Methods and systems for mitigating attack traffic directed at a network element

US 9,118,707 B2
Filed: 12/14/2012
Issued: 08/25/2015
Est. Priority Date: 12/14/2012
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

identifying, by an attack traffic mitigation system, a range of ports left open by a firewall for a network element to receive, by way of the firewall, network traffic provided by a computing device;

designating, by the attack traffic mitigation system, a subset of one or more ports included in the range of open ports as being included in a legitimate port range configured to receive, by way of the firewall, legitimate network traffic provided by the computing device;

removing, by the attack traffic mitigation system after a predetermined amount of time subsequent to the subset of one or more ports being designated as being included in the legitimate port range, the subset of one or more ports from being included in the legitimate port range;

designating, by the attack traffic mitigation system, a new subset of one or more ports included in the range of open ports as being included in the legitimate port range, wherein the new subset of one or more ports includes at least one port not included in the subset of one or more ports; and

directing, by the attack traffic mitigation system, the network element to drop network traffic provided by the computing device and received by each port included in the range of open ports that is not included in the legitimate port range at a time that the network traffic is received,wherein the designating of the subset of one or more ports as being included in the legitimate port range and the designating of the new subset of one or more ports as being included in the legitimate port range each comprises negotiating with the computing device to select the one or more ports for inclusion in the legitimate port range.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An exemplary method includes an attack traffic mitigation system 1) identifying a range of ports left open by a firewall for a network element to receive network traffic provided by a computing device, 2) designating a subset of one or more ports included in the range of open ports as being included in a legitimate port range configured to receive legitimate network traffic provided by the computing device, and 3) directing the network element to drop network traffic provided by the computing device and received by each port included in the range of open ports that is not included in the legitimate port range. Corresponding methods and systems are also disclosed.

26 Citations

View as Search Results

17 Claims

1. A method comprising:
- identifying, by an attack traffic mitigation system, a range of ports left open by a firewall for a network element to receive, by way of the firewall, network traffic provided by a computing device;
  
  designating, by the attack traffic mitigation system, a subset of one or more ports included in the range of open ports as being included in a legitimate port range configured to receive, by way of the firewall, legitimate network traffic provided by the computing device;
  
  removing, by the attack traffic mitigation system after a predetermined amount of time subsequent to the subset of one or more ports being designated as being included in the legitimate port range, the subset of one or more ports from being included in the legitimate port range;
  
  designating, by the attack traffic mitigation system, a new subset of one or more ports included in the range of open ports as being included in the legitimate port range, wherein the new subset of one or more ports includes at least one port not included in the subset of one or more ports; and
  
  directing, by the attack traffic mitigation system, the network element to drop network traffic provided by the computing device and received by each port included in the range of open ports that is not included in the legitimate port range at a time that the network traffic is received,wherein the designating of the subset of one or more ports as being included in the legitimate port range and the designating of the new subset of one or more ports as being included in the legitimate port range each comprises negotiating with the computing device to select the one or more ports for inclusion in the legitimate port range.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein the negotiating comprises:
    - selecting the one or more ports for inclusion in the legitimate port range;
      
      transmitting a message comprising data representative of the selected one or more ports to the computing device; and
      
      receiving, in response to the message, an acknowledgement of the selected one or more ports from the computing device.
  - 3. The method of claim 2, wherein:
    - the transmitting comprises transmitting the message by way of a call session control function element; and
      
      the receiving comprises receiving the acknowledgement by way of the call session control function element.
  - 4. The method of claim 2, wherein the negotiating further comprises:
    - transmitting, in response to the acknowledgement, an additional message comprising data representative of the selected one or more ports and data representative of the acknowledgement to the network element;
      
      receiving, in response to the additional message, an acknowledgement from the network element; and
      
