
Independent detection and filtering of undesirable packets

  • US 8,271,678 B2
  • Filed: 04/03/2001
  • Issued: 09/18/2012
  • Est. Priority Date: 04/03/2001
  • Status: Active Grant
First Claim

1. In a routing device, a method of operation comprising:

  • receiving a packet sent by a client device;

    determining if the packet is destined for a server of interest by reference to a destination address of the packet;

    if the packet is not destined for the server of interest, routing the packet to its destination;

    if the packet is determined to be destined for the server of interest, independently determining whether said packet is a part of a conversation between the client device and the server of interest based at least in part on persistent information included in said packet; and

    handling the packet based at least in part on the result of said independent determination by forwarding the packet to the server of interest if the packet is deemed to be a part of a conversation between the client device and the server and dropping the packet if the packet is deemed to be an undesirable packet;

    wherein said independent determination comprises independently verifying a conversation identifier included in said packet based at least in part on other information included in said packet, in which said independent verification comprises independently regenerating the conversation identifier using at least said other information included in said packet and comparing the independently re-generated conversation identifier with the included conversation identifier;

    said conversation identifier being a nonce, and said independent re-generation comprising independently re-generating the nonce using a deterministic function with a sequence number of the nonce and a plurality of persistent field values extracted from the packet, and a pre-provided secret value as inputs to the deterministic function;

    recording a time of first observation for the nonce if the nonce is a newly observed nonce; and

    determining if time has elapsed more than a predetermined threshold since a time of first observation was recorded for the nonce, if the extracted nonce and the independently generated nonce are deemed to be the same and dropping the packet if the time has elapsed more than the predetermined threshold even though the extracted nonce and the independently generated nonce are deemed to be the same.
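The verification steps recited in the claim, sketched as an added example (not code from the patent or its assignee). HMAC-SHA256 as the deterministic function, the chosen persistent fields, the 30-second threshold, the addresses and all names are assumptions.

```python
import hashlib
import hmac
import struct

SECRET = b"constructed-demo-secret"   # pre-provided secret value (constructed)
SERVER_OF_INTEREST = "203.0.113.10"   # constructed documentation address
MAX_NONCE_AGE = 30.0                  # predetermined threshold in seconds (assumed)

def make_nonce(seq, src, dst, sport, dport, secret=SECRET):
    """Deterministic function of sequence number, persistent fields and secret.
    HMAC-SHA256 truncated to 8 bytes is an assumption, not taken from the claim."""
    msg = struct.pack("!I", seq) + f"{src}|{dst}|{sport}|{dport}".encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]

class Filter:
    def __init__(self):
        self.first_seen = {}  # nonce -> time of first observation

    def handle(self, pkt, now):
        """Return 'route', 'forward' or 'drop' for one packet (a dict)."""
        if pkt["dst"] != SERVER_OF_INTEREST:
            return "route"    # not destined for the server of interest
        expected = make_nonce(pkt["seq"], pkt["src"], pkt["dst"],
                              pkt["sport"], pkt["dport"])
        if not hmac.compare_digest(expected, pkt["nonce"]):
            return "drop"     # included nonce does not match the regenerated one
        # Assumption: record first observation only after the nonce verifies,
        # so forged nonces cannot grow the table.
        first = self.first_seen.setdefault(pkt["nonce"], now)
        if now - first > MAX_NONCE_AGE:
            return "drop"     # nonce verifies but is older than the threshold
        return "forward"

def demo():
    """Run constructed packets through the filter and return the decisions."""
    f = Filter()
    base = dict(seq=1, src="198.51.100.7", dst=SERVER_OF_INTEREST,
                sport=40000, dport=443)
    good = dict(base, nonce=make_nonce(**base))
    reused = dict(good, src="198.51.100.99")  # same nonce, different source field
    other = dict(good, dst="192.0.2.5")       # not the server of interest
    return [f.handle(other, 0.0), f.handle(good, 0.0), f.handle(reused, 1.0),
            f.handle(good, 10.0), f.handle(good, 45.0)]
```

Because the nonce is recomputed from the packet itself plus the secret, the router keeps no per-conversation state before verification; only verified nonces get a first-observation timestamp.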

  • 3 Assignments