Protecting networks from cyber attacks and overloading

US 9,094,445 B2
Filed: 03/15/2013
Issued: 07/28/2015
Est. Priority Date: 03/15/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

at each packet-filtering device of a plurality of packet-filtering devices interfacing a plurality of different autonomous system networks;

receiving, via a communication interface of the packet-filtering device, a plurality of packets;

responsive to a determination, by at least one processor of the packet-filtering device, that a network-overload condition impacting effective transmission capacity at a peering point interfacing two of the plurality of different autonomous system networks has occurred, applying, by the packet-filtering device and to at least some of the plurality of packets, a first group of packet-filtering rules stored in a memory of the packet-filtering device, the first group of packet-filtering rules comprising at least one five-tuple indicating a first set of packets that should be allowed to continue via the peering point toward their respective destinations, wherein applying the first group of packet-filtering rules comprises allowing at least a first portion of the plurality of packets, comprising packets that fall within the first set of packets, to continue via the peering point toward their respective destinations;

responsive to a determination, by the at least one processor, that the network-overload condition has been mitigated to a first degree, applying, by the packet-filtering device and to at least some of the plurality of packets, a second group of packet-filtering rules stored in the memory, the second group of packet-filtering rules comprising at least one five-tuple indicating a second set of packets that should be allowed to continue via the peering point toward their respective destinations, wherein applying the second group of packet-filtering rules comprises allowing at least a second portion of the plurality of packets, comprising packets that fall within the second set of packets, to continue via the peering point toward their respective destinations; and

responsive to a determination, by the at least one processor, that the network-overload condition has been mitigated to a second degree, applying, by the packet-filtering device and to at least some of the plurality of packets, a third group of packet-filtering rules stored in the memory, the third group of packet-filtering rules comprising at least one five-tuple indicating a third set of packets that should be allowed to continue via the peering point toward their respective destinations, wherein applying the third group of packet-filtering rules comprises allowing at least a third portion of the plurality of packets, comprising packets that fall within the third set of packets, to continue via the peering point toward their respective destinations, the second group of packet-filtering rules being less restrictive than the first group of packet-filtering rules, the third group of packet-filtering rules being less restrictive than the second group of packet-filtering rules, the second portion of the plurality of packets comprising more packets than the first portion of the plurality of packets, the third portion of the plurality of packets comprising more packets than the second portion of the plurality of packets, and the second degree comprising a greater degree of mitigation of the network-overload condition than the first degree.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Packets may be received by a packet security gateway. Responsive to a determination that an overload condition has occurred in one or more networks associated with the packet security gateway, a first group of packet filtering rules may be applied to at least some of the packets. Applying the first group of packet filtering rules may include allowing at least a first portion of the packets to continue toward their respective destinations. Responsive to a determination that the overload condition has been mitigated, a second group of packet filtering rules may be applied to at least some of the packets. Applying the second group of packet filtering rules may include allowing at least a second portion of the packets to continue toward their respective destinations.

120 Citations

View as Search Results

20 Claims

1. A method comprising:
- at each packet-filtering device of a plurality of packet-filtering devices interfacing a plurality of different autonomous system networks;
  
  receiving, via a communication interface of the packet-filtering device, a plurality of packets;
  
  responsive to a determination, by at least one processor of the packet-filtering device, that a network-overload condition impacting effective transmission capacity at a peering point interfacing two of the plurality of different autonomous system networks has occurred, applying, by the packet-filtering device and to at least some of the plurality of packets, a first group of packet-filtering rules stored in a memory of the packet-filtering device, the first group of packet-filtering rules comprising at least one five-tuple indicating a first set of packets that should be allowed to continue via the peering point toward their respective destinations, wherein applying the first group of packet-filtering rules comprises allowing at least a first portion of the plurality of packets, comprising packets that fall within the first set of packets, to continue via the peering point toward their respective destinations;
  
