Protecting against spoofed DNS messages

US 6,907,525 B2
Filed: 09/20/2002
Issued: 06/14/2005
Est. Priority Date: 08/14/2001
Status: Expired due to Term

First Claim

Patent Images

1. A method for authenticating communication traffic, comprising:

receiving a first request, sent over a network from a source address, to provide network information regarding a given domain name;

sending a response to the source address in reply to the first request;

receiving a second request from the source address in reply to the response; and

assessing authenticity of the first request based on the second request, wherein first and second requests and the response comprises data packets, and wherein the source address comprises an Internet Protocol (IP) address, and wherein receiving the first request comprises receiving a Domain Name System (DNS) request in a User Datagram Protocol (UDP) packet, and wherein sending the response comprises configuring the response so as to require that the first request be resent in a Transmission Control Protocol (TCP) packet, and wherein receiving the second request comprises receiving a TCP SYN packet.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for authenticating communication traffic includes receiving a first request, such as a DNS request, sent over a network from a source address, to provide network information regarding a given domain name. A response is sent to the source address in reply to the first request. When a second request is from the source address in reply to the response, the authenticity of the first request is assessed based on the second request.

90 Citations

View as Search Results

27 Claims

1. A method for authenticating communication traffic, comprising:
- receiving a first request, sent over a network from a source address, to provide network information regarding a given domain name;
  
  sending a response to the source address in reply to the first request;
  
  receiving a second request from the source address in reply to the response; and
  
  assessing authenticity of the first request based on the second request, wherein first and second requests and the response comprises data packets, and wherein the source address comprises an Internet Protocol (IP) address, and wherein receiving the first request comprises receiving a Domain Name System (DNS) request in a User Datagram Protocol (UDP) packet, and wherein sending the response comprises configuring the response so as to require that the first request be resent in a Transmission Control Protocol (TCP) packet, and wherein receiving the second request comprises receiving a TCP SYN packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. A method according to claim 1, and comprising, if the first request is assessed to be authentic, sending a further response to the source address containing the network information corresponding to the given domain name.
  - 3. A method according to claim 2, wherein assessing the authenticity comprises discarding the first request if the first request is not assessed to be authentic.
  - 4. A method according to claim 2, wherein the network information comprises a network address associated with the domain name.
  - 5. A method according to claim 1, wherein sending the response comprises encoding information in the response, and wherein assessing the authenticity comprises checking the second request for the encoded information.
  - 6. A method according to claim 1, wherein receiving the first request comprises intercepting the first request prior to delivery of the first request to a destination address of the first request, and comprising submitting the first request to the destination address responsively to the assessed authenticity of the first request.
  - 7. A method according to claim 6, wherein assessing the authenticity comprises making a record of the source address as an authentic address, and wherein submitting the first request comprises verifying the source address based on the record, and allowing the network information to be furnished to the verified source address.
  - 8. A method according to claim 1, wherein the first and second requests respectively comprise first and second Domain Name System (DNS) requests, and wherein the response comprises a DNS response.
  - 9. A method according to claim 1, and comprising opening a TCP connection responsive to the TCP SYN packet, and providing the network information regarding the given domain name over the connection.

