1. Field of the Invention
The present invention relates generally to the field of network security and more specifically to using low overhead methods for identifying packets in a network.
2. Description of Prior Art
Availability of low cost computers, high speed networking products, and readily available network connections has helped fuel proliferation of the Internet. This proliferation has caused the Internet to become an essential tool for both the business community and private individuals. Dependence on the Internet arises, in part, because the Internet makes it possible for multitudes of users to access vast amounts of information and perform remote transactions expeditiously and efficiently. Along with the rapid growth of the Internet have come problems caused by malicious individuals or pranksters launching attacks from within the network. As the size of the Internet continues to grow, so does the threat posed by these individuals.
The ever-increasing number of computers, routers and connections making up the Internet increases the number of vulnerability points from which these malicious individuals can launch attacks. These attacks can be focused on the Internet as a whole or on specific devices, such as hosts or computers, connected to the network. In fact, each router, switch, or computer connected to the Internet may be a potential entry point from which a malicious individual can launch an attack while remaining largely undetected. Attacks carried out on the Internet often consist of malicious packets being injected into the network. Malicious packets can be injected directly into the network by a computer, or a device attached to the network, such as a router or switch, can be compromised and configured to place malicious packets onto the network.
The most publicized forms of network attacks often involve placing thousands or millions of packets onto the network using a practice known as flooding. The flood of packets can be targeted to a specific device on the network, for example a corporate web site, thus causing the device to become overwhelmed and shut down. Alternatively, an attack may be designed to clog the links, or connection points, between network components. Network attacks can be further enhanced using a practice known as spoofing. Spoofing involves associating bogus Internet Protocol (IP) source addresses with the transmitted packets, thus making the packets' origins impossible to determine from a received packet alone. Spoofing can be further enhanced using a technique referred to as transformation. When a packet is transformed, it undergoes a process that changes the original packet into a new packet, as, for example, would happen during tunneling or network address translation (NAT). Locating the origin of a network attack is further complicated because coordinated attacks can be employed. In a coordinated attack, multiple network devices are compromised and then used to launch a distributed attack. A distributed attack is one that is launched essentially simultaneously from several locations within the network.
Network attacks can also be launched using a single packet. While single packet attacks are not as well publicized as multi-packet attacks, they are becoming more common and they are capable of inflicting significant damage to vulnerable networks. At present, it is extremely difficult to detect single packet attacks in a timely manner using known methods of intrusion detection, which exacerbates the challenge in dealing with them. As a result, network data, currently, must be analyzed after the fact to determine if a single packet attack was the source of disruption. Any tracing of the single packet to its origins, in accordance with prior art techniques, must also take place after the attacking packet traversed the network.
Much of the difficulty in identifying the origin of an attack arises because the Internet employs a stateless routing infrastructure, in that it is one in which routing is based solely on destination addresses. Although source IP addresses may be transmitted with data, they are easy to forge, and as a result they are untrustworthy. A forged source address may bear no similarity to the actual source address from which the packet came. As a result, most prior art techniques and devices for preventing network attacks attempt to stop delivery of malicious packets at the ultimate destination device rather than attempting to locate their origin. Such origin is referred to as an entry point, also referred to as an ingress point or intrusion location, onto the network. Failing to identify the source address of malicious packets inhibits preventing further attacks, and such failure makes identification of the actual perpetrator difficult.
Border routers contain routing tables for other routers within the AS and for routers within the public network that are connected to the AS by a link, i.e. a communicative connection. In
Firewalls are typically installed between a local area network (LAN), or intranet, and the Internet, or public network. Firewalls act as gatekeepers for an AS in that they allow certain packets in while excluding other packets. Firewalls may be implemented in routers or servers connected between an AS and the Internet, or they may function as standalone devices. Rule sets are used by firewalls to determine which packets will be allowed into their respective AS and which packets will be discarded. Since rules determine which packets get through the firewalls, only packets known to be problematic can be stopped. Therefore, rule sets must be updated on a regular basis to provide protection against new threat characteristics.
Additional protection for an AS may be obtained by supplementing border routers and firewalls with intrusion detection systems (IDSs). IDSs also use rule-based algorithms to determine if a given pattern of network traffic is abnormal. The general premise used by an IDS is that malicious network traffic will have a different pattern from normal, or legitimate, network traffic. Using a rule set, an IDS monitors inbound traffic to an AS. When a suspicious pattern or event is detected, the IDS may take remedial action, or it can instruct a border router or firewall to modify operation to address the malicious traffic pattern. For example, remedial actions may include disabling the link carrying malicious traffic, discarding packets coming from a particular source address, or discarding packets addressed to a particular destination. In
Although border routers, firewalls, and IDSs can be used to help prevent known packets from entering an AS, they are not well equipped for stopping unknown packets because they rely on rule-based look up tables containing signatures of known threats. In addition, border routers, firewalls, and IDSs generally are not well equipped for identifying the origin, or ingress location, of malicious packets, particularly when spoofing is employed. Even when spoofing is not used, the above-noted devices may not be able to determine the ingress point for packets because packets often traverse many Internet links and devices, such as routers, bridges, and switches, before arriving at an AS. Reliably tracing the path of a packet often requires information about each link traversed by a packet. To obtain this information, routing data must remain with the packet or, alternatively, each router, or device, on the path must store information about, or a copy of, each packet traversing a network. With high-speed routers passing gigabits of data per second, storing full copies of packets is not practical.
What has been needed and what has not been available is a method for identifying the origin of malicious packets that can be implemented in an AS on the Internet and which addresses all shortcomings of prior art protection techniques. Embodiments of the present invention offer welcome solutions to these prior art protection problems.
Embodiments of the present invention employ apparatus, system, computer program product and/or method for identifying an intrusion point of a malicious or target packet into a network. More specifically, in a network component operatively coupled to a network by at least one link carrying multiple packets, a computer-readable storage medium containing executable code for instructing a processor to process information about at least one of the packets, the information being used to facilitate locating an intrusion location for a malicious packet in the network. A hash value is determined over at least a portion of one of the packets. The resulting hash value is used to form an index into a memory for storing information about a subset of the multiple packets. A flag is set at one of the memory locations corresponding to the index. A query containing information about a malicious packet is received and the information is extracted from the query. The information in the query is compared to the contents of the memory. And a reply is generated if the information in the query matches the contents of one of the memory locations, thus indicating that an intruding packet has been observed by the network component.
In a further aspect of the invention, in a network carrying multiple packets over at least one network link, where the network includes a computer, a first network component having memory and a processor configured to store information about at least one of the packets and a second network component, a target packet is detected. At least one of the multiple packets is received over a link to obtain a received packet. Next, a hash value or digest is determined over at least a portion of the received packet. The hash value is used to identify a memory location and a flag is set at the identified location. The first network component receives a query message identifying a target packet and uses the flag in processing the query message to determine if the target packet has been encountered. If the target packet has been encountered, the first network component replies.
In yet a further aspect of the invention, in a network carrying multiple packets over at least one link, where the network includes a network component having a memory and a processor, information about received packets is stored and at least a portion of the information is used to locate an intrusion point for one of the packets. A first packet is received at the first network component. A hash value is determined over at least a portion of the first packet. The hash value is used to identify a location in the memory and a flag is set at the location indicating that the hash value for the first packet has occurred. A second packet is received and processed to obtain information contained in it. This information is used to determine if the first packet has been observed. If the first packet has been observed, a reply is made available to the network and the reply may be used in a technique for locating the intrusion point for the first packet.
In still a further aspect of the invention, in a network carrying multiple packets over at least one link, the network including multiple devices and a system, the system being useful for assisting with the location of an intrusion point of a target packet in the network. The system having a first interface for receiving at least one of the multiple packets to produce a received packet. A second interface is used for placing a subset of any received packets onto the network link. A bus couples the first interface and second interface to allow communication. A memory is coupled to the bus, and the memory is used to store information about received packets in a machine-readable form. A processor is also coupled to the bus and the memory, and the processor is used to execute machine-readable instructions for processing received packets. A first hash value is determined for each received packet. A second hash value is determined from at least a portion of a target packet. A first hash value is compared to the second hash value and a reply is made in response to the comparison.
It is advantageous to employ embodiments of the present invention to eliminate the problems caused by undetected malicious packets in a network. A further advantage of the invention is that it detects malicious packets without requiring special purpose network equipment. Furthermore, the present invention communicates information about malicious packets to other network devices thus enhancing network security. Another advantage of the invention is that information about malicious packets is efficiently stored thus facilitating cost effective deployment of disclosed embodiments.
It is thus an object of the present invention to eliminate the problems caused by malicious packets in a network.
It is a further object of the present invention to identify malicious packets to facilitate identifying their intrusion locations into the network.
It is yet a further object of the present invention to quickly identify the ingress points of malicious packets when distributed attacks are launched against a network.
It is still yet a further object of the present invention to efficiently store information about packets traversing a link in a network.
It is still yet a further object of the present invention to detect transformed packets.
Further objects and advantages of the disclosed embodiments will become more apparent after reference to the detailed description of exemplary embodiments thereof taken in conjunction with the accompanying drawings in which:
A preferred embodiment uses a server and one or more specially configured network components, or devices, such as a router, within an autonomous system (AS) to determine the ingress point for a malicious packet (MP1).
The rightmost portion of
SS1 may be comprised of a device such as a general-purpose computer, or server, operatively coupled to the network of AS1 and executing machine-readable code enabling it to perform source path isolation in conjunction with SR14-17 and IDS1. While SS1 and IDS1 are shown as separate devices in
The central portion of
The lower portion of
The leftmost portion of
To launch an attack, an intruder generates malicious data traffic and places it onto a link for transmission to one or more destination addresses. In
Detection and source path isolation of MP1 may be accomplished as follows. IDS1 identifies MP1 using known methods. After detecting MP1, IDS1 notifies SS1 that a malicious packet has been detected within AS1. The notification may include MP1 or portions thereof along with other information useful for SS1 to begin source path isolation. Examples of information that may be sent from IDS1 to SS1 along with MP1 are time-of-arrival, encapsulation information, link information, and the like. When MP1 (or a fraction thereof) has been identified and forwarded to SS1 it is referred to as a target packet (TP1) because it becomes the target of the source path isolation method further described herein.
SS1 may then generate a query message (QM1) containing TP1. After generating QM1, SS1 sends it to all routers located one hop away. For example, SR16 is one hop away from SS1, whereas SR14, SR15 and SR17 are each two hops away from SS1 and one hop away from SR16. When SR16 receives QM1 from SS1, SR16 determines if TP1 has been seen. This determination is made by hashing TP1 and comparing the resulting hash value, or digest, to a bit map of hash values representative of packets having previously passed through SR16. SR16 is considered to have observed, or encountered, a packet when the packet is passed from one of the input ports to one of the output ports such as would be done when SR16 forwards, or propagates, a packet during normal operation within a network.
To determine if a packet has been observed, SR16 first stores a representation of each packet it forwards. Then SR16 compares the stored representation to the information about TP1 contained in QM1. Typically, a representation of a packet passed through SR16 will not be a copy of the entire packet, but rather it will be comprised of a portion of the packet or some value representative of the packet. Since modern routers can pass gigabits of data per second, storing complete packets is not practical because memories would have to be prohibitively large. In contrast, storing a value representative of the contents of a packet uses memory in a much more efficient manner. By way of example, if incoming packets range in size from 256 bits to 1000 bits, a fixed width number may be computed across the bits making up a packet in a manner that identifies the packet with high probability. To further illustrate the use of representations, a 32-bit hash value, or digest, may be computed across each packet. Then, the digest may be stored in memory or the digest may be used as an index, or address, into memory. Using the digest, or an index derived therefrom, results in efficient use of memory while still allowing each packet passing through a router to be identified, subject to the hash collisions discussed below. The disclosed invention works with any storage scheme that saves information about each packet in a space efficient fashion, that can definitively determine if a packet has not been observed, and that will respond positively (i.e. in a predictable way) when a packet has been observed. Although the invention works with virtually any technique for deriving representations of packets, for brevity, the remaining discussion will use hash digests as exemplary representations of packets having passed through a participating router.
If SR16 has not observed TP1, it may so inform SS1. But if SR16 has a hash matching TP1, it may send a response to SS1 indicating that the packet was observed by, or at, SR16. In addition, SR16 may forward QM1 to adjacent routers 1 hop away. In
In
Still referring to
The process used to perform source path isolation in
Since the locations of border routers are known within AS 300, an outward-in solution may also be employed. With an outward-in solution, SS first queries border routers, B, and they in turn query the routers labeled A. As can be seen from
Further detail of the operation of a source path isolation server (SS) and a source path isolation router (SR) are provided hereinbelow.
After receiving TP1, SS1 may generate QM1 comprising TP1 and any additional information desirable for facilitating communication with participating routers (SRs) (step 404). Examples of additional information that may be included in QM1 are, but are not limited to, destination addresses for participating routers, passwords required for querying a router, encryption keying information, time-to-live (TTL) fields, information for reconfiguring routers, and the like. SS1 then sends QM1 to SRs located one hop away (step 406).
After processing QM1, an SR may send a reply to SS1 (step 408). The response may indicate that a queried router has seen TP1, or alternatively, that it has not (step 410). It is important to observe that the two answers are not equal in their degree of certainty. If SR does not have a hash matching TP1, SR has definitively not seen TP1. However, if SR has a matching hash, then SR has seen TP1 or a packet that has the same hash as TP1. When two different packets, having different contents, hash to the same value it is referred to as a hash collision.
If a queried SR has seen TP1, a reply and identification (ID) information for the respective SR is associated as active path data (step 414). Alternatively, if an SR has not seen TP1, the reply is associated as inactive path data (step 412). Replies received from queried SRs are used to build a trace of the potential paths taken by TP1 as it travels, or propagates, across a network using known methods (step 416). SS1 may attempt to build a trace with each received response to determine the ingress point for TP1 (step 418). If SS1 has not computed the ingress point, the subsequent responses from participating routers located an additional hop away are processed by executing steps 408-418 again.
When SS1 has determined an ingress point for TP1, it may send a message to IDS1 indicating that a solution has been found (step 420). Often it will be desirable to have the participating router closest to the ingress point close off the ingress path used by TP1. As such, SS1 may send a message to the respective participating router instructing it to close off the ingress path using known techniques (step 422). SS1 may also archive copies of solutions generated, data sent, data received, and the like either locally or remotely. Furthermore, SS1 may communicate information about source path isolation attempts to devices at remote locations coupled to a network. For example, SS1 may communicate information to a network operations center (NOC), a redundant source path isolation server, or to a data analysis facility for post processing.
Here it is noted that as SS1 attempts to build a trace of the path taken by TP1, several paths may emerge as a result of hash collisions occurring in the participating routers. When hash collisions occur, they act as false positives in the sense that SS1 interprets the collision as an indication that the desired TP1 has been observed. Fortunately the occurrence of hash collisions can be mitigated. One mechanism for reducing hash collisions is to compute large hash values over the packets, since the chance of a collision rises as the number of bits comprising the hash value decreases. Another mechanism for reducing collisions is to control the density of the hash tables in the memories of participating routers. That is, rather than computing a single hash value and setting a single bit for an observed packet, a plurality of hash values are computed for each observed packet using several independent hash functions, and a bit is set for each of them. This produces a corresponding number of distinct hash values for each observed packet. While this approach fills the hash table at a faster rate, a query now yields a false positive only when every one of the bits selected for TP1 happens to have been set by other packets. For a table of m bits holding n packets and using k hash functions the false positive rate is approximately (1 - e^(-kn/m))^k, which for a table that is not too full is far below the roughly n/m rate of the single-bit scheme, so the tradeoff is worthwhile in many instances; the table size and the number of hash functions are chosen together for the expected packet rate and the interval between flushes of the table. For example, Bloom filters may be used to compute multiple hash values over a given packet in order to reduce the number of collisions and hence enhance the accuracy of traced paths. Therefore, the disclosed invention is not limited to any particular method of computing hash functions nor is it limited to a particular type of source path localization algorithm or technique.
To participate in source path isolation of target packets, a router is modified so that it can determine a hash value over the immutable portion of each packet received and/or forwarded. A router forwards a packet when it moves a data packet present at an input port to an output port for transmittal toward a desired destination. Modifying a router to record information about observed packets after computing a hash value provides an efficient method for retaining unique information about each packet seen, or observed, by a participating router. Techniques for quickly computing hash values are readily available and they can be implemented in the processing hardware and software currently used in routers without unduly reducing performance of the forwarding engines within the routers. In order to make use of hash value information, a participating router, SR, may store information in a manner facilitating rapid recall when QM1 is received from SS1. Since modern routers are capable of forwarding large numbers of packets very quickly, attempting to store even a byte per data packet would require very large amounts of high-speed memory. Employing hash values significantly reduces the memory requirements for storing information about packets.
An SR determines a hash value over an immutable portion of a packet observed at an input port. The hash value is determined by taking an input block of data, such as a data packet, and processing it to obtain a fixed-length numerical value that, for a well-chosen function, is almost always different for different inputs. The hash value, also referred to as a message digest or hash digest, is of fixed length whereas the input data may vary in size. Because the hash digest is, with high probability, distinct for each input block of data, it serves as a signature for the data over which it was computed. For example, incoming packets varying in size from 32 bits to 1000 bits could have a fixed 32-bit hash value computed over their length. Furthermore, the hash value may be computed in such a way that it is a function of all of the bits making up the input data, or alternatively it can be computed over a portion of the input data. When used, a hash value essentially acts as a fingerprint identifying the input block of data over which it was computed. However, unlike fingerprints, there is a chance that two very different pieces of data will hash to the same value, i.e. a hash collision. An acceptable hash function should distribute its values uniformly over a variety of data inputs in order to make such collisions rare. Since collisions occur when different, i.e. unique, input blocks result in the same hash value, an ambiguity arises when attempting to associate a result with a particular input. Suitable hash functions are well known in the art and will not be discussed in detail herein. For example, hash functions used in the art, which may be used in conjunction with the matter disclosed herein, can be found in Cryptography and Network Security: Principles and Practice, Stallings, Prentice Hall (2000). An example of a useful hash function that can be used with the invention is the Cyclic Redundancy Check (CRC). It should be noted that a CRC is fast but linear: an adversary who knows the polynomial can construct packets that collide with a chosen target, so where deliberately engineered collisions are a concern the hash function, or a per-router key mixed into it, should be kept from the attacker.
To further reduce collisions, each SR may implement its own unique hash function. By way of example, assume two adjacent routers, SR15 and SR16, coupled together and each employing the same hash function, and two target packets, TP1 and TP2, on a network. Now assume TP1 passes only through SR15, and TP2 passes through SR16 before arriving at SR15. If TP1 and TP2 have a hash collision at SR15, then the tracing algorithm will include SR16 in the traced path because SR16 would incorrectly report TP2's hash value as a potential signal that TP1 had passed through SR16, owing to the identical hash values of TP1 and TP2. However, if SR16 employs a different hash function, then TP1 and TP2 will have different hash values at SR16, and thus SR16 would not be included in the traced path even though a collision occurred between TP1 and TP2 at SR15.
Generally packets have an immutable portion and a mutable portion. These names are used to help distinguish between the portions of the packet that may change as it is routed through the network and the portion, or portions, remaining intact, or unchanged. Immutable is used to describe the portions of a packet that do not change as a function of the packet's path across, or through, a network. In contrast, mutable describes the portions of a packet that change as a function of the packet's path through the network. Typically, the data, or baggage, portion of a packet is thought to be immutable whereas the header portion is considered to be mutable. Although the header portion may be largely comprised of mutable fields, it often contains immutable fields as well. In an IPv4 packet, for example, the time-to-live, header checksum and type-of-service fields are rewritten by routers and are therefore mutable, whereas the source and destination addresses, identification, protocol and payload are ordinarily left intact unless the packet is transformed by NAT or tunneling as discussed above. When practicing the invention it is desirable to compute hash values over at least a portion of the immutable fields of a packet to produce hash values that do not change as the packet traverses a network.
Embodiments disclosed herein may store the actual hash values to identify packets traversing the network, or they may use other techniques for minimizing storage requirements associated with retaining hash values and other information associated therewith. One such technique for minimizing storage requirements uses a bit array for storing hash values. Rather than storing the actual hash value, which can typically be on the order of 32 bits or more in length, the invention uses the hash value as an index for addressing into a bit array. In other words, when a hash value is computed for a forwarded packet, the hash value serves as the address location into the bit array. At the address corresponding to the hash value, a single bit is set at the respective location thus indicating that a particular hash value, and hence a particular data packet, has been seen by the router. For example, using a 32 bit hash value provides on the order of 4.3 billion possible index values into a bit array; a full 2^32-bit array occupies 512 megabytes, so in practice a smaller array may be addressed by a truncated digest and flushed on a schedule as described below. Storing one bit per packet rather than storing the packet itself, which can be 1000 bits long, produces a storage ratio of 1:1000. While bit arrays are described by way of example, it will be obvious to those skilled in the relevant art that other storage techniques may be employed without departing from the spirit of the invention.
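The query procedure described above (SS1 querying outward one hop at a time and treating a negative reply as definitive) and the router-side digest storage (a hash over the immutable portion of each forwarded packet, used as an index into a bit array, with several hash functions per packet and a different function per router) can be exercised together in a small simulation. The following is an added example written for this page; it is not code from the patent or from any product implementing it. Its IPv4 field layout, the choice of blake2b keyed with the router's name as the per-router hash function, the table size, the topology (SR13 through SR17 around SS1) and the background traffic are all constructed assumptions.

```python
import hashlib
import math
import socket
import struct
from collections import deque

def make_ipv4(src, dst, ttl, payload, ident=0x1234):
    """Constructed test packet: IPv4 header (no options, protocol 17) with a
    correct header checksum, followed by the payload."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                                0, ttl, 17, 0, socket.inet_aton(src), socket.inet_aton(dst)))
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:                              # fold carries (ones' complement sum)
        s = (s & 0xFFFF) + (s >> 16)
    hdr[10:12] = struct.pack("!H", ~s & 0xFFFF)
    return bytes(hdr) + payload

def immutable_portion(packet):
    """Zero the IPv4 fields a router may rewrite (ToS/DSCP, TTL, header
    checksum) so the digest is the same at every hop; keep the rest of the
    header plus the first 8 payload bytes. Assumes no IP options."""
    if len(packet) < 20 or packet[0] != 0x45:
        raise ValueError("IPv4 packet without options expected")
    hdr = bytearray(packet[:20])
    hdr[1], hdr[8], hdr[10:12] = 0, 0, b"\x00\x00"
    return bytes(hdr) + packet[20:28]

class DigestTable:
    """One router's digest memory: a Bloom filter over immutable_portion().
    A clear bit is a definite 'not seen'; all k bits set is 'seen, or a collision'."""

    def __init__(self, router_id, nbits=1 << 16, k=3):
        self.router_id, self.nbits, self.k = router_id, nbits, k
        self.bits = bytearray(nbits // 8)
        self.inserted = 0

    def _indexes(self, data):
        # Keyed with the router's own id (assumed key derivation), so a collision
        # between two packets at one router is not also a collision at its neighbour.
        for i in range(self.k):
            h = hashlib.blake2b(data, digest_size=4, key=f"{self.router_id}/{i}".encode())
            yield int.from_bytes(h.digest(), "big") % self.nbits

    def observe(self, packet):
        for idx in self._indexes(immutable_portion(packet)):
            self.bits[idx >> 3] |= 1 << (idx & 7)
        self.inserted += 1

    def has_seen(self, packet):
        return all((self.bits[idx >> 3] >> (idx & 7)) & 1
                   for idx in self._indexes(immutable_portion(packet)))

    def false_positive_rate(self):
        """Bloom estimate (1 - e^(-kn/m))^k; with k = 1 this is the plain bit array."""
        return (1 - math.exp(-self.k * self.inserted / self.nbits)) ** self.k

def trace(start, neighbours, tables, target):
    """SS1's outward search: query the router one hop from the server, then the
    neighbours of every router that answers positively; a negative answer is
    definitive and ends that branch. Returns (active routers, ingress candidates),
    the candidates being active routers with no further active neighbour."""
    active, queried, frontier = set(), set(), deque([start])
    while frontier:
        r = frontier.popleft()
        if r in queried:
            continue
        queried.add(r)
        if tables[r].has_seen(target):
            active.add(r)
            frontier.extend(n for n in neighbours[r] if n not in queried)
    ingress = {r for r in active if r != start and len(active & set(neighbours[r])) <= 1}
    return active, (ingress or ({start} if active else set()))

# Constructed topology: SS1 and IDS1 sit next to SR16; SR13 is a border router.
NEIGHBOURS = {"SR16": ["SR14", "SR15", "SR17"], "SR14": ["SR16"],
              "SR15": ["SR16", "SR13"], "SR17": ["SR16"], "SR13": ["SR15"]}
ATTACK_PATH = ["SR13", "SR15", "SR16"]          # true route of the malicious packet

def simulate_attack():
    tables = {r: DigestTable(r) for r in NEIGHBOURS}
    for t in tables.values():                   # constructed background traffic
        for n in range(200):
            t.observe(make_ipv4("10.0.0.1", "10.0.1.2", 64, b"bg" + bytes([n]), ident=n))
    evil = b"\x00" * 8 + b"EVIL"
    for hop, r in enumerate(ATTACK_PATH):       # TTL and checksum differ at each hop
        tables[r].observe(make_ipv4("192.0.2.7", "10.0.1.2", 64 - hop, evil, ident=0xBEEF))
    # IDS1 hands SS1 the packet as it arrived after three routers: this is TP1.
    target = make_ipv4("192.0.2.7", "10.0.1.2", 61, evil, ident=0xBEEF)
    active, ingress = trace("SR16", NEIGHBOURS, tables, target)
    return {"active": active, "ingress": ingress, "tables": tables, "target": target}
```

Running simulate_attack() marks SR16, SR15 and SR13 active and reports SR13 as the ingress point, while SR14 and SR17 answer negatively and are not queried further. Two things the paragraphs above state are visible in the code: the digest of the packet IDS1 saw (TTL 61) matches the digests stored when it had TTL 64, 63 and 62, because the mutable fields are masked before hashing, and a negative answer is trusted absolutely while a positive one is only trusted up to the table's false positive rate.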
While using a bit array significantly reduces memory requirements for participating routers, they are not eliminated. Over time the array fills: every forwarded packet sets another bit, and as the fraction of set bits grows so does the chance that a query for a packet never seen finds its bit already set, i.e. the false positive rate rises. The false positive rate may be kept low if the bit array is periodically flushed, that is, copied to other storage media such as a magnetic disk drive, optical media, solid state drive, or the like, and then cleared. To facilitate this, a time-table may be established for flushing the bit array, wherein such time-table may be based on the speed of the router, the number of input data streams, the size of available fast memory, and the like; the flushed copies may be retained together with the time interval they cover, so that a later query carrying the time-of-arrival of a target packet can still be answered from the correct copy. If desired, the frequency of flushing can be reduced by computing hash values only for a subset of the packets passing through a router. While this approach lengthens the flushing cycle, it increases the possibility that a target packet may be missed, i.e. a hash value is not computed over it; if one packet in every s is recorded, a single malicious packet is missed with probability 1 - 1/s.
If the TTL field is not expired, SR1 determines if TP1 has been transformed (step 508). TP1 is transformed when it undergoes a transformation en route through a network such that a hash value computed over the immutable portion of the packet differs from that computed over the untransformed packet. For example, TP1 may have undergone a transformation of the baggage portion of the packet in an attempt to make identification of TP1 and/or its source more difficult. If TP1 has been transformed, SR1 creates a new query packet (QM2) containing a hash value for the immutable portion of the transformed packet (step 510). Where no packet transformation has occurred, the method determines if the hash value computed matches an index value in the bit array (step 512). As previously noted, index values contained in the bit array identify hash values of packets that have been forwarded by a queried router, here SR1. Depending on available memory in SR1, the hash value may be compared to bit array indices retrieved either from disk or from volatile memory.
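The flushing time-table, the retention of flushed copies, and the sampling tradeoff described in the preceding paragraph can be modelled in a few dozen lines. This is an added example written for this page, not code from the patent; the page boundaries by wall-clock second, the dictionary standing in for disk storage, the single keyed blake2b digest used as the bit-array address, and the one-page slack applied when answering a query are all assumptions of the example.

```python
import hashlib

def digest_index(immutable, nbits, router_key=b"SR1"):
    """Single keyed 32-bit digest used directly as the bit-array address (assumed hash)."""
    h = hashlib.blake2b(immutable, digest_size=4, key=router_key).digest()
    return int.from_bytes(h, "big") % nbits

class PagedDigestTable:
    """Bit arrays paged by time: fast memory holds the current page(s), older
    pages are flushed to slower storage (a dict standing in for disk) and stay
    queryable by the target packet's time of arrival."""

    def __init__(self, nbits=1 << 16, page_seconds=1.0, sample_every=1):
        self.nbits, self.page_seconds, self.sample_every = nbits, page_seconds, sample_every
        self.fast, self.disk, self.count = {}, {}, 0

    def _page(self, t):
        return int(t // self.page_seconds)

    def observe(self, immutable, t):
        """Record one packet seen at time t; returns False if sampling skipped it."""
        self.count += 1
        if self.count % self.sample_every:
            return False
        arr = self.fast.setdefault(self._page(t), bytearray(self.nbits // 8))
        i = digest_index(immutable, self.nbits)
        arr[i >> 3] |= 1 << (i & 7)
        return True

    def flush(self, now, keep_pages=1):
        """The time-table: move every page older than the newest keep_pages to disk."""
        cutoff = self._page(now) - keep_pages + 1
        for p in [p for p in self.fast if p < cutoff]:
            self.disk[p] = self.fast.pop(p)

    def fill_fraction(self, t):
        """Fraction of set bits in the page covering t; for a single hash this is
        also the probability that a query for an unseen packet answers 'seen'."""
        arr = self.fast.get(self._page(t)) or self.disk.get(self._page(t))
        return 0.0 if arr is None else sum(bin(b).count("1") for b in arr) / self.nbits

    def has_seen(self, immutable, t, slack=1):
        """Consult the page covering t and its neighbours, since router clocks and
        the reported time-of-arrival are not exact."""
        i = digest_index(immutable, self.nbits)
        for p in range(self._page(t) - slack, self._page(t) + slack + 1):
            arr = self.fast.get(p) or self.disk.get(p)
            if arr is not None and (arr[i >> 3] >> (i & 7)) & 1:
                return True
        return False

    def miss_probability(self):
        """Chance that one target packet was never recorded because of sampling."""
        return 1 - 1 / self.sample_every
```

A query that arrives after the page has been flushed is still answered, because the flushed page is looked up by the time-of-arrival carried in the query; a query whose time falls outside every retained page answers "not seen", which is the one case in which a negative reply is no longer definitive, and a server building a trace should treat pages that have been discarded as "unknown" rather than "not seen".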
If the hash value does not match an index value, SR1 does not forward QM1 (step 516), but instead may send a negative reply to SS1 (step 518). If a queried SR determines that TP1 has been transformed, the hash value of this variant, referred to as QM2, may be added to the baggage portion of QM1 (step 514), or alternatively can be used to create a new message (not shown) for forwarding to other devices. Next, QM1 is preferably forwarded to all interfaces excluding the one that QM1 was received on (step 520). After forwarding the message, SR1 sends a positive reply to SS1 indicating that the packet has been observed (step 522). The reply may contain the address of SR1, information about observed packets, and information about transformed packets, such as QM2, that have passed through SR1.
As previously disclosed herein, a hash value is preferably determined over an immutable portion of TP1 when it passes through SR1, and the resulting hash value is used as an index value, or address, into a memory. The index value is used to facilitate the storage of information about a packet so that it can be uniquely identified. In
When a hash value is determined for a particular TP1, an indicator bit, or flag, is set at an address corresponding to that hash value. The indicator bit is used to confirm that a particular TP1 has either been “seen” or “not-seen”. If a hash value is computed for a TP1, then the indicator bit is set to some state, for example to a “1”. The “1” indicates that the respective TP1 has been “seen” by SR1. In
Additional information may be stored for each hash value, or for a given data table or record, to further aid with source path isolation for TP1. For example, a “time” parameter can be associated with each computed hash value. If used, “time” will normally represent the exact time that a particular TP1 was seen by SR1. Additionally, a “link id” parameter can be used to identify the particular link upon which a TP1 arrived. Identifying the link may be of benefit when SR1 disables an ingress path for TP1. A “status” parameter can be employed to aid with monitoring system performance and health. It will be apparent to those skilled in the art that numerous other parameters can be associated with data arriving at SR without departing from the spirit of the invention.
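As an added illustration (not code from the patent or its assignee), the following Python model shows the two mechanisms described above working together: an SR hashes the immutable portion of each forwarded packet into an indicator bit array, records the optional “time” and “link id” parameters, and answers a query message with a positive or negative reply (steps 506 through 522). The packet builder, the choice of SHA-256, the masked header fields, the 1 Mbit array size and all names (build_ipv4, SourcePathRouter, observe, handle_query) are assumptions made for this example; the packets are constructed.

```python
import hashlib
import struct

BIT_ARRAY_BITS = 1 << 20  # assumption: one indicator bit per index, 1 Mbit per SR

def build_ipv4(src, dst, ttl, payload):
    # Constructed IPv4 packet (no options, fixed ident) with a valid header checksum.
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                                0x1234, 0, ttl, 17, 0, src, dst))
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    struct.pack_into("!H", hdr, 10, ~s & 0xFFFF)
    return bytes(hdr) + payload

def immutable_portion(pkt):
    # Mask fields a router legitimately rewrites en route; keep header + 8 payload bytes.
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[1] = 0                 # ToS/DSCP may be remarked
    hdr[8] = 0                 # TTL is decremented at every hop
    hdr[10:12] = b"\x00\x00"   # header checksum changes whenever TTL does
    return bytes(hdr) + pkt[ihl:ihl + 8]

def packet_index(pkt):
    # Hash value over the immutable portion, reduced to an address in the bit array.
    digest = hashlib.sha256(immutable_portion(pkt)).digest()
    return int.from_bytes(digest[:4], "big") % BIT_ARRAY_BITS

class SourcePathRouter:
    def __init__(self, name):
        self.name = name
        self.seen = bytearray(BIT_ARRAY_BITS // 8)  # indicator bits ("seen")
        self.info = {}                              # index -> (time, link id)

    def observe(self, pkt, link_id, now):
        # Done for every forwarded packet: set the indicator bit, keep time/link id.
        idx = packet_index(pkt)
        self.seen[idx >> 3] |= 1 << (idx & 7)
        self.info[idx] = (now, link_id)

    def handle_query(self, qm):
        # qm = {"hash": index, "ttl": hops left}; TTL check, bit-array lookup, reply.
        if qm["ttl"] <= 0:
            return {"router": self.name, "reply": "expired"}
        idx = qm["hash"]
        if not (self.seen[idx >> 3] >> (idx & 7)) & 1:
            return {"router": self.name, "reply": "negative"}
        now, link_id = self.info[idx]
        return {"router": self.name, "reply": "positive", "time": now, "link": link_id}
```

Because TTL and checksum are masked, a copy of the packet captured one hop downstream (TTL decremented, checksum recomputed) produces the same index, which is what lets a query built from the packet seen at SS1 match the bit set at an upstream SR.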
Processor 702 may be any type of conventional processing device that interprets and executes instructions. Main memory 704 may be a random access memory (RAM) or a similar dynamic storage device. Main memory 704 stores information and instructions to be executed by processor 702. Main memory 704 may also be used for storing temporary variables or other intermediate information during execution of instructions by processor 702. ROM 706 stores static information and instructions for processor 702. It will be appreciated that ROM 706 may be replaced with some other type of static storage device. Storage device 708, also referred to as data storage device, may include any type of magnetic or optical media and their corresponding interfaces and operational hardware. Storage device 708 stores information and instructions for use by processor 702. Bus 710 includes a set of hardware lines (conductors, optical fibers, or the like) that allow for data transfer among the components of system 720.
Display device 712 may be a cathode ray tube (CRT), liquid crystal display (LCD) or the like, for displaying information in an operator or machine-readable form. The keyboard 714 and cursor control 716 allow the operator to interact with system 720. The cursor control 716 may be, for example, a mouse. In an alternative configuration, keyboard 714 and cursor control 716 can be replaced with a microphone and voice recognition means to enable an operator or machine to interact with system 720.
Communication interface 718 enables system 720 to communicate with other devices/systems via any communications medium. For example, communication interface 718 may be a modem, an Ethernet interface to a LAN, an interface to the Internet, a printer interface, etc. Alternatively, communication interface 718 can be any other interface that enables communication between system 720 and other devices, systems or networks. Communication interface 718 can be used in lieu of keyboard 714 and cursor control 716 to facilitate operator or machine remote control and communication with system 720.
As will be described in detail below, system 720 may provide SS1 operating within AS1 with the ability to perform source path isolation for a given TP1. SS1 may receive MP1 from IDS1 and generate QM1 in response to processor 702 executing sequences of instructions contained in, for example, memory 704. Such instructions may be read into memory 704 from another computer-readable medium, such as storage device 708, or from another device coupled to bus 710 or coupled via communication interface 718. Execution of sequences of instructions contained in memory 704 causes processor 702 to perform the method described in conjunction with
System 720 may also be used to enable SR1 to pass data, store information about packets that have been seen, and respond to query messages. For example, SR1 may compute, or determine, a hash value over an immutable portion of a packet using processor 702 and instructions received from, for example, memory 704. The execution of instructions contained in memory 704 causes processor 702 to further perform the method generally described in
As can be seen, the disclosed embodiments provide the functionality necessary to facilitate the source path isolation of malicious packets in a network. While the preceding disclosure is directed to an Internet Protocol (IP) network, disclosed embodiments can be used with other network protocols such as frame relay, asynchronous transfer mode (ATM), synchronous optical network (SONET), and the like. In addition, disclosed embodiments may be adapted to operate within different layers of a network such as the data link layer, network layer, transport layer or the like. Furthermore, the disclosed embodiments are not limited to particular network topologies or architectures.
Also, methods associated with determining a hash value for packets that have been seen may be implemented in various types of network devices in addition to source path isolation routers (SRs) heretofore discussed. For example, the method discussed in conjunction with
The disclosed methods for implementing a source path isolation server (SS) and a source path isolation router (SR) are not limited to a single programming language or hardware architecture. For example, software for performing the functions of SS or SR may be implemented in a high level programming language such as C, C++, LISP, or the like. Alternatively, software may be implemented in a lower level language such as assembly language, or a device specific language, where requirements such as speed must be met. Furthermore, an SS or SR may be configured to communicate with, and make information available to, other devices operatively connected to a network using known programming languages and techniques. For example, it may be desirable to have SS make source path isolation solutions available to an operator responsible for monitoring network security. In addition, an SS or SR can be implemented in a distributed fashion either by employing multiple processors or by having various components physically separated and coupled by a communication means such as a distributed bus, network, or the like. Also, it may be desirable to have an SS communicate with one or more SRs over a dedicated network instead of using the network carrying data traffic among the SRs. For example, using a dedicated network may provide additional security, reliable bandwidth, or communication redundancy in the event that one or more links to an SR are disabled.
Query messages (QMs) and replies are not limited to a single network protocol or packet type. In many instances, it will be desirable to have QMs and replies transported using readily known protocols; however, customized protocols and message types can be used. For example, it may be desirable to employ a smart packet for sending QMs to participating routers. A smart packet is one that may contain a standard message along with machine-readable code containing executable instructions for instructing a receiving device, such as an SR, to modify its operation in response to the contents of the executable code contained within the smart packet. Smart packets facilitate rapid responses to network intrusions by allowing an SR to modify operation soon after receiving a QM from an SS, or a forwarded QM from a participating router.
As can be seen, many variations of the disclosed embodiments are possible without departing from the spirit of the invention. Therefore, the present embodiments are to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.
This application is a continuation of U.S. patent application Ser. No. 10/654,771, filed Sep. 4, 2003, which, in turn, claims priority under 35 U.S.C. § 119 based on U.S. Provisional Application No. 60/407,975, filed Sep. 5, 2002, both of which are incorporated herein by reference. U.S. patent application Ser. No. 10/654,771 is also a continuation-in-part of U.S. patent application Ser. No. 10/251,403, filed Sep. 20, 2002, which claims priority under 35 U.S.C. § 119 based on U.S. Provisional Application No. 60/341,462, filed Dec. 14, 2001, both of which are incorporated herein by reference. U.S. patent application Ser. No. 10/654,771 is also a continuation-in-part of U.S. patent application Ser. No. 09/881,145, and U.S. patent application Ser. No. 09/881,074, both of which were filed on Jun. 14, 2001, and both of which claim priority under 35 U.S.C. § 119 based on U.S. Provisional Application No. 60/212,425, filed Jun. 19, 2000, all of which are incorporated herein by reference.
Number | Date | Country
---|---|---
60407975 | Sep 2002 | US
60341462 | Dec 2001 | US
60212425 | Jun 2000 | US

Relation | Number | Date | Country
---|---|---|---
Parent | 10654771 | Sep 2003 | US
Child | 12249832 | | US

Relation | Number | Date | Country
---|---|---|---
Parent | 10251403 | Sep 2002 | US
Child | 10654771 | | US
Parent | 09881145 | Jun 2001 | US
Child | 10654771 | | US
Parent | 09881074 | Jun 2001 | US
Child | 09881145 | | US