Method, apparatus and program for detecting spoofed network traffic

US 8,925,079 B2
Filed: 11/14/2011
Issued: 12/30/2014
Est. Priority Date: 11/14/2011
Status: Active Grant

First Claim

Patent Images

1. A method of detecting spoofed Internet Protocol (IP) traffic directed to a network having a plurality of autonomous systems (AS), comprising:

said network;

receiving an incoming packet through an AS, the incoming packet containing a source IP address and a destination IP address;

acquiring a corresponding source and destination IP address prefixes from the source IP address and destination IP address, respectively;

converting the corresponding source and destination IP address prefixes into a source AS number and a destination AS number;

determining if the incoming packet arrived from an unexpected source based upon the corresponding destination IP address prefix and the converted source and destination AS number using an unexpected pair tuple table generated from network routing information;

generating an alert indicating that the incoming packet is not allowed to enter the network;

generating the unexpected pair tuple table;

generating a list of all paths for each available IP prefix that do not traverse through a protected AS, each AS having a plurality of available IP prefixes, each available IP prefix defining a path;

creating pairs of ASes along each path, each pair including an AS number for a destination AS and a source AS number for a source AS, the destination AS is a potential destination for traffic and the source AS is a potential source for traffic;

appending a corresponding IP prefix from the destination AS to the source AS number and the destination AS number creating a preliminary unexpected tuple;

generating a list of expected paths through the protected AS for each available IP prefix each AS having a plurality of available IP prefixes, each available IP prefix defining a path;

creating pairs of ASes along each path, each pair including an AS number for a destination AS and a source AS number for a source AS, the destination AS is a potential destination for traffic and the source AS is a potential source for traffic;

appending a corresponding IP prefix from the destination AS, to the source AS number and the destination number, creating an expected tuple;

comparing the expected tuple with the preliminary unexpected tuple; and

removing the expected tuple from the preliminary unexpected tuple based upon the comparison, wherein remaining entries in the preliminary unexpected tuple are stored in the unexpected pair tuple.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, an apparatus and a program for detecting spoofed Internet Protocol (IP) traffic directed to a network having a plurality of autonomous systems (AS) is provided. The method comprises receiving an incoming packet through an AS, the incoming packet containing a source IP address and a destination IP address, acquiring a corresponding source and destination IP address prefixes, converting the corresponding source and destination IP address prefixes into a source AS number and a destination AS number, determining if the incoming packet arrived from an unexpected source based upon the corresponding destination IP address prefix and the converted source and destination AS number using an unexpected pair tuple table generated from network routing information and generating an alert indicating that the incoming packet is not allowed to enter the network.

Citations

12 Claims

1. A method of detecting spoofed Internet Protocol (IP) traffic directed to a network having a plurality of autonomous systems (AS), comprising:
- said network;
  
  receiving an incoming packet through an AS, the incoming packet containing a source IP address and a destination IP address;
  
  acquiring a corresponding source and destination IP address prefixes from the source IP address and destination IP address, respectively;
  
  converting the corresponding source and destination IP address prefixes into a source AS number and a destination AS number;
  
  determining if the incoming packet arrived from an unexpected source based upon the corresponding destination IP address prefix and the converted source and destination AS number using an unexpected pair tuple table generated from network routing information;
  
  generating an alert indicating that the incoming packet is not allowed to enter the network;
  
  generating the unexpected pair tuple table;
  
  generating a list of all paths for each available IP prefix that do not traverse through a protected AS, each AS having a plurality of available IP prefixes, each available IP prefix defining a path;
  
  creating pairs of ASes along each path, each pair including an AS number for a destination AS and a source AS number for a source AS, the destination AS is a potential destination for traffic and the source AS is a potential source for traffic;
  
  appending a corresponding IP prefix from the destination AS to the source AS number and the destination AS number creating a preliminary unexpected tuple;
  
  generating a list of expected paths through the protected AS for each available IP prefix each AS having a plurality of available IP prefixes, each available IP prefix defining a path;
  
  creating pairs of ASes along each path, each pair including an AS number for a destination AS and a source AS number for a source AS, the destination AS is a potential destination for traffic and the source AS is a potential source for traffic;
  
  appending a corresponding IP prefix from the destination AS, to the source AS number and the destination number, creating an expected tuple;
  
  comparing the expected tuple with the preliminary unexpected tuple; and
  
  removing the expected tuple from the preliminary unexpected tuple based upon the comparison, wherein remaining entries in the preliminary unexpected tuple are stored in the unexpected pair tuple.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of detecting spoofed Internet Protocol (IP) traffic according to claim 1, wherein the unexpected pair tuple table contains entries of unexpected sources.
  - 3. The method of detecting spoofed Internet Protocol (IP) traffic according to claim 1, wherein the unexpected pair tuple table includes an advertised IP prefix for an AS, an AS number for a destination AS and a source AS number for a source AS, the destination AS is a potential destination for traffic and the source AS is a potential source for traffic.
  - 4. The method of detecting spoofed Internet Protocol (IP) traffic according to claim 3, wherein determining comprises:
    - comparing a destination IP address in the incoming packet with an advertised IP prefix for an AS for each unexpected pair tuple in the unexpected pair tuple table;
      
