Host trust report based filtering mechanism in a reverse firewall

US 8,375,435 B2
Filed: 12/19/2008
Issued: 02/12/2013
Est. Priority Date: 12/19/2008
Status: Expired due to Fees

First Claim

Patent Images

1. A computer implemented method to throttle traffic from a source internet protocol address, the method comprising:

inspecting payloads of a plurality of packets, each packet having a source address identical to the source internet protocol address and a target address corresponding to a receiver host;

responsive to detecting purported good content within at least one of the plurality of packets, forwarding packets having the source address;

determining whether a count of packets having the source address exceeds a safe threshold;

responsive to a determination that the count of packets having the source address exceeds the safe threshold, requesting a demanded positive trust report from the receiver host;

determining whether a positive trust report is received from the receiver host that indicates that the source internet protocol address is good;

responsive to a determination that the positive trust report is received from the receiver host, analyzing a header of a packet having the source address without analyzing a payload of the packet; and

determining if the source internet protocol address lacks an association with a good host profile, wherein the step of inspecting payloads is responsive to the determination that the source internet protocol address lacks association with the good host profile.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a computer implemented method and computer program product to throttle traffic from a source internet protocol address. The reverse firewall inspects payloads of a plurality of packets each packet having a source address identical to the source internet protocol address and a target address corresponding to a receiver host. Responsive to detecting purported good content within at least one of the plurality of packets, the reverse firewall forwards packets having the source address. The reverse firewall determines whether a count of packets having the source address exceeds a safe threshold. The reverse firewall requests a demanded positive trust report from the receiver host, responsive to a determination that the count of packets having the source address exceeds the safe threshold. The reverse firewall determines whether a positive trust report is received from the receiver host that indicates that the source internet protocol address is good. The reverse firewall analyzes a header of packet having the source address without analyzing a payload of the packet, responsive to a determination that the positive trust report is received from the receiver host.

22 Citations

View as Search Results

12 Claims

1. A computer implemented method to throttle traffic from a source internet protocol address, the method comprising:
- inspecting payloads of a plurality of packets, each packet having a source address identical to the source internet protocol address and a target address corresponding to a receiver host;
  
  responsive to detecting purported good content within at least one of the plurality of packets, forwarding packets having the source address;
  
  determining whether a count of packets having the source address exceeds a safe threshold;
  
  responsive to a determination that the count of packets having the source address exceeds the safe threshold, requesting a demanded positive trust report from the receiver host;
  
  determining whether a positive trust report is received from the receiver host that indicates that the source internet protocol address is good;
  
  responsive to a determination that the positive trust report is received from the receiver host, analyzing a header of a packet having the source address without analyzing a payload of the packet; and
  
  determining if the source internet protocol address lacks an association with a good host profile, wherein the step of inspecting payloads is responsive to the determination that the source internet protocol address lacks association with the good host profile.

2. A computer program product for throttling traffic from a source internet protocol address, the computer program product comprising:
- one or more computer-readable, tangible storage devices having computer usable program code embodied therewith, the computer program product comprising;
  
  computer usable program code configured to inspect payloads of a plurality of packets, each packet having a source address identical to the source internet protocol address and a target address corresponding to a receiver host;
  
  computer usable program code configured to forward packets having the source address, responsive to detecting purported good content within at least one of the plurality of packets;
  
  computer usable program code configured to determine whether a count of packets having the source address exceeds a safe threshold;
  
  computer usable program code configured to request a demanded positive trust report from the receiver host, responsive to a determination that the count of packets having the source address exceeds the safe threshold;
  
  computer usable program code configured to determine whether a positive trust report is received from the receiver host that indicates that the source internet protocol address is good;
  
  computer usable program code configured to analyze a header of a packet having the source address without analyzing a payload of the packet, responsive to a determination that the positive trust report is received from the receiver host; and
  
  computer usable program code configured to determine if the source internet protocol address lacks an association with a good host profile, wherein the step of inspecting payloads is responsive to the determination that the source internet protocol address lacks association with the good host profile.