      transmitting data representative of the acknowledgement received from the network element to the computing device.
  - 5. The method of claim 1, wherein the designating of the subset of one or more ports as being included in the legitimate port range and the designating of the new subset of one or more ports as being included in the legitimate port range each comprises randomly selecting the one or more ports for inclusion in the legitimate port range in accordance with a randomized port selection heuristic.
  - 6. The method of claim 1, wherein the designating of the subset of one or more ports as being included in the legitimate port range and the designating of the new subset of one or more ports as being included in the legitimate port range each comprises directing the computing device to route the legitimate network traffic to the subset of one or more ports.
  - 7. The method of claim 1, further comprising directing, by the attack traffic mitigation system, the network element to transmit the legitimate network traffic to an additional computing device.
  - 8. The method of claim 1, wherein:
    - the legitimate network traffic is generated by a legitimate application residing on the computing device; and
      
      the network traffic received by each port included in the range of open ports that is not included in the legitimate port range comprises attack traffic generated by malware residing on the computing device.
  - 9. The method of claim 8, wherein the attack traffic comprises distributed denial-of-service attack traffic.
  - 10. The method of claim 8, wherein the directing of the network element to drop network traffic provided by the computing device and received by each port included in the range of open ports that is not included in the legitimate port range comprises directing the network element to drop all network traffic provided by the computing device and received by each port included in the range of open ports that is not included in the legitimate port range.
  - 11. The method of claim 1, wherein the subset of one or more ports included in the range of open ports and designated as being included in the legitimate port range comprises less than all of the ports included in the range of open ports.

12. A method comprising:
- identifying, by an attack traffic mitigation system, a range of ports left open by a firewall for a network element to receive, by way of the firewall, network traffic provided by a computing device;
  
  periodically designating, by the attack traffic mitigation system over a period of time, a plurality of different subsets of one or ports included in the range of open ports as being included in a legitimate port range configured to receive, by way of the firewall, legitimate network traffic provided by the computing device in accordance with a randomized port selection heuristic, wherein only one subset of one or more ports included in the plurality of subsets of one or more ports is included in the legitimate port range at any given time; and
  
  directing, by the attack traffic mitigation system, the network element to drop network traffic provided by the computing device and received by each port included in the range of open ports that is not included in the legitimate port range at a time that the network traffic is received;
  
  wherein the periodically designating comprisesdesignating a first subset of one or more ports included in the plurality of subsets of one or more ports as being included in the legitimate port range for a first predetermined amount of time,removing, in response to a completion of the first predetermined amount of time, the first subset of one or more ports from the legitimate port range, anddesignating, in response to the removing, a second subset of one or more ports included in the plurality of subsets of one or more ports as being included in the legitimate port range for a second predetermined amount of time, wherein the second subset of one or more ports includes at least one port not included in the first subset of one or more ports; and
  
  wherein the periodically designating of the plurality of different subsets of one or more ports as being included in the legitimate port range comprises negotiating with the computing device to select the one or more ports for inclusion in the legitimate port range.

13. A system comprising:
- at least one computing device including a processor and comprising;
  
  a detection facility circuitry configured to identify a range of ports left open by a firewall for a network element to receive, by way of the firewall, network traffic provided by a computing device; and
  
  a port management facility circuitry communicatively coupled to the detection facility circuitry and configured todesignate a subset of one or more ports included in the range of open ports as being included in a legitimate port range configured to receive, by way of the firewall, legitimate network traffic provided by the computing device,remove, after a predetermined amount of time subsequent to the subset of one or more ports being designated as being included in the legitimate port range, the subset of one or more ports from being included in the legitimate port range,designate a new subset of one or more ports included in the range of open ports as being included in the legitimate port range, wherein the new subset of one or more ports includes at least one port not included in the subset of one or more ports, anddirect the network element to drop network traffic provided by the computing device and received by each port included in the range of open ports that is not included in the legitimate port range at a time that the network traffic is received,wherein the port management facility circuitry designates the subset of one or more ports as being included in the legitimate port range and designates the new subset of one or more ports as being included in the legitimate port range by negotiating with the computing device to select the one or more ports for inclusion in the legitimate port range.
- View Dependent Claims (14, 15)
- - 14. The system of claim 13, wherein the port management facility circuitry is configured to designate the subset of one or more ports as being included in the legitimate port range by randomly selecting the one or more ports for inclusion in the legitimate port range in accordance with a randomized port selection heuristic.
  - 15. The system of claim 13, wherein the port management facility circuitry is configured to designate the subset of one or more ports as being included in the legitimate port range by directing the computing device to route the legitimate network traffic to the subset of one or more ports.

