Automatic filtering to prevent network attacks

US 8,949,458 B1
Filed: 05/23/2008
Issued: 02/03/2015
Est. Priority Date: 02/07/2003
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, in a network router, a packet via an interface having an interface designation that indicates the interface is connected to a device not within a local network to which the router belongs;

accessing a data structure to identify a type of route associated with the packet, wherein the type of the route specifies an interior or exterior type of a routing protocol by which the route was learned by the network router; and

automatically dropping the packet when the route associated with the packet is an internal route to a destination within the local network that was learned by the network router using an interior routing protocol.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are described for preventing network attacks. More specifically, the techniques involve classification of routes based on the network protocol from which the routes were learned, and filtering of packets based on the classification. A network device, for example, is described that includes interface cards to receive routing information via one or more routing protocols, wherein the routing information defines network routes. The network device further includes a control unit to classify the routes based the routing protocol by which the routes were received, and selectively forward packets associated with the routes based on the classification of the routes. Edge routers within a service provider network, for example, may classify routes as either “internal” or “external” based on the protocols from which the routes were learned, and automatically filter packets to prevent network attacks using the techniques.

Citations

19 Claims

1. A method comprising:
- receiving, in a network router, a packet via an interface having an interface designation that indicates the interface is connected to a device not within a local network to which the router belongs;
  
  accessing a data structure to identify a type of route associated with the packet, wherein the type of the route specifies an interior or exterior type of a routing protocol by which the route was learned by the network router; and
  
  automatically dropping the packet when the route associated with the packet is an internal route to a destination within the local network that was learned by the network router using an interior routing protocol.
- View Dependent Claims (2, 3, 4, 5, 6, 13, 14)
- - 2. The method of claim 1, further comprising:
    - receiving, in a network router, routing information communicated by one or more routing protocols, wherein the routing information defines network routes;
      
      designating, within the data structure, network routes learned via the interior routing protocol for the local network to which the network router belongs as internal routes and network routes learned via an exterior routing protocol as external routes.
  - 3. The method of claim 2, further comprising designating at least one network route learned via the interior routing protocol as an external route.
  - 4. The method of claim 1, further comprising forwarding the packet via the route associated with the packet when the route associated with the packet is an external route learned using an exterior routing protocol.
  - 5. The method of claim 1, wherein the packet comprises a first packet and the interface comprises a first interface, the method further comprising:
    - receiving, in the network router, a second packet via a second interface having an interface designation that indicates the second interface is connected to a device within the local network to which the router belongs; and
      
      forwarding the second packet via a route associated with the second packet.
  - 6. The method of claim 1, further comprising automatically dropping the packet without requiring manual configuration of one or more filters.
  - 13. The non-transitory computer-readable storage medium of claim 1, wherein the packet comprises a first packet and the interface comprises a first interface, the computer-readable storage medium further comprising instructions that cause the processor to:
    - receive a second packet via a second interface having an interface designation that indicates the second interface is connected to a device within the local network to which the router belongs; and
      
      forward the second packet via a route associated with the second packet.
  - 14. The method of claim 1, further comprising automatically dropping the packet without requiring application of complex, destination-specific filters.

7. A network router comprising:
- an interface card that is connected to a device not within a local network to which the router belongs, wherein the interface card receives a packet from the device not within the local network;
  
  a control unit that accesses a data structure to identify a type of route associated with the received packet, wherein the type of the route specifies whether the route was learned by the network router by an interior routing protocol or an exterior, and wherein the control unit automatically drops the packet when the route associated with the packet is an internal route to a destination within the local network that was learned by the network router using an interior routing protocol.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The router of claim 7, wherein the control unit receives routing information that defines network routes communicated by one or more routing protocols and designates network routes learned via the interior routing protocol for the local network to which the network router belongs as internal routes and network routes learned via an exterior routing protocol as external routes.
  - 9. The router of claim 8, wherein the control unit designates at least one network route learned via the interior routing protocol as an external route.
  - 10. The router of claim 7, wherein the control unit forwards the packet via the route associated with the packet when the route associated with the packet is an external route learned using an exterior routing protocol.
  - 11. The router of claim 7, wherein the packet comprises a first packet and the interface card comprises a first interface card, the router further comprising a second interface card that is connected to a device within the local network, wherein:
    - the second interface card receives a second packet from the device within the local network; and
      
      the control unit forwards the second packet via a route associated with the second packet.
  - 12. The router of claim 7, wherein the control unit automatically drops the packet without requiring manual configuration of one or more filters.

15. A non-transitory computer-readable storage medium comprising instructions that cause a programmable processor to:
- receive a packet via an interface having an interface designation that indicates the interface is connected to a device not within a local network to which the router belongs;
  
  access a data structure to identify a type of route associated with the packet, wherein the type of the route specifies an interior or exterior type of a routing protocol by which the route was learned by the network router; and
  
  automatically drop the packet when the route associated with the packet is an internal route to a destination within the local network that is learned using an interior iif4eia1 routing protocol.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The non-transitory computer-readable storage medium of claim 15, further comprising instructions that cause the processor to:
    - receive routing information communicated by one or more routing protocols, wherein the routing information defines network routes;
      
      designate, within the data structure, network routes learned via the interior routing protocol for the local network to which the network router belongs as internal routes and network routes learned via an exterior routing protocol as external routes.
  - 17. The non-transitory computer-readable storage medium of claim 16, further comprising instructions that cause the processor to designate at least one network route learned via the interior routing protocol as an external route.
  - 18. The non-transitory computer-readable storage medium of claim 15, further comprising instructions that cause the processor to forward the packet via the route associated with the packet when the route associated with the packet is an external route learned using an exterior routing protocol.
  - 19. The non-transitory computer-readable storage medium of claim 15, further comprising instructions that cause the processor to automatically drop fi4ef the packet without requiring manual configuration of one or more filters.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Rijsman, Bruno
Primary Examiner(s)
Ibrahim, Mohamed

Application Number

US12/125,997
Time in Patent Office

2,447 Days
Field of Search

709/224, 709/229, 709/238
US Class Current

709/238
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/1441 Countermeasures against mal...

Automatic filtering to prevent network attacks

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic filtering to prevent network attacks

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links