Coordinated detection of a grey-hole attack in a communication network

US 8,806,633 B2
Filed: 08/22/2011
Issued: 08/12/2014
Est. Priority Date: 08/22/2011
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

receiving, at a security device in a communication network, a first set of one or more unique identifications of packets sent by a first device to a second device for which a corresponding acknowledgment was purportedly returned by the second device to the first device;

receiving, at the security device, a second set of one or more unique identifications of packets received by the second device from the first device and acknowledged by the second device to the first device;

comparing the first and second sets of unique identifications; and

determining whether acknowledgments received by the first device were truly returned from the second device based on whether the unique identifications in the first and second sets exactly match and the sets include an equal number of unique identifications, wherein the unique identifications are hashes of the packets.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one embodiment, a security device receives one or more first unique identifications of packets sent by a first device to a second device for which a corresponding acknowledgment was purportedly returned by the second device to the first device. The security device also receives one or more second unique identifications of packets received by the second device from the first device and acknowledged by the second device to the first device. By comparing the first and second unique identifications, the security device may then determine whether acknowledgments received by the first device were truly returned from the second device based on whether the first and second unique identifications exactly match.

Citations

13 Claims

1. A method, comprising:
- receiving, at a security device in a communication network, a first set of one or more unique identifications of packets sent by a first device to a second device for which a corresponding acknowledgment was purportedly returned by the second device to the first device;
  
  receiving, at the security device, a second set of one or more unique identifications of packets received by the second device from the first device and acknowledged by the second device to the first device;
  
  comparing the first and second sets of unique identifications; and
  
  determining whether acknowledgments received by the first device were truly returned from the second device based on whether the unique identifications in the first and second sets exactly match and the sets include an equal number of unique identifications, wherein the unique identifications are hashes of the packets.
- View Dependent Claims (2)
- - 2. The method as in claim 1, further comprising:
    - determining that no matching unique identification in the second set exists for a particular unique identification in the first set; and
      
      in response, generating an alarm.

3. A method, comprising:
- sending one or more packets from a first device in a communication network to a second device;
  
  receiving a corresponding acknowledgment purportedly returned by the second device to the first device for the one or more packets;
  
  in response to receiving the corresponding acknowledgment, storing a unique identification of one or more correspondingly acknowledged packets; and
  
  sending the unique identification to a security device that compares a first set of one or more unique identifications from the first device to a second set of one or more unique identifications from the second device for packets received by the second device from the first device and acknowledged by the second device to the first device to determine whether the acknowledgments received by the first device were truly returned from the second device based on whether the unique identifications in the first and second sets exactly match and the sets include an equal number of unique identifications, wherein the unique identifications are hashes of the packets.
- View Dependent Claims (4, 5)
- - 4. The method as in claim 3, wherein sending comprises:
    - periodically sending a plurality of unique identifications for a plurality of corresponding packets to the security device.
  - 5. The method as in claim 3, wherein storing and sending the unique identification of the correspondingly acknowledged packet is in response to the correspondingly acknowledged packet being a particular type of packet.

6. A method, comprising:
- receiving one or more packets at a second device in a communication network from a first device;
  
  in response, returning a corresponding acknowledgment to the first device for the one or more packets;
  
  in response to returning the corresponding acknowledgment, storing a unique identification for each of the correspondingly acknowledged packets; and
  
  sending the one or more unique identifications to a security device that compares a second set of one or more unique identifications from the second device to a first set of one or more unique identifications of packets sent by the first device to the second device, for which a corresponding acknowledgment was purportedly returned by the second device to the first device, to determine whether the acknowledgments received by the first device were truly returned from the second device based on whether the unique identifications in the first and second sets exactly match and the sets include an equal number of unique identifications, wherein the unique identifications are hashes of the packets.
- View Dependent Claims (7, 8, 9)
- - 7. The method as in claim 6, wherein sending comprises:
    - periodically sending a plurality of unique identifications for a plurality of corresponding packets to the security device.
  - 8. The method as in claim 6, wherein storing and sending the unique identification of the correspondingly acknowledged packet is in response to the correspondingly acknowledged packet being a particular type of packet.
  - 9. The method as in claim 6, wherein the second device is a head-end device.

10. An apparatus, comprising:
- one or more network interfaces to communicate within a communication network;
  
  a processor coupled to the network interfaces and adapted to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  receive a first set of one or more first unique identifications of packets sent by a first device to a second device for which a corresponding acknowledgment was purportedly returned by the second device to the first device;
  
  receive a second set of one or more second unique identifications of packets received by the second device from the first device and acknowledged by the second device to the first device;
  
  compare the first and second sets of unique identifications; and
  
  determine whether acknowledgments received by the first device were truly returned from the second device based on whether the unique identifications in the first and second sets exactly match and the sets include an equal number of unique identifications, wherein the unique identifications are hashes of the packets.
- View Dependent Claims (11)
- - 11. The apparatus as in claim 10, wherein the process when executed is further operable to:
    - determine that no matching unique identification in the second set exists for a particular unique identification in the first set; and
      
      in response, generate an alarm.

12. An apparatus, comprising:
- one or more network interfaces to communicate within a communication network;
  
  a processor coupled to the network interfaces and adapted to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  send one or more packets to a second device;
  
  receive a corresponding acknowledgment purportedly returned by the second device to the apparatus for the one or more packets;
  
  in response to receiving the corresponding acknowledgment, store a unique identification of one or more correspondingly acknowledged packets; and
  
  send the unique identification to a security device that compares a first set of the one or more unique identifications from the apparatus to a second set of one or more unique identifications from the second device for packets received by the second device from the apparatus and acknowledged by the second device to the apparatus to determine whether the acknowledgments received by the apparatus were truly returned from the second device based on whether the unique identifications in the first and second sets exactly match and the sets include an equal number of unique identifications, wherein the unique identifications are hashes of the packets.

13. An apparatus, comprising:
- one or more network interfaces to communicate within a communication network;
  
  a processor coupled to the network interfaces and adapted to execute one or more processes; and
  
  a memory configured to store a process executable by the processor, the process when executed operable to;
  
  receive one or more packets from a first device;
  
  in response, return a corresponding acknowledgment to the first device for the one or more packets;
  
  in response to returning the corresponding acknowledgment, store a unique identification for each of the correspondingly acknowledged packets; and
  
  send the one or more unique identifications to a security device that compares a second set of the one or more unique identifications from the apparatus to a first set of one or more unique identifications of packets sent by the first device to the apparatus, for which a corresponding acknowledgment was purportedly returned by the apparatus to the first device, to determine whether the acknowledgments received by the first device were truly returned from the apparatus based on whether the unique identifications in the first and second sets exactly match and the sets include an equal number of unique identifications, wherein the unique identifications are hashes of the packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Shaffer, Shmuel, Vasseur, Jean-Philippe, Hui, Jonathan W.
Primary Examiner(s)
Cervetti, David Garcia
Assistant Examiner(s)
ABEDIN, SHANTO

Application Number

US13/214,874
Publication Number

US 20130055383A1
Time in Patent Office

1,086 Days
Field of Search

726 22- 25, 726/11, 726/14, 709/224, 709/238, 709/237, 709/244, 713/151, 713/160, 713/170, 713/161
US Class Current

726/23
CPC Class Codes

H04L 2463/143 Denial of service attacks i...

H04L 63/1441 Countermeasures against mal...

Coordinated detection of a grey-hole attack in a communication network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Coordinated detection of a grey-hole attack in a communication network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links