Protecting against spoofed DNS messages

US 20030070096A1
Filed: 09/20/2002
Published: 04/10/2003
Est. Priority Date: 08/14/2001
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating communication traffic, comprising:

receiving a first request, sent over a network from a source address, to provide network information regarding a given domain name;

sending a response to the source address in reply to the first request;

receiving a second request from the source address in reply to the response; and

assessing authenticity of the first request based on the second request.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authenticating communication traffic includes receiving a first request, such as a DNS request, sent over a network from a source address, to provide network information regarding a given domain name. A response is sent to the source address in reply to the first request. When a second request is from the source address in reply to the response, the authenticity of the first request is assessed based on the second request.

215 Citations

82 Claims

1. A method for authenticating communication traffic, comprising:
- receiving a first request, sent over a network from a source address, to provide network information regarding a given domain name;
  
  sending a response to the source address in reply to the first request;
  
  receiving a second request from the source address in reply to the response; and
  
  assessing authenticity of the first request based on the second request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method according to claim 1, and comprising, if the first request is assessed to be authentic, sending a further response to the source address containing the network information corresponding to the given domain name.
  - 3. A method according to claim 2, wherein assessing the authenticity comprises discarding the first request if the first request is not assessed to be authentic.
  - 4. A method according to claim 2, wherein the network information comprises a network address associated with the domain name.
  - 5. A method according to claim 1, wherein sending the response comprises encoding information in the response, and wherein assessing the authenticity comprises checking the second request for the encoded information.
  - 6. A method according to claim 5, wherein encoding the information comprises encoding the information in an artificial domain name, and wherein receiving the second request comprises receiving a query for the network information corresponding to the artificial domain name.
  - 7. A method according to claim 1, wherein receiving the first request comprises intercepting the first request prior to delivery of the first request to a destination address of the first request, and comprising submitting the first request to the destination address responsively to the assessed authenticity of the first request.
  - 8. A method according to claim 7, wherein assessing the authenticity comprises making a record of the source address as an authentic address, and wherein submitting the first request comprises verifying the source address based on the record, and allowing the network information to be furnished to the verified source address.
  - 9. A method according to claim 1, wherein first and second requests and the response comprises data packets, and wherein the source address comprises an Internet protocol (IP) address.
  - 10. A method according to claim 9, wherein the first and second requests respectively comprise first and second Domain Name System (DNS) requests, and wherein the response comprises a DNS response.
  - 11. A method according to claim 9, wherein receiving the first request comprises receiving a Domain Name System (DNS) request in a User Datagram Protocol (UDP) packet, and wherein sending the response comprises configuring the response so as to require that the first request be resent in a Transmission Control Protocol (TCP) packet, and wherein receiving the second request comprises receiving a TCP SYN packet.
  - 12. A method according to claim 11, and comprising opening a TCP connection responsive to the TCP SYN packet, and providing the network information regarding the given domain name over the connection.

13. A method for authenticating communication traffic, comprising:
- receiving a data packet sent over a network from a source address to a destination address;
  
  sending an outgoing Domain Name System (DNS) message to the source address;
  
  receiving an incoming DNS message in response to the outgoing DNS message; and
  
  processing the incoming DNS message so as to assess authenticity of the received data packet.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. A method according to claim 13, wherein receiving the data packet comprises receiving a first DNS request directed to a DNS server, and wherein sending the outgoing DNS message comprises sending a DNS response, and wherein receiving the incoming DNS message comprises receiving a second DNS request.
  - 15. A method according to claim 14, and comprising, if the received data packet is assessed to be authentic, sending a further DNS response to the source address so as to provide a resource record from the DNS server as requested by the first DNS request.
  - 16. A method according to claim 15, wherein receiving the first DNS request comprises intercepting the first DNS request prior to delivery of the first DNS request to the DNS server, and comprising allowing the DNS server to provide the resource record to the source address responsively to the assessed authenticity of the of the received data packet.
  - 17. A method according to claim 14, wherein receiving the first DNS request comprises receiving a request from a client for network information regarding a first domain name, and wherein sending the DNS response comprises sending a first DNS response redirecting the client to submit the second DNS request with regard to a second domain name.
  - 18. A method according to claim 17, wherein redirecting the client comprises encoding information in the second domain name, and wherein processing the incoming DNS message comprises checking for the encoded information in the second DNS request.
  - 19. A method according to claim 18, and comprising, if the encoded information in the second DNS request is correct, sending a second DNS response redirecting the client to submit a third DNS request in order to receive the network information requested by the first DNS request.
  - 20. A method according to claim 13, wherein sending the outgoing DNS message comprises sending a first DNS packet containing encoded information, and wherein receiving the incoming DNS message comprises receiving a second DNS packet, and wherein processing the incoming DNS message comprises checking the second DNS packet for the encoded information.
  - 21. A method according to claim 20, wherein sending the first DNS packet comprises inserting the encoded information in an artificial domain name in the first DNS packet, and wherein checking the second DNS packet comprises examining the artificial domain name in the second DNS packet.

