Automatic Adjusting of Reputation Thresholds in Order to Change the Processing of Certain Packets

US 20110199902A1
Filed: 02/12/2010
Published: 08/18/2011
Est. Priority Date: 02/12/2010
Status: Active Grant

First Claim

Patent Images

1. A method performed by a particular networked machine, the method comprising:

rate limiting, by the particular networked machine, of a first plurality of packets of a greater plurality of packets, wherein packets received by the particular networked machine are identified as being in the first plurality of packets when their source has a worse reputation score than a predetermined reputation score threshold; and

wherein packets received by the particular networked machine are not identified as being in the first plurality of packets when their source has a better reputation score than the predetermined reputation score threshold; and

in response to measured traffic of the greater plurality of packets equaling or exceeding one or more predetermined traffic measurement thresholds;

automatically adjusting, by the particular networked machine, the reputation score threshold to a better reputation score thus expanding the first plurality of packets to now include packets associated with a higher reputation score on which the particular networked machines performs said rate limiting.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A firewall, intrusion prevention or other device automatically and dynamically adjusts packets subjected to certain rate limiting based on the reputation level associated with their source. When measured traffic increases beyond a desired amount, the range of reputation scores causing their associated packets to be subjected to this rate limiting is adjusted to throttle the measured traffic to fall within desired limits. In this manner, packet traffic with a worse reputation can be singled out for this rate limiting during a period of increased traffic. When the measured traffic subsides, the range of reputation scores can be correspondingly changed to allow more measured traffic.

68 Citations

View as Search Results

20 Claims

1. A method performed by a particular networked machine, the method comprising:
- rate limiting, by the particular networked machine, of a first plurality of packets of a greater plurality of packets, wherein packets received by the particular networked machine are identified as being in the first plurality of packets when their source has a worse reputation score than a predetermined reputation score threshold; and
  
  wherein packets received by the particular networked machine are not identified as being in the first plurality of packets when their source has a better reputation score than the predetermined reputation score threshold; and
  
  in response to measured traffic of the greater plurality of packets equaling or exceeding one or more predetermined traffic measurement thresholds;
  
  automatically adjusting, by the particular networked machine, the reputation score threshold to a better reputation score thus expanding the first plurality of packets to now include packets associated with a higher reputation score on which the particular networked machines performs said rate limiting.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein said measured traffic is based on one or more from the group consisting of:
    - a rate of a number of packets in the greater plurality of packets, a rate of connection attempts by the greater plurality of packets; and
      
      a data rate of the greater plurality of packets.
  - 3. The method of claim 1, including determining a particular reputation score for a particular packet of the first plurality of packets based on a source address of the particular packet.
  - 4. The method of claim 1, including determining a particular reputation score for a particular packet of the first plurality of packets based on a source address of the particular packet and operating system fingerprinting of the particular packet.
  - 5. The method of claim 1, including determining a particular reputation score for a particular packet of the first plurality of packets based on a domain associated with a source address of the particular packet.
  - 6. The method of claim 5, wherein said determining the particular reputation score for the particular packet of the first plurality of packets based on the domain associated with the source address of the particular packet includes:
    - performing a reverse domain name service lookup operation on the source address of the particular packet.
  - 7. The method of claim 1, wherein the particular networked machine is a firewall.
  - 8. The method of claim 1, wherein said rate limiting by the particular networked machine of an identified packet includes one or more rate limiting operations from a group consisting of:
    - dropping the identified packet, diverting the identified packet for further processing to determine how to rate limit, performing Quality of Service (QoS) rate limiting of the identified packet based on its type of service.
  - 9. The method of claim 1, wherein said measured traffic of the greater plurality of packets is made after said rate limiting of the first plurality of packets such that packets in the greater plurality of packets dropped prior to said measurement of traffic are not included in said measured traffic.
  - 10. The method of claim 1, in response to said measured traffic of the greater plurality of packets equaling or dropping below a second predetermined traffic measurement threshold:
    - automatically adjusting, by the particular networked machine, the reputation score threshold to a worse reputation score thus contracting the first plurality of packets on which the particular networked machines performs said rate limiting.

