Denial-of-service attack defense system, denial-of-service attack defense method, and computer product

US 8,479,282 B2
Filed: 08/19/2005
Issued: 07/02/2013
Est. Priority Date: 10/12/2004
Status: Active Grant

First Claim

Patent Images

1. A system for protecting a communication device against a denial-of-service attack, the system comprising:

a monitoring device provided on a local area network including the communication device, the monitoring device being configured to monitor a packet transmitted to the communication device via an internet-service-provider network; and

a restricting device provided on the internet-service-provider network, the restricting device being configured to restrict a packet to the local area network,wherein the monitoring device includesan attack detecting unit configured to detect an attack by the packet on the communication device based on an attack detection condition including a destination address and a port number of the packet, anda protection-request-information transmitting unit configured to transmit to the restricting device protection request information indicating a request for protection against the attack, the protection request information including a certificate authenticating the monitoring device, a signature indicating a feature including the destination address and the port number of a packet that attacks the communication device, the protection-request-information transmitting unit being configured to update the protection request information to remove packets not included in the attack from restriction based on a report of received packets transmitted from the restricting device, andthe restricting device includes a packet restricting unit configured to restrict a packet transmitted to the communication device via the internet-service-provider network based on the protection request information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A monitoring device is provided on a LAN to which a communication device that is a target of a denial-of-service attack is connected, and monitors a packet transmitted to the communication device via an ISP network. A restricting device is provided on the ISP network, and restricts a packet to the LAN. The monitoring device detects an attack by the packet on the communication device, and transmits protection request information indicating a request for protection against the attack to the restricting device. The restricting device restricts a packet transmitted to the communication device via the ISP network based on the protection request information.

18 Citations

View as Search Results

14 Claims

1. A system for protecting a communication device against a denial-of-service attack, the system comprising:
- a monitoring device provided on a local area network including the communication device, the monitoring device being configured to monitor a packet transmitted to the communication device via an internet-service-provider network; and
  
  a restricting device provided on the internet-service-provider network, the restricting device being configured to restrict a packet to the local area network,wherein the monitoring device includesan attack detecting unit configured to detect an attack by the packet on the communication device based on an attack detection condition including a destination address and a port number of the packet, anda protection-request-information transmitting unit configured to transmit to the restricting device protection request information indicating a request for protection against the attack, the protection request information including a certificate authenticating the monitoring device, a signature indicating a feature including the destination address and the port number of a packet that attacks the communication device, the protection-request-information transmitting unit being configured to update the protection request information to remove packets not included in the attack from restriction based on a report of received packets transmitted from the restricting device, andthe restricting device includes a packet restricting unit configured to restrict a packet transmitted to the communication device via the internet-service-provider network based on the protection request information.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system according to claim 1, whereinthe monitoring device further includes a signature generating unit configured to generate the signature,the protection-request-information transmitting unit transmits the protection request information including the signature to the restricting device, andthe packet restricting unit restricts a packet corresponding to the signature.
  - 3. The system according to claim 2, whereinthe restricting device further includes a signature determining unit configured to determine whether the protection request information including the signature is appropriate based on the certificate, andthe packet restricting unit restricts a packet corresponding to a signature determined to be appropriate, and does not restrict a packet corresponding to a signature determined to be inappropriate.
  - 4. The system according to claim 3, whereinthe restricting device further includes a determination-result transmitting unit configured to transmit a determination result of the signature determining unit to the monitoring device, the signature generating unit of the monitoring device generating a new signature indicating the feature of the packet that attacks the communication device when the determination result indicates that the signature is inappropriate.
  - 5. The system according to claim 2, whereinthe restricting device further includesa report generating unit configured to generate a report including a feature and an amount of packets corresponding to the signature, and a report transmitting unit configured to transmit the report to the monitoring device,the signature generating unit generates a new signature based on the report,the protection-request-information transmitting unit transmits the protection request information including the new signature to the restricting device, andthe packet restricting unit restricts a packet corresponding to the new signature.
  - 6. The system according to claim 5, whereinthe restricting device further includes a forwarding unit configured to forward the protection request information to other restricting devices provided on the internet-service-provider network, the forwarding unit being configured to determine whether to forward the protection request information based on the report generated by the report generating unit.