22. Apparatus for authenticating communication traffic, comprising a guard device, which is adapted to receive a first request, sent over a network from a source address, to provide network information regarding a given domain name, to send a response to the source address in reply to the first request, to receive a second request from the source address in reply to the response, and to assess authenticity of the first request based on the second request.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 23. Apparatus according to claim 22, wherein the guard device is adapted to intercept the first request prior to delivery of the first request to a server holding the network information, and upon assessing the first request to be authentic, to submit the first request to the server, so as to provide a further response to the source address containing the network information corresponding to the given domain name.
  - 24. Apparatus according to claim 23, wherein the guard device is adapted to retrieve the network information from the server and to send the further response containing the retrieved network information.
  - 25. Apparatus according to claim 23, wherein the guard device is adapted to discard the first request if the first request is not assessed to be authentic.
  - 26. Apparatus according to claim 23, and comprising a memory, wherein the guard device is adapted, upon assessing the first request to be authentic, to make a record of the source address in the memory as an authentic address, and upon receiving a further request from the source address, to verify the source address of the further request based on the record, so as to allow the server to furnish the network information to the verified source address.
  - 27. Apparatus according to claim 22, wherein the network information comprises a network address associated with the domain name.
  - 28. Apparatus according to claim 22, wherein the guard device is adapted to encode information in the response, and to assess the authenticity of the first request by checking the second request for the encoded information.
  - 29. Apparatus according to claim 28, wherein the guard device is adapted to encode the information in an artificial domain name, and to generate the response so as to cause a client at the source address to submit in the second request a query for the network information corresponding to the artificial domain name.
  - 30. Apparatus according to claim 22, wherein the first and second requests and the response comprises data packets, and wherein the source address comprises an Internet Protocol (IP) address.
  - 31. Apparatus according to claim 30, wherein the first and second requests respectively comprise first and second Domain Name System (DNS) requests, and wherein the response comprises a DNS response.
  - 32. Apparatus according to claim 30, wherein the first request comprises a Domain Name System (DNS) request contained in a User Datagram Protocol (UDP) packet, and wherein the guard device is adapted to send the response so as to require that the first request be resent in a Transmission Control Protocol (TCP) packet, so that the second request comprises a TCP SYN packet.
  - 33. Apparatus according to claim 32, wherein the guard device is adapted to open a TCP connection responsive to the TCP SYN packet, and to provide the network information regarding the given domain name over the connection.

34. Apparatus for authenticating communication traffic, comprising a guard device, which is adapted to receive a data packet sent over a network from a source address to a destination address, to send an outgoing Domain Name System (DNS) message to the source address, to receive an incoming DNS message in response to the outgoing DNS message, and to process the incoming DNS message so as to assess authenticity of the received data packet.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41)
- - 35. Apparatus according to claim 34, wherein the data packet comprises a first DNS request directed to a DNS server, and wherein the outgoing DNS message comprises a DNS response, and the incoming DNS message comprises a second DNS request.
  - 36. Apparatus according to claim 35, wherein the guard device is adapted to intercept the first DNS request prior to delivery of the first DNS request to the DNS server, and upon assessing the first DNS request to be authentic, to submit the first DNS request to the DNS server, so as to provide to the source address a resource record from the DNS server as requested by the first DNS request.
  - 37. Apparatus according to claim 35, wherein the first DNS request comprises a request from a client for network information regarding a first domain name, and wherein the DNS response comprises a first DNS response redirecting the client to submit the second DNS request with regard to a second domain name.
  - 38. Apparatus according to claim 37, wherein the guard device is adapted to encode information in the second domain name, and to check for the encoded information in the second DNS request so as to assess the authenticity of the first DNS request.
  - 39. Apparatus according to claim 38, wherein the guard device is adapted, if the encoded information in the second DNS request is correct, to send a second DNS response redirecting the client to submit a third DNS request in order to receive the requested network information.
  - 40. Apparatus according to claim 34, wherein the outgoing DNS message comprises a first DNS packet containing encoded information, and wherein the incoming DNS message comprises a second DNS packet, and wherein the guard device is adapted to check the second DNS packet for the encoded information so as to assess the authenticity of the received data packet.
  - 41. Apparatus according to claim 40, wherein the guard device is adapted to insert the encoded information in an artificial domain name in the first DNS packet, and to check the second DNS packet by examining the artificial domain name in the second DNS packet.

