System for finding potential origins of spoofed internet protocol attack traffic
First Claim
1. A system for identifying a set of potential origins of Internet Protocol data packets on a network by a computer, said system comprising:
a plurality of cooperating locations on said network, said cooperating locations providing accurate and reliable information as to whether an identified data packet did or did not pass through said cooperating locations at an identified point in time;
a plurality of non-cooperating locations on said network, said non-cooperating locations receiving and transmitting data packets yet providing no or false information as to whether said identified data packet did or did not pass through said non-cooperating locations at said identified point in time;
a means for querying each of said cooperating locations as to whether said identified data packet did or did not pass through said cooperating locations at said identified point in time;
a response from each of said cooperating locations;
each response being a first predetermined value if said identified data packet did pass through said cooperating locations at said identified point in time;
each response being a second predetermined value if said identified data packet did not pass through said cooperating locations at said identified point in time;
said first predetermined value being different from said second predetermined value;
a link signature for each of said identified data packets;
said link signature comprising a string of digits including a plurality of said first predetermined values and a plurality of said second predetermined values;
a table of origins, said table of origins comprising identified destination locations, unions of all link signatures matching data packet information available for said identified data packet and origin locations consistent with said link signatures;
a sub-system for dividing said locations into blocks, where such blocks comprise said cooperating locations that have identical link signatures for routing the identified data packet to any location from another identified block at said identified point in time; and
a reverse routing table, said reverse routing table comprising link signatures identifying at least one valid routing between selected locations in each destination/source pair of blocks in said network for said identified point in time; and
a means for said system to identify the set of possible origins for an identified data packet when a system user supplies a destination location and data packet information for said identified data packet.
Abstract
The invention computes approximate origins of data packets transmitted over the Internet. Law enforcement agencies and network operators can use it to assign responsibility for observed Internet activities. The invention uses a small number of cooperating locations (incoming links on routers or switches) to provide link identification data: whether a packet did or did not traverse that location. The system uses these cooperating locations to generate the link signature of a data packet, that is, which cooperating locations observed the packet and which did not. Potential origin locations are divided into pre-computed blocks that have the same link signatures to given destination locations. The blocks are used to generate reverse routing data: the potential source locations for each link signature. Variations of the invention store link identification and reverse routing data to find the origins of past packets, or compute the origins of packets from partial information about packets of interest.
16 Claims
1. Independent claim 1, as set out above under First Claim.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A method for identifying a set of potential origins of Internet Protocol data packets on a network having cooperating locations and non-cooperating locations, by a computer, said method comprising the steps of:
identifying a plurality of cooperating locations and non-cooperating locations in said network, said cooperating locations providing accurate and reliable information as to whether an identified data packet did or did not pass through each cooperating location at an identified point in time;
said non-cooperating locations receiving and transmitting data packets yet providing no or false information as to whether said identified data packet did or did not pass through each non-cooperating location at said identified point in time;
querying each of said cooperating locations as to whether said identified data packet did or did not pass through said cooperating locations at an identified point in time;
receiving a response from each of said cooperating locations;
each response being a first predetermined value if said identified data packet did pass through said cooperating locations at said identified point in time;
each said response being a second predetermined value if said identified data packet did not pass through said cooperating locations at said identified point in time;
said first predetermined value being different from said second predetermined value;
creating a link signature for each of said identified data packets, said link signature comprising a string of digits including a plurality of said first predetermined values and a plurality of said second predetermined values;
developing a table of origins from said link signatures, said table of origins comprising identified destination locations, unions of all link signatures matching data packet information available for said identified data packets and origin locations consistent with said link signatures;
dividing said locations into blocks, where such blocks comprise locations that have identical link signatures for routing a packet to any location from another identified block at said identified point in time;
creating a reverse routing table, said reverse routing table comprising link signatures identifying at least one valid routing between selected locations in each destination/source pair of blocks in said network for said identified point in time;
allowing a system user to supply a destination location and data packet information regarding an identified data packet; and
performing computations to identify said set of possible origins for said identified data packet.
Dependent claims: 10, 11, 12, 13, 14, 15, 16.
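The link-signature traceback described in the abstract and in claims 1 and 9, as an added worked example. This is not code from the patent; the six-host, four-router topology, the choice of R1, R3 and R4 as the cooperating locations, shortest-path routing as the stand-in for the routing state at the identified point in time, and the use of "?" for a cooperating location that could not be queried are all constructed assumptions for illustration.

```python
from collections import defaultdict, deque

# Constructed toy topology (an assumption for this example, not from the patent):
# hosts A..F, routers R1..R4, destination V. Links are bidirectional and packets
# take the shortest path, which stands in for the routing state "at the
# identified point in time".
LINKS = [
    ("A", "R1"), ("B", "R1"), ("R1", "R2"),
    ("C", "R3"), ("D", "R3"), ("R2", "R3"),
    ("E", "R2"), ("R2", "R4"), ("R3", "R4"),
    ("F", "R4"), ("R4", "V"),
]
# Cooperating locations answer truthfully; everything else (R2 and the hosts) is
# non-cooperating and contributes no digit to a signature. Position i of a
# signature corresponds to COOPERATING[i].
COOPERATING = ("R1", "R3", "R4")
SOURCES = ("A", "B", "C", "D", "E", "F")
DESTINATIONS = ("V",)


def build_adjacency(links):
    adj = defaultdict(set)
    for u, v in links:
        adj[u].add(v)
        adj[v].add(u)
    return adj


def route(adj, src, dst):
    """Shortest path by BFS; neighbours are visited in sorted order so the
    tie-break is deterministic. Returns None if dst is unreachable."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in sorted(adj[node]):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


def link_signature(path, cooperating=COOPERATING):
    """Query each cooperating location: '1' if the packet passed through it
    (first predetermined value), '0' if it did not (second predetermined value)."""
    seen = set(path)
    return "".join("1" if loc in seen else "0" for loc in cooperating)


def build_reverse_routing_table(adj, sources=SOURCES, destinations=DESTINATIONS):
    """destination -> {link signature -> block of sources producing it}.
    Sources whose paths to a destination yield identical signatures fall into
    one block, which is the block structure the claims describe."""
    table = defaultdict(lambda: defaultdict(set))
    for dst in destinations:
        for src in sources:
            path = route(adj, src, dst)
            if path is not None:
                table[dst][link_signature(path)].add(src)
    return table


def signature_matches(observed, stored):
    """'?' in the observed signature marks a cooperating location whose answer
    is unavailable (the 'partial information' variant in the abstract)."""
    return len(observed) == len(stored) and all(
        o == "?" or o == s for o, s in zip(observed, stored)
    )


def candidate_origins(table, dst, observed_signature):
    """Union of all source blocks whose stored signature is consistent with what
    the cooperating locations reported. The packet's claimed source address is
    deliberately not an input: it may be spoofed."""
    origins = set()
    for sig, block in table[dst].items():
        if signature_matches(observed_signature, sig):
            origins |= block
    return origins


if __name__ == "__main__":
    adj = build_adjacency(LINKS)
    table = build_reverse_routing_table(adj)
    for sig, block in sorted(table["V"].items()):
        print(f"signature {sig} -> block {sorted(block)}")
    # A packet reaching V carries source address C, but R1 saw it and R3 did not.
    print(sorted(candidate_origins(table, "V", "101")))
    # Same packet, but R1 could not be queried.
    print(sorted(candidate_origins(table, "V", "?01")))
```

Two points the toy makes concrete. First, the resolution of the traceback is bounded by where the cooperating locations sit: E and F reach V along paths that differ only at the non-cooperating router R2, so they produce the same signature and end up in one block, and the spoofed source address plays no part in narrowing it further. Second, the reverse routing table is only valid for the routing state it was computed from, which is why the claims tie every block and signature to an identified point in time; a route change or a cooperating location that starts returning false answers silently invalidates the lookup.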
Specification