Patent Application
20100070639
This invention relates in general the detection of clone devices on the network, and more particularly to the detection of clone devices on Internet Protocol (IB) Networks used for delivering media content.
In cable systems, such as cable systems using the Data Over Cable Service Interface Specifications (DOCSIS), cable service to cable modems located at customers' locations is provided by a number of cable modem termination systems (“CMTS”), where each CMTS is responsible for providing service to a group of the cable modems. The cable modem is authorized for service by a customer service representative using its Media Access Control (“MAC”) address for identification. In order for the customer to obtain cable service, this MAC address is provided by the cable modem to a Dynamic Host Configuration Protocol (“DHCP”) server. If the MAC address provided by the cable modem appears to be valid, the DHCP server will then provide an Internet Protocol (“IP”) address to the cable modern. The cable modem may then be able to access the media content on the IP network using the IP address provided by the DHCP server.
Thus, each CMTS provides service to a group of cable modems each with its own MAC address, where the group of cable modems and their MAC addresses is known as a media access layer domain or simply domain. In most cable systems, such as the ones adopting DOCSIS, no duplicate MAC address is allowed to exist within a domain, so that each MAC address uniquely identifies a corresponding cable modem in the domain. The CMTS does not allow cable modem MAC addresses to be duplicated within its domain. However, the same MAC address may exist in different domains. It is discovered that this has become the back door through which hackers using clone devices may be able to steal cable service. For example, a hacker fraudulently obtains the MAC address of an authorized cable modem, and submits this MAC address using a clone device in a different domain to the DHCP server to obtain an IP address. Since the DHCP server cannot tell the difference between an authorized or cloned MAC address it assigns an IP address which allows the clone device to steal cable service without payment. While multi-system operators (“MSO”) have installed centralized monitoring tools for detecting clone cable modems, the tool is unable to determine which cable modem is an authorized one belonging to a paying customer. It is therefore desirable to provide a solution whereby such clones can be detected and their access blocked automatically.
Media content is now delivered through IP networks operated by media operators other than cable systems, such as Internet Protocol Television (“IPTV”) or still other types of IP networks. Thus, more generally, access to media content delivered through IP networks such as a cable or IPTV network may be controlled by Network Access Control (“NAC”) Servers. Each NAC server may control access to an IP network by a corresponding group of devices, each with a unique physical address. Since two different devices serviced by two different NAC servers may have the same physical address, it is again possible for hackers using clone devices to steal media content in a manner analogous to the one described above for cable systems. It is therefore desirable to provide a solution whereby such fraud may be prevented or reduced.
In one embodiment, fraud can be reduced or prevented by providing an identifier for each NAC server. When such server receives a request from a client device for an IP address, the NAC server will then transmit the request together with its own identifier to a DHCP server. This will then allow the DHCP server to identify whether the request from the client device is one from a legitimate client device instead of one from an unauthorized client device, such as a clone.
In another embodiment of the invention, when a request from a client device is received from an NAC server together with the identifier of the NAC server, it is determined from the identifier and the physical address of the client device whether the client device is an authorized client device. An IP address is provided to the client device only when it is determined that the client device is one which is authorized.
In yet another embodiment of the invention, a system for providing an IP address for a client device to access information on a network comprises one or more NAC servers each having an identifier and controlling access to the network. This system also includes a DHCP server. Each of the NAC servers transmits requests for IP addresses from client devices with the identifier of such NAC server to the DHCP server. The DHCP server determines from the received identifier and physical address whether such client device is authorized. The DHCP server sends an IP address to such client device only when it is determined that the client device is authorized.
Features in the above embodiments may be used individually or in combination.
All patents, patent applications, articles, books, specifications, other publications, documents and things referenced herein are hereby incorporated herein by this reference in their entirety for all purposes. To the extent of any inconsistency or conflict in the definition or use of a term between any of the incorporated publications, documents or things and the text of the present document, the definition or use of the term in the present document shall prevail.
For simplicity in description, identical components are labeled by the same numerals in this application.
Thus in general, media content or other services may be delivered through an IP network under the control of a number of Network Access Control (“NAC”) servers. Each of the client devices serviced (including access control) by each NAC server has a unique address among the group of client devices serviced by such server. However, different client devices serviced by different NAC servers may have the same physical address so that hackers may be able to steal service by fraudulently obtaining the physical address of a legitimate client device and send such address to the DHCP server to obtain an IP address.
To solve the problem above, the physical address (such as the MAC address) and the identifier of the NAC server controlling access by such client device (referred to herein as the associated NAC server) are both used to determine whether such client device should be allowed access to the network. In the case of cable systems, this identifier may be a media access layer domain number of the media access layer domain serviced and controlled by a particular CMTS. This physical address and the associated identifier of the NAC server are then stored (e.g. as a pair) in an authorization database 12 shown in
As shown in
The NAC server (e.g. server 16 or 22) provides service to and control access by a group of client devices such as client device 18 or 24. Each of the servers 16 and 22, and each of all other NAC servers not shown in
When one of the NAC servers (such as server 16 or 22) controlling access to the IP network receives a requests for an IP address along arrow 32 from a client device 30 as shown in
Since each NAC server will have its own unique identifier that is different from the identifiers of all other NAC servers in the same IP network, and since each client device among a group of client devices service controlled by the same NAC server will have its own unique physical address, the physical address together with the identifier will be a unique pair, and will uniquely identify each client device, even though client devices serviced by different NAC servers may have the same physical address. For example, as shown in
Thus, even if a hacker is able to fraudulently obtain the physical address of a particular client device, such as client device 18, he or she will be unable to obtain an IP address from the DHCP server 14. For example, if a hacker fraudulently obtains the physical address of client device 18 and sends a request for an IP address to server 16, using a clone client device 30, server 16 will reject the request since the physical addresses of client devices served and controlled by server 16 must be unique, and the physical address of the requesting clone client device 30 duplicates that of another client device 18 different from the requesting clone client device. The fact that the requesting clone client device 30 is an unauthorized clone may also be discovered. In a different scenario, the hacker may have obtained the physical address of client device 24 and sends the IP address request to server 16. Since client device 24 is outside of the group of client devices serviced and controlled by server 16, server 16 will not recognize the request as one from an unauthorized client device and will send along its own identifier with the IP request to the DHCP server 14.
As noted above, authorization database 12 will have stored therein the identifier of servers 16 and client device 18 as an associated pair and the identifier of server 22 and client device 24 as an associated pair. In the scenario above, the pair received by server 14, however, now consists of the identifier of server 16 and the physical address of client device 24, and this pair does not match any associated pair in the database 12. This mismatch would then be discovered by server 14 and the request for an IP address would be denied and not provided to server 16. Therefore, clone client devices will be unable to obtain an IP address from server 14 and will be unable to steal service from the network.
While the invention has been described above by reference to various embodiments, it will be understood that changes and modifications may be made without departing from the scope of the invention, which is to be defined only by the appended claims and their equivalents.
