Method, apparatus and program for detecting spoofed network traffic
First Claim
1. A method of detecting spoofed Internet Protocol (IP) traffic directed to a network having a plurality of autonomous systems (AS), comprising:
- said network;
receiving an incoming packet through an AS, the incoming packet containing a source IP address and a destination IP address;
acquiring a corresponding source and destination IP address prefixes from the source IP address and destination IP address, respectively;
converting the corresponding source and destination IP address prefixes into a source AS number and a destination AS number;
determining if the incoming packet arrived from an unexpected source based upon the corresponding destination IP address prefix and the converted source and destination AS number using an unexpected pair tuple table generated from network routing information;
generating an alert indicating that the incoming packet is not allowed to enter the network;
generating the unexpected pair tuple table;
generating a list of all paths for each available IP prefix that do not traverse through a protected AS, each AS having a plurality of available IP prefixes, each available IP prefix defining a path;
creating pairs of ASes along each path, each pair including an AS number for a destination AS and a source AS number for a source AS, the destination AS is a potential destination for traffic and the source AS is a potential source for traffic;
appending a corresponding IP prefix from the destination AS to the source AS number and the destination AS number creating a preliminary unexpected tuple;
generating a list of expected paths through the protected AS for each available IP prefix each AS having a plurality of available IP prefixes, each available IP prefix defining a path;
creating pairs of ASes along each path, each pair including an AS number for a destination AS and a source AS number for a source AS, the destination AS is a potential destination for traffic and the source AS is a potential source for traffic;
appending a corresponding IP prefix from the destination AS, to the source AS number and the destination number, creating an expected tuple;
comparing the expected tuple with the preliminary unexpected tuple; and
removing the expected tuple from the preliminary unexpected tuple based upon the comparison, wherein remaining entries in the preliminary unexpected tuple are stored in the unexpected pair tuple.
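The table generation and packet lookup recited in the claim can be followed in a short Python sketch. This is an added example, not code from the patent: the AS numbers, prefixes and paths are constructed, the function names are hypothetical, and it assumes that "creating pairs of ASes along each path" means pairing every AS on a path with the path's last (destination) AS.

```python
import ipaddress

PROTECTED_AS = 64500  # constructed private-use ASN standing in for the protected AS

# Constructed routing data: destination prefix -> AS paths, destination (origin) AS last.
PATHS = {
    "10.10.0.0/16": [[64520, 64500, 64510], [64530, 64500, 64510], [64530, 64510]],
    "10.20.0.0/16": [[64510, 64500, 64520], [64530, 64520]],
    "10.30.0.0/16": [[64510, 64530], [64520, 64530]],
}

def tuples_for(prefix, path):
    """Assumption: pair every AS on the path with the path's destination AS."""
    dst_as = path[-1]
    return {(src_as, dst_as, prefix) for src_as in path[:-1]}

def build_unexpected_table(paths, protected_as):
    """Preliminary unexpected tuples minus expected tuples, as in the claim."""
    preliminary, expected = set(), set()
    for prefix, as_paths in paths.items():
        for path in as_paths:
            # Paths through the protected AS are expected; all others are not.
            bucket = expected if protected_as in path else preliminary
            bucket.update(tuples_for(prefix, path))
    return preliminary - expected

def prefix_and_as(ip, paths):
    """Longest-prefix match for ip; returns (prefix, origin AS) or None."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in map(ipaddress.ip_network, paths) if addr in n]
    if not hits:
        return None
    best = str(max(hits, key=lambda n: n.prefixlen))
    return best, paths[best][0][-1]

def check_packet(src_ip, dst_ip, table, paths):
    """Return an alert string if (src AS, dst AS, dst prefix) is in the table."""
    src, dst = prefix_and_as(src_ip, paths), prefix_and_as(dst_ip, paths)
    if src is None or dst is None:
        return None  # no routing data for one end, so the table lookup does not apply
    key = (src[1], dst[1], dst[0])
    if key in table:
        return f"ALERT: AS{key[0]} is an unexpected source for {key[2]} (AS{key[1]})"
    return None

if __name__ == "__main__":
    table = build_unexpected_table(PATHS, PROTECTED_AS)
    for src, dst in [("10.30.1.5", "10.20.9.9"), ("10.10.1.1", "10.20.9.9")]:
        print(src, "->", dst, ":", check_packet(src, dst, table, PATHS))
```

The tuple (64530, 64510, 10.10.0.0/16) appears on both a path through the protected AS and a path around it, so the removal step drops it from the table and traffic matching it raises no alert.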
Abstract
A method, an apparatus and a program for detecting spoofed Internet Protocol (IP) traffic directed to a network having a plurality of autonomous systems (AS) is provided. The method comprises receiving an incoming packet through an AS, the incoming packet containing a source IP address and a destination IP address, acquiring a corresponding source and destination IP address prefixes, converting the corresponding source and destination IP address prefixes into a source AS number and a destination AS number, determining if the incoming packet arrived from an unexpected source based upon the corresponding destination IP address prefix and the converted source and destination AS number using an unexpected pair tuple table generated from network routing information and generating an alert indicating that the incoming packet is not allowed to enter the network.
12 Claims
12. A non-transitory computer readable storage medium having a program of instructions which cause a computer to execute a method of detecting spoofed Internet Protocol (IP) traffic directed to a network having a plurality of autonomous systems (AS), comprising:
acquiring source and destination IP address prefixes from a source IP address and destination IP address, respectively, from a received incoming packet through an AS;
converting the source and destination IP address prefixes into a source AS number and a destination AS number;
determining if the incoming packet arrived from an unexpected source based upon the destination IP address prefix and the converted source and destination AS number using an unexpected pair tuple table generated from network routing information;
generating an alert indicating that the incoming packet is not allowed to enter the network;
generating the unexpected pair tuple table;
generating a list of all paths for each available IP prefix that do not traverse through a protected AS, each AS having a plurality of available IP prefixes, each available IP prefix defining a path;
creating pairs of ASes along each path, each pair including an AS number for a destination AS and a source AS number for a source AS, the destination AS is a potential destination for traffic and the source AS is a potential source for traffic;
appending a corresponding IP prefix from the destination AS to the source AS number and the destination AS number creating a preliminary unexpected tuple;
generating a list of expected paths through the protected AS for each available IP prefix each AS having a plurality of available IP prefixes, each available IP prefix defining a path;
creating pairs of ASes along each path, each pair including an AS number for a destination AS and a source AS number for a source AS, the destination AS is a potential destination for traffic and the source AS is a potential source for traffic;
appending a corresponding IP prefix from the destination AS, to the source AS number and the destination number, creating an expected tuple;
comparing the expected tuple with the preliminary unexpected tuple; and
removing the expected tuple from the preliminary unexpected tuple based upon the comparison, wherein remaining entries in the preliminary unexpected tuple are stored in the unexpected pair tuple.
Specification