Overlay network for tracking denial-of-service floods in unreliable datagram delivery networks

US 8,234,707 B2
Filed: 03/13/2006
Issued: 07/31/2012
Est. Priority Date: 12/22/1999
Status: Active Grant

First Claim

Patent Images

1. A method for tracking malicious packets, the method comprising:

establishing a tunnel to each of a plurality of routers to form an overlay network, each of the routers being configured to detect a malicious packet;

receiving the detected malicious packet from one of the routers;

determining an egress edge router based on adjacency to a victim;

rerouting, through the overlay network, via routers other than the egress edge router, traffic intended for the victim; and

determining a source of the malicious packet in response to the received detected malicious packet.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An approach for tracking denial-of-service (DoS) flood attacks using an overlay IP (Internet Protocol) network is disclosed. One or more tracking routers form an overlay tracking network over the network of an Internet Service Provider (ISP). The ISP network includes numerous transit routers and edge routers. The tracking routers communicate directly with all the edge routers using IP tunnels. The edge routers within the ISP network perform security diagnostic functions, in part, to identify a DoS flood attack that has been launched by one or more attackers. To track down an attacker, an egress edge router identifies the DoS flood attack datagrams, rerouting these datagrams to the overlay tracking network. The tracking routers perform hop-by-hop input debugging to identify the ingress edge router associated with the source of the DoS flood attack.

48 Citations

View as Search Results

31 Claims

1. A method for tracking malicious packets, the method comprising:
- establishing a tunnel to each of a plurality of routers to form an overlay network, each of the routers being configured to detect a malicious packet;
  
  receiving the detected malicious packet from one of the routers;
  
  determining an egress edge router based on adjacency to a victim;
  
  rerouting, through the overlay network, via routers other than the egress edge router, traffic intended for the victim; and
  
  determining a source of the malicious packet in response to the received detected malicious packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. A method according to claim 1, further comprising:
    - performing hop-by-hop tracking to locate the source.
  - 3. A method according to claim 1, further comprising:
    - receiving another detected malicious packet from the one router or another one of the routers; and
      
      determining another source of the malicious packets.
  - 4. A method according to claim 1, wherein the one router utilizes a signature to determine that a received packet is malicious.
  - 5. A method according to claim 1, wherein the overlay tracking network is within an autonomous system that is different from another autonomous system corresponding to the plurality of routers.
  - 6. A method according to claim 1, wherein the tunnels are either physical connections or logical connections.
  - 7. A method according to claim 1, wherein the malicious packet is an Internet Protocol (IP) packet.
  - 8. A method according to claim 1, further comprising:
    - establishing, via a loop back interface, a connection with a tracking router configured to determine the source of the malicious packet, wherein the connection to the tracking router forms an overlay tracking network with respect to the plurality of routers.

9. An apparatus for tracking malicious packets, the apparatus comprising:
- one or more interfaces configured to establish a tunnel to each of a plurality of routers to form an overlay network, each of the routers being configured to detect a malicious packet, wherein a detected malicious packet is received from one of the routers;
  
  wherein, one of the plurality of routers is designated an egress edge router based on adjacency to a victim, and wherein traffic intended for the victim is rerouted through the overlay network via routers other than the egress edge router; and
  
  a processor configured to determine a source of the malicious packet in response to the received detected malicious packet.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. An apparatus according to claim 9, wherein the processor is further configured to perform hop-by-hop tracking to locate the source.
  - 11. An apparatus according to claim 9, wherein another detected malicious packet is received from the one router or another one of the routers, and the processor determines another source of the malicious packets.
  - 12. An apparatus according to claim 9, wherein the one router utilizes a signature to determine that a received packet is malicious.
  - 13. An apparatus according to claim 9, wherein the overlay tracking network is within an autonomous system that is different from another autonomous system corresponding to the plurality of routers.
  - 14. An apparatus according to claim 9, wherein the tunnels are either physical connections or logical connections.
  - 15. An apparatus according to claim 9, wherein the malicious packet is an Internet Protocol (IP) packet.
  - 16. An apparatus according to claim 9, further comprising:
    - a loop back interface configured to support establishment of a connection with a tracking router configured to determine the source of the malicious packet, wherein termination addresses of the tunnels are prevented from being announced over the connection to the tracking router.

