Dhcp snooping with host mobility
US-2021211404-A1 · Jul 8, 2021 · US
US11310265B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11310265-B2 |
| Application number | US-202016803950-A |
| Country | US |
| Kind code | B2 |
| Filing date | Feb 27, 2020 |
| Priority date | Feb 27, 2020 |
| Publication date | Apr 19, 2022 |
| Grant date | Apr 19, 2022 |
Abstract
Systems and methods are provided for detecting MAC/IP spoofing attacks on networks. A method may include authenticating a network device for access to a network using a Media Access Control (MAC) address and an Internet Protocol (IP) address of the network device; wherein an attacking device is connected to the network, and to the network device, by a network hub; wherein the attacking device spoofs the MAC address and the IP address of the network device; establishing a Transport Control Protocol (TCP) connection with the network device subsequent to authenticating the network device; sending at least one TCP keepalive message to the IP address of the network device, wherein, responsive to receiving the TCP keepalive message, the attacking device transmits a TCP reset (RST) message; receiving the TCP RST message; and determining the attacking device is present in the network responsive to receiving the TCP RST message.
Claims

What is claimed is:

1. A system, comprising: a hardware processor; and a non-transitory machine-readable storage medium encoded with instructions executable by the hardware processor to perform a method comprising: authenticating a network device for access to a network using a Media Access Control (MAC) address and an Internet Protocol (IP) address of the network device; wherein an attacking device is connected to the network, and to the network device, by a network hub; wherein the attacking device spoofs the MAC address and the IP address of the network device; establishing a Transport Control Protocol (TCP) connection with the network device subsequent to authenticating the network device; sending at least one TCP keepalive message to the IP address of the network device, wherein, responsive to receiving the TCP keepalive message, the attacking device transmits a TCP reset (RST) message; receiving the TCP RST message; and determining the attacking device is present in the network responsive to receiving the TCP RST message.

2. The system of claim 1, the method further comprising: performing an action responsive to determining the attacking device is present in the network, wherein the action comprises at least one of: disconnecting, from the network, all network devices using the MAC address of the network device, quarantining all network devices using the MAC address of the network device, and notifying an administrator of the network.

3. The system of claim 1, the method further comprising: sending a Windows management instrumentation (WMI) query to the IP address responsive to receiving the TCP RST message, and prior to performing the action; and performing the action responsive to receiving an improper response to the WMI query.

4. The system of claim 1, wherein: the attacker and the network device are connected to a network hub; and the network hub is connected to an edge switch in the network.

5. The system of claim 1, wherein the authenticating the network device for access to the network complies with the IEEE 802.1X standard.

6. The system of claim 1, wherein the authenticating the network device for access to the network comprises: receiving authentication credentials from the network device; and comparing the authentication credentials to a plurality of authentication credentials stored in an identity store.

7. The system of claim 6, wherein the identity store comprises an Active Directory store.

8. A non-transitory machine-readable storage medium encoded with instructions executable by a hardware processor of a computing component, the machine-readable storage medium comprising instructions to cause the hardware processor to perform a method comprising: authenticating a network device for access to a network using a Media Access Control (MAC) address and an Internet Protocol (IP) address of the network device; wherein an attacking device is connected to the network, and to the network device, by a network hub; wherein the attacking device spoofs the MAC address and the IP address of the network device; establishing a Transport Control Protocol (TCP) connection with the network device subsequent to authenticating the network device; sending at least one TCP keepalive message to the IP address of the network device, wherein, responsive to receiving the TCP keepalive message, the attacking device transmits a TCP reset (RST) message; receiving the TCP RST message; and determining the attacking device is present in the network responsive to receiving the TCP RST message.

9. The medium of claim 8, the method further comprising: performing an action responsive to determining the attacking device is present in the network, wherein the action comprises at least one of: disconnecting, from the network, all network devices using the MAC address of the network device, quarantining all network devices using the MAC address of the network device, and notifying an administrator of the network.

10. The medium of claim 8, the method further comprising: sending a Windows management instrumentation (WMI) query to the IP address responsive to receiving the TCP RST message, and prior to performing the action; and performing the action responsive to receiving an improper response to the WMI query.

11. The medium of claim 8, wherein: the attacker and the network device are connected to a network hub; and the network hub is connected to an edge switch in the network.

12. The medium of claim 8, wherein the authenticating the network device for access to the network complies with the IEEE 802.1X standard.

13. The medium of claim 8, wherein the authenticating the network device for access to the network comprises: receiving authentication credentials from the network device; and comparing the authentication credentials to a plurality of authentication credentials stored in an identity store.

14. The medium of claim 13, wherein the identity store comprises an Active Directory store.

15. A method comprising: authenticating a network device for access to a network using a Media Access Control (MAC) address and an Internet Protocol (IP) address of the network device; wherein an attacking device is connected to the network, and to the network device, by a network hub; wherein the attacking device spoofs the MAC address and the IP address of the network device; establishing a Transport Control Protocol (TCP) connection with the network device subsequent to authenticating the network device; sending at least one TCP keepalive message to the IP address of the network device, wherein, responsive to receiving the TCP keepalive message, the attacking device transmits a TCP reset (RST) message; receiving the TCP RST message; and determining the attacking device is present in the network responsive to receiving the TCP RST message.

16. The method of claim 15, further comprising: performing an action responsive to determining the attacking device is present in the network, wherein the action comprises at least one of: disconnecting, from the network, all network devices using the MAC address of the network device, quarantining all network devices using the MAC address of the network device, and notifying an administrator of the network.

17. The method of claim 15, further comprising: sending a Windows management instrumentation (WMI) query to the IP address responsive to receiving the TCP RST message, and prior to performing the action; and performing the action responsive to receiving an improper response to the WMI query.

18. The method of claim 15, wherein: the attacker and the network device are connected to a network hub; and the network hub is connected to an edge switch in the network.

19. The method of claim 15, wherein the authenticating the network device for access to the network complies with the IEEE 802.1X standard.

20. The method of claim 15, wherein the authenticating the network device for access to the network comprises: receiving authentication credentials from the network device; and comparing the authentication credentials to a plurality of authentication credentials stored in an identity store.
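The detection logic described in the abstract and in claims 1 to 3, modelled as an added example (this is illustrative code written for this page, not code from the patent or its assignee). The monitor holds an established TCP connection to the authenticated device and sends keepalive probes; the device's real stack answers with an ACK, while a second stack that shares the same IP address but has no record of the connection answers with a RST, which is the standard response to a segment for a non-existent connection. The addresses, ports, MAC and packet traces are constructed, the `confirm` hook standing in for the claim-3 management (WMI) query is hypothetical, and the two-second reply window is an assumption.

```python
"""Keepalive-based detection of a host spoofing another device's MAC/IP.

Constructed example: every address, port and trace below is synthetic.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Segment:
    ts: float       # seconds since trace start
    src: str
    dst: str
    sport: int
    dport: int
    flags: str      # TCP flag letters, e.g. "A", "R", "RA"
    seq: int
    ack: int
    length: int     # payload bytes


@dataclass(frozen=True)
class Connection:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    snd_nxt: int    # next sequence number the monitor would send
    rcv_nxt: int    # next sequence number expected from the peer


@dataclass
class ProbeResult:
    probe_ts: float
    acked: bool = False            # the device's real stack answered
    rst_seen: bool = False         # a RST came back for the same probe
    rst_ts: Optional[float] = None

    @property
    def spoof_detected(self) -> bool:
        # Claim 1: presence of the attacking device follows from the RST.
        return self.rst_seen


def _to_peer(seg: Segment, conn: Connection) -> bool:
    return (seg.src, seg.sport, seg.dst, seg.dport) == (
        conn.local_ip, conn.local_port, conn.remote_ip, conn.remote_port)


def _from_peer(seg: Segment, conn: Connection) -> bool:
    return (seg.src, seg.sport, seg.dst, seg.dport) == (
        conn.remote_ip, conn.remote_port, conn.local_ip, conn.local_port)


def _is_keepalive(seg: Segment, conn: Connection) -> bool:
    # RFC 1122 keepalive: an empty ACK carrying SEG.SEQ = SND.NXT - 1.
    return (_to_peer(seg, conn) and "A" in seg.flags
            and seg.length == 0 and seg.seq == conn.snd_nxt - 1)


def detect_spoofing(conn: Connection, trace: List[Segment],
                    window: float = 2.0) -> List[ProbeResult]:
    """Pair each keepalive probe with the replies that arrive within `window` s."""
    results: List[ProbeResult] = []
    current: Optional[ProbeResult] = None
    for seg in sorted(trace, key=lambda s: s.ts):
        if _is_keepalive(seg, conn):
            current = ProbeResult(probe_ts=seg.ts)
            results.append(current)
            continue
        if current is None or not _from_peer(seg, conn):
            continue                       # unrelated traffic
        if seg.ts - current.probe_ts > window:
            continue                       # too late to be a reply to this probe
        if "R" in seg.flags:
            current.rst_seen = True        # a stack with no such connection reset it
            current.rst_ts = seg.ts
        elif "A" in seg.flags and seg.ack == conn.snd_nxt and seg.seq == conn.rcv_nxt:
            current.acked = True           # the legitimate peer is still up
    return results


def respond(device_mac: str, results: List[ProbeResult],
            confirm: Optional[Callable[[], bool]] = None) -> List[str]:
    """Claim 2 actions, optionally gated by a claim-3 style management query.

    `confirm` is a hypothetical hook: True means the host answered the
    management (e.g. WMI) query properly, so no action is taken.
    """
    if not any(r.spoof_detected for r in results):
        return []
    if confirm is not None and confirm():
        return []
    return [f"disconnect all devices using MAC {device_mac}",
            f"quarantine all devices using MAC {device_mac}",
            "notify network administrator"]


# Constructed data: monitor 10.0.0.1 holds a connection to device 10.0.0.25.
DEVICE_MAC = "00:11:22:33:44:55"
CONN = Connection("10.0.0.1", 40000, "10.0.0.25", 445, snd_nxt=1001, rcv_nxt=5001)

# Hub scenario: the real device ACKs the probe; a host sharing its IP resets.
SPOOFED_TRACE = [
    Segment(0.000, "10.0.0.1", "10.0.0.25", 40000, 445, "A", 1000, 5001, 0),  # keepalive
    Segment(0.004, "10.0.0.25", "10.0.0.1", 445, 40000, "A", 5001, 1001, 0),  # real device
    Segment(0.006, "10.0.0.25", "10.0.0.1", 445, 40000, "R", 5001, 0, 0),     # second stack
    Segment(0.500, "10.0.0.7", "10.0.0.1", 5000, 40000, "R", 1, 0, 0),        # unrelated host
]

# Clean scenario: only the real device answers each probe.
CLEAN_TRACE = [
    Segment(0.000, "10.0.0.1", "10.0.0.25", 40000, 445, "A", 1000, 5001, 0),
    Segment(0.003, "10.0.0.25", "10.0.0.1", 445, 40000, "A", 5001, 1001, 0),
    Segment(75.000, "10.0.0.1", "10.0.0.25", 40000, 445, "A", 1000, 5001, 0),
    Segment(75.003, "10.0.0.25", "10.0.0.1", 445, 40000, "A", 5001, 1001, 0),
]

if __name__ == "__main__":
    for name, trace in (("spoofed", SPOOFED_TRACE), ("clean", CLEAN_TRACE)):
        probes = detect_spoofing(CONN, trace)
        print(name, [(p.acked, p.rst_seen) for p in probes], respond(DEVICE_MAC, probes))
```

Recording the ACK alongside the RST matters in practice: when both arrive for one probe, the connection is demonstrably still alive on the real device, so the RST cannot have come from it, which is stronger evidence of a second stack than a lone RST that a rebooted host would also produce. That ambiguity is why the claims add the follow-up WMI query before any disconnect or quarantine.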
Layer-2 addresses, e.g. medium access control [MAC] addresses · CPC title
based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint · CPC title
Event detection, e.g. attack signature detection · CPC title
Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP] · CPC title
Filtering by address, protocol, port number or service, e.g. IP-address or URL · CPC title