Systems and methods for identifying sources of network attacks

US 8,281,400 B1
Filed: 09/05/2002
Issued: 10/02/2012
Est. Priority Date: 07/23/2002
Status: Active Grant

First Claim

Patent Images

1. A method for identifying a source of an attack in a network, comprising:

transmitting, to a network device implemented at least partially in hardware, a Border Gateway Protocol (BGP) route that identifies an address of an attack target, and a BGP community tag representing a destination class associated with the attack;

configuring, based on the BGP community tag, the network device with a policy that assigns the route to the destination class associated with the attack;

determining, by the network device and in response to configuring the network device with the policy, if data is destined for the attack target;

monitoring, based on the destination class and for each input interface of a plurality of input interfaces of the network device, data destined for the attack target;

determining, by the network device, a potential source of the attack based on the monitoring, the potential source of the attack being associated with at least one of the plurality of input interfaces;

filtering, by the network device, data received on the at least one of the pluraity of input interfaces that receives the data destined for the attack target; and

not filtering, by the network device, data received on at least one of the plurality of input interfaces that does not receive the data destined for the attack target.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for identifying a source of an attack in a network include transmitting an address associated with the attack target to a number of network devices. Each network device may then determine whether a received packet is destined for the attack target and identify, for each packet destined for the attack target, an input interface upon which the packet arrived. Each network device may also count the amount of data destined for the attack target per input interface. A potential source of the attack may then be identified based on the amount of data destined for the attack target.

34 Citations

View as Search Results

20 Claims

1. A method for identifying a source of an attack in a network, comprising:
- transmitting, to a network device implemented at least partially in hardware, a Border Gateway Protocol (BGP) route that identifies an address of an attack target, and a BGP community tag representing a destination class associated with the attack;
  
  configuring, based on the BGP community tag, the network device with a policy that assigns the route to the destination class associated with the attack;
  
  determining, by the network device and in response to configuring the network device with the policy, if data is destined for the attack target;
  
  monitoring, based on the destination class and for each input interface of a plurality of input interfaces of the network device, data destined for the attack target;
  
  determining, by the network device, a potential source of the attack based on the monitoring, the potential source of the attack being associated with at least one of the plurality of input interfaces;
  
  filtering, by the network device, data received on the at least one of the pluraity of input interfaces that receives the data destined for the attack target; and
  
  not filtering, by the network device, data received on at least one of the plurality of input interfaces that does not receive the data destined for the attack target.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, where the identifying a potential source of the attack comprises:
    - identifying the at least one input interface, of the plurality of input interfaces.
  - 3. The method of claim 1, further comprising:
    - polling the network device to obtain results of the monitoring; and
      
      generating a user interface that includes information associated with the results of the monitoring.
  - 4. The method of claim 1, where the filtering comprises:
    - preventing data received on the at least one of the plurality of input interfaces from reaching the attack target.
  - 5. The method of claim 1, where the filtering comprises:
    - limiting an amount of traffic received on the at least one of the plurality of input interfaces that receives the data from reaching the attack target.
  - 6. The method of claim 1, further comprising:
    - applying the policy to a forwarding table in the network device.
  - 7. The method of claim 1, further comprising:
    - sending attack-related information to the network device, the attack-related information identifying at least the at least one of the plurality of input interfaces on the network device; and
      
      filtering, by the network device, data received on the at least one of the plurality of input interfaces in response to the attack-related information.

8. A network device implemented at least partially in hardware, the network device comprising:
- a plurality of input interfaces to receive data; and
  
  logic, implemented at least partially in hardware, to;
  
  receive address information identifying an attack target, the address information including a Border Gateway Protocol (BGP) route and a BGP community tag associated with the route, where the BGP community tag is used to configure the network device with a policy that assigns the route to a destination class associated with an attack;
  