  responsive to a determination, by the at least one processor, that the network-overload condition has been mitigated to a first degree, applying, by the packet-filtering device and to at least some of the plurality of packets, a second group of packet-filtering rules stored in the memory, the second group of packet-filtering rules comprising at least one five-tuple indicating a second set of packets that should be allowed to continue via the peering point toward their respective destinations, wherein applying the second group of packet-filtering rules comprises allowing at least a second portion of the plurality of packets, comprising packets that fall within the second set of packets, to continue via the peering point toward their respective destinations; and
  
  responsive to a determination, by the at least one processor, that the network-overload condition has been mitigated to a second degree, applying, by the packet-filtering device and to at least some of the plurality of packets, a third group of packet-filtering rules stored in the memory, the third group of packet-filtering rules comprising at least one five-tuple indicating a third set of packets that should be allowed to continue via the peering point toward their respective destinations, wherein applying the third group of packet-filtering rules comprises allowing at least a third portion of the plurality of packets, comprising packets that fall within the third set of packets, to continue via the peering point toward their respective destinations, the second group of packet-filtering rules being less restrictive than the first group of packet-filtering rules, the third group of packet-filtering rules being less restrictive than the second group of packet-filtering rules, the second portion of the plurality of packets comprising more packets than the first portion of the plurality of packets, the third portion of the plurality of packets comprising more packets than the second portion of the plurality of packets, and the second degree comprising a greater degree of mitigation of the network-overload condition than the first degree.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein:
    - applying the first group of packet-filtering rules comprises identifying, from amongst the plurality of packets, a set of packets comprising gateway protocol data for the two of the plurality of different autonomous system networks;
      
      the at least one five-tuple indicating the first set of packets that should be allowed to continue via the peering point toward their respective destinations indicates that the set of packets comprising the gateway protocol data for the two of the plurality of different autonomous system networks should be allowed to continue via the peering point toward their respective destinations; and
      
      applying the first group of packet-filtering rules comprises allowing the set of packets comprising the gateway protocol data for the two of the plurality of different autonomous system networks to continue via the peering point toward their respective destinations.
  - 3. The method of claim 2, wherein identifying the set of packets comprising the gateway protocol data for the two of the plurality of different autonomous system networks comprises identifying one or more packets comprising border gateway protocol (BGP) data associated with the peering point.
  - 4. The method of claim 1, wherein:
    - applying the first group of packet-filtering rules comprises identifying, from amongst the plurality of packets, a set of packets comprising at least one of domain name system (DNS) data or network time protocol (NTP) data;
      
      the at least one five-tuple indicating the first set of packets that should be allowed to continue via the peering point toward their respective destinations indicates that the set of packets comprising the at least one of the DNS data or the NTP data should be allowed to continue via the peering point toward their respective destinations; and
      
      applying the first group of packet-filtering rules comprises allowing the set of packets comprising the at least one of the DNS data or the NTP data to continue via the peering point toward their respective destinations.
  - 5. The method of claim 1, wherein:
    - applying the second group of packet-filtering rules comprises identifying, from amongst the plurality of packets, a set of packets comprising at least one of telephony data, web-based-service data, or text-messaging data associated with at least one of a first-responder network address, a government network address, a military network address, or a critical-infrastructure network address;
      
      the at least one five-tuple indicating the second set of packets that should be allowed to continue via the peering point toward their respective destinations indicates that the set of packets comprising the at least one of the telephony data, the web-based-service data, or the text-messaging data associated with the at least one of the first-responder network address, the government network address, the military network address, or the critical-infrastructure network address should be allowed to continue via the peering point toward their respective destinations; and
      
      applying the second group of packet-filtering rules comprises allowing the set of packets comprising the at least one of the telephony data, the web-based-service data, or the text-messaging data associated with the at least one of the first-responder network address, the government network address, the military network address, or the critical-infrastructure network address to continue via the peering point toward their respective destinations.
  - 6. The method of claim 1, further comprising provisioning, by a computing system associated with at least one of the two of the plurality of different autonomous system networks, each of the plurality of packet-filtering devices with a packet-filtering policy comprising the first group of packet-filtering rules, the second group of packet-filtering rules, and the third group of packet-filtering rules.
  - 7. The method of claim 6, further comprising determining, by each of the plurality of packet-filtering devices and based on data received from the computing system associated with the at least one of the two of the plurality of different autonomous system networks, that the network-overload condition has occurred, that the network-overload condition has been mitigated to the first degree, and that the network-overload condition has been mitigated to the second degree.