16. A non-transitory computer-readable medium comprising computer-executable instructions configured to direct at least one computing device to:
- identify a range of ports left open by a firewall for a network element to receive, by way of the firewall, network traffic provided by a computing device;
  
  designate a subset of one or more ports included in the range of open ports as being included in a legitimate port range configured to receive, by way of the firewall, legitimate network traffic provided by the computing device;
  
  remove, after a predetermined amount of time subsequent to the subset of one or more ports being designated as being included in the legitimate port range, the subset of one or more ports from being included in the legitimate port range;
  
  designate a new subset of one or more ports included in the range of open ports as being included in the legitimate port range, wherein the new subset of one or more ports includes at least one port not included in the subset of one or more ports; and
  
  direct the network element to drop network traffic provided by the computing device and received by each port included in the range of open ports that is not included in the legitimate port range at a time that the network traffic is received,wherein the designation of the subset of one or more ports as being included in the legitimate port range and the designation of the new subset of one or more ports as being included in the legitimate port range each comprises negotiating with the computing device to select the one or more ports for inclusion in the legitimate port range.

17. A non-transitory computer-readable medium comprising computer-executable instructions configured to direct at least one computing device to:
- identify a range of ports left open by a firewall for a network element to receive, by way of the firewall, network traffic provided by a computing device;
  
  periodically designate, over a period of time, a plurality of different subsets of one or more ports included in the range of open ports as being included in a legitimate port range configured to receive, by way of the firewall, legitimate network traffic provided by the computing device in accordance with a randomized port selection heuristic, wherein only one subset of one or more ports included in the plurality of subsets of one or more ports is included in the legitimate port range at any given time; and
  
  direct the network element to drop network traffic provided by the computing device and received by each port included in the range of open ports that is not included in the legitimate port range at a time that the network traffic is received;
  
  wherein the periodic designation comprises designating a first subset of one or more ports included in the plurality of subsets of one or more ports as being included in the legitimate port range for a first predetermined amount of time, removing, in response to a completion of the first predetermined amount of time, the first subset of one or more ports from the legitimate port range, anddesignating, in response to the removing, a second subset of one or more ports included in the plurality of subsets of one or more ports as being included in the legitimate port range for a second predetermined amount of time, wherein the second subset of one or more ports includes at least one port not included in the first subset of one or more ports; and
  
  wherein the periodic designation of the plurality of different subsets of one or more ports as being included in the legitimate port range comprises negotiating with the computing device to select the one or more ports for inclusion in the legitimate port range.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Original Assignee
Verizon Patent and Licensing Incorporated (Verizon Communications Inc.)
Inventors
Sun, Lin, Chan, Yee Sin
Primary Examiner(s)
Rashid, Harunur
Assistant Examiner(s)
KHAN, SHER A

Application Number

US13/715,651
Publication Number

US 20140173722A1
Time in Patent Office

984 Days
Field of Search

726/11, 726/12, 726/22, 726/23, 726/24, 726/25, 726/13
US Class Current

1/1
CPC Class Codes

H04L 63/0227   Filtering policies mail mes...

H04L 63/0236   Filtering by address, proto...

H04L 63/1433   Vulnerability analysis

H04L 63/1441   Countermeasures against mal...

H04L 63/1458   Denial of Service

Methods and systems for mitigating attack traffic directed at a network element

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

26 Citations

17 Claims

Specification

Use Cases

Quick Links

Others

Methods and systems for mitigating attack traffic directed at a network element

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

17 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others