Method and system for filtering spoofed packets in a network
IPC classification information
Country / Type: United States (US) Patent
Status: Registered
International Patent Classification (IPC, 7th edition): G06F-017/00; H04L-009/00
Application number: US-0907861 (2001-07-18)
Registration number: US-7360245 (2008-04-15)
Inventors / Address: Ramachandran, Viyyokaran R.; Choudhary, Manoj; Madhusudhana, Honnuduke S.
Applicant / Address: Novell, Inc.
Agent / Address: Haynes and Boone, LLP
Citation information: Cited by: 35; Patents cited: 10
Abstract
A method and system is disclosed for preventing an address spoofing based attack from a private network. The private network has at least one host and at least one router connected therein for transporting at least one packet. An anti-spoofing filter is implemented in each interface of every router. When a packet is received on the interface, the filter determines whether the packet is address spoofed by comparing its source physical address, derived from the received packet, with the expected physical address derived from the interface IP address, the subnet mask of the interface, the ARP cache of the interface and a list of physical addresses of neighboring routers formed a priori. If the packet is determined to be address spoofed, the received packet is discarded by the filter on the interface.
Representative claims
What is claimed is:

1. A method for preventing an address spoofing based attack from a network, the network having one or more hosts and one or more routers for transporting at least one packet, each router having one or more interfaces, and each interface having a directly connected sub-network, the method comprising: receiving a packet into a first interface of a router; deriving a first source physical address for the packet based on a source IP address of the packet, a sub-network mask of the first interface, and a memory space of the first interface containing information about the respective IP address of the hosts and one or more other routers and their corresponding physical addresses; obtaining a second source physical address directly from an encapsulating frame of the packet; determining whether the packet is address spoofed by comparing the first and second source physical addresses, wherein the step of determining further comprises: examining whether the source IP address is within a subnet IP address space of a directly connected sub-network of the interface; if the source IP address is within the subnet IP address space, determining whether the first source physical address matches the second source physical address; if the source IP address is not within the subnet IP address space, checking whether the packet is routed from a neighboring router on the same directly connected sub-network of the interface by checking whether the second source physical address matches with a source physical address present in a neighboring router physical address list of the interface, wherein the packet can be determined to be address spoofed when either the second source physical address fails to match the first physical address or the packet is not routed from a neighboring router on the same directly connected sub-network of the interface; and discarding the packet if the packet is determined to be address spoofed.

2. The method of claim 1 wherein the step of determining is performed by an anti-spoofing filter implemented on each interface of the router, and wherein the filter is implemented with a first hook to an IP forwarding subsystem in an IP layer of the router, and a second hook to a local delivery subsystem in the IP layer of the router.

3. The method of claim 1 further comprising updating the information about the source IP address and corresponding physical address in the memory space by broadcasting an ARP request on an as-needed basis to the directly connected sub-network of the interface to obtain the physical address corresponding to the source IP address of the received packet.

4. The method of claim 1 further comprising maintaining on the interface an updated list of physical addresses of neighboring routers on the same directly connected sub-network by merging a first list of physical addresses of neighboring routers established by broadcasting one or more ARP requests to obtain the physical addresses of neighbor routers, whose IP addresses are obtained from a routing table, and a second list of neighboring routers established by extracting the source physical addresses from one or more routing advertisement messages.

5. A method for preventing an address spoofing based attack from a network, the network having one or more routers for transporting at least one packet, each router having one or more interfaces, and each interface having a directly connected sub-network, the method comprising: implementing a filter in an interface of a router; receiving a packet on the interface; determining, by the filter, whether the packet is address spoofed by comparing its source physical address derived directly from the packet with an expected physical address derived from a source IP address of the interface, a sub-network mask of the interface, an ARP cache of the interface and a list of physical addresses of neighboring routers, wherein the step of determining further comprises: examining whether the source IP address is within a subnet IP address space of a directly connected sub-network of the interface; if the source IP address is within the subnet IP address space, deriving the source physical address from an encapsulating frame of the packet, and matching the derived source physical address with a predetermined physical address corresponding to the source IP address in the ARP cache; and if the source IP address is not within the subnet IP address space, checking whether the packet is routed from a neighboring router on the same directly connected sub-network of the interface by checking whether the source physical address derived from the packet matches with a physical address present in the neighbor router physical address list of the interface, wherein the packet is determined to be address spoofed when either the packet's source physical address fails to match the predetermined physical address corresponding to the source IP address in the ARP cache or the packet is not routed from a neighboring router on the same directly connected sub-network of the interface; and discarding the packet if the packet is determined to be address spoofed.

6. The method of claim 5 wherein the filter is implemented with a first hook to an IP forwarding subsystem in the IP layer of the router, and a second hook to a local delivery subsystem in the IP layer of the router.

7. The method of claim 5 further comprising updating the ARP cache by broadcasting when needed an ARP request to the directly connected sub-network of the interface to obtain the physical address corresponding to the source IP address of the received packet.

8. The method of claim 5 further comprising maintaining on the interface an updated list of physical addresses of neighboring routers on the same directly connected sub-network by merging a first list of physical addresses of neighboring routers established by broadcasting one or more ARP requests to obtain the physical addresses of neighbor routers, whose IP addresses are obtained from the routing table, and a second list of neighboring routers established by extracting the source physical addresses from one or more routing advertisement messages.

9. The method of claim 8 further comprising: obtaining the IP addresses of the other routers from a routing table of the router; broadcasting at least one ARP request for corresponding physical addresses of the obtained IP addresses; and generating the first list of neighboring routers by extracting the physical addresses from a received ARP response to the broadcast request.

10. The method of claim 8 further comprising verifying an authenticity of the routers in the list of neighboring routers after the list is generated.

11. The method of claim 10 wherein the step of verifying includes having a testing router send a special IP packet through a first interface to a tested router and checking whether the special IP packet will be routed back to another interface of the testing router.

12. The method of claim 10 wherein the step of verifying includes forcing a tested router to generate an ICMP redirect message.

13. The method of claim 10 wherein the step of verifying includes making a tested router to generate an ICMP Time Exceed message based on a predetermined time parameter.

14. A system for preventing an address spoofing based attack from a network, the network having one or more routers for transporting at least one packet, each router having one or more interfaces, and each interface having a directly connected sub-network, the system comprising: a filter in an interface of a router; means for receiving a packet on the interface; means for deriving a first source physical address for the packet based on a source IP address of the packet, a sub-network mask of the interface, and a memory space of the interface; means for obtaining a second source physical address directly from an encapsulating frame of the packet; means for determining whether the packet is address spoofed by comparing the first and second source physical addresses, wherein the means for determining further comprises: means for examining whether the source IP address is within a subnet IP address space of a directly connected sub-network of the interface; means for deriving the source physical address from an encapsulating frame of the packet, means for matching the derived source physical address with a predetermined physical address corresponding to the source IP address in the ARP cache; means for checking whether the packet is routed from a neighboring router on the same directly connected sub-network of the interface, wherein the packet is determined to be address spoofed when either the packet's source physical address fails to match the predetermined physical address corresponding to the source IP address in the ARP cache or the packet is not routed from a neighboring router on the same directly connected sub-network of the interface; and means for discarding the packet if it is determined to be address spoofed.

15. The system of claim 14 wherein the filter is implemented with a first hook to an IP forwarding subsystem in the IP layer of the router, and a second hook to a local delivery subsystem in the IP layer of the router.

16. The system of claim 14 further comprising means for updating the ARP cache by broadcasting when needed an ARP request to the directly connected sub-network of the interface to obtain the physical address corresponding to the source IP address of the packet.

17. The system of claim 14 further comprising means for updating a list of physical addresses of neighboring routers on the same directly connected sub-network by merging a first list of physical addresses of neighboring routers established by broadcasting one or more ARP requests to obtain the physical addresses of neighbor routers, whose IP addresses are obtained from the routing table, and a second list of neighboring routers established by extracting the source physical addresses from one or more routing advertisement messages.

18. The system of claim 17 further comprising means for verifying an authenticity of the routers in the updated list after the list is generated.

19. A computer-readable medium having instructions stored thereon that when executed on a computer prevent an address spoofing based attack from a network, the network having one or more routers for transporting at least one packet, each router having one or more interfaces, and each interface having a directly connected sub-network, the computer-readable medium comprising instructions for: receiving a packet at an interface of a router; deriving a first source physical address for the packet based on a source IP address of the packet, a sub-network mask of the interface, and a memory space of the interface containing information about the IP addresses of the hosts and one or more other routers and their corresponding physical addresses; obtaining a second source physical address directly from an encapsulating frame of the packet; determining whether the packet is address spoofed by comparing the first and second source physical addresses, wherein the instructions for determining further comprise instructions for: examining whether the source IP address is within a subnet IP address space of a directly connected sub-network of the interface; if the source IP address is within the subnet IP address space, determining whether the first source physical address matches the second source physical address; and if the source IP address is not within the subnet IP address space, checking whether the packet is routed from a neighboring router on the same directly connected sub-network of the interface by checking whether the second source physical address matches with a source physical address present in a neighboring router physical address list of the interface, wherein the packet can be determined to be address spoofed when either the second source physical address fails to match the first physical address or the packet is not routed from a neighboring router on the same directly connected sub-network of the interface; and discarding the packet if it is determined to be address spoofed.

20. The computer-readable medium of claim 19 wherein the instructions for determining is performed by an anti-spoofing filter implemented on each interface of the router, and wherein the filter is implemented with a first hook to an IP forwarding subsystem in an IP layer of the router, and a second hook to a local delivery subsystem in the IP layer of the router.

21. The computer-readable medium of claim 19 further comprising instructions for updating the information about the source IP address and corresponding physical address in the memory space by broadcasting an ARP request on an as-needed basis to the directly connected sub-network of the interface to obtain the physical address corresponding to the source IP address of the received packet.

22. The computer-readable medium of claim 19 further comprising instructions for maintaining on the interface an updated list of physical addresses of neighboring routers on the same directly connected sub-network by merging a first list of physical addresses of neighboring routers established by broadcasting one or more ARP requests to obtain the physical addresses of neighbor routers, whose IP addresses are obtained from a routing table, and a second list of neighboring routers established by extracting the source physical addresses from one or more routing advertisement messages.

23. A method of operating a network having a router, the method comprising: receiving a packet at an interface of the router; comparing source IP and physical addresses of the received packet with expected source IP and physical addresses of the packet, wherein the expected source physical address is based on a source IP address of the packet and a sub-network mask of the interface, wherein the expected source IP and physical addresses are obtainable from the interface, wherein the step of comparing further comprises examining whether the source IP address of the received packet is within a subnet IP address space of a directly connected sub-network of the interface; if the source IP address of the received packet is within the subnet IP address space, determining whether the source physical address of the received packet matches the expected source physical address; and if the source IP address of the received packet is not within the subnet IP address space, checking whether the packet is routed from a neighboring router on the same directly connected sub-network of the interface by checking whether the expected source physical address matches with a source physical address present in a neighboring router physical address list of the interface, wherein the packet can be determined to be address spoofed when either the expected source physical address fails to match the physical address of the received packet or the packet is not routed from a neighboring router on the same directly connected sub-network of the interface; and discarding the packet if the packet is determined to be address spoofed.
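The decision procedure of claims 1, 5 and 23 reduces to a two-branch check per interface. The following Python model is an added illustration, not code from the patent or from Novell: it keeps a per-interface ARP cache and neighbor-router MAC list (the "memory space" and "neighboring router physical address list" of the claims), merges the two neighbor-router sources described in claims 4 and 8, and classifies constructed sample packets. The `resolve_arp` callback stands in for the on-demand ARP request of claims 3 and 7; treating an on-subnet source that cannot be resolved as spoofed is an assumption of this example (fail closed), not a rule the claims state.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class Interface:
    """Per-interface state used by the anti-spoofing filter."""
    ip: str
    mask: str
    arp_cache: Dict[str, str] = field(default_factory=dict)   # source IP -> MAC
    neighbor_routers: Set[str] = field(default_factory=set)   # MACs of neighbor routers

    @property
    def subnet(self) -> ipaddress.IPv4Network:
        # Directly connected sub-network, from the interface IP and its mask.
        return ipaddress.ip_network(f"{self.ip}/{self.mask}", strict=False)


@dataclass
class Packet:
    """The two facts the filter compares: IP-layer source and frame-layer source."""
    src_ip: str
    frame_src_mac: str


def build_neighbor_router_list(arp_resolved: List[str], advertised: List[str]) -> Set[str]:
    """Claims 4/8: merge MACs learned by ARP-resolving routing-table next hops
    with MACs extracted from received routing advertisements."""
    return {m.lower() for m in arp_resolved} | {m.lower() for m in advertised}


def is_spoofed(iface: Interface, pkt: Packet,
               resolve_arp: Optional[Callable[[str], Optional[str]]] = None) -> Tuple[bool, str]:
    """Return (spoofed, reason) for one packet received on `iface`."""
    src_ip = ipaddress.ip_address(pkt.src_ip)
    frame_mac = pkt.frame_src_mac.lower()

    if src_ip in iface.subnet:
        # Branch 1: on-subnet source. Expected MAC comes from the ARP cache;
        # if missing, issue an ARP request (modelled by the callback) and cache it.
        expected = iface.arp_cache.get(pkt.src_ip)
        if expected is None and resolve_arp is not None:
            expected = resolve_arp(pkt.src_ip)
            if expected is not None:
                iface.arp_cache[pkt.src_ip] = expected
        if expected is None:
            # Assumption of this example: no binding obtainable -> fail closed.
            return True, "on-subnet source has no resolvable ARP binding"
        if expected.lower() != frame_mac:
            return True, "frame source MAC does not match ARP-derived MAC"
        return False, "on-subnet source matches ARP cache"

    # Branch 2: off-subnet source. Legitimate only if relayed by a known neighbor router.
    if frame_mac in iface.neighbor_routers:
        return False, "off-subnet source relayed by a known neighbor router"
    return True, "off-subnet source not relayed by a neighbor router"


def filter_packets(iface: Interface, packets: List[Packet],
                   resolve_arp: Optional[Callable[[str], Optional[str]]] = None) -> List[Tuple[str, bool]]:
    """Apply the filter to a batch; returns (src_ip, dropped) per packet."""
    return [(p.src_ip, is_spoofed(iface, p, resolve_arp)[0]) for p in packets]


def demo() -> List[Tuple[str, bool]]:
    # Constructed sample state: interface 10.0.0.1/24, one known host, one neighbor router.
    iface = Interface(
        ip="10.0.0.1", mask="255.255.255.0",
        arp_cache={"10.0.0.5": "aa:bb:cc:00:00:05"},
        neighbor_routers=build_neighbor_router_list(
            arp_resolved=["AA:BB:CC:00:00:FE"], advertised=["aa:bb:cc:00:00:fd"]),
    )
    # Constructed ARP responder: only 10.0.0.9 answers.
    responder = {"10.0.0.9": "aa:bb:cc:00:00:09"}
    samples = [
        Packet("10.0.0.5", "AA:BB:CC:00:00:05"),      # genuine on-subnet host
        Packet("10.0.0.5", "aa:bb:cc:00:00:99"),      # on-subnet IP, wrong frame MAC
        Packet("192.168.1.7", "aa:bb:cc:00:00:fd"),   # off-subnet via advertised router
        Packet("192.168.1.7", "aa:bb:cc:00:00:05"),   # off-subnet IP from a local host
        Packet("10.0.0.9", "aa:bb:cc:00:00:09"),      # resolved on demand via ARP
        Packet("10.0.0.77", "aa:bb:cc:00:00:77"),     # on-subnet IP nobody answers for
    ]
    return filter_packets(iface, samples, resolve_arp=responder.get)


if __name__ == "__main__":
    for src, dropped in demo():
        print(f"{src:<14} {'DROP' if dropped else 'PASS'}")
```

The design point worth noting from the claims is that both branches trust interface-local state: the ARP cache for on-subnet sources and the neighbor-router list for everything else. That is why claims 10 to 13 add a verification step for the neighbor list; the model above takes both tables as given and only shows the comparison logic.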
Patents cited by this patent (10)
Sherer W. Paul ; Nessett Danny M., Medium access control address authentication.
Wong Thomas K. ; Lim Swee B. ; Radia Sanjay R. ; Tsirigotis Panagiotis ; Goedman Robert J. ; Patrick Michael W., Method and apparatus for assignment of IP addresses.
Aggarwal Ajay (Somersworth NH) Scott Walter (Salem NH) Rustici Eric (Londonderry NH) Bucciero David (Nashua NH) Haskins Andrew (Lee NH) Matthews Wallace (Exeter NH), Method and apparatus for determining a communications path between two nodes in an Internet Protocol (IP) network.
Fiveash, William Alton; McBrearty, Gerald Francis; Mullen, Shawn Patrick; Shieh, Johnny Meng-Han, Protecting open world wide web sites from known malicious users by diverting requests from malicious users to alias addresses for the protected sites.
Boden, Edward B.; Brzozowski, Wesley A.; Gruber, Franklin A.; Palermo, Donald A.; Williams, Michael D., System and method for IP network address translation using selective masquerade.
Huegen, Craig Allen; Dobbins, Ellis Roland; Foo, Ian; Gleichauf, Robert Eric, Arrangement for tracking IP address usage based on authenticated link identifier.
Holloway, Lee Hahn; Rao, Srikanth N.; Prince, Matthew Browning; Tourne, Matthieu Philippe François; Pye, Ian Gerald; Bejjani, Ray Raymond; Rodery, Jr., Terry Paul, Determining the likelihood of traffic being legitimately received at a proxy server in a cloud-based proxy service.
Holloway, Lee Hahn; Rao, Srikanth N.; Prince, Matthew Browning; Tourne, Matthieu Philippe François; Pye, Ian Gerald; Bejjani, Ray Raymond; Rodery, Jr., Terry Paul, Identifying a denial-of-service attack in a cloud-based proxy service.
Keohane, Susann M.; McBrearty, Gerald F.; Mullen, Shawn P.; Murillo, Jessica C.; Shieh, Johnny M., Logical partition media access control impostor detector.
Koehane, Susann M.; McBrearty, Gerald F.; Mullen, Shawn P.; Murillo, Jessica C.; Shieh, Johnny M., Logical partition media access control impostor detector.
Andrus, Don Nielsen; Quick, Jr., Roy Franklin; Rezaiifar, Ramin; Bender, Paul E.; Cooper, Rotem, Method and apparatus for preferred roaming list compression.
Park, Hyoung-Bae; Lee, Yun-Seok; Choi, Kyu-Min; Kong, Kyoung-Pil; You, Pil-Sang; Kim, Sung-Goo, Method for neutralizing the ARP spoofing attack by using counterfeit MAC addresses.
Holloway, Lee Hahn; Rao, Srikanth N.; Prince, Matthew Browning; Tourne, Matthieu Philippe François; Pye, Ian Gerald; Bejjani, Ray Raymond; Rodery, Jr., Terry Paul, Mitigating a denial-of-service attack in a cloud-based proxy service.