Means of mitigating denial of service attacks on IP fragmentation in high performance IPSEC gateways
Abstract
Embodiments of the invention reduce the probability of success of a DoS attack on a node receiving packets by decreasing the probability of random collisions between packets sent by a malicious user and those sent by honest users. In one class of embodiments, the probability of random collisions is reduced by supplementing the identification field of the IP header of each transmitted packet with at least one bit from another field of the header. In another class of embodiments, it is reduced by ensuring that packets sent from a transmitting IPsec node to a receiving IPsec node are not fragmented.
16 Claims
1. A method, comprising:
supplementing, in a computing device having a processor and a memory, an identification field of a header of an IP datagram with at least one bit from another field of the IP header, whereby probability of random collisions is reduced, thereby reducing a security threat in connection with a transmission of the IP datagram; and
after supplementing the identification field of the header with the at least one bit, inserting remaining bits of identification information into at least one other field of the header.
Dependent claims: 2, 3, 4, 5, 6, 7

8. A system, comprising:
a computing device including a processor and a memory, the memory including instructions executable by the processor for: supplementing an identification field of a header of an IP datagram with at least one bit from another field of the IP header, whereby probability of random collisions is reduced, thereby reducing a security threat in connection with a transmission of the IP datagram; and
the instructions further executable by the processor for, after supplementing the identification field of the header with the at least one bit, inserting remaining bits of identification information into at least one other field of the header.
Dependent claims: 9, 10, 11, 12, 13, 14

15. A method, comprising:
assembling, in a computing device having a processor and a memory, a plurality of received IP datagrams that each has an IP header, based on identification information contained in an identification field and at least one other field of the header of each of the received IP datagrams, wherein the identification information for each received IP datagram does not include source address information, destination address information or protocol information for that received IP datagram; and
wherein the at least one other field comprises at least one field selected from the group consisting of the sub-net subfield of at least one of the source address field and the destination address field of the header of each received IP datagram, the protocol field of the header of each received IP datagram, and the fragment offset field of the header of each received IP datagram.

16. A system, comprising:
a computing device including a processor and a memory, the memory including instructions executable by the processor for: assembling a plurality of received IP datagrams that each has an IP header, based on identification information contained in an identification field and at least one other field of the header of each of the received IP datagrams, wherein the identification information for each received IP datagram does not include source address information, destination address information or protocol information for that received IP datagram; and
wherein the at least one other field comprises at least one field selected from the group consisting of the sub-net subfield of at least one of the source address field and the destination address field of the header of each received IP datagram, the protocol field of the header of each received IP datagram, and the fragment offset field of the header of each received IP datagram.
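The collision argument in the abstract and the widened reassembly identification of claim 15, worked through as an added Python example that is not part of the patent or any implementation of it: a sender writes extra identification bits into the high-order bits of the fragment-offset field (one of the fields claim 15 names; which field is used and how many bits are carried are assumptions made here for illustration), the receiver keys reassembly on the 16-bit ID supplemented with those bits, and `collision_probability` gives the chance that a fragment carrying a uniformly random identification lands in the bucket of one of the legitimate datagrams in flight. All function names, addresses and packets are constructed.

```python
"""Widening the IPv4 reassembly identification with bits carried in another
header field, and the random-collision probability the widening buys.
Added example with constructed packets; not the patent's own implementation."""
import random
import struct

IPV4_HDR = struct.Struct("!BBHHHBBH4s4s")  # fixed 20-byte IPv4 header, no options
ID_BITS = 16       # width of the Identification field
OFFSET_BITS = 13   # width of the Fragment Offset field
MF_FLAG = 0x2000   # "more fragments" flag in the flags/offset word


def build_header(src, dst, ident, offset, mf, proto, extra_bits=0, extra=0):
    """Pack a header. `extra` identification bits are written into the high-order
    `extra_bits` bits of the fragment-offset field (assumption: the sender never
    needs a true offset wider than OFFSET_BITS - extra_bits bits). Checksum is
    left zero because this is constructed test data, not a transmitted packet."""
    low_bits = OFFSET_BITS - extra_bits
    assert offset < (1 << low_bits) and extra < (1 << extra_bits)
    flags_frag = (MF_FLAG if mf else 0) | (extra << low_bits) | offset
    return IPV4_HDR.pack(0x45, 0, 40, ident, flags_frag, 64, proto, 0, src, dst)


def parse_header(raw):
    """Decode the fixed part of an IPv4 header into the fields reassembly needs."""
    vihl, _tos, tlen, ident, flags_frag, ttl, proto, _csum, src, dst = IPV4_HDR.unpack(raw[:20])
    return {"id": ident, "mf": bool(flags_frag & MF_FLAG),
            "offset_field": flags_frag & 0x1FFF, "protocol": proto,
            "src": src, "dst": dst, "ttl": ttl, "total_length": tlen}


def classic_key(h):
    """RFC 791 behaviour: fragments sharing (src, dst, protocol, id) are merged."""
    return (h["src"], h["dst"], h["protocol"], h["id"])


def widened_key(h, extra_bits):
    """Receiver side of the widened scheme: the identification is the 16-bit ID
    supplemented with `extra_bits` bits read back from the fragment-offset field."""
    extra = h["offset_field"] >> (OFFSET_BITS - extra_bits)
    return (h["src"], h["dst"], h["protocol"], (h["id"] << extra_bits) | extra)


def true_offset(h, extra_bits):
    """The real fragment offset once the borrowed high-order bits are masked off."""
    return h["offset_field"] & ((1 << (OFFSET_BITS - extra_bits)) - 1)


def group_fragments(raw_headers, key_fn):
    """Bucket fragments by reassembly key; return {key: number of fragments}."""
    buckets = {}
    for raw in raw_headers:
        k = key_fn(parse_header(raw))
        buckets[k] = buckets.get(k, 0) + 1
    return buckets


def collision_probability(id_bits, in_flight):
    """Chance that one fragment whose identification is uniformly random lands in
    the same bucket as one of `in_flight` legitimate datagrams being reassembled."""
    return 1.0 - (1.0 - 2.0 ** -id_bits) ** in_flight


def simulate_hits(id_bits, in_flight, attempts, seed=1):
    """Monte Carlo counterpart of collision_probability, for a sanity check."""
    rng = random.Random(seed)
    space = 1 << id_bits
    legit = {rng.randrange(space) for _ in range(in_flight)}
    return sum(1 for _ in range(attempts) if rng.randrange(space) in legit)


def demo():
    """Two honest fragments plus one forged fragment that matches their 16-bit ID
    but not the 4 supplemental bits: the classic key merges all three into one
    datagram, the widened key keeps the forged fragment in its own bucket."""
    src, dst, proto = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 50  # constructed gateways, ESP
    k = 4
    honest = [build_header(src, dst, 0x1234, 0, True, proto, k, 0b1010),
              build_header(src, dst, 0x1234, 25, False, proto, k, 0b1010)]
    forged = [build_header(src, dst, 0x1234, 0, True, proto, k, 0b0011)]
    classic = group_fragments(honest + forged, classic_key)
    widened = group_fragments(honest + forged, lambda h: widened_key(h, k))
    return len(classic), len(widened)


if __name__ == "__main__":
    print("buckets (classic, widened):", demo())
    for bits in (ID_BITS, ID_BITS + 4):
        print(f"{bits}-bit identification, 64 datagrams in flight:",
              collision_probability(bits, 64))
```

With 64 datagrams in flight the per-fragment collision chance drops by a factor of 16 when four bits are borrowed, which is the abstract's point: every supplemental bit that a forger cannot predict halves the chance that a random fragment merges into an honest datagram. The cost is that the sender must keep true offsets within the narrowed offset field, which is why the abstract's second class of embodiments simply avoids fragmentation between the IPsec nodes.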