Method and apparatus for detecting port scans with fake source address

US 7,962,957 B2
Filed: 04/23/2007
Issued: 06/14/2011
Est. Priority Date: 04/23/2007
Status: Expired due to Fees

First Claim

Patent Images

1. A computer implemented method for port scan protection, the computer implemented method comprising:

responsive to detecting a port scan, generating, by a processor, a reply data packet having a modified header conforming to a protocol used to transmit data packets to form a modified reply data packet, wherein the modified reply data packet will elicit a response from a recipient of the modified reply data packet, wherein the modified header will compel the recipient'"'"'s transmission control protocol/internet protocol layer to respond to the modified reply data packet in response to the recipient snooping the modified reply data packet;

sending the modified reply data packet to a first source internet protocol address associated with the port scan; and

responsive to receiving the response to the modified reply data packet, identifying that a second source internet protocol address in a header of the response is a correct source internet protocol address of a source of the port scan, wherein the second source internet protocol address is different from the first source internet protocol address.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer implemented method, apparatus, and computer program product for port scan protection. A reply data packet having a modified transmission control protocol header is generated to form a modified reply data packet, in response to detecting a port scan. The modified reply data packet will elicit a response from a recipient of the modified data packet. The reply data packet is sent to a first Internet protocol address associated with the port scan. A second Internet protocol address is identified from a header of the response to the modified reply data packet. The second Internet protocol address is an actual Internet protocol address of a source of the port scan. All network traffic from the second Internet protocol address may be blocked to prevent an attack on any open ports from the source of the port scan.

236 Citations

35 Claims

1. A computer implemented method for port scan protection, the computer implemented method comprising:
- responsive to detecting a port scan, generating, by a processor, a reply data packet having a modified header conforming to a protocol used to transmit data packets to form a modified reply data packet, wherein the modified reply data packet will elicit a response from a recipient of the modified reply data packet, wherein the modified header will compel the recipient'"'"'s transmission control protocol/internet protocol layer to respond to the modified reply data packet in response to the recipient snooping the modified reply data packet;
  
  sending the modified reply data packet to a first source internet protocol address associated with the port scan; and
  
  responsive to receiving the response to the modified reply data packet, identifying that a second source internet protocol address in a header of the response is a correct source internet protocol address of a source of the port scan, wherein the second source internet protocol address is different from the first source internet protocol address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The computer implemented method of claim 1 wherein the modified header conforming to the protocol includes a bad sequence number.
  - 3. The computer implemented method of claim 2 wherein the bad sequence number is a protocol violation that will excite a response from the recipient.
  - 4. The computer implemented method of claim 2 wherein the bad sequence number is a sequence number falling outside an acceptable range of sequence numbers.
  - 5. The computer implemented method of claim 1 wherein the modified header conforming to the protocol includes a reset flag.
  - 6. The computer implemented method of claim 1 wherein the modified header conforming to the protocol includes a finish flag.
  - 7. The computer implemented method of claim 1 wherein modifying the header further comprises:
    - altering a checksum used to generate the modified reply data packet.
  - 8. The computer implemented method of claim 1 further comprising:
    - blocking all network traffic originating from the second routing address to prevent an attack on any open ports.
  - 9. The computer implemented method of claim 1 wherein the first routing address is not a correct routing address of a computing device.
  - 10. The computer implemented method of claim 1 further comprising:
    - responsive to receiving a port scan data packet, identifying a source routing address in a header of the port scan data packet as the first routing address.
  - 11. The computer implemented method of claim 1 wherein the modified header conforming to the protocol is a modified transmission control protocol header.
  - 12. The computer implemented method of claim 1 wherein the modified header conforming to the protocol is a modified user datagram protocol header.
  - 13. The computer implemented method of claim 1 wherein a datalink layer in the modified header indicates a media access control address for a destination of the modified reply data packet.

14. A computer program product for port scan protection, the computer program product comprising:
- a computer usable storage device including computer usable program code embodied therewith, the computer usable program code comprising;
  
  computer usable program code for generating a reply data packet having a modified header conforming to a protocol used to transmit data packets to form a modified reply data packet in response to detecting a port scan, wherein the modified reply data packet will elicit a response data packet from a recipient of the modified reply data packet, wherein the modified header will compel the recipient'"'"'s transmission control protocol/internet protocol layer to respond to the modified reply data packet in response to the recipient snooping the modified reply data packet;
  
  computer usable program code for sending the modified reply data packet to a first source internet protocol address associated with the port scan; and
  