10. An apparatus for authenticating communication traffic, comprising a guard device, which is adapted to receive a first request, sent over a network from a source address, to provide network information regarding a given domain name, to send a response to the source address in reply to the first request, to receive a second request from the source address in reply to the response, and to assess authenticity of the first request based on the second request,wherein the first and second requests and the response comprises data packets, and wherein the source address comprises an Internet Protocol (IP) address and wherein the first request comprises a Domain Name System (DNS) request contained in a User Datagram Protocol (UDP) packet and wherein the guard device is adapted to send the response so as to require that the first request be resent in a Transmission Control Protocol (TCP) packet, so that the second request comprises a TCP SYN packet.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. An apparatus according to claim 10, wherein the guard device is adapted to intercept the first request prior to delivery of the first request to a server holding the network information, and upon assessing the first request to be authentic, to submit the first request to the server, so as to provide a further response to the source address containing the network information corresponding to the given domain name.
  - 12. An apparatus according to claim 11, wherein the guard device is adapted to retrieve the network information from the server and to send the further response containing the retrieved network information.
  - 13. An apparatus according to claim 11, wherein the guard device is adapted to discard the first request if the first request is not assessed to be authentic.
  - 14. An apparatus according to claim 11, and comprising a memory, wherein the guard device is adapted, upon assessing the first request to be authentic, to make a record of the source address in the memory as an authentic address, and upon receiving a further request from the source address, to verify the source address of the further request based on the record, so as to allow the server to furnish the network information to the verified source address.
  - 15. An apparatus according to claim 10, wherein the network information comprises a network address associated with the domain name.
  - 16. An apparatus according to claim 10, wherein the guard device is adapted to encode information in the response, and to assess the authenticity of the first request by checking the second request for the encoded information.
  - 17. An apparatus according to claim 10, wherein the first and second requests respectively comprise first and second Domain Name System (DNS) requests, and wherein the response comprises a DNS response.
  - 18. An apparatus according to claim 10, wherein the guard device is adapted to open a TCP connection responsive to the TCP SYN packet, and to provide the network information regarding the given domain name over the connection.

19. A computer software product for authenticating communication traffic, comprising a computer-readable medium in which program instructions are stored, wherein the instructions, when read by a computer, cause the computer to receive a first request, sent over a network from a source address, to provide network information regarding a given domain name, to send a response to the source address in reply to the first request, to receive a second request from the source address in reply to the response, and to assess authenticity of the first request based on the second request,wherein the first and second requests and the response comprises data packets, and wherein the source address comprises an Internet Protocol (IP) address, and wherein the first request comprises a Domain Name System (DNS) request contained in a User Datagram Protocol (UDP) packet, and wherein the instructions cause the computer to send the response so as to require that the first request be resent in a Transmission Control Protocol (TCP) packet, so that the second request comprises a TCP SYN packet.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. A product according to claims 19, wherein the instructions cause the computer to intercept the first request prior to delivery of the first request to a server holding the network information, and upon assessing the first request to be authentic, to submit the first request to the server, so as to provide a further response to the source address containing the network information corresponding to the given domain name.
  - 21. A product according to claim 20, wherein the instructions cause the computer to retrieve the network information from the server and to send the further response containing the retrieved network information.
  - 22. A product according to claim 20, wherein the instructions cause the computer to discard the first request if the first request is not assessed to be authentic.
  - 23. A product according to claim 20, wherein the instructions cause the computer, upon assessing the first request to be authentic, to make a record of the source address in a memory of the computer as an authentic address, and upon receiving a further request from the source address, to verify the source address of the further request based on the record, so as to allow the server to furnish the network information to the verified source address.
  - 24. A product according to claim 19, wherein the network information comprises a network address associated with the domain name.
  - 25. A product according to claim 19, wherein the instructions cause the computer to encode information in the response, and to assess the authenticity of the first request by checking the second request for the encoded information.
  - 26. A product according to claim 19, wherein the first and second requests respectively comprise first and second Domain Name System (DNS) requests, and wherein the response comprises a DNS response.
  - 27. A product according to claim 19, wherein the instructions cause the computer to open a TCP connection responsive to the TCP SYN packet, and to provide the network information regarding the given domain name over the connection.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Riverhead Networks, Inc.
Inventors
Pazi, Guy, Golan, Alon, Touitou, Dan, Afek, Yehuda
Primary Examiner(s)
Morse, Gregory
Assistant Examiner(s)
HENEGHAN, MATTHEW E

Application Number

US10/251,912
Publication Number

US 20030070096A1
Time in Patent Office

998 Days
Field of Search

713/153, 713/170, 713/201, 709/225, 709/229, 709/245
US Class Current

713/170
CPC Class Codes

H04L 61/4511   using domain name system [DNS]

H04L 63/123   received data contents, e.g...

H04L 63/1458   Denial of Service

H04L 63/1466   Active attacks involving in...

H04L 63/1491   using deception as counterm...

Protecting against spoofed DNS messages

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

90 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Protecting against spoofed DNS messages

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

90 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links