
Method to Use IP ID-Based Heuristics to Determine if a Service Request Packet is Genuine and Not Being Spoofed

IP.com Disclosure Number: IPCOM000246635D
Publication Date: 2016-Jun-23
Document File: 1 page(s) / 21K

Publishing Venue

The IP.com Prior Art Database

Abstract

Disclosed is a method to determine whether a (TCP) service request comes from a spoofer before a more consequential decision (such as denying service, rejecting packets from that source, or banning the spoofing agent) is made. The method provides a quick, heuristic way to determine whether a service request packet truly came from the source it claims to come from.

This is the abbreviated version, containing approximately 66% of the total text.


There have been many denial-of-service attacks on the well-known ports and services of large corporations and governments, in which a constant barrage of SYN packets or connection requests is directed at the server. The idea is to overwhelm the server and exhaust its resources so that it cannot serve legitimate users. These attacks are often carried out using spoofed IP packets. Hence, servers have to employ a variety of methods to detect and act on spoofed packets (dropping, filtering, banning, etc.).

Disclosed is a simple and inexpensive method to determine whether a (TCP) service request comes from a spoofer before a more consequential decision (such as denying service, rejecting packets from that source, or banning the spoofing agent) is made. The method provides a quick, heuristic way to determine whether a service request packet truly came from the source it claims to come from.

In accordance with the method, when a host receives a packet that it suspects is spoofed, the host first notes the IP ID in that packet (ipid1). Then, the host pings the IP address in question. If ICMP is enabled and the host receives an ICMP Echo Reply, the method notes the IP ID of the reply (ipid2). Otherwise, the host simply sends a TCP SYN packet to that IP address on any pre-selected port. Chances are that it will be answered with an RST (it co...
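
The following added example (not part of the disclosure) extracts ipid1 from the suspicious packet and ipid2 from the probe reply (Echo Reply or RST) and compares them. The abbreviated text stops before the comparison step, so the rule used here (ipid2 must be a small forward step from ipid1, modulo 2^16), the `ASSUMED_MAX_GAP` threshold, the function names and the sample packets are all assumptions.

```python
import socket
import struct

ASSUMED_MAX_GAP = 64  # assumption: packets the source may emit between ipid1 and the probe reply

def ipv4_id_and_src(packet: bytes):
    """Return (Identification, source address) from a raw IPv4 header."""
    if len(packet) < 20:
        raise ValueError("shorter than a minimal IPv4 header")
    ver_ihl, _tos, _length, ident = struct.unpack("!BBHH", packet[:6])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return ident, socket.inet_ntoa(packet[12:16])

def check_suspect(suspect_pkt: bytes, probe_reply: bytes, max_gap: int = ASSUMED_MAX_GAP) -> str:
    """Compare ipid1 (suspect packet) with ipid2 (Echo Reply or RST from the claimed source)."""
    ipid1, claimed_src = ipv4_id_and_src(suspect_pkt)
    ipid2, reply_src = ipv4_id_and_src(probe_reply)
    if reply_src != claimed_src:
        raise ValueError("probe reply did not come from the claimed source")
    gap = (ipid2 - ipid1) & 0xFFFF  # forward distance; the ID field wraps at 2**16
    if gap == 0:
        # Identical IDs (for example both zero) mean the source is not using a
        # single incrementing counter, so the heuristic gives no signal.
        return "inconclusive"
    return "plausibly-genuine" if gap <= max_gap else "likely-spoofed"

def build_header(ident: int, src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header for the samples below (checksum left at 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, ident, 0, 64, 6, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

if __name__ == "__main__":
    server, claimed = "198.51.100.7", "192.0.2.10"  # documentation addresses
    samples = [(65530, 4), (1000, 40000), (0, 0)]    # constructed (ipid1, ipid2) pairs
    for ipid1, ipid2 in samples:
        verdict = check_suspect(build_header(ipid1, claimed, server),
                                build_header(ipid2, claimed, server))
        print(f"ipid1={ipid1:5d} ipid2={ipid2:5d} -> {verdict}")
```

A source that randomizes its IP ID or keeps per-destination counters will not satisfy this rule even when genuine, so the verdict is best used as one input to the later decision rather than as grounds for a ban on its own.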