Method for securing a DHCP server from unauthorized client attacks in a software defined network
US-2019149515-A1 · May 16, 2019 · US
US11509686B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-11509686-B2 |
| Application number | US-201916442841-A |
| Country | US |
| Kind code | B2 |
| Filing date | Jun 17, 2019 |
| Priority date | May 14, 2019 |
| Publication date | Nov 22, 2022 |
| Grant date | Nov 22, 2022 |
Abstract
In an embodiment, a computer-implemented method for DHCP-communications monitoring by a network controller in software defined networks is disclosed. A method comprises detecting that a virtualized compute instance is instantiated on a host computer; generating, and transmitting to a port manager executing on the host computer, instructions to set a BLOCK-EXCEPT-DHCP status on a port assigned to the virtualized compute instance; determining whether an IP address has been assigned to the port by a DHCP service; and if it has: generating, and transmitting to the port manager, instructions to set a NORMAL status on the port; generating, and transmitting to the port manager, a SpoofGuard configured with the IP address assigned to the port; based on notifications received from the SpoofGuard, determining whether the IP address assigned to the port of the virtualized compute instance has been misused, expired or spoofed; and if it has, transmitting instructions to set the BLOCK-EXCEPT-DHCP status on the port.
Claims
What is claimed is:
1. A computer-implemented method for DHCP-communications monitoring by a network controller in software defined networks, the method comprising: detecting, by the network controller, that a virtualized compute instance is instantiated on a host computer, wherein the virtualized compute instance is any one of: a virtual machine (“VM”) or a container; generating, by the network controller, and transmitting to a port manager executing on the host computer, instructions to set a BLOCK-EXCEPT-DHCP status on a port assigned to the virtualized compute instance; determining an IP address has been assigned to the port of the virtualized compute instance by a DHCP service; in response to determining that the IP address has been assigned to the port of the virtualized compute instance by the DHCP service: generating, and transmitting to the port manager, instructions to set a NORMAL status on the port assigned to the virtualized compute instance; and determining, by the network controller, whether the IP address assigned to the port of the virtualized compute instance has been misused, expired or spoofed; and in response to determining that the IP address assigned to the port of the virtualized compute instance has been misused, expired or spoofed: transmitting, to the port manager, instructions to set the BLOCK-EXCEPT-DHCP status on the port assigned to the virtualized compute instance.
2. The computer-implemented method of claim 1, wherein setting the BLOCK-EXCEPT-DHCP status on the port causes the port manager of the port to block any traffic to and from the port except DHCP-related traffic.
3. The computer-implemented method of claim 1, wherein setting the NORMAL status on the port causes the port manager of the port to allow all traffic to and from the port.
4. The computer-implemented method of claim 1, wherein determining whether the IP address has been assigned to the port of the virtualized compute instance by the DHCP service includes receiving, from the DHCP service or a datapath process, an indication that the IP address has been assigned to the port of the virtualized compute instance by the DHCP service and the IP address that has been assigned.
5. The computer-implemented method of claim 1, wherein assigning the IP address to the port of the virtualized compute instance by the DHCP service comprises: transmitting, by a DHCP client executing on the host computer, a DHCP discovery to the DHCP service; receiving, by the DHCP client, a DHCP offer from the DHCP service; transmitting, by the DHCP client, a DHCP request to the DHCP service; and receiving, by the DHCP client, a DHCP acknowledgment and the IP address from the DHCP services.
6. The computer-implemented method of claim 1, wherein determining, by the network controller, whether the IP address assigned to the port of the virtualized compute instance has been misused, expired or spoofed comprises determining one or more of: whether the virtualized compute instance started using an IP address that is different than the IP address assigned to the port of the virtualized compute instance by the DHCP service, whether a lease on the IP address assigned to the port of the virtualized compute instance by the DHCP service has expired, or whether another virtualized compute instance started using the IP address assigned to the port of the virtualized compute instance by the DHCP service.
7. The computer-implemented method of claim 1, further comprising transmitting, to the port manager, a SpoofGuard configured with the IP address assigned to the port of the virtualized compute instance, the transmitting causing the port manager to install and configure the SpoofGuard to monitor whether the IP address assigned to the virtualized compute instance is misused or spoofed.
8. One or more non-transitory computer-readable storage media storing one or more computer instructions which, when executed by one or more processors, cause the one or more processors to perform: detecting, by a network controller, that a virtualized compute instance is instantiated on a host computer; generating, by the network controller, and transmitting to a port manager executing on the host computer, instructions to set a BLOCK-EXCEPT-DHCP status on a port assigned to the virtualized compute instance, wherein the virtualized compute instance is any one of: a virtual machine (“VM”) or a container; determining an IP address has been assigned to the port of the virtualized compute instance by a DHCP service; in response to determining that the IP address has been assigned to the port of the virtualized compute instance by the DHCP service: generating, and transmitting to the port manager, instructions to set a NORMAL status on the port assigned to the virtualized compute instance; and determining, by the network controller, whether the IP address assigned to the port of the virtualized compute instance has been misused, expired or spoofed; and in response to determining that the IP address assigned to the port of the virtualized compute instance has been misused, expired or spoofed: transmitting, to the port manager, instructions to set the BLOCK-EXCEPT-DHCP status on the port assigned to the virtualized compute instance.
9. The one or more non-transitory computer-readable storage media of claim 8, wherein setting the BLOCK-EXCEPT-DHCP status on the port causes the port manager of the port to block any traffic to and from the port except DHCP-related traffic.
10. The one or more non-transitory computer-readable storage media of claim 8, wherein setting the NORMAL status on the port causes the port manager of the port to allow all traffic to and from the port.
11. The one or more non-transitory computer-readable storage media of claim 8, wherein determining whether the IP address has been assigned to the port of the virtualized compute instance by the DHCP service includes receiving, from the DHCP service or a datapath process, an indication that the IP address has been assigned to the port of the virtualized compute instance by the DHCP service and the IP address that has been assigned.
12. The one or more non-transitory computer-readable storage media of claim 8, wherein assigning the IP address to the port of the virtualized compute instance by the DHCP service comprises: transmitting, by a DHCP client executing on the host computer, a DHCP discovery to the DHCP service; receiving, by the DHCP client, a DHCP offer from the DHCP service; transmitting, by the DHCP client, a DHCP request to the DHCP service; and receiving, by the DHCP client, a DHCP acknowledgment and the IP address from the DHCP services.
13. The one or more non-transitory computer-readable storage media of claim 8, wherein determining, by the network controller, whether the IP address assigned to the port of the virtualized compute instance has been misused, expired or spoofed comprises determining one or more of: whether the virtualized compute instance started using an IP address that is different than the IP address assigned to the port of the virtualized compute instance by the DHCP service, whether a lease on the IP address assigned to the port of the virtualized compute instance by the DHCP service has expired, or whether another virtualized compute instance started using the IP address assigned to the port of the virtualized compute instance by the DHCP service.
14. The one or more non-transitory computer-readable storage media of claim 8, wherein the one or more computer instructions further cause the one or more processors to perform transmitting, to the port manager, a SpoofGuard configured with the IP a
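The abstract and claims 1 to 7 describe a small per-port state machine: a fresh port is BLOCK-EXCEPT-DHCP, a DHCP acknowledgment reported by the trusted DHCP service or datapath (claim 4) moves it to NORMAL and installs a SpoofGuard binding for the assigned address, and any of the three conditions in claim 6 (different source IP, expired lease, address in use by another instance) sends the port back to BLOCK-EXCEPT-DHCP. The following is an added example written for this page to make that state machine concrete; it is not code from the patent or its assignee. The class and function names (`Controller`, `Port`, `Packet`, `on_dhcp_ack`, `on_packet`), the choice of UDP 67/68 as the definition of "DHCP-related traffic", the IP addresses and lease times, and the decision that the port which sends the offending packet is the one that gets re-blocked are all assumptions made for the illustration; the claims do not fix those details.

```python
"""Added example: controller-side model of the per-port DHCP gating in
claims 1-7. Names, ports and addresses are assumptions for illustration,
not identifiers taken from the patent."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Optional

# Assumption: "DHCP-related traffic" (claim 2) means IPv4 DHCP on UDP 67/68.
DHCP_UDP_PORTS = {67, 68}


class PortStatus(Enum):
    BLOCK_EXCEPT_DHCP = "BLOCK-EXCEPT-DHCP"  # claim 2: only DHCP passes
    NORMAL = "NORMAL"                        # claim 3: everything passes


@dataclass
class Packet:
    src_ip: str
    proto: str                  # "udp", "tcp", "icmp", ...
    sport: Optional[int] = None
    dport: Optional[int] = None

    def is_dhcp(self) -> bool:
        return self.proto == "udp" and bool({self.sport, self.dport} & DHCP_UDP_PORTS)


@dataclass
class Port:
    """State the port manager keeps for one VM/container vNIC."""
    vif: str
    status: PortStatus = PortStatus.BLOCK_EXCEPT_DHCP
    assigned_ip: Optional[str] = None
    lease_expires: Optional[float] = None

    def passes_filter(self, pkt: Packet) -> bool:
        return self.status is PortStatus.NORMAL or pkt.is_dhcp()


class Controller:
    def __init__(self) -> None:
        self.ports: dict[str, Port] = {}
        # SpoofGuard binding table (claim 7): assigned IP -> owning vif.
        self.ip_owner: dict[str, str] = {}

    def on_instance_created(self, vif: str) -> PortStatus:
        """Claim 1: a newly instantiated VM/container starts DHCP-only."""
        self.ports[vif] = Port(vif)
        return self.ports[vif].status

    def on_dhcp_ack(self, vif: str, ip: str, lease_seconds: float, now: float) -> PortStatus:
        """Claim 4: the assignment comes from the trusted DHCP service or
        datapath process, never from the guest's own packets. Opens the
        port and installs the SpoofGuard binding."""
        port = self.ports[vif]
        port.assigned_ip, port.lease_expires = ip, now + lease_seconds
        self.ip_owner[ip] = vif
        port.status = PortStatus.NORMAL
        return port.status

    def _revoke(self, vif: str, reason: str) -> str:
        port = self.ports[vif]
        if port.assigned_ip is not None and self.ip_owner.get(port.assigned_ip) == vif:
            del self.ip_owner[port.assigned_ip]
        port.assigned_ip = port.lease_expires = None
        port.status = PortStatus.BLOCK_EXCEPT_DHCP   # back to DHCP-only
        return reason

    def on_packet(self, vif: str, pkt: Packet, now: float) -> tuple[bool, Optional[str]]:
        """Datapath filter plus SpoofGuard check for one packet sent by the
        port. Returns (forwarded, revocation_reason). Reasons follow claim 6:
        'expired' (lease ran out), 'spoofed' (source IP is bound to another
        port), 'misused' (source IP differs from the assignment and is not
        bound anywhere). Assumption: the sending port is the one re-blocked."""
        port = self.ports[vif]
        if port.status is PortStatus.NORMAL and port.lease_expires is not None \
                and now >= port.lease_expires:
            reason = self._revoke(vif, "expired")
            return port.passes_filter(pkt), reason     # DHCP may still pass
        if not port.passes_filter(pkt):
            return False, None
        if port.status is PortStatus.BLOCK_EXCEPT_DHCP or pkt.is_dhcp():
            return True, None      # DHCP exchange is exempt from the IP check
        if pkt.src_ip != port.assigned_ip:
            owner = self.ip_owner.get(pkt.src_ip)
            reason = "spoofed" if owner is not None and owner != vif else "misused"
            return False, self._revoke(vif, reason)
        return True, None
```

Two points worth checking in any real implementation of this scheme. First, `on_dhcp_ack` must only ever be driven by the controller's own DHCP service or datapath (claim 4); if the port manager inferred the assignment from a DHCPACK it saw on the wire, a guest running a rogue DHCP server could unlock its own port by answering itself. Second, DHCP packets are exempted from the source-address check above so that a mid-lease DISCOVER with source 0.0.0.0 (for example after a guest reboot) is not counted as misuse; without that exemption every reboot would bounce the port back to BLOCK-EXCEPT-DHCP.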
Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks · CPC title
Update or notification mechanisms, e.g. DynDNS · CPC title
Network integration; Enabling network access in virtual machine instances · CPC title
Filtering by address, protocol, port number or service, e.g. IP-address or URL · CPC title
using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP] · CPC title