US9398043B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-9398043-B1 |
| Application number | US-40963409-A |
| Country | US |
| Kind code | B1 |
| Filing date | Mar 24, 2009 |
| Priority date | Mar 24, 2009 |
| Publication date | Jul 19, 2016 |
| Grant date | Jul 19, 2016 |
Abstract

An intrusion detection system inspects encapsulated packet flows and, upon detecting a malicious encapsulated packet flow, may close the encapsulated network session corresponding to the malicious flow or drop the sub-packets of the malicious flow without acting against non-malicious sub-packets and/or sessions. In one example, a network device includes a flow analysis module that receives packets of a packet flow, each packet comprising a packet header and one or more sub-packets each corresponding to a respective network session; an attack detection module that identifies at least one of the network sessions as a malicious network session; a policy action module that executes a policy action on the sub-packet corresponding to the malicious network session based on that identification; and a forwarding component that forms a reconstructed packet comprising the packet header and the sub-packets excluding the sub-packet corresponding to the malicious network session and forwards the reconstructed packet.
Claims (preview)

The invention claimed is:

1. A method comprising: receiving, with an intrusion prevention device, a packet of a packet flow, the packet comprising a packet header and a plurality of sub-packets encapsulated within a payload of the packet, each of the plurality of sub-packets corresponding to respective encapsulated network sessions, wherein the intrusion prevention device is positioned between a source of the packet and a destination for the packet; analyzing, with the intrusion prevention device, each of the plurality of sub-packets encapsulated within the packet; identifying, with the intrusion prevention device, one of the encapsulated network sessions as a malicious encapsulated network session based on the analysis of the plurality of sub-packets; executing, with the intrusion prevention device, a targeted policy action on the one of the sub-packets corresponding to the malicious encapsulated network session based on the identification of the encapsulated network session as a malicious encapsulated network session; forming, with the intrusion prevention device, a reconstructed packet comprising the packet header and the plurality of sub-packets excluding at least the sub-packet corresponding to the malicious encapsulated network session; and forwarding the reconstructed packet with the intrusion prevention device.

2. The method of claim 1, further comprising recording an identifier of the malicious encapsulated network session as an entry in a session table.

3. The method of claim 2, wherein the packet comprises a first packet, wherein the plurality of sub-packets comprises a first plurality of sub-packets, and wherein the reconstructed packet comprises a first reconstructed packet, the method further comprising: receiving a second packet of the packet flow, the second packet comprising a second plurality of sub-packets each corresponding to respective encapsulated network sessions; performing a lookup in the session table for each of the second plurality of sub-packets; determining that an encapsulated network session for one of the second plurality of sub-packets matches the identifier of the malicious encapsulated network session in the session table; and forming a second reconstructed packet comprising the at least one of the second plurality of sub-packets whose identifier does not correspond to any of the identifiers of malicious encapsulated network sessions in the session table and forwarding the second reconstructed packet.

4. The method of claim 2, wherein analyzing each of the first plurality of sub-packets comprises: identifying a first five-tuple for the packet flow, the first five-tuple comprising a source internet protocol (IP) address, a destination IP address, a source port, a destination port, and a protocol; and identifying a second five-tuple for the malicious encapsulated network session from the sub-packet corresponding to the malicious encapsulated network session; wherein executing a targeted policy action comprises executing the targeted policy action based on the combination of the first five-tuple and the second five-tuple; and wherein recording the identifier comprises recording the first five-tuple and the second five-tuple as the identifier.

5. The method of claim 4, further comprising constructing a virtual packet header for the sub-packet of the malicious encapsulated network session, wherein identifying the second five-tuple comprises identifying the second five-tuple from the virtual packet header.

6. The method of claim 1, wherein executing a policy action comprises dropping the sub-packet corresponding to the malicious encapsulated network session.

7. The method of claim 1, wherein executing a policy action comprises sending a close session message to at least one of a server of the malicious encapsulated network session and a client of the malicious encapsulated network session.

8. The method of claim 7, wherein sending a close session message comprises generating a packet that encapsulates the close session message and sending the generated packet.

9. The method of claim 1, wherein the packet comprises a first packet and wherein the reconstructed packet comprises a first reconstructed packet, the method further comprising: receiving a second packet of the packet flow, the second packet comprising a second plurality of sub-packets; determining that one of the second plurality of sub-packets belongs to the malicious encapsulated network session; and forming a second reconstructed packet comprising the second plurality of sub-packets excluding the one of the second plurality of sub-packets that belongs to the malicious encapsulated network session and forwarding the second reconstructed packet.

10. The method of claim 9, further comprising executing a second policy action on the one of the second plurality of sub-packets that belongs to the malicious encapsulated network session.

11. The method of claim 10, wherein the second policy action executed on the one of the second set of one or more sub-packets is the same as the policy action executed on the sub-packet of the plurality of sub-packets of the first packet corresponding to the malicious encapsulated network session.

12. A network device comprising: a memory storing instructions for a flow analysis module, an attack detection module, and a policy action module; a processor configured to execute the instructions, wherein the processor executes the instructions for the flow analysis module to receive a packet of a packet flow, the packet comprising a packet header and one or more sub-packets each corresponding to respective encapsulated network sessions; wherein the processor executes the instructions for the attack detection module to analyze the one or more sub-packets and to identify at least one of the encapsulated network sessions as a malicious encapsulated network session based on the analysis; wherein the processor executes the instructions for the policy action module to execute a policy action on the sub-packet corresponding to the malicious encapsulated network session based on the identification of the malicious encapsulated network session; and a forwarding component configured to form a reconstructed packet comprising the packet header and the plurality of sub-packets excluding the sub-packet corresponding to the malicious encapsulated network session and forward the reconstructed packet.

13. The device of claim 12, further comprising a flow table configured to store an identifier for the packet flow.

14. The device of claim 13, wherein the flow table comprises a first hash table and a second hash table, wherein the first hash table is configured to store the identifier for the packet flow, and wherein the second hash table is configured to store identifiers for the encapsulated network sessions, the flow table further comprising a pointer from the identifier in the first hash table to at least one of the identifiers of the second hash table.

15. The device of claim 14, wherein the identifier stored in the first hash table comprises a first five-tuple for the packet flow, the first five-tuple comprising a source internet protocol (IP) address, a destination IP address, a source port, a destination port, and a protocol, wherein the at least one identifier of the second hash table comprises a second five-tuple for the malicious encapsulated network session from the sub-packet corresponding to the malicious encapsulated network session.

16. The device of claim 12, wherein the processor executes the policy action module to drop the sub-packet
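The abstract and claims 1 to 5, 9 and 12 to 15 describe one procedure: split an outer packet into its encapsulated sub-packets, derive an inner five-tuple per sub-packet, key a session table on the (outer five-tuple, inner five-tuple) pair, drop only the sub-packet of a session flagged as malicious, rebuild the packet from the survivors, and on later packets of the same flow short-circuit straight to the session table. The following is an added example of that procedure in Python; it is not code from the patent or its assignee. The encapsulation format (an outer five-tuple header followed by sub-packets, each with its own inner five-tuple header and a two-byte length prefix), the `SIGNATURES` list standing in for a real rule set, and the class and function names are all constructed for illustration.

```python
"""Per-session policy enforcement on an encapsulated packet flow (added example)."""
import socket
import struct
from typing import Dict, List, Set, Tuple

FiveTuple = Tuple[str, str, int, int, int]   # src IP, dst IP, sport, dport, proto
HDR = struct.Struct("!4s4sHHB")              # constructed wire form of a five-tuple (13 bytes)
LEN = struct.Struct("!H")                    # constructed sub-packet payload length prefix


def pack_5tuple(ft: FiveTuple) -> bytes:
    src, dst, sport, dport, proto = ft
    return HDR.pack(socket.inet_aton(src), socket.inet_aton(dst), sport, dport, proto)


def unpack_5tuple(buf: bytes) -> FiveTuple:
    src, dst, sport, dport, proto = HDR.unpack(buf)
    return (socket.inet_ntoa(src), socket.inet_ntoa(dst), sport, dport, proto)


def build_packet(outer: FiveTuple, subs: List[Tuple[FiveTuple, bytes]]) -> bytes:
    """Encapsulate several sessions' sub-packets behind one outer header."""
    body = b"".join(pack_5tuple(inner) + LEN.pack(len(p)) + p for inner, p in subs)
    return pack_5tuple(outer) + body


def parse_packet(data: bytes) -> Tuple[FiveTuple, List[Tuple[FiveTuple, bytes]]]:
    """Split a packet into its outer header and sub-packets.

    Every length field is bounds-checked: a truncated or lying sub-packet must
    raise rather than desynchronise the parser, since a desynchronised inspector
    analyses different bytes than the destination will.
    """
    if len(data) < HDR.size:
        raise ValueError("packet shorter than outer header")
    outer = unpack_5tuple(data[:HDR.size])
    subs, off = [], HDR.size
    while off < len(data):
        if off + HDR.size + LEN.size > len(data):
            raise ValueError("truncated sub-packet header")
        inner = unpack_5tuple(data[off:off + HDR.size])   # the "virtual packet header"
        (plen,) = LEN.unpack(data[off + HDR.size:off + HDR.size + LEN.size])
        start = off + HDR.size + LEN.size
        if start + plen > len(data):
            raise ValueError("sub-packet length exceeds packet")
        subs.append((inner, data[start:start + plen]))
        off = start + plen
    return outer, subs


# Constructed signatures standing in for a real attack detection rule set.
SIGNATURES = (b"EXPLOIT-SIG", b"\x90\x90\x90\x90")


def is_malicious(payload: bytes) -> bool:
    return any(sig in payload for sig in SIGNATURES)


class IntrusionPreventionDevice:
    """In-line inspector that drops only the offending session's sub-packet."""

    def __init__(self) -> None:
        # Flow table as two linked hash tables: outer flow id -> inner session ids.
        self.flows: Dict[FiveTuple, Set[FiveTuple]] = {}
        # Session table keyed on the (outer five-tuple, inner five-tuple) pair.
        self.malicious: Set[Tuple[FiveTuple, FiveTuple]] = set()

    def process(self, data: bytes) -> Tuple[bytes, List[Tuple[FiveTuple, FiveTuple]]]:
        """Return the reconstructed packet and the session ids whose sub-packets were dropped."""
        outer, subs = parse_packet(data)
        kept, dropped = [], []
        for inner, payload in subs:
            self.flows.setdefault(outer, set()).add(inner)
            sid = (outer, inner)
            # Session-table hit first: a known-malicious session is dropped without re-analysis.
            if sid in self.malicious or is_malicious(payload):
                self.malicious.add(sid)
                dropped.append(sid)
                continue
            kept.append((inner, payload))
        # Same outer header, minus the malicious sub-packet(s); other sessions are untouched.
        return build_packet(outer, kept), dropped
```

Two points the code makes explicit that the claim text leaves implicit: the session table is keyed on the combination of outer and inner five-tuples (claim 4), so the same inner session carried over a different tunnel is a different entry; and the reconstructed packet reuses the original outer header unchanged, so any outer-layer length or checksum fields a real encapsulation carries would have to be recomputed before forwarding, which this constructed format does not need.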
CPC title: Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002)