11. An apparatus, comprising:
- a rate limiter configured for rate limiting of a first plurality of packets of a greater plurality of packets, wherein packets received by the apparatus are identified as being in the first plurality of packets when their source has a worse reputation score than a predetermined reputation score threshold; and
  
  wherein packets received by the apparatus are not identified as being in the first plurality of packets when their source has a better reputation score than the predetermined reputation score threshold;
  
  a controller responsive to measured traffic of the greater plurality of packets equaling or exceeding a predetermined traffic measurement threshold, with said response including;
  
  automatically adjusting the reputation score threshold to a better reputation score thus expanding the first plurality of packets to now include packets associated with a higher reputation score on which the particular networked machines performs said rate limiting; and
  
  one or more rate monitors configured for determining said measured traffic.
- View Dependent Claims (12, 13, 14, 15, 16)
- - 12. The apparatus of claim 11, wherein said measured traffic is based on one or more from the group consisting of:
    - a rate of a number of packets in the greater plurality of packets, a rate of connection attempts by the greater plurality of packets; and
      
      a data rate of the greater plurality of packets.
  - 13. The apparatus of claim 11, wherein the apparatus networked machine is a firewall.
  - 14. The apparatus of claim 11, wherein said rate limiting by the particular networked machine of an identified packet includes one or more rate limiting operations from a group consisting of:
    - dropping the identified packet, diverting the identified packet for further processing to determine how to rate limit, performing Quality of Service (QoS) rate limiting of the identified packet based on its type of service.
  - 15. The apparatus of claim 11, wherein said one or more rate monitors are communicatively coupled to receive packets after passing through the rate limiter such that packets in the greater plurality of packets dropped prior to reaching said one or more rate monitors are not included in said measured traffic.
  - 16. The apparatus of claim 11, wherein the controller is configured to automatically adjust the reputation score threshold to a worse reputation score thus contracting the first plurality of packets in response to said measured traffic equaling or dropping below a second predetermined traffic measurement threshold.

17. A method performed by a particular networked machine, the method comprising:
- repeatedly;
  
  receiving a particular packet;
  
  applying firewall functionality to said received particular packet, said firewall functionality including rate limiting of particular packets having a source with a reputation score worse than a current reputation score threshold; and
  
  forwarding non-dropped said received particular packet from the particular networked machine; and
  
  repeatedly;
  
  measuring at least a portion of outbound traffic from the particular networked machine;
  
  in response to determining that said measured outbound traffic exceeds a corresponding predetermined rate threshold value;
  
  dynamically adjusting the current reputation score threshold to a reputation score level better than that current of the current reputation score threshold in order to cause said measured outbound traffic to no longer exceed the corresponding predetermined rate threshold value.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, wherein said received particular packets belong to a particular client;
    - and wherein said measured outbound traffic is that of the particular client.
  - 19. The method of claim 17, wherein said firewall functionality includes identifying the reputation score for the particular packet based on one or more from the group consisting of:
    - a source address of the particular packet;
      
      the source address of the particular packet and operating system fingerprinting of the particular packet; and
      
      a domain associated with the source address of the particular packet.
  - 20. The method of claim 17, wherein said rate limiting of the particular packet includes one or more rate limiting operations from a group consisting of:
    - dropping the particular packet, diverting the particular packet for further processing to determine how to rate limit, performing Quality of Service (QoS) rate limiting of the particular packet based on its type of service.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Heary, James William, Leavy, Nicholas Read

Granted Patent

US 8,797,866 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/232
CPC Class Codes

H04L 43/0876   Network utilisation, e.g. v...

H04L 43/16   Threshold monitoring

H04L 47/10   Flow control; Congestion co...

H04L 47/22   Traffic shaping

H04L 47/29   using a combination of thre...

H04L 47/32   by discarding or delaying d...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

Automatic Adjusting of Reputation Thresholds in Order to Change the Processing of Certain Packets

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

68 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Automatic Adjusting of Reputation Thresholds in Order to Change the Processing of Certain Packets

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links