8. A system comprising:
- a plurality of packet-filtering devices configured to interface a plurality of different autonomous system networks, wherein each packet-filtering device of the plurality of packet-filtering devices comprises;
  
  at least one processor;
  
  a communication interface; and
  
  a memory comprising instructions that when executed by the at least one processor cause the packet-filtering device to;
  
  receive, via the communication interface, a plurality of packets;
  
  responsive to a determination, by the at least one processor, that a network-overload condition impacting effective transmission capacity at a peering point interfacing two of the plurality of different autonomous systems networks has occurred;
  
  apply, to at least some of the plurality of packets, a first group of packet-filtering rules stored in the memory, the first group of packet-filtering rules comprising at least one five-tuple indicating a first set of packets that should be allowed to continue via the peering point toward their respective destinations; and
  
  allow at least a first portion of the plurality of packets, comprising packets that fall within the first set of packets, to continue via the peering point toward their respective destinations;
  
  responsive to a determination, by the at least one processor, that the network-overload condition has been mitigated to a first degree;
  
  apply, to at least some of the plurality of packets, a second group of packet-filtering rules stored in the memory, the second group of packet-filtering rules comprising at least one five-tuple indicating a second set of packets that should be allowed to continue via the peering point toward their respective destinations; and
  
  allow at least a second portion of the plurality of packets, comprising packets that fall within the second set of packets, to continue via the peering point toward their respective destinations; and
  
  responsive to a determination, by the at least one processor, that the network-overload condition has been mitigated to a second degree;
  
  apply, to at least some of the plurality of packets, a third group of packet-filtering rules stored in the memory, the third group of packet-filtering rules comprising at least one five-tuple indicating a third set of packets that should be allowed to continue via the peering point toward their respective destinations; and
  
  allow at least a third portion of the plurality of packets, comprising packets that fall within the third set of packets, to continue via the peering point toward their respective destinations, the second group of packet-filtering rules being less restrictive than the first group of packet-filtering rules, the third group of packet-filtering rules being less restrictive than the second group of packet-filtering rules, the second portion of the plurality of packets comprising more packets than the first portion of the plurality of packets, the third portion of the plurality of packets comprising more packets than the second portion of the plurality of packets, and the second degree comprising a greater degree of mitigation of the network-overload condition than the first degree.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the at least one five-tuple indicating the first set of packets that should be allowed to continue via the peering point toward their respective destinations indicates that a set of packets comprising gateway protocol data for the two of the plurality of different autonomous system networks should be allowed to continue via the peering point toward their respective destinations, and wherein the instructions, when executed by the at least one processor, cause the packet-filtering device to:
    - identify, from amongst the plurality of packets, the set of packets comprising the gateway protocol data for the two of the plurality of different autonomous system networks; and
      
      allow the set of packets comprising the gateway protocol data for the two of the plurality of different autonomous system networks to continue via the peering point toward their respective destinations.
  - 10. The system of claim 9, wherein the set of packets comprising the gateway protocol data for the two of the plurality of different autonomous system networks comprises border gateway protocol (BGP) data associated with the peering point, and wherein the instructions, when executed by the at least one processor, cause the packet-filtering device to identify, based on the BGP data associated with the peering point, the set of packets comprising the gateway protocol data for the two of the plurality of different autonomous system networks.
  - 11. The system of claim 8, wherein the at least one five-tuple indicating the first set of packets that should be allowed to continue via the peering point toward their respective destinations indicates that a set of packets comprising at least one of domain name system (DNS) data or network time protocol (NTP) data should be allowed to continue via the peering point toward their respective destinations, and wherein the instructions, when executed by the at least one processor, cause the packet-filtering device to:
    - identify, from amongst the plurality of packets, the set of packets comprising the at least one of the DNS data or the NTP data; and
      