42. A computer software product for authenticating communication traffic, comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to receive a first request, sent over a network from a source address, to provide network information regarding a given domain name, to send a response to the source address in reply to the first request, to receive a second request from the source address in reply to the response, and to assess authenticity of the first request based on the second request.
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53)
- - 43. A product according to claim 42, wherein the instructions cause the computer to intercept the first request prior to delivery of the first request to a server holding the network information, and upon assessing the first request to be authentic, to submit the first request to the server, so as to provide a further response to the source address containing the network information corresponding to the given domain name.
  - 44. A product according to claim 43, wherein the instructions cause the computer to retrieve the network information from the server and to send the further response containing the retrieved network information.
  - 45. A product according to claim 43, wherein the instructions cause the computer to discard the first request if the first request is not assessed to be authentic.
  - 46. A product according to claim 43, wherein the instructions cause the computer, upon assessing the first request to be authentic, to make a record of the source address in a memory of the computer as an authentic address, and upon receiving a further request from the source address, to verify the source address of the further request based on the record, so as to allow the server to furnish the network information to the verified source address.
  - 47. A product according to claim 42, wherein the network information comprises a network address associated with the domain name.
  - 48. A product according to claim 42, wherein the instructions cause the computer to encode information in the response, and to assess the authenticity of the first request by checking the second request for the encoded information.
  - 49. A product according to claim 48, wherein the instructions cause the computer to encode the information in an artificial domain name, and to generate the response so as to cause a client at the source address to submit in the second request a query for the network information corresponding to the artificial domain name.
  - 50. A product according to claim 42, wherein first and second requests and the response comprises data packets, and wherein the source address comprises an Internet Protocol (IP) address.
  - 51. A product according to claim 50, wherein the first and second requests respectively comprise first and second Domain Name System (DNS) requests, and wherein the response comprises a DNS response.
  - 52. A product according to claim 50, wherein the first request comprises a Domain Name System (DNS) request contained in a User Datagram Protocol (UDP) packet, and wherein the instructions cause the computer to send the response so as to require that the first request be resent in a Transmission Control Protocol (TCP) packet, so that the second request comprises a TCP SYN packet.
  - 53. A product according to claim 52, wherein the instructions cause the computer to open a TCP connection responsive to the TCP SYN packet, and to provide the network information regarding the given domain name over the connection.

54. A computer software product for authenticating communication traffic, comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to receive a data packet sent over a network from a source address to a destination address, to send an outgoing Domain Name System (DNS) message to the source address, to receive an incoming DNS message in response to the outgoing DNS message, and to process the incoming DNS message so as to assess authenticity of the received data packet.
- View Dependent Claims (55, 56, 57, 58, 59, 60, 61)
- - 55. A product according to claim 54, wherein the data packet comprises a first DNS request directed to a DNS server, and wherein the outgoing DNS message comprises a DNS response, and the incoming DNS message comprises a second DNS request.
  - 56. A product according to claim 55, wherein the instructions cause the computer to intercept the first DNS request prior to delivery of the first DNS request to the DNS server, and upon assessing the first DNS request to be authentic, to submit the first DNS request to the DNS server, so as to provide to the source address a resource record from the DNS server as requested by the first DNS request.
  - 57. A product according to claim 55, wherein the first DNS request comprises a request from a client for network information regarding a first domain name, and wherein the DNS response comprises a first DNS response redirecting the client to submit the second DNS request with regard to a second domain name.
  - 58. A product according to claim 57, wherein the instructions cause the computer to encode information in the second domain name, and to check for the encoded information in the second DNS request so as to assess the authenticity of the first DNS request.
  - 59. A product according to claim 58, wherein the instructions cause the computer, if the encoded information in the second DNS request is correct, to send a second DNS response redirecting the client to submit a third DNS request in order to receive the requested network information.
  - 60. A product according to claim 54, wherein the outgoing DNS message comprises a first DNS packet containing encoded information, and wherein the incoming DNS message comprises a second DNS packet, and wherein the instructions cause the computer to check the second DNS packet for the encoded information so as to assess the authenticity of the received data packet.
  - 61. A product according to claim 60, wherein the instructions cause the computer to insert the encoded information in an artificial domain name in the first DNS packet, and to check the second DNS packet by examining the artificial domain name in the second DNS packet.