17. A method for tracking malicious packets, the method comprising:
- establishing a tunnel with a tracking router configured to form an overlay network with a plurality of routers;
  
  receiving a packet that originated externally from the overlay network;
  
  determining that the received packet is a malicious packet;
  
  determining an egress edge router based on adjacency to a victim;
  
  rerouting traffic intended for the victim through the overlay network via routers other than the egress edge router;
  
  andtransmitting the detected malicious packet to the tracking router, wherein the tracking router is further configured to determine a source of the malicious packet in response to the received detected malicious packet.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. A method according to claim 17, wherein the tracking router is further configured to perform hop-by-hop tracking to locate the source.
  - 19. A method according to claim 17, further comprising:
    - comparing a signature of the received packet with a predetermined signature to determine that the received packet is malicious.
  - 20. A method according to claim 17, wherein the overlay tracking network is within an autonomous system that is different from another autonomous system corresponding to the plurality of routers.
  - 21. A method according to claim 17, wherein the tunnels are either physical connections or logical connections.
  - 22. A method according to claim 17, wherein the malicious packet is an Internet Protocol (IP) packet.

23. An apparatus for tracking malicious packets, the apparatus comprising:
- a first communication interface configured to establish a tunnel with a tracking router configured to form an overlay network with a plurality of routers;
  
  a second communication interface configured to receive a packet that originated externally from the overlay network; and
  
  a processor configured to determine that the received packet is a malicious packet, wherein one of the plurality of routers is designated an egress edge router based on adjacency to a victim of the malicious packet, and wherein traffic intended for the victim is rerouted through the overlay network, via routers other than the egress edge route, and through the tracking router to the egress edge router,wherein the tracking router is further configured to determine a source of the malicious packet in response to the received detected malicious packet.
- View Dependent Claims (24, 25, 26, 27, 28)
- - 24. An apparatus according to claim 23, wherein the tracking router is further configured to perform hop-by-hop tracking to locate the source.
  - 25. An apparatus according to claim 23, wherein the process is further configured to compare a signature of the received packet with a predetermined signature to determine that the received packet is malicious.
  - 26. An apparatus according to claim 23, wherein the overlay tracking network is within an autonomous system that is different from another autonomous system corresponding to the plurality of routers.
  - 27. An apparatus according to claim 23, wherein the tunnels are either physical connections or logical connections.
  - 28. An apparatus according to claim 23, wherein the malicious packet is an Internet Protocol (IP) packet.

29. A system for tracking malicious packets, the system comprising:
- a first tracking router configured to establish a tunnel to each of a first set of routers; and
  
  a second tracking router configured to establish a tunnel to each of a second set of routers, wherein each of the routers in the first set and the second set is configured to detect a malicious packet,wherein the first tracking router and the second tracking router form an overlay network with the routers to determine one or more sources of the malicious packets; and
  
  an egress edge router, wherein a static route having the egress edge router as a destination is added on to the one of the first tracking router and the second tracking router closest to a victim of the malicious packets, and wherein a debugging operation is applied beginning with the tracking router closest to the victim.
- View Dependent Claims (30)
- - 30. A system according to claim 29, wherein the first tracking router includes a loop back interface for establishing a tunnel to a loop back interface of the second tracking router, wherein the tunnel is prevented from transmitting information about addresses of loop back interfaces over the tunnel.

31. A method for tracking malicious packets, the method comprising:
- determining an egress edge router from a plurality of routers based on adjacency to a victim of malicious packets;
  
  rerouting traffic intended for the victim through a tracking router in an overlay network to the egress edge router, via the plurality of routers except for the egress edge router;
  
  determining, by the tracking router, whether any malicious packets exist in tunnels established to each of the plurality of routers forming the overlay network;
  
  if no malicious packets are determined to exist in the tunnels, a determination is made that the malicious packets originated in the egress edge router and input debugging is performed on the egress edge router to determine the source of the malicious packets; and
  
  if malicious packets are determined to exist in one or more of the tunnels, a corresponding adjacency is identified as the source of the malicious packets, and an adjacent one of the plurality of routers associated with the identified adjacency is selected as a current router for purposes of hop-by-hop tracking, wherein subsequent steps are repeated until an ingress router originating the malicious packets is located.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Palo Alto Networks Incorporated
Original Assignee
MCI International, Inc. (Verizon Communications Inc.)
Inventors
Sibley, Matthew J., Stone, Robert J.
Primary Examiner(s)
LAFORGIA, CHRISTIAN A

Application Number

US11/374,240
Publication Number

US 20060156402A1
Time in Patent Office

2,332 Days
Field of Search

726 22- 24, 713/151, 713/153, 709/224
US Class Current

726/23
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 45/00   Routing or path finding of ...

H04L 45/22   Alternate routing

H04L 45/28   using route fault recovery

H04L 45/32   Flooding denial of service ...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

Overlay network for tracking denial-of-service floods in unreliable datagram delivery networks

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

48 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Overlay network for tracking denial-of-service floods in unreliable datagram delivery networks

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

48 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links