      comparing the converted source AS number with the source AS number for a source AS for each unexpected pair tuple in the unexpected pair tuple table; and
      
      comparing the converted destination AS number with the destination AS number for a destination AS for each unexpected pair tuple in the unexpected pair tuple table, wherein if all three match, the alert is generated.
  - 5. The method of detecting spoofed Internet Protocol (IP) traffic according to claim 1, wherein the network routing information is information from a border gateway protocol and is based upon available routing paths between ASes.
  - 6. The method of detecting spoofed Internet Protocol (IP) traffic according to claim 1, wherein the converting is based upon a mapping table.
  - 7. The method of detecting spoofed Internet Protocol (IP) traffic according to claim 6, further comprising:
    - creating the mapping table indicating correlations between IP address prefixes and AS numbers by using information from a plurality of data sources.
  - 8. The method of detecting spoofed Internet Protocol (IP) traffic according to claim 7, further comprising:
    - determining if there is a conflict between information from the plurality of data sources.
  - 9. The method of detecting spoofed Internet Protocol (IP) traffic according to claim 8, whereinif there is no conflict between the information from the plurality of data sources, combining the information from the data sources;
    - andif there is a conflict between the information from the plurality of data sources, each of the plurality of data sources is assigning a priority, and the mapping table is created using the information from the data source of the plurality of data sources having a higher priority.
  - 10. The method of detecting spoofed Internet Protocol (IP) traffic according to claim 6, further comprising:
    - updating periodically the mapping table using the information from the plurality of data sources.
  - 11. The method of detecting spoofed Internet Protocol (IP) traffic according to claim 1, further comprising:
    - updating periodically the unexpected pair tuple table using network routing information.

12. A non-transitory computer readable storage medium having a program of instructions which cause a computer to execute a method of detecting spoofed Internet Protocol (IP) traffic directed to a network having a plurality of autonomous systems (AS), comprisingacquiring source and destination IP address prefixes from a source IP address and destination IP address, respectively, from a received incoming packet through an AS;
- converting the source and destination IP address prefixes into a source AS number and a destination AS number;
  
  determining if the incoming packet arrived from an unexpected source based upon the destination IP address prefix and the converted source and destination AS number using an unexpected pair tuple table generated from network routing information;
  
  generating an alert indicating that the incoming packet is not allowed to enter the network;
  
  generating the unexpected pair tuple table;
  
  generating a list of all paths for each available IP prefix that do not traverse through a protected AS, each AS having a plurality of available IP prefixes, each available IP prefix defining a path;
  
  creating pairs of ASes along each path, each pair including an AS number for a destination AS and a source AS number for a source AS, the destination AS is a potential destination for traffic and the source AS is a potential source for traffic;
  
  appending a corresponding IP prefix from the destination AS to the source AS number and the destination AS number creating a preliminary unexpected tuple;
  
  generating a list of expected paths through the protected AS for each available IP prefix each AS having a plurality of available IP prefixes, each available IP prefix defining a path;
  
  creating pairs of ASes along each path, each pair including an AS number for a destination AS and a source AS number for a source AS, the destination AS is a potential destination for traffic and the source AS is a potential source for traffic;
  
  appending a corresponding IP prefix from the destination AS, to the source AS number and the destination number, creating an expected tuple;
  
  comparing the expected tuple with the preliminary unexpected tuple; and
  
  removing the expected tuple from the preliminary unexpected tuple based upon the comparison, wherein remaining entries in the preliminary unexpected tuple are stored in the unexpected pair tuple.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
KDDI Corporation, Telcordia Technologies Incorporated (Telefonaktiebolaget LM Ericsson)
Original Assignee
KDDI Corporation, Telcordia Technologies Incorporated (Telefonaktiebolaget LM Ericsson)
Inventors
Vaidyanathan, Ravichander, Ghosh, Abhrajit, Naidu, Aditya, Yamada, Akira, Kubota, Ayumu, Sawaya, Yukiko, Miyake, Yutaka
Primary Examiner(s)
KIM, TAE K

Application Number

US13/295,553
Publication Number

US 20130125235A1
Time in Patent Office

1,142 Days
Field of Search

726 22- 23, 709223-225
US Class Current

726/23
CPC Class Codes

G06F 21/00 Security arrangements for p...

H04L 63/1466 Active attacks involving in...

Method, apparatus and program for detecting spoofed network traffic

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Method, apparatus and program for detecting spoofed network traffic

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links