-
1.发明授权公开(公告)号:US09185129B2
公开(公告)日:2015-11-10
申请号:US13447360
申请日:2012-04-16
IPC分类号: H04L29/06
CPC分类号: H04L63/1458 , H04L63/0272 , H04L2463/141
摘要: A method of protecting a data network from denial of service (DOS) attacks is described. The method may use various network tools to selectively block or disable portions of a data trunk experiencing a DOS attack, thereby preventing the DOS attack from reaching at least some resources on the network. In one embodiment, a network switch identifies a virtual LAN (VLAN) carrying suspect data on a data trunk. The network switch then adjusts a spanning tree for the network so that one or more ports on the compromised VLAN are blocked or disabled, while non-compromised VLANs are allowed to continue carrying data. Other approaches are also presented for avoiding the loss of valid data when a network blocks one or more VLANs or other portions of a network in response to a DOS attack or other intrusion.
摘要翻译: 描述了一种保护数据网络免受拒绝服务(DOS)攻击的方法。 该方法可以使用各种网络工具来选择性地阻止或禁用经历DOS攻击的数据中继部分,从而防止DOS攻击到达网络上的至少一些资源。 在一个实施例中,网络交换机识别在数据中继线上携带可疑数据的虚拟LAN(VLAN)。 然后,网络交换机调整网络的生成树,以便受保护的VLAN上的一个或多个端口被阻止或禁用,而不受影响的VLAN可以继续携带数据。 还提出了其他方法,用于在网络阻塞响应DOS攻击或其他入侵的网络的一个或多个VLAN或其他部分时避免有效数据丢失。
-
2.发明授权公开(公告)号:US08181240B2
公开(公告)日:2012-05-15
申请号:US11152625
申请日:2005-06-14
IPC分类号: G06F17/00
CPC分类号: H04L63/1458 , H04L63/0272 , H04L2463/141
摘要: A method of protecting a data network from denial of service (DOS) attacks is described. The method may use various network tools to selectively block or disable portions of a data trunk experiencing a DOS attack, thereby preventing the DOS attack from reaching at least some resources on the network. In one embodiment, a network switch identifies a virtual LAN (VLAN) carrying suspect data on a data trunk. The network switch then adjusts a spanning tree for the network so that one or more ports on the compromised VLAN are blocked or disabled, while non-compromised VLANs are allowed to continue carrying data. Other approaches are also presented for avoiding the loss of valid data when a network blocks one or more VLANs or other portions of a network in response to a DOS attack or other intrusion.
摘要翻译: 描述了一种保护数据网络免受拒绝服务(DOS)攻击的方法。 该方法可以使用各种网络工具来选择性地阻止或禁用经历DOS攻击的数据中继部分,从而防止DOS攻击到达网络上的至少一些资源。 在一个实施例中,网络交换机识别在数据中继线上携带可疑数据的虚拟LAN(VLAN)。 然后,网络交换机调整网络的生成树,以便受保护的VLAN上的一个或多个端口被阻止或禁用,而不受影响的VLAN可以继续携带数据。 还提出了其他方法,用于在网络阻塞响应DOS攻击或其他入侵的网络的一个或多个VLAN或其他部分时避免有效数据丢失。
-
3.发明申请公开(公告)号:US20120204263A1
公开(公告)日:2012-08-09
申请号:US13447360
申请日:2012-04-16
IPC分类号: G06F21/00
CPC分类号: H04L63/1458 , H04L63/0272 , H04L2463/141
摘要: A method of protecting a data network from denial of service (DOS) attacks is described. The method may use various network tools to selectively block or disable portions of a data trunk experiencing a DOS attack, thereby preventing the DOS attack from reaching at least some resources on the network. In one embodiment, a network switch identifies a virtual LAN (VLAN) carrying suspect data on a data trunk. The network switch then adjusts a spanning tree for the network so that one or more ports on the compromised VLAN are blocked or disabled, while non-compromised VLANs are allowed to continue carrying data. Other approaches are also presented for avoiding the loss of valid data when a network blocks one or more VLANs or other portions of a network in response to a DOS attack or other intrusion.
摘要翻译: 描述了一种保护数据网络免受拒绝服务(DOS)攻击的方法。 该方法可以使用各种网络工具来选择性地阻止或禁用经历DOS攻击的数据中继部分,从而防止DOS攻击到达网络上的至少一些资源。 在一个实施例中,网络交换机识别在数据中继线上携带可疑数据的虚拟LAN(VLAN)。 然后,网络交换机调整网络的生成树,以便受保护的VLAN上的一个或多个端口被阻止或禁用,而不受影响的VLAN可以继续携带数据。 还提出了其他方法,用于在网络阻塞响应DOS攻击或其他入侵的网络的一个或多个VLAN或其他部分时避免有效数据丢失。
-
公开(公告)号:US08788823B1
公开(公告)日:2014-07-22
申请号:US10971523
申请日:2004-10-22
IPC分类号: H04L9/32
CPC分类号: H04L63/10 , H04L63/0263
摘要: Protocol status information is used to perform traffic filtering by dropping messages that are not consistent with the protocol status information. In one embodiment, a method involves comparing message information and protocol status information. The message information is associated with a first message. The protocol status information is obtained in response to one or more second messages, which are conveyed according to a protocol used to assign network addresses to clients. The method also involves determining whether to discard the first message, based on an outcome of the comparison of the message information and the protocol status information. For example, it can be determined that the first message should be discarded, if the message information does not match the protocol status information.