  identify the BGP community tag,assign, based on the BGP community tag, the BGP route identifying the attack target to the destination class associated with the attack,identify data destined for the attack target based on the BGP community tag, andmonitor, using the destination class, data destined for the attack target received by at least one input interface of the plurality of input interfaces.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16)
- - 9. The network device of claim 8, where, when monitoring data destined for the attack target, the logic is to:
    - identify the at least one input interface, of the plurality of input interfaces, that receives the data destined for the attack target, andcount at least one of a number of packets or a number of bytes of data destined for the attack target received by the at least one input interface.
  - 10. The network device of claim 9, where the logic is further to:
    - identify at least one potential source of an attack based on at least one of the counted number of packets or the counted number of bytes of data.
  - 11. The network device of claim 8, where the logic is further to:
    - transmit information regarding the data destined for the attack target to an external device.
  - 12. The network device of claim 8, where the logic is further to:
    - receive a request from an external device for traffic-related data associated with the attack target, andtransmit information regarding the data destined for the attack target to the external device in response to the request.
  - 13. The network device of claim 12, where the logic is further to:
    - receive attack information from the external device, the attack information identifying the at least one input interface, of the plurality of input interfaces, associated with a potential source of attack, andfilter data received on the at least one input interface in response to the attack information.
  - 14. The network device of claim 8, where the logic is further to:
    - identify the at least one input interface, of the plurality of input interfaces, as a potential source of an attack based on at least one of a counted number of packets or a counted number of bytes of data, andfilter packets received on the at least one input interface.
  - 15. The network device of claim 14, where when filtering packets, the logic is to:
    - prevent data received on the at least one input interface, of the plurality of input interfaces, from reaching the attack target.
  - 16. The network device of claim 14, where when filtering packets, the logic is to:
    - limit an amount of traffic from the at least one input interface, of the plurality of input interfaces, from reaching the attack target.

17. A method for processing data in a network device, implemented at least partially in hardware and having a plurality of input interfaces, the method comprising:
- receiving address information identifying an attack target, the address information being associated with a Border Gateway Protocol (BGP) route and a BGP community tag, where the BGP community tag represents a destination class associated with an attack;
  
  configuring, based on the BGP community tag, the network device with a policy that assigns the BGP route to the destination class associated with the attack;
  
  receiving data at the network device;
  
  determining, in response to configuring the network device with the policy, whether the data is destined for the attack target;
  
  changing a count value when the data is destined for the attack target;
  
  identifying a source of an attack based on the count value, the identified source comprising at least one input interface, of the plurality of input interfaces, on the network device;
  
  limiting an amount of traffic from the at least one input interface from reaching the attack target; and
  
  allowing traffic on at least one other input interface, of the plurality of input interfaces network device, to be forwarded to the attack target.

18. A network device, comprising:
- a plurality of input interfaces; and
  
  logic, implemented at least partially in harware, to;
  
  receive information including an address identifying an attack target, the address being associated with a Border Gateway Protocol (BGP) route and a BGP community tag, where the BGP community tag represents a destination class associated with an attack;
  
  configure, based on the BGP community tag, the network device with a policy that assigns the BGP route to the destination class associated with the attack;
  
  receive a data packet via one of the plurality of input interfaces;
  
  determine, in response to configuring the network device with the policy, whether the data packet is destined for the attack target;
  
  change a count value when the data packet is destined for the attack target;
  
  filter data received on at least one interface, of the plurality of input interfaces, identified, by the count value, as a source of the attack; and
  
  forward information regarding data packets destined for the attack target to an external device, the information regarding data packets identifying an amount of traffic, destined for the attack target, received at the at least one interface, of the plurality of input interfaces.
- View Dependent Claims (19)
- - 19. The network device of claim 18, where logic is further to:
    - identify the source of the attack based on the count value.

20. A network device for identifying a source of an attack in a network, comprising:
- a plurality of input interfaces; and
  
  logic, implemented at least partially in hardware, to;
  
  receive a Border Gateway Protocol (BGP) route that identifies an address of an attack target, the route including a BGP community tag representing a destination class associated with the attack;
  
  configure, based on the BGP community tag, the network device with a policy that assigns the BGP route to the destination class associated with the attack;
  
  determine, in response to configuring the network device with the policy, if data is destined for the attack target;
  
  monitor, based on the destination class and for each input interface of a plurality of input interfaces of the network device, data destined for the attack target;
  
  determine a potential source of the attack based on the monitoring, the potential source of the attack being associated with at least one input interface, of the plurality of input interfaces; and
  
  filter data received on the at least one input interface, of the plurality of input interfaces.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Jaeger, Robert F., Eater, Benjamin C.
Primary Examiner(s)
Orgad, Edan
Assistant Examiner(s)
Tolentino, Roderick

Application Number

US10/234,455
Time in Patent Office

3,680 Days
Field of Search

726/11, 726 22- 25, 713/181, 713189-191, 705 51- 54, 717174-178
US Class Current

726/25
CPC Class Codes

H04L 2463/146   Tracing the source of attacks

H04L 43/04   Processing captured monitor...

H04L 45/04   Interdomain routing, e.g. h...

H04L 63/1408   by monitoring network traff...

H04L 63/1458   Denial of Service

Systems and methods for identifying sources of network attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

34 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for identifying sources of network attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

34 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links