Automatic filtering to prevent network attacks
First Claim
1. A method comprising:
receiving, in a network router, a packet via an interface having an interface designation that indicates the interface is connected to a device not within a local network to which the router belongs;
accessing a data structure to identify a type of route associated with the packet, wherein the type of the route specifies an interior or exterior type of a routing protocol by which the route was learned by the network router; and
automatically dropping the packet when the route associated with the packet is an internal route to a destination within the local network that was learned by the network router using an interior routing protocol.
Abstract
Techniques are described for preventing network attacks. More specifically, the techniques involve classification of routes based on the network protocol from which the routes were learned, and filtering of packets based on the classification. A network device, for example, is described that includes interface cards to receive routing information via one or more routing protocols, wherein the routing information defines network routes. The network device further includes a control unit to classify the routes based on the routing protocol by which the routes were received, and to selectively forward packets associated with the routes based on the classification of the routes. Edge routers within a service provider network, for example, may classify routes as either "internal" or "external" based on the protocols from which the routes were learned, and automatically filter packets to prevent network attacks using the techniques.
19 Claims
1. A method comprising:
receiving, in a network router, a packet via an interface having an interface designation that indicates the interface is connected to a device not within a local network to which the router belongs; accessing a data structure to identify a type of route associated with the packet, wherein the type of the route specifies an interior or exterior type of a routing protocol by which the route was learned by the network router; and automatically dropping the packet when the route associated with the packet is an internal route to a destination within the local network that was learned by the network router using an interior routing protocol. (Dependent claims: 2, 3, 4, 5, 6, 13, 14)
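The forwarding decision described in the abstract and in independent claims 1, 7 and 15, as an added Python example; this is not code from the patent or from its assignee. The grouping of protocols into interior (OSPF, IS-IS, RIP) and exterior (BGP), the interface names, prefixes and next hops are all constructed for the example; the page itself only distinguishes "interior" from "exterior" routing protocols without naming any.

```python
"""Route-classification packet filter (added illustration, not the patent's code).

Routes are tagged "internal" or "external" from the protocol they were learned
by; a packet arriving on an interface designated as facing a device outside the
local network is dropped when its best route is internal.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Assumption for this example: which protocols count as interior/exterior.
INTERIOR_PROTOCOLS = frozenset({"ospf", "isis", "rip"})
EXTERIOR_PROTOCOLS = frozenset({"bgp"})


@dataclass(frozen=True)
class Route:
    prefix: IPNetwork
    protocol: str   # routing protocol the route was learned from
    next_hop: str

    @property
    def route_type(self) -> str:
        """Classify the route from the protocol it was learned by."""
        if self.protocol in INTERIOR_PROTOCOLS:
            return "internal"
        if self.protocol in EXTERIOR_PROTOCOLS:
            return "external"
        raise ValueError(f"unclassified protocol: {self.protocol}")


@dataclass(frozen=True)
class Interface:
    name: str
    # Interface designation from the claim: True when the attached device is
    # not within the local network (customer- or peer-facing port).
    external: bool


class RoutingTable:
    """The data structure of claim 1: routes plus their protocol-derived type."""

    def __init__(self, routes: Iterable[Route]):
        self._routes = list(routes)
        for r in self._routes:
            _ = r.route_type   # fail fast on a protocol we cannot classify

    def lookup(self, dst) -> Optional[Route]:
        """Longest-prefix match for a destination address."""
        candidates = [r for r in self._routes
                      if r.prefix.version == dst.version and dst in r.prefix]
        if not candidates:
            return None
        return max(candidates, key=lambda r: r.prefix.prefixlen)


def forwarding_decision(rib: RoutingTable, ingress: Interface, dst_ip: str) -> str:
    """Return "forward", "drop" or "no-route" for one packet.

    The filter of claim 1: a packet received on an external-designated
    interface whose best route is an internal route (learned by an interior
    protocol) is dropped automatically; everything else is forwarded normally.
    """
    route = rib.lookup(ipaddress.ip_address(dst_ip))
    if route is None:
        return "no-route"
    if ingress.external and route.route_type == "internal":
        return "drop"
    return "forward"


# Constructed sample RIB of a provider edge router.
SAMPLE_RIB = RoutingTable([
    Route(ipaddress.ip_network("10.0.0.0/16"), "ospf", "10.0.0.2"),        # backbone links
    Route(ipaddress.ip_network("10.0.1.1/32"), "isis", "10.0.0.2"),        # core router loopback
    Route(ipaddress.ip_network("203.0.113.0/24"), "bgp", "203.0.113.1"),   # customer prefix
    Route(ipaddress.ip_network("0.0.0.0/0"), "bgp", "198.51.100.1"),       # upstream default
])
CUSTOMER_PORT = Interface("ext0", external=True)    # constructed names
CORE_PORT = Interface("core0", external=False)

if __name__ == "__main__":
    for iface, dst in [(CUSTOMER_PORT, "10.0.1.1"), (CUSTOMER_PORT, "203.0.113.9"),
                       (CUSTOMER_PORT, "192.0.2.1"), (CORE_PORT, "10.0.1.1")]:
        print(f"{iface.name:6} -> {dst:14} {forwarding_decision(SAMPLE_RIB, iface, dst)}")
```

Two practical caveats follow from the design. The protection is only as good as the two inputs: an interface wrongly left without the external designation lets an outside peer reach infrastructure addresses, and an internal prefix that happens to be advertised into BGP is classified external and passes. Because the decision is taken on the best (longest-prefix) route, a BGP-learned default lets packets for unknown destinations through as external traffic, while a more specific IGP route inside any external aggregate is still dropped.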
7. A network router comprising:
an interface card that is connected to a device not within a local network to which the router belongs, wherein the interface card receives a packet from the device not within the local network; a control unit that accesses a data structure to identify a type of route associated with the received packet, wherein the type of the route specifies whether the route was learned by the network router by an interior routing protocol or an exterior routing protocol, and wherein the control unit automatically drops the packet when the route associated with the packet is an internal route to a destination within the local network that was learned by the network router using an interior routing protocol. (Dependent claims: 8, 9, 10, 11, 12)
15. A non-transitory computer-readable storage medium comprising instructions that cause a programmable processor to:
receive a packet via an interface having an interface designation that indicates the interface is connected to a device not within a local network to which the router belongs; access a data structure to identify a type of route associated with the packet, wherein the type of the route specifies an interior or exterior type of a routing protocol by which the route was learned by the network router; and automatically drop the packet when the route associated with the packet is an internal route to a destination within the local network that is learned using an interior routing protocol. (Dependent claims: 16, 17, 18, 19)
Specification