Control device, border router, control method, and control program

US10652211B2 · US · B2

Patent metadata
Field               Value
Publication number  US-10652211-B2
Application number  US-201515524659-A
Country             US
Kind code           B2
Filing date         Nov 18, 2015
Priority date       Nov 19, 2014
Publication date    May 12, 2020
Grant date          May 12, 2020

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

When an attack is detected, a controller samples an attack-target addressed DNS reply, received by a border router, from each of the border routers. Then, the controller adds the transmission-source IP address of the sampled DNS reply to the black list of the border router. Furthermore, upon reception of any of a target-addressed DNS reply and a target-addressed UDP subsequent fragment from the IP address that is described in the black list, the controller gives a command to the border router to discard the packet. Furthermore, the controller specifies the setting, for each of the border routers, that DNS replies to a DNS request from the target are excluded from discarding.

First claim

Opening claim text (preview).

The invention claimed is:

1. A control device that gives a command to each of border routers, connecting networks, so as to control transfer of packets, comprising: processing circuitry configured to, upon detection of an attack due to concentration of reply packets of a predetermined service, acquire at least some of reply packets of a predetermined service, addressed to a target of the attack and received by the border routers; add a transmission-source IP address of the acquired reply packet to a black list of the border router; upon reception of a first type of packet, which is any of a reply packet of the predetermined service, addressed to the target of the attack, and a fragmented packet, addressed to the target of the attack, with an IP address described in the black list as a transmission source, provide a command to the border router so as to discard the first type of packet; and after the attack is detected, upon reception of a request packet of the predetermined service from the IP address of the target of the attack, the processing circuitry gives a command to each of the border routers so as to set an exception rule to exclude a second type of packet, which is any of a reply packet of the predetermined service and a fragmented packet, whose transmission-source IP address is a destination IP address of the received request packet, from the discarding.

2. The control device according to claim 1, wherein the processing circuitry is further configured to monitor an addition state of an IP address to a black list of each border router that is in a list preparation state and, when addition of an IP address to the black list of the border router is not conducted for a predetermined period, determine that a state of the border router is to shift from the list preparation state to a list blocking state, wherein with regard to a border router that is determined to shift to the list blocking state, upon reception of the first type of packet that is any of a reply packet of the predetermined service, addressed to the target of the attack, and a fragmented packet, addressed to the target of the attack, with an IP address described in the black list as a transmission source, the processing circuitry gives a command to the border router so as to discard the first type of packet, and upon reception of any of a third type of packet that is any of a reply packet of the predetermined service, addressed to the target of the attack, and a fragmented packet addressed to the target of the attack, gives a command to a border router in the list preparation state so as to discard the third type of packet.

3. The control device according to claim 1, wherein the processing circuitry is further configured to, when an amount of per-hour traffic of a target-addressed black-list excluded reply packet, which is a reply packet with an IP address that is not described in the black list as a transmission source, among reply packets of the predetermined service, addressed to the target of the attack and received by a border router that is in the list preparation state, becomes equal to or less than a predetermined value, determine that the border router shifts from a list preparation state to a list blocking state, wherein with regard to a border router that is determined to shift to the list blocking state, upon reception of any of the first type of packet that is any of a reply packet of the predetermined service, addressed to the target of the attack, and a fragmented packet, addressed to the target of the attack, with an IP address described in the black list as a transmission source, the processing circuitry gives a command to the border router so as to discard the first type of packet, and upon reception of any of a third type of packet that is any of a reply packet of the predetermined service, addressed to the target of the attack, and a fragmented packet addressed to the target of the attack, gives a command to a border router in the list preparation state so as to discard the third type of packet.

4. The control device according to claim 1, wherein the processing circuitry is further configured to monitor an addition state of an IP address to a black list of each border router in a list preparation state and, when addition of an IP address to the black list of the border router is not conducted for a predetermined period, determine that a state of the border router shifts from the list preparation state to a list blocking state, wherein with regard to a border router that is determined to shift to the list blocking state, upon reception of the first type of packet, addressed to the target of the attack, with an IP address described in the black list as a transmission source, the processing circuitry gives a command to the border router so as to discard the first type of packet, and upon reception of any of a third type of packet that is any of a reply packet of the predetermined service, addressed to the target of the attack, and a fragmented packet addressed to the target of the attack, gives a command to a border router in the list preparation state so as to discard the third type of packet.

5. The control device according to claim 1, wherein the processing circuitry is further configured to, when an amount of per-hour traffic of a target-addressed black-list excluded reply packet, which is a reply packet with an IP address that is not described in the black list as a transmission source, among reply packets of the predetermined service, addressed to the target of the attack and received by a border router that is in the list preparation state, becomes equal to or less than a predetermined value, determine that the border router shifts from a list preparation state to a list blocking state, wherein with regard to a border router that is determined to shift to the list blocking state, upon reception of a third packet, addressed to the target of the attack, with an IP address described in the black list as a transmission source, the processing circuitry gives a command to the border router so as to discard the first type of packet, and upon reception of a third type of packet that is any of a reply packet of the predetermined service, addressed to the target of the attack, and a fragmented packet addressed to the target of the attack, gives a command to a border router in the list preparation state so as to discard the third type of packet.

6. The control device according to claim 2, wherein the processing circuitry is further configured to observe an amount of traffic of a reply packet of the predetermined service to an IP address of the target of the attack in each of the border routers, wherein upon reception of any of a fourth type of packet that is any of a reply packet of the predetermined service, addressed to the target of the attack, received by a border router in an initial state, and a fragmented packet addressed to the target of the attack, received by a border router in an initial state, the processing circuitry gives a command to the border router in the initial state so as to discard the fourth type of packet, the processing circuitry does not acquire a reply packet of the predetermined service, addressed to the target of the attack, from a border router in the initial state among the border routers, and based on an observed amount of traffic of a reply packet of the predetermined service to an IP address of the target of the attack in each of the border routers, the processing circuitry estimates a total number of reply packets from the respective border routers, sampled by the processing circuitry, and determines a group of border routers that are to shift from the initial state to the list preparation state to the extent that the estimated total amount of reply p
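The abstract and claims 1 to 3 describe a small control loop for a DNS reflection attack: while a border router is in the list preparation state the controller samples target-addressed DNS replies, records their source addresses in that router's own black list and has every target-addressed reply or subsequent fragment discarded; once the list stops growing (claim 2) or the traffic from unlisted sources falls below a threshold (claim 3) the router moves to list blocking, where only listed sources are discarded; and a DNS request actually sent by the target installs an exception on every router for the resolver it queried. The following Python simulation is an added illustration of that control flow, not NTT's code or any implementation disclosed in the patent. Addresses are constructed from the RFC 5737 documentation ranges; the period boundaries, the choice to sample every reply ("at least some"), and moving all routers into list preparation at once (claim 6 describes a staged shift from an initial state) are assumptions made here to keep the example short.

```python
from dataclasses import dataclass, field

DNS_PORT = 53


@dataclass(frozen=True)
class Packet:
    """Minimal view of an IP/UDP packet as a border router sees it (constructed for this example)."""
    src: str
    dst: str
    src_port: int = 0
    dst_port: int = 0
    subsequent_fragment: bool = False  # non-first IP fragment: carries no UDP header, so no ports
    is_request: bool = False           # DNS request (True) or DNS reply (False)


@dataclass
class BorderRouter:
    name: str
    state: str = "initial"             # initial -> list_preparation -> list_blocking
    blacklist: set = field(default_factory=set)      # per-router, as in claim 1
    exceptions: set = field(default_factory=set)     # resolver IPs the target itself queried
    added_this_period: bool = False
    idle_periods: int = 0              # consecutive periods without a black-list addition (claim 2)
    unlisted_replies: int = 0          # target-addressed replies from unlisted sources this period (claim 3)


def is_dns_reply(p: Packet) -> bool:
    return not p.subsequent_fragment and p.src_port == DNS_PORT and not p.is_request


def is_dns_request(p: Packet) -> bool:
    return not p.subsequent_fragment and p.dst_port == DNS_PORT and p.is_request


class Controller:
    def __init__(self, routers, idle_limit=2, unlisted_limit=0):
        self.routers = {r.name: r for r in routers}
        self.target = None
        self.idle_limit = idle_limit          # "predetermined period" of claim 2, in periods
        self.unlisted_limit = unlisted_limit  # "predetermined value" of claim 3, replies per period

    def attack_detected(self, target: str) -> None:
        self.target = target
        for r in self.routers.values():       # assumption: every router starts list preparation now
            r.state = "list_preparation"

    def on_packet(self, router_name: str, p: Packet) -> str:
        """Decision ("forward"/"discard") the controller pushes to the router for this packet."""
        r = self.routers[router_name]
        if self.target is None:
            return "forward"
        if p.src == self.target and is_dns_request(p):
            for other in self.routers.values():  # exception rule set on each router (claim 1)
                other.exceptions.add(p.dst)
            return "forward"
        if p.dst != self.target or not (is_dns_reply(p) or p.subsequent_fragment):
            return "forward"
        # From here on: a target-addressed DNS reply or a target-addressed subsequent fragment.
        if p.src in r.exceptions:
            return "forward"                  # reply to a request the target really sent
        if r.state == "list_preparation":
            # Sample the reply (all of them here) and record its source in this router's list.
            # A subsequent fragment has no UDP header, so it is discarded but cannot be sampled.
            if is_dns_reply(p) and p.src not in r.blacklist:
                r.unlisted_replies += 1
                r.blacklist.add(p.src)
                r.added_this_period = True
            return "discard"                  # third type of packet (claim 2)
        if r.state == "list_blocking":
            return "discard" if p.src in r.blacklist else "forward"   # first type of packet
        return "discard"                      # initial state: fourth type of packet (claim 6)

    def end_of_period(self) -> None:
        """Apply the claim 2 / claim 3 transition from list preparation to list blocking."""
        for r in self.routers.values():
            if r.state != "list_preparation":
                continue
            r.idle_periods = 0 if r.added_this_period else r.idle_periods + 1
            if r.idle_periods >= self.idle_limit or r.unlisted_replies <= self.unlisted_limit:
                r.state = "list_blocking"
            r.added_this_period = False
            r.unlisted_replies = 0


def run_demo():
    """Constructed scenario: two routers, one real resolver, two reflectors aimed at the target."""
    target, resolver = "198.51.100.10", "192.0.2.53"
    reflector_a, reflector_b = "203.0.113.5", "203.0.113.7"
    ctl = Controller([BorderRouter("R1"), BorderRouter("R2")], idle_limit=2, unlisted_limit=0)
    ctl.attack_detected(target)

    def reply(src, dst):
        return Packet(src, dst, src_port=DNS_PORT, dst_port=40000)

    def frag(src, dst):
        return Packet(src, dst, subsequent_fragment=True)

    out = []
    # Period 1: reflected replies reach R1 while its list is being built.
    out.append(ctl.on_packet("R1", reply(reflector_a, target)))   # discard; R1 lists reflector_a
    out.append(ctl.on_packet("R1", Packet(target, resolver, src_port=40001,
                                          dst_port=DNS_PORT, is_request=True)))  # forward; exception set
    out.append(ctl.on_packet("R2", reply(resolver, target)))      # forward: exception rule
    out.append(ctl.on_packet("R1", frag(reflector_a, target)))    # discard: target-addressed fragment
    ctl.end_of_period()                                           # R2 saw no unlisted replies -> blocking
    # Period 2: no new sources at R1, so its list has converged.
    out.append(ctl.on_packet("R1", reply(reflector_a, target)))   # discard: still list preparation
    ctl.end_of_period()                                           # R1 -> list_blocking
    out.append(ctl.on_packet("R1", reply(reflector_a, target)))   # discard: listed at R1
    out.append(ctl.on_packet("R1", reply(reflector_b, target)))   # forward: not in R1's list
    out.append(ctl.on_packet("R2", reply(reflector_a, target)))   # forward: R2's own list is empty
    return out, {n: r.state for n, r in ctl.routers.items()}, sorted(ctl.routers["R1"].blacklist)


if __name__ == "__main__":
    print(run_demo())
```

Two points the scenario makes visible. Subsequent fragments carry no UDP header, so a router cannot tell a fragmented DNS reply from any other fragment; that is why the claims treat target-addressed fragments as their own packet class and match them on source address alone. The black list is kept per border router, so a reflector seen only at R1 is still forwarded by R2 (last decision above), and the exception rule is the one piece of state the controller pushes to every router.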

Assignees

Nippon Telegraph & Telephone
Inventors

Classifications

  • Access control lists [ACL] · CPC title

  • Arrangements for connecting between networks having differing types of switching systems, e.g. gateways · CPC title

  • by discarding or delaying data units, e.g. packets or frames · CPC title

  • Filtering by address, protocol, port number or service, e.g. IP-address or URL · CPC title

  • Event detection, e.g. attack signature detection · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US10652211B2 cover?
When an attack is detected, a controller samples an attack-target addressed DNS reply, received by a border router, from each of the border routers. Then, the controller adds the transmission-source IP address of the sampled DNS reply to the black list of the border router. Furthermore, upon reception of any of a target-addressed DNS reply and a target-addressed UDP subsequent fragment from the…
Who is the assignee on this patent?
Nippon Telegraph & Telephone
What technology area does this patent fall under?
Primary CPC classification H04L63/0236. Mapped technology areas include Electricity.
When was this patent published?
Publication date May 12, 2020 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).