Method and apparatus for detecting spoofed network traffic

US 8,281,397 B2
Filed: 04/29/2010
Issued: 10/02/2012
Est. Priority Date: 04/29/2010
Status: Active Grant

First Claim

Patent Images

1. A method of detecting spoofed Internet Protocol (IP) traffic directed to a network having a plurality of interfaces, comprising:

creating a mapping table indicating correlations between IP address prefixes and AS numbers by processing routing information from a plurality of data sources;

for each interface,acquiring IP address prefixes from a training traffic flow entering the interface;

converting the IP address prefixes into AS numbers based on the mapping table; and

generating an interface expected AS number table for the interface based on the AS numbers; and

determining if an operational traffic flow is allowed to enter the network based on the interface expected AS number table.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for detecting spoofed IP network traffic is presented. A mapping table is created to indicate correlations between IP address prefixes and AS numbers, based on routing information collected from a plurality of data sources. At each interface of a target network, IP address prefixes from a training traffic flow are acquired and further converted into AS numbers based on the mapping table. An EAS (Expected Autonomous System) table is populated by the AS numbers collected for each interface. The EAS table is used to determine if an operation traffic flow is allowed to enter the network.

120 Citations

23 Claims

1. A method of detecting spoofed Internet Protocol (IP) traffic directed to a network having a plurality of interfaces, comprising:
- creating a mapping table indicating correlations between IP address prefixes and AS numbers by processing routing information from a plurality of data sources;
  
  for each interface,acquiring IP address prefixes from a training traffic flow entering the interface;
  
  converting the IP address prefixes into AS numbers based on the mapping table; and
  
  generating an interface expected AS number table for the interface based on the AS numbers; and
  
  determining if an operational traffic flow is allowed to enter the network based on the interface expected AS number table.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method according to claim 1, wherein the step of acquiring IP address prefixes comprises monitoring a group of incoming packets entering into the interface for a first preset period of time, each of the group of incoming packets containing an IP address prefix.
  - 3. The method according to claim 1, further comprising:
    - generating a comprehensive expected AS number table based on the interface expected AS number table generated for each interface; and
      
      determining if an operational traffic flow is allowed to enter the network based on the comprehensive expected AS number table.
  - 4. The method according to claim 3, wherein the step of generating a comprehensive expected AS number table comprises:
    - generating an entry associated with each interface, based on the expected AS number table generated for the interface; and
      
      combining the entries into a comprehensive expected AS number table.
  - 5. The method according to claim 4, wherein the step of determining if an operational traffic flow is allowed to enter the network comprises:
    - receiving at least one incoming packet through at least one of the plurality of network interfaces during a second period of time, the at least one incoming packet containing an IP address prefix;
      
      acquiring the IP address prefix;
      
      converting the IP address prefix into at least one AS number based on the mapping table;
      
      comparing the converted AS number with AS numbers of each entry of the comprehensive expected AS number table; and
      
      determining if there is a match between the converted AS number and the AS numbers of each entry of the comprehensive expected AS number table.
  - 6. The method according to claim 5, further comprising:
    - if there is no match between the converted AS number and the AS numbers of each entry of the comprehensive expected AS number table, generating a first alert indicating that the operational traffic flow is not allow to enter the network; and
      
      if there is a match between the converted AS number and the AS numbers of an entry of the comprehensive expected AS number table,identifying an interface associated with the entry;
      
      comparing the interface associated with the entry with the at least one of the interfaces through which the at least one incoming packet enters the network; and
      
      determining if there is a match between the interface associated with the entry and the at least one of the interfaces through which the at least one incoming packet enters the network.
  - 7. The method according to claim 6, further comprising:
    - if there is no match between the interface associated with the entry and said at least one of the interfaces through which said at least one incoming packet enters the network, generating a second alert indicating that the operational traffic flow is allowed to enter the network but not allowed to enter said at least one of the interfaces.
  - 8. The method according to claim 1, wherein the step of processing routing information from a plurality of data sources comprises determining if there is a conflict between the routing information from the data sources.
  - 9. The method according to claim 8, further comprising:
    - if there is no conflict between the routing information from the data sources, combining routing information from the data sources; and
      
      if there is a conflict between the routing information from the data sources, assigning a priority for each of the data sources containing conflicting routing information and processing the routing information from the data source(s) having a relatively higher priority.
  - 10. The method according to claim 1, further comprising:
    - updating periodically the mapping table by processing routing information from the plurality of data sources; and
      
      updating periodically the expected AS number table for each interface based on the mapping table.

11. A non-transitory computer readable medium having computer readable program for operating on a computer for detecting spoofed Internet Protocol (IP) traffic directed to a network having a plurality of interfaces, said program comprising instructions that cause the computer to perform the steps:
- creating a mapping table indicating correlations between IP address prefixes and AS numbers by processing routing information from a plurality of data sources;
  
  for each interface,acquiring IP address prefixes from a training traffic flow entering the interface;
  
  converting the IP address prefixes into AS numbers based on the mapping table; and
  
  generating an interface expected AS number table for the interface based on the AS numbers; and
  
  determining if an operational traffic flow is allowed to enter the network based on the interface expected AS number table.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The non-transitory computer readable medium according to claim 11, wherein the step of acquiring IP address prefixes comprises monitoring a group of incoming packets entering into the interface for a first preset period of time, each of the group of incoming packets containing an IP address prefix.
  - 13. The non-transitory computer readable medium according to claim 11, further comprising:
    - generating a comprehensive expected AS number table based on the interface expected AS number table generated for each interface; and
      