62. A method for authenticating communication traffic, comprising:
- receiving a message, sent over a network from a source entity to a first destination entity;
  
  sending a response to the source address, in answer to the message, redirecting the source address to communicate with a second destination entity; and
  
  communicating with the source entity using the second destination entity in order to assess authenticity of the message.
- View Dependent Claims (63, 64, 65, 66, 67)
- - 63. A method according to claim 62, wherein receiving the message comprises receiving the message in accordance with a predetermined communication protocol, and wherein sending the response comprises using a redirection mechanism provided by the communication protocol.
  - 64. A method according to claim 63, wherein communicating with the source entity comprises receiving a further message submitted by the source entity to the second destination entity in reply to the response.
  - 65. A method according to claim 63, wherein the communication protocol comprises a Domain Name System (DNS) protocol.
  - 66. A method according to claim 63, wherein the communication protocol comprises a Hypertext Transfer Protocol (HTTP).
  - 67. A method according to claim 62, wherein the first and second destination entities comprise first and second domain names, respectively.

68. A method for providing information from a database maintained by a server, comprising:
- holding a cache of entries from the database on a proxy device separate from the server;
  
  intercepting at the proxy device a request conveyed by a requester over a communication network to the server to receive information from the database; and
  
  if the information is present in the cache, conveying the information from the proxy device to the requester, without submitting the request to the server.

69. Apparatus for authenticating communication traffic, comprising a guard device, which is adapted to receive a message, sent over a network from a source entity to a first destination entity, and to send a response to the source address, in answer to the message, redirecting the source address to communicate with a second destination entity, and to communicate with the source entity using the second destination entity in order to assess authenticity of the message.
- View Dependent Claims (70, 71, 72, 73, 74)
- - 70. Apparatus according to claim 69, wherein the message is sent in accordance with a predetermined communication protocol, and wherein the guard device is adapted to send the response using a redirection mechanism provided by the communication protocol.
  - 71. Apparatus according to claim 70, wherein the guard device is adapted to receive a further message submitted by the source entity to the second destination entity in reply to the response, and to process the further message in order to assess the authenticity.
  - 72. Apparatus according to claim 70, wherein the communication protocol comprises a Domain Name System (DNS) protocol.
  - 73. Apparatus according to claim 70, wherein the communication protocol comprises a Hypertext Transfer Protocol (HTTP).
  - 74. Apparatus according to claim 69, wherein the first and second destination entities comprise first and second domain names, respectively.

75. Apparatus for providing information from a database maintained by a server, comprising a proxy device, separate from the server, wherein the proxy device is adapted to hold a cache of entries from the database, and to intercept a request conveyed by a requester over a communication network to the server to receive information from the database, and if the information is present in the cache, to convey the information from the proxy device to the requester, without submitting the request to the server.

76. A computer software product for authenticating communication traffic, comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer, cause the computer to receive a message, sent over a network from a source entity to a first destination entity, and to send a response to the source address, in answer to the message, redirecting the source address to communicate with a second destination entity, and to communicate with the source entity using the second destination entity in order to assess authenticity of the message.
- View Dependent Claims (77, 78, 79, 80, 81)
- - 77. A product according to claim 76, wherein the message is sent in accordance with a predetermined communication protocol, and wherein the instructions cause the computer to send the response using a redirection mechanism provided by the communication protocol.
  - 78. A product according to claim 77, wherein the instructions cause the computer to receive a further message submitted by the source entity to the second destination entity in reply to the response, and to process the further message in order to assess the authenticity.
  - 79. A product according to claim 77, wherein the communication protocol comprises a Domain Name System (DNS) protocol.
  - 80. A product according to claim 77, wherein the communication protocol comprises a Hypertext Transfer Protocol (HTTP).
  - 81. A product according to claim 76, wherein the first and second destination entities comprise first and second domain names, respectively.

82. A computer software product for providing information from a database maintained by a server, the product comprising a computer-readable medium in which program instructions are stored, which instructions, when read by a computer separate from the server, cause the computer to hold a cache of entries from the database, and to intercept a request conveyed by a requester over a communication network to the server to receive information from the database, and if the information is present in the cache, to convey the information from the proxy device to the requester, without submitting the request to the server.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Riverhead Networks, Inc.
Inventors
Pazi, Guy, Golan, Alon, Touitou, Dan, Afek, Yehuda

Granted Patent

US 6,907,525 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/123   received data contents, e.g...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

H04L 63/1491   using deception as counterm...

Protecting against spoofed DNS messages

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

215 Citations

82 Claims

Specification

Use Cases

Quick Links

Others

Protecting against spoofed DNS messages

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

215 Citations

82 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others