7. A method of causing a monitoring device and a restricting device to protect a communication device against a denial-of-service attack, the monitoring device being provided on a local area network including the communication device and being configured to monitor a packet transmitted to the communication device via an internet-service-provider network, the restricting device being provided on the internet-service-provider network and being configured to restrict a packet to the local area network, the method comprising:
- detecting, at the monitoring device, an attack by the packet on the communication device based on an attack detection condition including a destination address and a port number of the packet;
  
  transmitting, from the monitoring device to the restricting device, a protection request information indicating a request for protection against the attack, the protection request information including a certificate authenticating the monitoring device, a signature indicating a feature including the destination address and the port number of a packet that attacks the communication device;
  
  restricting, at the restricting device, packets transmitted to the communication device via the internet-service-provider network based on the protection request information;
  
  transmitting, from the restricting device to the monitoring device, a report including information on packets included in the attack; and
  
  transmitting, from the monitoring device to the restricting device, an updated protection request information removing packets not included in the attack from restriction based on the report.
- View Dependent Claims (8, 9, 10)
- - 8. The method according to claim 7, further comprising:
    - generating, at the monitoring device, the signature, whereinprotection request information transmitted to the restricting device includes the signature, anda packet corresponding to the signature is restricted.
  - 9. The method according to claim 8, further comprising:
    - determining, at the restricting device, whether the protection request information including the signature is appropriate based on the certificate,wherein a packet corresponding to a signature determined to be appropriate is restricted, and a packet corresponding to a signature determined to be inappropriate is not restricted.
  - 10. The method according to claim 8, further comprising:
    - generating, at the restricting device, a report on a feature and an amount of packets corresponding to the signature; and
      
      transmitting the report from the restricting device to the monitoring device,wherein a new signature is generated at the monitoring device based on the report, protection request information including the new signature is transmitted to the restricting device, and a packet corresponding to the new signature is restricted.

11. A non-transitory computer-readable medium storing thereon computer-readable instructions for protecting a communication device against a denial-of-service attack using a monitoring device and a restricting device, the monitoring device being provided on a local area network including the communication device and being configured to monitor a packet transmitted to the communication device via an internet-service-provider network, the restricting device being provided on the internet-service-provider network and being configured to restrict a packet to the local area network, the computer-readable instructions when executed by a computer cause the computer to perform the method comprising:
- detecting, at the monitoring device, an attack by the packet on the communication device based on an attack detection condition including an address and a port number of the packet;
  
  transmitting, from the monitoring device to the restricting device, protection request information indicating a request for protection against the attack, the protection request information including a certificate authenticating the monitoring device, a signature indicating a feature including the destination address and the port number of a packet that attacks the communication device;
  
  restricting, at the restricting device, a packet transmitted to the communication device via the internet-service-provider network based on the protection request information;
  
  transmitting, from the restricting device to the monitoring device, a report including information on packets included in the attack; and
  
  transmitting, from the monitoring device to the restricting device, an updated protection request information removing packets not included in the attack from restriction based on the report.
- View Dependent Claims (12, 13, 14)
- - 12. The non-transitory computer-readable medium according to claim 11, further comprising:
    - generating, at the monitoring device, the signature;
      
      transmitting, from the monitoring device to the restricting device, the protection request information including the signature; and
      
      restricting, at the restricting device, a packet corresponding to the signature.
  - 13. The non-transitory computer-readable medium according to claim 12, further comprising:
    - determining, at the restricting device, whether the protection request information including the signature is appropriate based on the certificate;
      
      restricting a packet corresponding to a signature determined to be appropriate; and
      
      not restricting a packet corresponding to a signature determined to be inappropriate.
  - 14. The non-transitory computer-readable medium according to claim 12, further comprising:
    - generating, at the restricting device, a report on a feature and an amount of packets corresponding to the signature; and
      
      transmitting the report from the restricting device to the monitoring device;
      
      generating, at the monitoring device, a new signature based on the report;
      
      transmitting, from the monitoring device to the restricting device, the protection request information including the new signature; and
      
      restricting, at the restricting device, a packet corresponding to the new signature.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nippon Telegraph and Telephone Corporation
Original Assignee
Nippon Telegraph and Telephone Corporation
Inventors
Hamada, Masaki
Primary Examiner(s)
Khoshnoodi, Nadia

Application Number

US10/579,891
Publication Number

US 20070101428A1
Time in Patent Office

2,874 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

H04L 12/46 Interconnection of networks

H04L 63/1458 Denial of Service

Denial-of-service attack defense system, denial-of-service attack defense method, and computer product

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

18 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Denial-of-service attack defense system, denial-of-service attack defense method, and computer product

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

18 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links