      allow the set of packets comprising the at least one of the DNS data or the NTP data to continue via the peering point toward their respective destinations.
  - 12. The system of claim 8, wherein the at least one five-tuple indicating the second set of packets that should be allowed to continue via the peering point toward their respective destinations indicates that a set of packets comprising at least one of telephony data, web-based-service data, or text-messaging data associated with at least one of a first-responder network address, a government network address, a military network address, or a critical-infrastructure network address should be allowed to continue via the peering point toward their respective destinations, and wherein the instructions, when executed by the at least one processor, cause the packet-filtering device to:
    - identify, from amongst the plurality of packets, the set of packets comprising the at least one of the telephony data, the web-based-service data, or the text-messaging data associated with the at least one of the first-responder network address, the government network address, the military network address, or the critical-infrastructure network address; and
      
      allow the set of packets comprising the at least one of the telephony data, the web-based-service data, or the text-messaging data associated with the at least one of the first-responder network address, the government network address, the military network address, or the critical-infrastructure network address to continue via the peering point toward their respective destinations.
  - 13. The system of claim 8, further comprising a computing system associated with at least one of the two of the plurality of different autonomous system networks and configured to provision each of the plurality of packet-filtering devices with a packet-filtering policy comprising the first group of packet-filtering rules, the second group of packet-filtering rules, and the third group of packet-filtering rules.
  - 14. The system of claim 13, wherein the instructions, when executed by the at least one processor, cause the packet-filtering device to determine, based on data received from the computing system associated with the at least one of the two of the plurality of different autonomous system networks, that the network-overload condition has occurred, that the network-overload condition has been mitigated to the first degree, and that the network-overload condition has been mitigated to the second degree.

15. One or more non-transitory computer-readable media comprising instructions that when executed by each packet-filtering device of a plurality of packet-filtering devices interfacing a plurality of different autonomous system networks cause the packet-filtering device to:
- receive a plurality of packets;
  
  responsive to a determination that a network-overload condition impacting effective transmission capacity at a peering point interfacing two of the plurality of different autonomous systems networks has occurred;
  
  apply, to at least some of the plurality of packets, a first group of packet-filtering rules, the first group of packet-filtering rules comprising at least one five-tuple indicating a first set of packets that should be allowed to continue via the peering point toward their respective destinations; and
  
  allow at least a first portion of the plurality of packets, comprising packets that fall within the first set of packets, to continue via the peering point toward their respective destinations;
  
  responsive to a determination that the network-overload condition has been mitigated to a first degree;
  
  apply, to at least some of the plurality of packets, a second group of packet-filtering rules, the second group of packet-filtering rules comprising at least one five-tuple indicating a second set of packets that should be allowed to continue via the peering point toward their respective destinations; and
  
  allow at least a second portion of the plurality of packets, comprising packets that fall within the second set of packets, to continue via the peering point toward their respective destinations; and
  
  responsive to a determination that the network-overload condition has been mitigated to a second degree;
  
  apply, to at least some of the plurality of packets, a third group of packet-filtering rules, the third group of packet-filtering rules comprising at least one five-tuple indicating a third set of packets that should be allowed to continue via the peering point toward their respective destinations; and
  
  allow at least a third portion of the plurality of packets, comprising packets that fall within the third set of packets, to continue via the peering point toward their respective destinations, the second group of packet-filtering rules being less restrictive than the first group of packet-filtering rules, the third group of packet-filtering rules being less restrictive than the second group of packet-filtering rules, the second portion of the plurality of packets comprising more packets than the first portion of the plurality of packets, the third portion of the plurality of packets comprising more packets than the second portion of the plurality of packets, and the second degree comprising a greater degree of mitigation of the network-overload condition than the first degree.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The one or more non-transitory computer-readable media of claim 15, wherein the at least one five-tuple indicating the first set of packets that should be allowed to continue via the peering point toward their respective destinations indicates that a set of packets comprising gateway protocol data for the two of the plurality of different autonomous system networks should be allowed to continue via the peering point toward their respective destinations, and wherein the instructions, when executed by the packet-filtering device, cause the packet-filtering device to:
    - identify, from amongst the plurality of packets, the set of packets comprising the gateway protocol data for the two of the plurality of different autonomous system networks; and
      
