic meets a threshold number of communication attempts by the sender at the closed port; and
  - responsive to determining that the traffic meets the threshold number of communication attempts at the closed port, perform protective measures comprising:
    - modifying an operation profile of the firewall;
    - over a secure session or secure tunnel, notifying at least one associated entity of the threat and providing the at least one entity with some or all of the traffic data obtained from the traffic, the at least one associated entity comprising a neighboring server or a clearinghouse;
    - using the traffic data obtained from the traffic to provide a response to the sender that has an inflated error rate associated with the closed port, the response providing an indication to the sender that a vulnerability exists and delaying the sender's discovery that the closed port is inactive, to provide the response comprising:
      - generating the response using the traffic data obtained from the traffic;
      - delaying communication of the response to the sender; and
      - reducing a packet size of the response to reduce communication bandwidth between the sender and the firewall.

Dependent claims 5, 6, 7, 8 and 9 refer to claim 4.

10. A method comprising:
- supporting a plurality of ports including a closed port that is inactive and not associated with a respective service;
- routing, by a controller associated with a computer system, traffic that is received at the closed port to a processing unit associated with the computer system and separate from the controller, the traffic originating from a sender;
- receiving the traffic routed from the controller;
- obtaining, from the traffic, traffic data including routing information for the traffic, source information about the sender, and payload information of the traffic;
- responsive to receiving the traffic routed from the controller and based on the traffic data obtained from the traffic, determining that the traffic is a threat;
- determining that the traffic meets a threshold number of communication attempts by the sender at the closed port;
- responsive to determining that the traffic meets the threshold number of communication attempts, performing protective measures comprising:
  - modifying an operation profile of the firewall;
  - over a secure session or secure tunnel, notifying an associated entity of the threat and providing the associated entity with some or all of the traffic data obtained from the traffic;
  - using the traffic data obtained from the traffic to provide a response with an inflated error rate on the closed port that indicates to the sender that a vulnerability exists and that delays discovery by the sender that the closed port is inactive, to provide the response comprising:
    - generating the response using the traffic data obtained from the traffic;
    - delaying communication of the response to the sender;
    - reducing a packet size of the response to reduce communication bandwidth between the sender and the firewall.

Dependent claims 11 and 12 refer to claim 10.