      determining if an operational traffic flow is allowed to enter the network based on the comprehensive expected AS number table.
  - 14. The non-transitory computer readable medium according to claim 13, wherein the step of generating a comprehensive expected AS number table comprises:
    - generating an entry associated with each interface, based on the expected AS number table generated for the interface; and
      
      combining the entries into a comprehensive expected AS number table.
  - 15. The non-transitory computer readable medium according to claim 14, wherein the step of determining if an operational traffic flow is allowed to enter the network comprises:
    - receiving at least one incoming packet through at least one of the plurality of network interfaces during a second period of time, the at least one incoming packet containing an IP address prefix;
      
      acquiring the IP address prefix;
      
      converting the IP address prefix into at least one AS number based on the mapping table;
      
      comparing the converted AS number with AS numbers of each entry of the comprehensive expected AS number table; and
      
      determining if there is a match between the converted AS number and the AS numbers of each entry of the comprehensive expected AS number table.
  - 16. The non-transitory computer readable medium according to claim 15, further comprising:
    - if there is no match between the converted AS number and the AS numbers of each entry of the comprehensive expected AS number table, generating a first alert indicating that the operational traffic flow is not allow to enter the network; and
      
      if there is a match between the converted AS number and the AS numbers of an entry of the comprehensive expected AS number table,identifying an interface associated with the entry;
      
      comparing the interface associated with the entry with the at least one of the interfaces through which the at least one incoming packet enters the network; and
      
      determining if there is a match between the interface associated with the entry and the at least one of the interfaces through which the at least one incoming packet enters the network.
  - 17. The non-transitory computer readable medium according to claim 16, further comprising:
    - if there is no match between the interface associated with the entry and said at least one of the interfaces through which said at least one incoming packet enters the network, generating a second alert indicating that the operational traffic flow is allowed to enter the network but not allowed to enter said at least one of the interfaces.
  - 18. The non-transitory computer readable medium according to claim 11, wherein the step of processing routing information from a plurality of data sources comprises determining if there is a conflict between the routing information from the data sources.
  - 19. The non-transitory computer readable medium according to claim 18, further comprising:
    - if there is no conflict between the routing information from the data sources, combining routing information from the data sources; and
      
      if there is a conflict between the routing information from the data sources, assigning a priority for each of the data sources containing conflicting routing information and processing the routing information from the data source(s) having a relatively higher priority.
  - 20. The non-transitory computer readable medium according to claim 11, further comprising:
    - updating periodically the mapping table by processing routing information from the plurality of data sources; and
      
      updating periodically the expected AS number table for each interface based on the mapping table.

21. An anti-spoofing apparatus comprising:
- a mapping component which generates a mapping table indicating correlations between IP address prefixes and AS numbers by processing routing information from a plurality of data sources;
  
  wherein the mapping table is stored in a first database;
  
  a learning component which acquires IP address prefixes from a plurality of training traffic flows entering a network, converts the acquired IP address prefixes into AS numbers based on the mapping table and generates an expected AS number table based on the converted AS numbers;
  
  wherein the expected AS number table is stored in a second database; and
  
  a determining component which acquires an IP prefix of an incoming operational traffic flow, converts the IP prefix into an AS number based on the mapping table and determines whether the incoming operational traffic flow is allowed to enter the network;
  
  wherein the determining component comprises a comparing component which compares the converted AS number with the AS numbers of the EAS number table and the determining component generates an alert notification based on the result of the comparison, wherein the alert notification is stored in a third database.

22. A network system comprising:
- a plurality of interfaces for receiving and forwarding traffic flows;
  
  a plurality of traffic monitors in communication with the plurality of interfaces, for collecting information from the traffic flows; and
  
  at least one server in communication with the plurality of traffic monitors, for controlling the traffic flows within the network system, said server comprises an anti-spoofing apparatus comprising;
  
  a mapping component which generates a mapping table indicating correlations between IP address prefixes and AS numbers by processing routing information from a plurality of data sources;
  
  a learning component which acquires IP address prefixes from a plurality of training traffic flows, converts the acquired IP address prefixes into AS numbers based on the mapping table and generates an expected AS number table based on the converted AS numbers; and
  
  a determining component which acquires an IP prefix of an incoming operational traffic flow, converts the IP prefix into an AS number based on the mapping table and determines whether the incoming operational traffic flow is allowed to enter the network.
- View Dependent Claims (23)
- - 23. The network system according to claim 22, wherein the determining component comprises a comparing component which compares the converted AS number with the AS numbers of the EAS number table, and the determining component generates an alert notification based on the result of the comparison.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
KDDI Corporation, Telcordia Technologies Incorporated (Telefonaktiebolaget LM Ericsson)
Original Assignee
Telcordia Technologies Incorporated (Telefonaktiebolaget LM Ericsson)
Inventors
Vaidyanathan, Ravichander, Ghosh, Abhrajit, Cheng, Yuu-Heng, Yamada, Akira, Miyake, Yutaka
Primary Examiner(s)
Pich, Ponnoreay

Application Number

US12/769,696
Publication Number

US 20110271340A1
Time in Patent Office

887 Days
Field of Search

726/22, 709/225
US Class Current

726/22
CPC Class Codes

H04L 63/1416 Event detection, e.g. attac...

Method and apparatus for detecting spoofed network traffic

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

120 Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for detecting spoofed network traffic

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

120 Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links