Systems and methods for identifying sources of network attacks
Abstract
Methods and systems for identifying a source of an attack in a network include transmitting an address associated with the attack target to a number of network devices. Each network device may then determine whether a received packet is destined for the attack target and identify, for each packet destined for the attack target, an input interface upon which the packet arrived. Each network device may also count the amount of data destined for the attack target per input interface. A potential source of the attack may then be identified based on the amount of data destined for the attack target.
20 Claims
1. A method for identifying a source of an attack in a network, comprising:
transmitting, to a network device implemented at least partially in hardware, a Border Gateway Protocol (BGP) route that identifies an address of an attack target, and a BGP community tag representing a destination class associated with the attack;
configuring, based on the BGP community tag, the network device with a policy that assigns the route to the destination class associated with the attack;
determining, by the network device and in response to configuring the network device with the policy, if data is destined for the attack target;
monitoring, based on the destination class and for each input interface of a plurality of input interfaces of the network device, data destined for the attack target;
determining, by the network device, a potential source of the attack based on the monitoring, the potential source of the attack being associated with at least one of the plurality of input interfaces;
filtering, by the network device, data received on the at least one of the plurality of input interfaces that receives the data destined for the attack target; and
not filtering, by the network device, data received on at least one of the plurality of input interfaces that does not receive the data destined for the attack target.
Dependent claims: 2, 3, 4, 5, 6, 7.

8. A network device implemented at least partially in hardware, the network device comprising:
a plurality of input interfaces to receive data; and
logic, implemented at least partially in hardware, to:
receive address information identifying an attack target, the address information including a Border Gateway Protocol (BGP) route and a BGP community tag associated with the route, where the BGP community tag is used to configure the network device with a policy that assigns the route to a destination class associated with an attack;
identify the BGP community tag;
assign, based on the BGP community tag, the BGP route identifying the attack target to the destination class associated with the attack;
identify data destined for the attack target based on the BGP community tag; and
monitor, using the destination class, data destined for the attack target received by at least one input interface of the plurality of input interfaces.
Dependent claims: 9, 10, 11, 12, 13, 14, 15, 16.

17. A method for processing data in a network device, implemented at least partially in hardware and having a plurality of input interfaces, the method comprising:
receiving address information identifying an attack target, the address information being associated with a Border Gateway Protocol (BGP) route and a BGP community tag, where the BGP community tag represents a destination class associated with an attack;
configuring, based on the BGP community tag, the network device with a policy that assigns the BGP route to the destination class associated with the attack;
receiving data at the network device;
determining, in response to configuring the network device with the policy, whether the data is destined for the attack target;
changing a count value when the data is destined for the attack target;
identifying a source of an attack based on the count value, the identified source comprising at least one input interface, of the plurality of input interfaces, on the network device;
limiting an amount of traffic from the at least one input interface from reaching the attack target; and
allowing traffic on at least one other input interface, of the plurality of input interfaces of the network device, to be forwarded to the attack target.

18. A network device, comprising:
a plurality of input interfaces; and
logic, implemented at least partially in hardware, to:
receive information including an address identifying an attack target, the address being associated with a Border Gateway Protocol (BGP) route and a BGP community tag, where the BGP community tag represents a destination class associated with an attack;
configure, based on the BGP community tag, the network device with a policy that assigns the BGP route to the destination class associated with the attack;
receive a data packet via one of the plurality of input interfaces;
determine, in response to configuring the network device with the policy, whether the data packet is destined for the attack target;
change a count value when the data packet is destined for the attack target;
filter data received on at least one interface, of the plurality of input interfaces, identified, by the count value, as a source of the attack; and
forward information regarding data packets destined for the attack target to an external device, the information regarding data packets identifying an amount of traffic, destined for the attack target, received at the at least one interface, of the plurality of input interfaces.
Dependent claims: 19.

20. A network device for identifying a source of an attack in a network, comprising:
a plurality of input interfaces; and
logic, implemented at least partially in hardware, to:
receive a Border Gateway Protocol (BGP) route that identifies an address of an attack target, the route including a BGP community tag representing a destination class associated with the attack;
configure, based on the BGP community tag, the network device with a policy that assigns the BGP route to the destination class associated with the attack;
determine, in response to configuring the network device with the policy, if data is destined for the attack target;
monitor, based on the destination class and for each input interface of a plurality of input interfaces of the network device, data destined for the attack target;
determine a potential source of the attack based on the monitoring, the potential source of the attack being associated with at least one input interface, of the plurality of input interfaces; and
filter data received on the at least one input interface, of the plurality of input interfaces.
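The mechanism the independent claims describe, as an added simulation that is not part of the patent or any vendor's implementation: a route tagged with a BGP community is assigned to an "attack" destination class by policy, traffic to that class is counted per input interface, the interfaces carrying most of it are identified as the potential source, and only those interfaces are filtered. The community value, the target prefix, the interface names, the traffic and the 50% share rule used to pick source interfaces are all assumptions for the demonstration.

```python
import ipaddress
from collections import Counter
from dataclasses import dataclass, field

# Assumed values for the simulation; the patent names no specific community or prefix.
ATTACK_COMMUNITY = "65000:666"
TARGET_PREFIX = "203.0.113.0/24"

@dataclass
class NetworkDevice:
    policy: dict = field(default_factory=lambda: {ATTACK_COMMUNITY: "attack"})
    classes: dict = field(default_factory=dict)       # prefix -> destination class
    counts: Counter = field(default_factory=Counter)  # input interface -> bytes to target
    filtered: set = field(default_factory=set)        # interfaces identified as sources

    def receive_route(self, prefix, communities):
        """Assign the route to a destination class when a community matches the policy."""
        for community in communities:
            if community in self.policy:
                self.classes[ipaddress.ip_network(prefix)] = self.policy[community]

    def destination_class(self, dst):
        addr = ipaddress.ip_address(dst)
        return next((cls for net, cls in self.classes.items() if addr in net), None)

    def process(self, in_iface, dst, size):
        """Return True if the packet is forwarded, False if it is dropped."""
        if self.destination_class(dst) != "attack":
            return True                       # ordinary traffic: neither counted nor filtered
        self.counts[in_iface] += size         # count per input interface (claims 17, 18)
        return in_iface not in self.filtered  # drop only on interfaces flagged as sources

    def identify_sources(self, share=0.5):
        """Interfaces carrying at least `share` of all bytes to the target (assumed rule)."""
        total = sum(self.counts.values())
        return {i for i, b in self.counts.items() if total and b / total >= share}

def run_demo():
    dev = NetworkDevice()
    dev.receive_route(TARGET_PREFIX, ["65000:100", ATTACK_COMMUNITY])
    for _ in range(20):                                # constructed flood on ge-0/0/0
        dev.process("ge-0/0/0", "203.0.113.10", 1500)
    for _ in range(4):                                 # constructed normal load on ge-0/0/1
        dev.process("ge-0/0/1", "203.0.113.10", 500)
    sources = dev.identify_sources()
    dev.filtered |= sources                            # install the filter on the source interface
    dropped = not dev.process("ge-0/0/0", "203.0.113.10", 1500)
    kept = dev.process("ge-0/0/1", "203.0.113.10", 500)
    other = dev.process("ge-0/0/0", "198.51.100.5", 100)  # not in the attack class
    return sources, dropped, kept, other, dict(dev.counts)
```

The per-interface byte counts returned by run_demo are the data claim 18 has the device forward to an external device; a real router would keep them in hardware counters rather than a Python Counter.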