      allow the set of packets comprising the gateway protocol data for the two of the plurality of different autonomous system networks to continue via the peering point toward their respective destinations.
  - 17. The one or more non-transitory computer-readable media of claim 16, wherein the set of packets comprising the gateway protocol data for the two of the plurality of different autonomous system networks comprises border gateway protocol (BGP) data associated with the peering point, and wherein the instructions, when executed by the packet-filtering device, cause the packet-filtering device to identify, based on the BGP data associated with the peering point, the set of packets comprising the gateway protocol data for the two of the plurality of different autonomous system networks.
  - 18. The one or more non-transitory computer-readable media of claim 15, wherein the at least one five-tuple indicating the first set of packets that should be allowed to continue via the peering point toward their respective destinations indicates that a set of packets comprising at least one of domain name system (DNS) data or network time protocol (NTP) data should be allowed to continue via the peering point toward their respective destinations, and wherein the instructions, when executed by the packet-filtering device, cause the packet-filtering device to:
    - identify, from amongst the plurality of packets, the set of packets comprising the at least one of the DNS data or the NTP data; and
      
      allow the set of packets comprising the at least one of the DNS data or the NTP data to continue via the peering point toward their respective destinations.
  - 19. The one or more non-transitory computer-readable media of claim 15, wherein the at least one five-tuple indicating the second set of packets that should be allowed to continue via the peering point toward their respective destinations indicates that a set of packets comprising at least one of telephony data, web-based-service data, or text-messaging data associated with at least one of a first-responder network address, a government network address, a military network address, or a critical-infrastructure network address should be allowed to continue via the peering point toward their respective destinations, and wherein the instructions, when executed by the packet-filtering device, cause the packet-filtering device to:
    - identify, from amongst the plurality of packets, the set of packets comprising the at least one of the telephony data, the web-based-service data, or the text-messaging data associated with the at least one of the first-responder network address, the government network address, the military network address, or the critical-infrastructure network address; and
      
      allow the set of packets comprising the at least one of the telephony data, the web-based-service data, or the text-messaging data associated with the at least one of the first-responder network address, the government network address, the military network address, or the critical-infrastructure network address to continue via the peering point toward their respective destinations.
  - 20. The one or more non-transitory computer-readable media of claim 15, wherein the instructions, when executed by the packet-filtering device, cause the packet-filtering device to:
    - receive, from a computing system associated with at least one of the two of the plurality of different autonomous system networks, a packet-filtering policy comprising the first group of packet-filtering rules, the second group of packet-filtering rules, and the third group of packet-filtering rules; and
      
      determine, based on data received from the computing system associated with the at least one of the two of the plurality of different autonomous system networks, that the network-overload condition has occurred, that the network-overload condition has been mitigated to the first degree, and that the network-overload condition has been mitigated to the second degree.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Centripetal Networks, Inc.
Original Assignee
Centripetal Networks, Inc.
Inventors
Moore, Sean, Rogers, Steven, Scoggins, John Daniel Sr.
Primary Examiner(s)
Patel, Ashok
Assistant Examiner(s)
POTRATZ, DANIEL B

Application Number

US13/838,471
Publication Number

US 20140283030A1
Time in Patent Office

865 Days
Field of Search

726/11, 726/13
US Class Current

1/1
CPC Class Codes

H04L 47/11   Identifying congestion

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/0263   Rule management

H04L 63/14   for detecting or protecting...

H04L 63/1408   by monitoring network traff...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

Protecting networks from cyber attacks and overloading

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

120 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting networks from cyber attacks and overloading

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

120 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links