  computer usable program code for identifying that a second source internet protocol address in a header of the response data packet in response to receiving the response data packet a correct source internet protocol address of a source of the port scan, wherein the second source internet protocol address is different from the first source internet protocol address.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 15. The computer program product of claim 14 wherein the modified header conforming to the protocol includes a bad sequence number.
  - 16. The computer program product of claim 15 wherein the bad sequence number is a sequence number falling outside an acceptable range of sequence numbers.
  - 17. The computer implemented method of claim 15 wherein the bad sequence number is a protocol violation that will excite a response from a recipient of the reply data packet.
  - 18. The computer program product of claim 14 wherein the modified header conforming to the protocol includes a reset flag.
  - 19. The computer program product of claim 14 wherein the modified header conforming to the protocol includes a finish flag.
  - 20. The computer program product of claim 14 further comprising:
    - computer usable program code for altering a checksum used to generate the modified reply data packet.
  - 21. The computer program product of claim 14 further comprising:
    - computer usable program code for blocking all network traffic originating from the second routing address to prevent an attack on any open ports.
  - 22. The computer program product of claim 14 wherein the modified header conforming to the protocol is a modified transmission control protocol header.
  - 23. The computer program product of claim 14 wherein a datalink layer in the modified header indicates a media access control address for a destination of the modified reply data packet.

24. An apparatus comprising:
- a bus system;
  
  a communications system connected to the bus system;
  
  a memory connected to the bus system, wherein the memory includes computer usable program code; and
  
  a processing unit connected to the bus system, wherein the processing unit executes the computer usable program code to generate a reply data packet having a modified header conforming to a protocol used to transmit data packets to form a modified reply data packet in response to detecting a port scan, wherein the modified reply data packet will elicit a response data packet from a recipient of the modified reply data packet, wherein the modified header will compel the recipient'"'"'s transmission control protocol/internet protocol layer to respond to the modified reply data packet in response to the recipient snooping the modified reply data packet;
  
  send the modified reply data packet to a first source internet protocol address associated with the port scan; and
  
  identify that a second source internet protocol address in a header of the response data packet in response to receiving the response data packet a correct source internet protocol address of a source of the port scan, wherein the second source internet protocol address is different from the first source internet protocol address.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31)
- - 25. The apparatus of claim 24 wherein the modified header conforming to the protocol includes a bad sequence number.
  - 26. The apparatus of claim 25 wherein the bad sequence number is a protocol violation that will excite a response from a recipient of the reply data packet.
  - 27. The apparatus of claim 24 wherein the modified header conforming to the protocol includes a reset flag.
  - 28. The apparatus of claim 24 wherein the modified header conforming to the protocol includes a finish flag.
  - 29. The apparatus of claim 24 wherein the processor unit further executes the computer usable program code to block all network traffic originating from the second routing address to prevent an attack on any open ports.
  - 30. The apparatus of claim 24 wherein the modified header conforming to the protocol is a modified transmission control protocol header.
  - 31. The apparatus of claim 24 wherein a datalink layer in the modified header indicates a media access control address for a destination of the modified reply data packet.

32. A system for protecting against port scans, the system comprising:
- a host computer, wherein the host computer comprises;
  
  an enhanced port scan protection software for detecting a port scan data packet and generating a reply data packet having a modified header conforming to a protocol used to transmit data packets to form a modified reply data packet in response to detecting a port scan, wherein the modified reply data packet will elicit a response data packet from a recipient of the modified reply data packet, wherein the modified header will compel the recipient'"'"'s transmission control protocol/internet protocol layer to respond to the modified reply data packet in response to the recipient snooping the modified reply data packet, wherein the modified reply data packet is sent to a first source internet protocol address associated with the port scan; and
  
  a source Internet protocol address detector, wherein the source Internet protocol address detector identifies that a second source internet protocol address in a header of a response to the modified reply data packet is a correct source internet protocol address of a source of the port scan, wherein the second source internet protocol address is different from the first source internet protocol address.
- View Dependent Claims (33, 34, 35)
- - 33. The system of claim 32 wherein the modified header conforming to the protocol includes a protocol violation that will excite the response from the recipient of the reply data packet.
  - 34. The system of claim 32 wherein the modified header conforming to the protocol includes a reset flag or a finish flag.
  - 35. The system of claim 32 wherein the host computer is a first computer and further comprising:
    - a second computer, wherein the second computer comprises;
      
      a port scanner, wherein the port scanner performs the port scan on the first computer by sending the port scan data packet having a fake source routing address to the first computer, wherein the fake source routing address is not a correct routing address for the second computer; and
      
      a transmission control protocol/Internet protocol layer, wherein the transmission control protocol/Internet protocol layer generates the response to the modified reply data packet automatically.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Keohane, Susann Marie, McBrearty, Gerald Francis, Shieh, Johnny Meng-Han, Mullen, Shawn Patrick, Murillo, Jessica Carol
Primary Examiner(s)
Srivastava; Vivek
Assistant Examiner(s)
LAUZON, THOMAS C

Application Number

US11/738,547
Publication Number

US 20080263666A1
Time in Patent Office

1,513 Days
Field of Search

726/23
US Class Current

726/23
CPC Class Codes

H04L 63/126 the source of the received ...

H04L 63/1458 Denial of Service

Method and apparatus for detecting port scans with fake source address

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

236 Citations

35 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for detecting port scans with fake source address

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

236 Citations

35 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others