Method and apparatus for preventing denial of service attacks
US7058974B1 · kind B1 · utility
Assignee
Inventors
Key dates
| Filing date | Jun 21, 2000 |
| Grant date | Jun 6, 2006 |
| Priority date | — |
| Expiry date | Apr 17, 2023 |
Classification
- Technology area (CPC H)Electricity
- CPC primaryH04L47/15
- WIPO fieldDigital communication
- WIPO sectorElectrical engineering
Abstract
A method and apparatus for preventing denial of service type attacks on data networks is described. The method involves scanning the contents of the data packets flowing over the data network using a traffic flow scanning engine. The data packets are reordered and reassembled and then the payload contents are scanned to determine whether they conform to predetermined requirements. Data packets which do not reorder or reassemble correctly or which do not conform to the predetermined requirements may be dropped. Dropping packets which do not reorder or reassemble correctly or which do not conform to the predetermined requirements prevent denial of service attack which exploit bugs in the TCP/IP implementation or shortcomings in the TCP/IP specification The traffic flow scanning engine is further operable to determine whether the data packets are associated with validated traffic flows. Those data packets associated with validated traffic flows are assigned to a higher priority while those not associated with a validated traffic flow are assigned to a low priority, which may occupy no more that a predetermined maximum of the available bandwidth. Assigning data packets associated with …
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.