摘要翻译: 协议状态信息用于通过丢弃与协议状态信息不一致的消息来进行流量过滤。 在一个实施例中,一种方法包括比较消息信息和协议状态信息。 消息信息与第一消息相关联。 响应于根据用于向客户端分配网络地址的协议传送的一个或多个第二消息来获得协议状态信息。 该方法还包括基于消息信息和协议状态信息的比较的结果来确定是否丢弃第一消息。 例如,如果消息信息与协议状态信息不匹配,则可以确定第一消息应被丢弃。
-
5.发明授权System and method for performing security actions for inter-layer binding protocol traffic 有权为层间绑定协议流量执行安全动作的系统和方法公开(公告)号:US07551559B1
公开(公告)日:2009-06-23
申请号:US10971521
申请日:2004-10-22
申请人: Premkumar Jonnala , Adam J. Sweeney , Dehua Huang , Silviu Dobrota , Pradeep S. Sudame , Marco E. Foschiano
发明人: Premkumar Jonnala , Adam J. Sweeney , Dehua Huang , Silviu Dobrota , Pradeep S. Sudame , Marco E. Foschiano
IPC分类号: H04L5/12
CPC分类号: H04L63/1466 , H04L63/1416
摘要: Users are allowed to specify per-interface rate limits for inter-layer binding protocol traffic. If the user-specified rate limit is exceeded on a given interface, inter-layer binding protocol messages received via that interface are caused to be dropped (e.g., by selectively dropping ILBP messages, or by simply shutting down the interface). If the rate is not exceeded, inter-layer binding protocol messages received via that interface can be validated (e.g., by comparing an inter-layer binding included in the body of an inter-layer binding protocol message to protocol status information obtained by snooping protocol messages). If the inter-layer binding does not match the protocol status information, the inter-layer binding protocol message is dropped. If a match is found, the inter-layer binding protocol message is allowed to be forwarded normally. Such systems and methods may be used to inhibit various undesirable network behavior, such as man-in-the-middle attacks.
摘要翻译: 允许用户为层间绑定协议流量指定每接口速率限制。 如果在给定接口上超过用户指定的速率限制,则会导致通过该接口接收到的层间绑定协议消息(例如,通过选择性地删除ILBP消息,或简单地关闭接口)。 如果不超过该速率,则可以验证通过该接口接收的层间绑定协议消息(例如,通过将层间绑定协议消息正文中包含的层间绑定与通过侦听协议获得的协议状态信息进行比较 消息)。 如果层间绑定与协议状态信息不符,则删除层间绑定协议消息。 如果发现匹配,则允许层间绑定协议消息正常转发。 这样的系统和方法可以用于抑制各种不期望的网络行为,例如中间人攻击。
-
6.发明授权System and method for maintaining protocol status information in a network device 有权用于在网络设备中维护协议状态信息的系统和方法公开(公告)号:US07343485B1
公开(公告)日:2008-03-11
申请号:US10654388
申请日:2003-09-03
IPC分类号: H04L9/00
CPC分类号: H04L63/0254
摘要: A method may involve: maintaining protocol status information for a network protocol, where the protocol status information includes protocol information generated by a protocol server and network traffic information indicative of how messages are conveyed from the protocol client to a network, and updating the protocol status information in response to intercepting a protocol message being conveyed between a protocol client and a protocol server. For example, the network protocol can be DHCP (Dynamic Host Configuration Protocol) and the protocol status information can be updated to include an IP (Internet Protocol) address assigned to the protocol client by the protocol server in the protocol message. Such a method may inhibit the misuse of one or more network protocols and/or attacks on protocol servers.
摘要翻译: 一种方法可以包括:维护网络协议的协议状态信息,其中协议状态信息包括由协议服务器生成的协议信息和指示消息如何从协议客户端传送到网络的网络业务信息,以及更新协议状态 响应于拦截在协议客户端和协议服务器之间传送的协议消息的信息。 例如,网络协议可以是DHCP(动态主机配置协议),并且可以更新协议状态信息以包括由协议服务器在协议消息中分配给协议客户端的IP(因特网协议)地址。 这种方法可能会阻止对协议服务器的一个或多个网络协议和/或攻击的误用。
-
-
-
-
-
搜索结果
6 条记录 (耗时 0.025 秒)
