Overlay network for tracking denial-of-service floods in unreliable datagram delivery networks
First Claim
1. A method for tracking malicious packets, the method comprising:
establishing a tunnel to each of a plurality of routers to form an overlay network, each of the routers being configured to detect a malicious packet;
receiving the detected malicious packet from one of the routers;
determining an egress edge router based on adjacency to a victim;
rerouting, through the overlay network, via routers other than the egress edge router, traffic intended for the victim; and
determining a source of the malicious packet in response to the received detected malicious packet.
Abstract
An approach for tracking denial-of-service (DoS) flood attacks using an overlay IP (Internet Protocol) network is disclosed. One or more tracking routers form an overlay tracking network over the network of an Internet Service Provider (ISP). The ISP network includes numerous transit routers and edge routers. The tracking routers communicate directly with all the edge routers using IP tunnels. The edge routers within the ISP network perform security diagnostic functions, in part, to identify a DoS flood attack that has been launched by one or more attackers. To track down an attacker, an egress edge router identifies the DoS flood attack datagrams, rerouting these datagrams to the overlay tracking network. The tracking routers perform hop-by-hop input debugging to identify the ingress edge router associated with the source of the DoS flood attack.
31 Claims
1. A method for tracking malicious packets, the method comprising:
establishing a tunnel to each of a plurality of routers to form an overlay network, each of the routers being configured to detect a malicious packet;
receiving the detected malicious packet from one of the routers;
determining an egress edge router based on adjacency to a victim;
rerouting, through the overlay network, via routers other than the egress edge router, traffic intended for the victim; and
determining a source of the malicious packet in response to the received detected malicious packet.
Dependent claims: 2, 3, 4, 5, 6, 7, 8

9. An apparatus for tracking malicious packets, the apparatus comprising:
one or more interfaces configured to establish a tunnel to each of a plurality of routers to form an overlay network, each of the routers being configured to detect a malicious packet, wherein a detected malicious packet is received from one of the routers;
wherein one of the plurality of routers is designated an egress edge router based on adjacency to a victim, and wherein traffic intended for the victim is rerouted through the overlay network via routers other than the egress edge router; and
a processor configured to determine a source of the malicious packet in response to the received detected malicious packet.
Dependent claims: 10, 11, 12, 13, 14, 15, 16

17. A method for tracking malicious packets, the method comprising:
establishing a tunnel with a tracking router configured to form an overlay network with a plurality of routers;
receiving a packet that originated externally from the overlay network;
determining that the received packet is a malicious packet;
determining an egress edge router based on adjacency to a victim;
rerouting traffic intended for the victim through the overlay network via routers other than the egress edge router; and
transmitting the detected malicious packet to the tracking router, wherein the tracking router is further configured to determine a source of the malicious packet in response to the received detected malicious packet.
Dependent claims: 18, 19, 20, 21, 22

23. An apparatus for tracking malicious packets, the apparatus comprising:
a first communication interface configured to establish a tunnel with a tracking router configured to form an overlay network with a plurality of routers;
a second communication interface configured to receive a packet that originated externally from the overlay network; and
a processor configured to determine that the received packet is a malicious packet, wherein one of the plurality of routers is designated an egress edge router based on adjacency to a victim of the malicious packet, and wherein traffic intended for the victim is rerouted through the overlay network, via routers other than the egress edge router, and through the tracking router to the egress edge router, wherein the tracking router is further configured to determine a source of the malicious packet in response to the received detected malicious packet.
Dependent claims: 24, 25, 26, 27, 28

29. A system for tracking malicious packets, the system comprising:
a first tracking router configured to establish a tunnel to each of a first set of routers; and
a second tracking router configured to establish a tunnel to each of a second set of routers, wherein each of the routers in the first set and the second set is configured to detect a malicious packet, wherein the first tracking router and the second tracking router form an overlay network with the routers to determine one or more sources of the malicious packets; and
an egress edge router, wherein a static route having the egress edge router as a destination is added on to the one of the first tracking router and the second tracking router closest to a victim of the malicious packets, and wherein a debugging operation is applied beginning with the tracking router closest to the victim.
Dependent claims: 30

31. A method for tracking malicious packets, the method comprising:
determining an egress edge router from a plurality of routers based on adjacency to a victim of malicious packets;
rerouting traffic intended for the victim through a tracking router in an overlay network to the egress edge router, via the plurality of routers except for the egress edge router;
determining, by the tracking router, whether any malicious packets exist in tunnels established to each of the plurality of routers forming the overlay network;
if no malicious packets are determined to exist in the tunnels, a determination is made that the malicious packets originated in the egress edge router and input debugging is performed on the egress edge router to determine the source of the malicious packets; and
if malicious packets are determined to exist in one or more of the tunnels, a corresponding adjacency is identified as the source of the malicious packets, and an adjacent one of the plurality of routers associated with the identified adjacency is selected as a current router for purposes of hop-by-hop tracking, wherein subsequent steps are repeated until an ingress router originating the malicious packets is located.
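The hop-by-hop tracking procedure of claim 31 (and the debugging operation of claim 29, which starts at the tracking router closest to the victim) can be modelled as a small simulation. The following is an added example written for this page, not code from the patent or its assignee: it constructs a toy ISP with four edge routers (E1 to E4), two tracking routers (T1, T2) joined to their edge routers and to each other by tunnels, a victim behind the egress edge router E1, and a constructed SYN flood with spoofed sources. The router names, the TEST-NET addresses, the per-tunnel "observed packets" that stand in for an operator's input debugging, and the detection predicate (SYNs addressed to the victim) are all assumptions made for the example; real edge-router diagnostics would use rate thresholds or signatures rather than a single flag match.

```python
"""Hop-by-hop input debugging over an overlay tracking network (constructed model)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str    # claimed source address (spoofable, so not usable for traceback)
    dst: str    # destination address
    flags: str  # TCP flags, e.g. "SYN"


@dataclass
class Overlay:
    """Tracking routers and edge routers joined by IP tunnels.

    observed[(node, nbr)] holds the packets that `node` saw arriving through its
    tunnel from `nbr`. In a deployment this is what input debugging on the tunnel
    interface (a capture or an ACL counter) would report; here it is constructed.
    """
    kind: Dict[str, str] = field(default_factory=dict)  # name -> "tracking" | "edge"
    tunnels: Dict[str, List[str]] = field(default_factory=lambda: defaultdict(list))
    observed: Dict[Tuple[str, str], List[Packet]] = field(default_factory=lambda: defaultdict(list))

    def add_node(self, name: str, kind: str) -> None:
        self.kind[name] = kind

    def add_tunnel(self, a: str, b: str) -> None:
        self.tunnels[a].append(b)
        self.tunnels[b].append(a)

    def tunnel_traffic(self, node: str, nbr: str, packets: List[Packet]) -> None:
        self.observed[(node, nbr)].extend(packets)


@dataclass
class TraceResult:
    ingress: str      # router at which the flood enters the ISP
    path: List[str]   # routers visited, starting at the tracking router closest to the victim
    note: str


def trace_source(ov: Overlay, start_tracker: str, egress_edge: str,
                 is_malicious: Callable[[Packet], bool], max_hops: int = 32) -> TraceResult:
    """Claim 31 as a loop: debug the current tracking router's tunnels, follow the
    adjacency that carries the flood, stop when it is an edge router."""
    current, prev = start_tracker, None
    path = [current]
    for _ in range(max_hops):
        # Input debugging: count flood packets arriving on each tunnel of the current router,
        # ignoring the tunnel we just came through so the walk cannot loop back.
        counts = {nbr: sum(1 for p in ov.observed.get((current, nbr), []) if is_malicious(p))
                  for nbr in ov.tunnels[current] if nbr != prev}
        carrying = {nbr: c for nbr, c in counts.items() if c}
        if not carrying:
            # No tunnel carries the flood: it originated behind the egress edge router itself.
            return TraceResult(egress_edge, path + [egress_edge],
                               "no tunnel carries the flood; input debugging on egress edge router")
        nbr = max(carrying, key=carrying.get)  # adjacency with the most flood packets
        path.append(nbr)
        if ov.kind[nbr] == "edge":
            return TraceResult(nbr, path, "flood enters the ISP at this edge router")
        current, prev = nbr, current
    raise RuntimeError("hop limit exceeded without locating an ingress router")


VICTIM = "203.0.113.10"  # constructed victim address (TEST-NET-3)


def is_syn_flood_packet(p: Packet) -> bool:
    # Assumed edge-router diagnostic: SYN segments addressed to the victim are the flood.
    return p.dst == VICTIM and p.flags == "SYN"


def build_scenario(attack_ingress: str) -> Overlay:
    """Constructed topology: T1 serves E1 (egress, victim-adjacent) and E2; T2 serves E3 and E4."""
    ov = Overlay()
    for e in ("E1", "E2", "E3", "E4"):
        ov.add_node(e, "edge")
    for t in ("T1", "T2"):
        ov.add_node(t, "tracking")
    for e in ("E1", "E2"):
        ov.add_tunnel("T1", e)
    for e in ("E3", "E4"):
        ov.add_tunnel("T2", e)
    ov.add_tunnel("T1", "T2")
    flood = [Packet(f"198.51.100.{i}", VICTIM, "SYN") for i in range(1, 21)]  # spoofed sources
    legit = [Packet("192.0.2.7", VICTIM, "ACK"), Packet("192.0.2.8", "203.0.113.20", "SYN")]
    ov.tunnel_traffic("T1", "E2", legit)  # rerouted victim-bound traffic that is not part of the flood
    if attack_ingress == "E4":
        ov.tunnel_traffic("T2", "E4", flood)  # E4 reroutes victim-bound traffic into the overlay
        ov.tunnel_traffic("T1", "T2", flood)  # T2 forwards it toward T1 and the egress edge router
    # attack_ingress == "E1": the flood enters on the egress edge router and crosses no tunnel
    return ov


if __name__ == "__main__":
    for ingress in ("E4", "E1"):
        r = trace_source(build_scenario(ingress), "T1", "E1", is_syn_flood_packet)
        print(f"ingress={r.ingress} path={'->'.join(r.path)} ({r.note})")
```

The walk starts at the tracking router holding the static route for the victim (T1), finds the flood only on its tunnel from T2, moves to T2, and there finds it on the tunnel from E4; the claimed source addresses are never consulted, which is the point of input debugging against spoofed floods. When the flood originates behind E1 itself, no tunnel carries it and the procedure falls through to debugging the egress edge router directly.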
Specification