IP Time to Live (TTL) field used as a covert channel

US 7,415,018 B2
Filed: 09/17/2003
Issued: 08/19/2008
Est. Priority Date: 09/17/2003
Status: Active Grant

First Claim

Patent Images

1. A method of determining, in a communications network, an upstream station, among several other candidates, traversed by a packet having a time-to-live (TTL) field arriving at a downstream station, comprising the steps of:

a) marking the TTL field of the packet flow arriving at the upstream station, in a manner that uniquely identifies the upstream station among all the other concurrently marking upstream stations;

b) receiving and identifying at the downstream station a marked packet flow; and

c) determining, depending upon the TTL field of the marked packet flow received, that said packet flow traversed the upstream station;

wherein the TTL field of the marked packet is identified by looking for constant shifts in statistical parameters and in the distributed TTL value with marking turned on and turned off.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The Time to Live (TTL) field in an IP header is used as a covert channel in a communication system. More particularly the TTL field can be used to selectively mark packets with unique identifiers as they pass through an upstream station on their way to a downstream station. In this way the source of a traffic flow at least within a particular domain can be absolutely identified. This method of performing a traceback operation doesn'"'"'t utilize additional resources as it relies on functionality which already exists in the system.

51 Citations

View as Search Results

11 Claims

1. A method of determining, in a communications network, an upstream station, among several other candidates, traversed by a packet having a time-to-live (TTL) field arriving at a downstream station, comprising the steps of:
- a) marking the TTL field of the packet flow arriving at the upstream station, in a manner that uniquely identifies the upstream station among all the other concurrently marking upstream stations;
  
  b) receiving and identifying at the downstream station a marked packet flow; and
  
  c) determining, depending upon the TTL field of the marked packet flow received, that said packet flow traversed the upstream station;
  
  wherein the TTL field of the marked packet is identified by looking for constant shifts in statistical parameters and in the distributed TTL value with marking turned on and turned off.
- View Dependent Claims (2)
- - 2. The method as defined in claim 1 wherein step c) involves comparing the value of the TTL field of packets in a flow to which said packets belong with and without marking being performed, thereby enabling the manner of marking, which identifies the upstream station, to be determined.

3. A method of determining, in a communications network, an upstream station, among several other candidates, traversed by a packet having a time-to-live (TTL) field arriving at a downstream station, comprising the steps of:
- a) marking the TTL field of the packet flow arriving at the upstream station in a manner that uniquely identifies the upstream station among all the other concurrently marking upstream stations; and
  
  b) receiving and identifying at the downstream station a marked packet flow; and
  
  c) determining, depending upon the TTL field of the marked packet flow received, that said packet flow traversed the upstream station; and
  
  comparing the value of the TTL field of packets in a flow to which said packets belong with and without marking being performed, thereby enabling the manner of marking, which identifies the upstream station, to be determined;
  
  wherein each upstream marking station is assigned a plurality of values and associated ratios, where the sum of all said associated ratios is 100%; and
  
  the marking station marks a percent of the packet flow given by one of said associated ratios with a corresponding one of said values, thus uniquely identifying its marking.
- View Dependent Claims (4, 5)
- - 4. The method as defined in claim 3 wherein for flows with randomized TTL values the marked packet is identified by looking for constant shifts in parameters of statistical distribution of TTL values with marking turned on and turned off.
  - 5. The method as defined in claim 3 wherein the marking station uses a plurality of different marking schema and wherein marking of packets is performed using in succession a different one of said schema over a plurality of consecutive time windows.

6. A system for determining, in a communications network, an upstream station, among several other candidates, traversed by a packet having a time-to-live (TTL) field arriving at a downstream station, comprising:
- a) means for marking the TTL field of the packet flow arriving at the upstream station, in a manner that uniquely identifies the upstream station among all the other concurrently marking upstream stations; and
  
  b) means for receiving and identifying at the downstream station a marked packet flow; and
  
  c) means for determining depending upon the TTL field of the marked packet flow received that said packet flow traversed the upstream station;
  
  wherein the upstream station to mark packets is selected by a group of network edge stations marking concurrently with a common primary mark and one selected station of the group using a secondary unique mark, the selection of the station using the secondary mark rotating among stations of the group.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The system as defined in claim 6 wherein the value of the marked packet is assigned dynamically by an external entity.
  - 8. The system as defined in claim 6 wherein the upstream station to mark packets is selected by an external entity.
  - 9. The system as defined in claim 6 wherein the upstream station to mark packets is selected by a group of network edge stations marking concurrently.
  - 10. The system as defined in claim 6 wherein the downstream station is one of an edge router;
    - a last mile router;
      
      receiving device and a network management system.
  - 11. The system as defined in claim 6 wherein the upstream stations, also referred to as marking station, is one of a generic router;
    - a core router;
      
      an edge router;
      
      a single network interface;
      
      a last mile router; and
      
      a network appliance.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
RPX Corporation
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Robert, Jean-Marc, Le Moigne, Olivier, Jones, Emanuele
Primary Examiner(s)
Nguyen; Chau
Assistant Examiner(s)
Foud; Hicham B

Application Number

US10/663,791
Publication Number

US 20050058129A1
Time in Patent Office

1,798 Days
Field of Search

370/252, 370/254, 370/255, 370/389, 370/392, 370/401
US Class Current

370/392
CPC Class Codes

H04L 2463/141   Denial of service attacks a...

H04L 2463/146   Tracing the source of attacks

H04L 63/1458   Denial of Service

IP Time to Live (TTL) field used as a covert channel

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

51 Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

IP Time to Live (TTL) field used as a covert channel

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links