Host trust report based filtering mechanism in a reverse firewall
Abstract
Disclosed is a computer implemented method and computer program product to throttle traffic from a source internet protocol address. The reverse firewall inspects payloads of a plurality of packets, each packet having a source address identical to the source internet protocol address and a target address corresponding to a receiver host. Responsive to detecting purported good content within at least one of the plurality of packets, the reverse firewall forwards packets having the source address. The reverse firewall determines whether a count of packets having the source address exceeds a safe threshold. Responsive to a determination that the count of packets having the source address exceeds the safe threshold, the reverse firewall requests a demanded positive trust report from the receiver host. The reverse firewall determines whether a positive trust report is received from the receiver host that indicates that the source internet protocol address is good. Responsive to a determination that the positive trust report is received from the receiver host, the reverse firewall analyzes a header of a packet having the source address without analyzing a payload of the packet.
12 Claims
1. A computer implemented method to throttle traffic from a source internet protocol address, the method comprising:
inspecting payloads of a plurality of packets, each packet having a source address identical to the source internet protocol address and a target address corresponding to a receiver host;
responsive to detecting purported good content within at least one of the plurality of packets, forwarding packets having the source address;
determining whether a count of packets having the source address exceeds a safe threshold;
responsive to a determination that the count of packets having the source address exceeds the safe threshold, requesting a demanded positive trust report from the receiver host;
determining whether a positive trust report is received from the receiver host that indicates that the source internet protocol address is good;
responsive to a determination that the positive trust report is received from the receiver host, analyzing a header of a packet having the source address without analyzing a payload of the packet; and
determining if the source internet protocol address lacks an association with a good host profile, wherein the step of inspecting payloads is responsive to the determination that the source internet protocol address lacks association with the good host profile.

2. A computer program product for throttling traffic from a source internet protocol address, the computer program product comprising:
one or more computer-readable, tangible storage devices having computer usable program code embodied therewith, the computer program product comprising:
computer usable program code configured to inspect payloads of a plurality of packets, each packet having a source address identical to the source internet protocol address and a target address corresponding to a receiver host;
computer usable program code configured to forward packets having the source address, responsive to detecting purported good content within at least one of the plurality of packets;
computer usable program code configured to determine whether a count of packets having the source address exceeds a safe threshold;
computer usable program code configured to request a demanded positive trust report from the receiver host, responsive to a determination that the count of packets having the source address exceeds the safe threshold;
computer usable program code configured to determine whether a positive trust report is received from the receiver host that indicates that the source internet protocol address is good;
computer usable program code configured to analyze a header of a packet having the source address without analyzing a payload of the packet, responsive to a determination that the positive trust report is received from the receiver host; and
computer usable program code configured to determine if the source internet protocol address lacks an association with a good host profile, wherein the step of inspecting payloads is responsive to the determination that the source internet protocol address lacks association with the good host profile.

3. A computer implemented method to throttle traffic from a source internet protocol address, the method comprising:
inspecting payloads of a plurality of packets, each packet having a source address identical to the source internet protocol address and a target address corresponding to a receiver host;
responsive to detecting purported good content within at least one of the plurality of packets, forwarding packets having the source address;
determining whether a count of packets having the source address exceeds a safe threshold;
responsive to a determination that the count of packets having the source address exceeds the safe threshold, requesting a demanded positive trust report from the receiver host;
determining whether a positive trust report is received from the receiver host that indicates that the source internet protocol address is good;
responsive to a determination that the positive trust report is received from the receiver host, analyzing a header of a packet having the source address without analyzing a payload of the packet;
responsive to a determination that the positive trust report is received from the receiver host, counting packets having the source internet protocol address to form a repose count;
determining whether the repose count exceeds a repose threshold;
responsive to a determination that the repose count exceeds the repose threshold, determining whether a negative trust report is received by the receiver host concerning the source internet protocol address; and
responsive to a determination that the negative trust report is received by the receiver host concerning the source internet protocol address, determining whether a packet from the source internet protocol address was sent to the receiver host in a recent period.
(Dependent claims: 4, 5, 6, 7)

8. A computer program product for throttling traffic from a source internet protocol address, the computer program product comprising:
one or more computer-readable, tangible storage devices having computer usable program code embodied therewith, the computer program product comprising:
computer usable program code configured to inspect payloads of a plurality of packets, each packet having a source address identical to the source internet protocol address and a target address corresponding to a receiver host;
computer usable program code configured to forward packets having the source address, responsive to detecting purported good content within at least one of the plurality of packets;
computer usable program code configured to determine whether a count of packets having the source address exceeds a safe threshold;
computer usable program code configured to request a demanded positive trust report from the receiver host, responsive to a determination that the count of packets having the source address exceeds the safe threshold;
computer usable program code configured to determine whether a positive trust report is received from the receiver host that indicates that the source internet protocol address is good;
computer usable program code configured to analyze a header of a packet having the source address without analyzing a payload of the packet, responsive to a determination that the positive trust report is received from the receiver host;
computer usable program code configured to count packets having the source internet protocol address to form a repose count, responsive to a determination that the positive trust report is received from the receiver host;
computer usable program code configured to determine whether the repose count exceeds a repose threshold;
computer usable program code configured to determine whether a negative trust report is received by the receiver host concerning the source internet protocol address, responsive to a determination that the repose count exceeds the repose threshold; and
computer usable program code configured to determine whether a packet from the source internet protocol address was sent to the receiver host in a recent period, responsive to a determination that the negative trust report is received by the receiver host concerning the source internet protocol address.
(Dependent claims: 9, 10, 11, 12)
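The throttling flow that the abstract and claims 1, 3 and 8 describe, written out as a per-source state machine. This is an added example, not code from the patent: the receiver host that answers trust-report requests, the content test behind "purported good content", the header check, the packet format and the addresses are all constructed stand-ins, and the claims say nothing about what happens to a packet that fails payload inspection, whether the safe-threshold count restarts after a demand, or what follows the recent-period determination, so those decisions are marked as assumptions in the comments. The scenario at the end runs one profiled source and one unprofiled source that earns header-only treatment, is then the subject of a negative trust report, and falls back under payload inspection.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    ts: float  # arrival time in seconds


@dataclass
class SourceState:
    header_only: bool = False  # True once the receiver host has vouched for the source
    count: int = 0             # forwarded packets counted against the safe threshold
    repose: int = 0            # forwarded packets counted against the repose threshold
    last_seen: Optional[float] = None


class ReceiverHost:  # constructed stand-in for the receiver host that answers demanded trust reports
    def __init__(self, addr: str, trusted: Iterable[str] = (), distrusted: Iterable[str] = ()):
        self.addr, self.trusted, self.distrusted = addr, set(trusted), set(distrusted)
        self.requests: List[str] = []  # every report the firewall demanded, in order

    def report(self, kind: str, src: str) -> bool:
        self.requests.append(f"{kind}?{src}")
        return src in (self.trusted if kind == "positive" else self.distrusted)


class ReverseFirewall:
    def __init__(self, receiver: ReceiverHost, safe_threshold: int, repose_threshold: int,
                 recent_period: float, good_profiles: Iterable[str] = ()):
        self.receiver, self.good_profiles = receiver, set(good_profiles)
        self.safe_threshold, self.repose_threshold = safe_threshold, repose_threshold
        self.recent_period = recent_period
        self.state: Dict[str, SourceState] = {}

    @staticmethod
    def purported_good(payload: bytes) -> bool:
        # Hypothetical content test: the page never defines "purported good content", so a
        # plain-ASCII HTTP GET request without NUL bytes stands in for it here.
        return payload.startswith(b"GET ") and payload.isascii() and b"\x00" not in payload

    def handle(self, pkt: Packet) -> str:
        st = self.state.setdefault(pkt.src, SourceState())
        prev_seen, st.last_seen = st.last_seen, pkt.ts

        # Payload inspection is only for sources lacking an association with a good host profile.
        if pkt.src in self.good_profiles:
            return "forward:profiled" if pkt.dst == self.receiver.addr else "drop:header"

        if not st.header_only:
            if not self.purported_good(pkt.payload):
                return "drop:payload"  # assumption: the claims specify only the good-content path
            st.count += 1
            if st.count > self.safe_threshold:
                st.count = 0  # assumption: the count restarts after each demanded report
                if self.receiver.report("positive", pkt.src):
                    st.header_only, st.repose = True, 0
                    return "forward:trusted"
            return "forward:inspected"

        # Header-only mode (claim 1), with the repose count of claims 3 and 8.
        if pkt.dst != self.receiver.addr:  # header analysis: target address must be the receiver host
            return "drop:header"
        st.repose += 1
        if st.repose > self.repose_threshold:
            st.repose = 0
            if self.receiver.report("negative", pkt.src):
                recent = prev_seen is not None and pkt.ts - prev_seen <= self.recent_period
                # Claims end at this determination; assumed reaction: back to payload inspection, drop if active.
                st.header_only, st.count = False, 0
                if recent:
                    return "drop:distrusted"
                return "forward:inspected" if self.purported_good(pkt.payload) else "drop:payload"
        return "forward:header"


RECEIVER, TRUSTED, PROFILED = "203.0.113.1", "198.51.100.7", "192.0.2.10"  # constructed (RFC 5737)


def run_scenario() -> Tuple[List[str], List[str]]:
    """Constructed traffic: a profiled source, then a source that earns and later loses trust."""
    rx = ReceiverHost(RECEIVER, trusted={TRUSTED})
    fw = ReverseFirewall(rx, safe_threshold=3, repose_threshold=2, recent_period=5.0,
                         good_profiles={PROFILED})
    good = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    bad = b"GET /\x00\x90\x90" + b"\xcc" * 16  # fails payload inspection
    d = [fw.handle(Packet(PROFILED, RECEIVER, bad, 0.0))]  # profiled source: header analysis only
    d += [fw.handle(Packet(TRUSTED, RECEIVER, good, 1.0 + i)) for i in range(4)]  # 4th exceeds safe threshold
    d += [fw.handle(Packet(TRUSTED, RECEIVER, bad, 5.0 + i)) for i in range(3)]  # repose overflow, no negative report
    rx.trusted.discard(TRUSTED)  # the receiver host withdraws its trust
    rx.distrusted.add(TRUSTED)
    d += [fw.handle(Packet(TRUSTED, RECEIVER, bad, 8.0 + i)) for i in range(3)]  # negative report, source active
    d.append(fw.handle(Packet(TRUSTED, RECEIVER, bad, 11.0)))  # payload inspection resumed, packet caught
    return d, rx.requests
```

Two properties of the claimed design show up directly in the trace. The whole scheme keys on the source internet protocol address, so anything able to send from or spoof that address inherits the header-only treatment the receiver host granted. And once the positive trust report is in hand, every payload from that source passes uninspected until the repose threshold is exceeded, so the repose threshold bounds how much unexamined traffic a source can send between consultations of the receiver host.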
Specification