Method and apparatus for tracing packets in a communications network
Abstract
A method for tracing packets in a communications network is directed to tracing a stream of anonymous packets received at a given target host in order to identify their source, in response, for example, to a Denial-of-Service (“DoS”) attack on the target host. Advantageously, the tracing is performed without reliance on knowledge or cooperation from intervening Internet Service Providers (ISPs) along the path. The method is performed by applying a “burst load” (i.e., a brief but heavy load of transmitted packets) to various elements (i.e., links or routers) in the network and measuring the change in the rate at which the stream of packets arrives at the target. If the rate is substantially altered upon introduction of the burst load, then it may be deduced that the given element is most likely on the path from the source host of the DoS attack to the target host.
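The decision logic the abstract describes, as an added example that is not taken from the patent: it works only on rate measurements already recorded at the target and walks upstream one element at a time, keeping the element whose burst substantially altered the received rate. The topology, element names, sample rates, the 0.25 threshold and the use of a median to damp noise are all constructed assumptions.

```python
from statistics import median

# Constructed topology: element -> elements one hop further from the target.
UPSTREAM = {"target": ["r1", "r2"], "r1": ["r3", "r4"], "r2": [],
            "r3": [], "r4": ["r5"], "r5": []}

# Constructed samples of the received packet rate at the target (packets/s).
BASELINE = [980, 1010, 1000, 995, 1020]          # no burst applied
DURING_BURST = {                                  # while each element was loaded
    "r1": [400, 450, 420], "r2": [990, 1005, 970], "r3": [1000, 985, 1015],
    "r4": [380, 410, 500], "r5": [300, 350, 330],
}

def relative_change(baseline, loaded):
    """Fractional change in the median received rate while the burst was applied."""
    base = median(baseline)
    return (base - median(loaded)) / base

def trace_path(upstream, baseline, during_burst, threshold=0.25, start="target"):
    """Return [(element, change), ...] from the target toward the potential source.

    An element joins the path when its burst altered the received rate by at
    least `threshold` (assumed value). The walk stops when no candidate
    qualifies, so a noisy or unmeasured level yields a partial path.
    """
    path, current, seen = [], start, {start}
    while True:
        scored = [(relative_change(baseline, during_burst[e]), e)
                  for e in upstream.get(current, [])
                  if e in during_burst and e not in seen]   # skip loops and gaps
        hits = [(c, e) for c, e in scored if abs(c) >= threshold]
        if not hits:
            return path
        change, element = max(hits, key=lambda h: abs(h[0]))  # strongest response
        path.append((element, round(change, 2)))
        seen.add(element)
        current = element

if __name__ == "__main__":
    for element, change in trace_path(UPSTREAM, BASELINE, DURING_BURST):
        print(f"{element}: received rate changed by {change:.0%}")
```
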
30 Claims
1. A method for tracing a sequence of packets to a potential source thereof within a communications network, the sequence of packets being received at a target host in said communications network at a received packet rate, the method comprising the steps of:
(a) identifying a plurality of network elements comprised in said communications network;
(b) applying a burst load to a selected one of said identified network elements in said communications network;
(c) measuring a change in said received packet rate in response to said application of said burst load to said selected network element;
(d) including said selected network element in a potential path if said change in said received packet rate fails to meet a predetermined criterion; and
(e) repeating steps (b), (c) and (d) on other selected network elements a plural number of times to generate a path leading from said target host to said potential source based on the selected network elements which have been included in said potential path.

16. An apparatus for tracing a sequence of packets to a potential source thereof within a communications network, the sequence of packets being received at a target host in said communications network at a received packet rate, the apparatus comprising:
(a) means for identifying a plurality of network elements comprised in said communications network;
(b) means for applying a burst load to a selected one of said identified network elements in said communications network;
(c) means for measuring changes in said received packet rate in response to said application of said burst load to said selected network elements;
(d) means for including said selected network element in a potential path if said change in said received packet rate fails to meet a predetermined criterion; and
(e) means for repeating an operation of means (b), (c) and (d) on other selected network elements a plural number of times to generate a path leading from said target host to said potential source based on the selected network elements which have been included in said potential path.