3. A computer implemented method to throttle traffic from a source internet protocol address, the method comprising:
- inspecting payloads of a plurality of packets, each packet having a source address identical to the source internet protocol address and a target address corresponding to a receiver host;
  
  responsive to detecting purported good content within at least one of the plurality of packets, forwarding packets having the source address;
  
  determining whether a count of packets having the source address exceeds a safe threshold;
  
  responsive to a determination that the count of packets having the source address exceeds the safe threshold, requesting a demanded positive trust report from the receiver host;
  
  determining whether a positive trust report is received from the receiver host that indicates that the source internet protocol address is good; and
  
  responsive to a determination that the positive trust report is received from the receiver host, analyzing a header of a packet having the source address without analyzing a payload of the packet;
  
  responsive to a determination that the positive trust report is received from the receiver host, counting packets having the source internet protocol address to form a repose count;
  
  determining whether the repose count exceeds a repose threshold;
  
  responsive to a determination that the repose count exceeds the repose threshold, determining whether a negative trust report is received by the receiver host concerning the source internet protocol address; and
  
  responsive to a determination that the negative trust report is received by the receiver host concerning the source internet protocol address, determining whether a packet from the source internet protocol address was sent to receiver host in a recent period.
- View Dependent Claims (4, 5, 6, 7)
- - 4. The computer implemented method of claim 3, further comprising:
    - resetting the count of packets from the source internet protocol address in response the determination that the packet from the source internet protocol address was sent to the receiver host in the recent period; and
      
      determining whether the count of packets from the source internet protocol address exceeds the safe threshold.
  - 5. The computer implemented method of claim 4, wherein the trust report is received within a timeout period and is unexpired.
  - 6. The computer implemented method of claim 4, wherein the trust report is valid and positive.
  - 7. The computer implemented method of claim 4, wherein the recent period is during a prior two second interval.

8. A computer program product for throttling traffic from a source internet protocol address, the computer program product comprising:
- one or more computer-readable, tangible storage devices having computer usable program code embodied therewith, the computer program product comprising;
  
  computer usable program code configured to inspect payloads of a plurality of packets, each packet having a source address identical to the source internet protocol address and a target address cones corresponding to a receiver host;
  
  computer usable program code configured to forward packets having the source address, responsive to detecting purported good content within at least one of the plurality of packets;
  
  computer usable program code configured to determine whether a count of packets having the source address exceeds a safe threshold;
  
  computer usable program code configured to request a demanded positive trust report from the receiver host, responsive to a determination that the count of packets having the source address exceeds the safe threshold;
  
  computer usable program code configured to determine whether a positive trust report is received from the receiver host that indicates that the source internet protocol address is good;
  
  computer usable program code configured to analyze a header of packet having the source address without analyzing a payload of the packet, responsive to a determination that the positive trust report is received from the receiver host;
  
  computer usable program code configured to count packets having the source internet protocol address to form a repose count, responsive to a determination that the positive trust report is received from the receiver host;
  
  computer usable program code configured to determine whether the repose count exceeds a repose threshold;
  
  computer usable program code configured to determine whether a negative trust report is received by the receiver host concerning the source internet protocol address, responsive to a determination that the repose count exceeds the repose threshold; and
  
  computer usable program code configured to determine whether a packet from the source internet protocol address was sent to receiver host in a recent period, responsive to a determination that the negative trust report is received by the receiver host concerning the source internet protocol address.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The computer program product of claim 8, further comprising:
    - computer usable program code configured to reset the count of packets from the source internet protocol address in response the determination that the packet from the source internet protocol address was sent to the receiver host in the recent period; and
      
      computer usable program code configured to determine whether the count of packets from the source internet protocol address exceeds the safe threshold.
  - 10. The computer program product of claim 9, wherein the trust report is received within a timeout period and is unexpired.
  - 11. The computer program product of claim 9, wherein the trust report is valid and positive.
  - 12. The computer program product of claim 9, wherein the recent period is during a prior two second interval.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Fried, Eric P., Goyal, Anand, Kosanam, Silpa, Sabarathinam, Suresh
Primary Examiner(s)
Flynn, Nathan
Assistant Examiner(s)
Vaughan, Michael R

Application Number

US12/339,542
Publication Number

US 20100162381A1
Time in Patent Office

1,516 Days
Field of Search

None
US Class Current

726/14
CPC Class Codes

H04L 63/02 for separating internal fro...

H04L 63/0227 Filtering policies mail mes...

Host trust report based filtering mechanism in a reverse firewall

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

22 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Host trust report based filtering mechanism in a reverse firewall

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

22 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links