US007058974B1

(12) United States Patent
Maher, III et al.

(10) Patent No.: US 7,058,974 B1
(45) Date of Patent: Jun. 6, 2006

(54) METHOD AND APPARATUS FOR PREVENTING DENIAL OF SERVICE ATTACKS

(75) Inventors: Robert Daniel Maher, III, Plano, TX (US); Victor A. Bennett, Rockwall, TX (US)

(73) Assignee: Netrake Corporation, Plano, TX (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 1030 days.

(21) Appl. No.: 09/598,631

(22) Filed: Jun. 21, 2000

(51) Int. Cl.
G06F 11/00 (2006.01)
G06F 11/22 (2006.01)
G06F 11/30 (2006.01)
G06F 11/32 (2006.01)

(52) U.S. Cl. .......................... 726/13; 726/23; 713/189; 370/229

(58) Field of Classification Search ................ 713/201, 713/200, 154; 706/47; 370/474; 726/22, 726/23, 26
See application file for complete search history.

(56) References Cited

U.S. PATENT DOCUMENTS

5,813,001 A      9/1998   Bennett
6,477,669 B1 *  11/2002   Agarwal et al. ............ 714/708
6,598,034 B1 *   7/2003   Kloth ..................... 706/47
6,636,512 B1 *  10/2003   Lorrain et al. ............ 370/392
6,654,373 B1 *  11/2003   Maher et al. .............. 370/392
6,735,219 B1 *   5/2004   Clauberg .................. 370/474

* cited by examiner

Primary Examiner—Gilberto Barron, Jr.
Assistant Examiner—Samson Lemma
(74) Attorney, Agent, or Firm—Haynes and Boone, LLP

(57) ABSTRACT

A method and apparatus for preventing denial of service type attacks on data networks is described. The method involves scanning the contents of the data packets flowing over the data network using a traffic flow scanning engine. The data packets are reordered and reassembled and then the payload contents are scanned to determine whether they conform to predetermined requirements. Data packets which do not reorder or reassemble correctly or which do not conform to the predetermined requirements may be dropped. Dropping packets which do not reorder or reassemble correctly or which do not conform to the predetermined requirements prevents denial of service attacks which exploit bugs in the TCP/IP implementation or shortcomings in the TCP/IP specification. The traffic flow scanning engine is further operable to determine whether the data packets are associated with validated traffic flows. Those data packets associated with validated traffic flows are assigned to a higher priority while those not associated with a validated traffic flow are assigned to a low priority, which may occupy no more than a predetermined maximum of the available bandwidth. Assigning data packets associated with a non-validated traffic flow to a low priority prevents brute force type denial of service attacks designed to clog networks.

16 Claims, 6 Drawing Sheets

[Front-page drawing: network topology of FIG. 1a; only reference numerals 17, 20, 22, 26 (IDS), 28, 30, 32 and 60 were extracted, the figure itself was not.]

UNIFIED PATENTS EXHIBIT 1019
UNIFIED PATENTS, LLC v. DYNAPASS IP HOLDINGS LLC
IPR2023-00425
Page 1 of 14

U.S. Patent  Jun. 6, 2006  Sheet 1 of 6  US 7,058,974 B1
[Drawing sheet 1: figure not extracted]

U.S. Patent  Jun. 6, 2006  Sheet 2 of 6  US 7,058,974 B1
[Drawing sheet 2: figure not extracted]

U.S. Patent  Jun. 6, 2006  Sheet 3 of 6  US 7,058,974 B1
[Drawing sheet 3: figure not extracted]

U.S. Patent  Jun. 6, 2006  Sheet 4 of 6  US 7,058,974 B1
[Drawing sheet 4: figure not extracted]

U.S. Patent  Jun. 6, 2006  Sheet 5 of 6  US 7,058,974 B1
[Drawing sheet 5: figure not extracted]

U.S. Patent  Jun. 6, 2006  Sheet 6 of 6  US 7,058,974 B1

Fig. 5 (flow chart of the method for preventing denial of service attacks; only the block labels and reference numerals were extracted, listed here in flow order):

500  (start)
502  SCAN HEADER INFORMATION
504  REASSEMBLE AND REORDER DATA PACKETS AND FRAGMENTS
506  DOES PACKET REASSEMBLE AND REORDER ACCORDING TO POLICY?  NO: DROP PACKET (508)
510  SCAN PAYLOAD CONTENTS
512  DO PACKET HEADER AND PAYLOAD CONFORM TO REQUIRED PARAMETERS?  NO: DROP PACKET (508)
     DOES DATA PACKET BELONG TO VALIDATED TRAFFIC FLOW?  NO: 516, YES: 520
516  ASSIGN DATA PACKET TO LOW PRIORITY QOS QUEUE
518  TRANSMIT DATA IN LOW PRIORITY QOS QUEUE USING NO MORE THAN A PREDETERMINED PERCENTAGE OF AVAILABLE BANDWIDTH
520  ASSIGN DATA PACKET TO A HIGHER PRIORITY QOS QUEUE ACCORDING TO CONTENTS
522  TRANSMIT DATA AS DEFINED IN QOS PROTOCOL FOR ASSIGNED QOS QUEUE
524  (end)

METHOD AND APPARATUS FOR PREVENTING DENIAL OF SERVICE ATTACKS

TECHNICAL FIELD OF THE INVENTION

The present invention relates to broadband data networking equipment. Specifically, the present invention relates to a method and device that prevents denial of service type internet attacks.

BACKGROUND OF THE INVENTION

A “denial of service” (DoS) attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. DoS attacks are aimed at devices and networks with exposure to the Internet. Their goal is to cripple a device or network so that external users no longer have access to network resources. Without hacking password files or stealing sensitive data, a denial-of-service hacker simply fires up a program that will generate enough traffic to a particular site that it denies service to the site's legitimate users.

There are three types of DoS attacks: those that exploit a bug in a TCP/IP implementation, those that exploit a shortcoming in the TCP/IP specification, and brute-force attacks that clog up the network with so much useless traffic that no other traffic can get in or out.

Two lethal attacks, the well-known Ping of Death and the newer Teardrop attack, exploit known bugs in TCP/IP implementations. The Ping of Death uses a ping system utility to create an IP packet that exceeds the maximum 65,536 bytes of data allowed by the IP specification. The oversize packet is then sent to an unsuspecting system. Systems may crash, hang, or reboot when they receive such a maliciously crafted packet.

The recently developed Teardrop attack exploits weaknesses in the reassembly of IP packet fragments. During its journey through the Internet, an IP packet may be broken up into smaller chunks. Each fragment looks like the original IP packet except that it contains an offset field that says, for instance, “This fragment is carrying bytes 600 through 800 of the original (nonfragmented) IP packet.” The Teardrop program creates a series of IP fragments with overlapping offset fields. When these fragments are reassembled at the destination host, some systems will crash, hang, or reboot.

Weaknesses in the TCP/IP specification leave hosts open to SYN attacks, executed during the three-way handshake that kicks off a TCP conversation between two applications. Under normal circumstances, the application that initiates a TCP session sends a TCP SYN synchronization packet to the receiving application. The receiver sends back a TCP SYN-ACK acknowledgment packet and then the initiator responds with an ACK acknowledgment. After this handshake, the applications are set to send and receive data.

But a SYN attack floods a targeted system with a series of TCP SYN packets. Each packet causes the targeted system to issue a SYN-ACK response. While the targeted system waits for the ACK that follows the SYN-ACK, it queues up all outstanding SYN-ACK responses on what is known as a backlog queue. This backlog queue has a finite length that is usually quite small. Once the queue is full, the system will either ignore all incoming SYN requests, or more likely crash. SYN-ACKs are moved off the queue only when an ACK comes back or when an internal timer (which is set at relatively long intervals) terminates the three-way handshake.

`
A SYN attack creates each SYN packet in the flood with a bad source IP address, which under routine procedure identifies the original packet. All responses are sent to the source IP address. But a bad source IP address either does not actually exist or is down; therefore the ACK that should follow a SYN-ACK response will never come back. This creates a backlog queue that's always full, making it nearly impossible for legitimate TCP SYN requests to get into the system.

In a Land attack—a simple hybrid of the SYN attack—hackers flood SYN packets into the network with a spoofed source IP address of the targeted system.

A lot more dangerous than any initiative launched by their cartoon namesakes, the Smurf attack is a brute-force attack targeted at a feature in the IP specification known as direct broadcast addressing. A Smurf hacker floods the router of the victim with Internet Control Message Protocol (ICMP) echo request packets (pings). Since the destination IP address of each packet is the broadcast address of the victim's network, the victim's router will broadcast the ICMP echo request packet to all hosts on its network. If the victim has numerous hosts, this will create a large amount of ICMP echo request and response traffic.

If a hacker chooses to spoof the source IP address of the ICMP echo request packet, the resulting ICMP traffic will not only clog up the primary victim's network—the “intermediary” network—but will also congest the network of the spoofed source IP address—known as the “secondary victim” network.

The User Datagram Protocol (UDP) Flood denial-of-service attack also links two unsuspecting systems. By spoofing, the UDP Flood attack hooks up one system's UDP chargen service, which for testing purposes generates a series of characters for each packet it receives, with another system's UDP echo service, which echoes any character it receives in an attempt to test network programs. As a result, a nonstop flood of useless data passes between the two systems.

Prevention of a UDP Flood can be accomplished by either disabling all UDP services on each host in the network or by having a firewall filter all incoming UDP service requests. However, by categorically denying all UDP traffic, you will rebuff legitimate applications, such as RealAudio, that use UDP as their transport mechanism.

Accordingly, what is needed is a method of preventing DoS attacks and a network device that can perform that method in order to prevent DoS attacks from disrupting entire networks.

SUMMARY OF THE INVENTION

The present invention provides for a method of preventing DoS attacks. The method involves scanning the contents of the data packets and then verifying that the contents of the data packets conform to a set of predetermined requirements, the predetermined requirements including reordering and reassembling data packets according to a defined policy and ensuring that they conform to required parameters such as packet length, non-overlapping offsets, and adherence to protocol standards. Data packets that do not verify may be dropped.

After the contents have been verified, the data packets are checked to determine if they are associated with a validated traffic flow. If the data packet is associated with a validated traffic flow it is assigned to a higher priority quality of service for transmission back onto the network. If the data packet is not associated with a validated traffic flow it is assigned to a low priority quality of service queue, such that data packets in the low priority quality of service queue can occupy no more than a predetermined maximum of the available network bandwidth when they are transmitted back onto the network.
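The reassembly and reorder policy the summary describes (steps 504 and 506 of FIG. 5) can be made concrete with a small checker. The following Python is an added example and is not code from the patent or from Netrake: the `Fragment` type, the `check_fragments` function and the sample fragment sets are constructed for the illustration, and the only policy constant it relies on is the 65,535-byte IPv4 datagram limit. It sorts the fragments of one datagram by offset (the reorder step), then rejects sets that overlap (the Teardrop case from the background), leave a gap, carry an inconsistent More-Fragments flag, or would reassemble to more than the IP maximum (the Ping of Death case). It goes slightly beyond the text in one respect: it also rejects non-final fragments whose length is not a multiple of 8 bytes, which the IP specification requires of every fragment but the last.

```python
"""Reassembly/reorder policy check for IP fragments (added example, not patent code)."""
from dataclasses import dataclass
from typing import List, Tuple

MAX_IP_DATAGRAM = 65535  # largest total length an IPv4 datagram may claim (RFC 791)


@dataclass(frozen=True)
class Fragment:
    """One IP fragment: payload offset in bytes, payload length, More-Fragments flag.
    On the wire the offset field counts 8-byte units; it is pre-multiplied here."""
    offset: int
    length: int
    more_fragments: bool


def check_fragments(fragments: List[Fragment]) -> Tuple[bool, str]:
    """Reorder the fragments of one datagram and check them against the policy.

    Returns (True, "ok") when the set reassembles cleanly, otherwise (False, reason).
    The caller is assumed to have collected the complete set for one datagram
    (same src, dst, identification and protocol), e.g. at reassembly timeout.
    """
    if not fragments:
        return False, "no fragments"
    ordered = sorted(fragments, key=lambda f: f.offset)  # the reorder step
    expected = 0  # byte offset the next well-formed fragment must start at
    for i, frag in enumerate(ordered):
        is_last = i == len(ordered) - 1
        if frag.length <= 0:
            return False, f"empty fragment at offset {frag.offset}"
        if frag.offset < expected:
            # Teardrop-style: this fragment claims bytes an earlier one already covered
            return False, f"overlap at offset {frag.offset}"
        if frag.offset > expected:
            return False, f"gap before offset {frag.offset}"
        if not is_last and frag.length % 8:
            return False, f"non-final fragment at offset {frag.offset} not a multiple of 8 bytes"
        if frag.more_fragments == is_last:
            # only the final fragment may clear More-Fragments, and it must clear it
            return False, f"More-Fragments flag inconsistent at offset {frag.offset}"
        expected = frag.offset + frag.length
        if expected > MAX_IP_DATAGRAM:
            # Ping-of-Death-style: the reassembled datagram would exceed the IP maximum
            return False, f"reassembled length {expected} exceeds {MAX_IP_DATAGRAM}"
    return True, "ok"


def build_samples():
    """Constructed fragment sets (not captured traffic), one per policy outcome."""
    return {
        "normal": [Fragment(0, 1480, True), Fragment(1480, 1480, True), Fragment(2960, 100, False)],
        "out_of_order": [Fragment(1480, 1480, True), Fragment(0, 1480, True), Fragment(2960, 100, False)],
        "teardrop": [Fragment(0, 1480, True), Fragment(800, 1480, False)],
        "oversize": [Fragment(i * 1480, 1480, True) for i in range(44)] + [Fragment(44 * 1480, 1480, False)],
        "missing_piece": [Fragment(0, 1480, True), Fragment(2960, 100, False)],
    }


def triage(samples):
    """Apply the policy to every sample; a False verdict means 'drop packet'."""
    return {name: check_fragments(frags) for name, frags in samples.items()}


if __name__ == "__main__":
    for name, (ok, reason) in triage(build_samples()).items():
        print(f"{name:14s} {'forward' if ok else 'drop   '} {reason}")
```

A `False` verdict corresponds to the DROP PACKET step of the flow chart; the checker returns the rule that failed so a device can count which policy each dropped set violated instead of discarding silently, which is the signal a defender wants when distinguishing a buggy sender from a deliberate fragment attack.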
The present invention also includes a network device for preventing DoS attacks. The network device includes a traffic flow scanning engine and a quality of service processor. The traffic flow scanning engine is operable to scan the contents of the data packets, including the header and the payload, and to associate the data packets with particular traffic flows. The traffic flow scanning engine is also operable to determine whether each traffic flow is validated or non-validated. Further, the traffic flow scanning engine reorders and reassembles the data packets and associated traffic flows and ensures that the data packets conform to predetermined requirements. The network device may drop packets that do not reorder or reassemble correctly or which do not conform to the predetermined requirements. Once the traffic flow scanning engine has scanned the data packet it produces a conclusion associated with that data packet, both of which are passed to the quality of service processor.

The quality of service processor uses the conclusion from the traffic flow scanning engine to place the data packets in the appropriate quality of service queue. Data packets associated with a validated traffic flow are placed in higher priority queues and transmitted back onto the network according to the protocol for the particular queue. Data packets not assigned to a validated traffic flow are placed in a low priority QoS queue. Data packets in the low priority QoS queue are transmitted onto the network such that they occupy no more than a predetermined maximum of available bandwidth, thereby preventing flood type DoS attacks.

The foregoing has outlined, rather broadly, preferred and alternative features of the present invention so that those skilled in the art may better understand the detailed description of the invention that follows. Additional features of the invention will be described hereinafter that form the subject of the claims of the invention. Those skilled in the art will appreciate that they can readily use the disclosed conception and specific embodiment as a basis for designing or modifying other structures for carrying out the same purposes of the present invention. Those skilled in the art will also realize that such equivalent constructions do not depart from the spirit and scope of the invention in its broadest form.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present invention, reference is now made to the following descriptions taken in conjunction with the accompanying drawings, in which:

FIGS. 1a and 1b are a network topology diagram illustrating example environments in which the present invention can operate;

FIG. 2 is a block diagram of a “bump-in-the-line” network apparatus according to the present invention;

FIG. 3 is a block diagram of the payload scanning engine from FIG. 2;

FIG. 4 is a block diagram of a routing network apparatus according to the present invention; and

FIG. 5 is a flow chart illustrating a method according to the present invention for preventing denial of service attacks.

DETAILED DESCRIPTION OF THE DRAWINGS

Referring now to FIGS. 1a and 1b, a network topology is shown which is an example of several network infrastructures that connect in some manner to a broader public IP network 10 such as the internet. FIGS. 1a and 1b are in no way meant to be a precise network architecture, but only to serve as a rough illustration of a variety of network structures which can exist on a broadband IP network. Public IP network 10 can be accessed in a variety of ways. FIGS. 1a and 1b show the public IP network being accessed through a private IP network 12 which can be the IP network of a company such as MCI or UUNET which provide private core networks. An endless variety of network structures can be connected to private IP network 12 in order to access other networks connected to private IP network 12 or to access public IP network 10.

One example of a network structure connecting to private IP network 12 is hosting network 14. Hosting network 14 is an example of a network structure that provides hosting services for internet websites. These hosting services can be in the form of webfarm 16. Webfarm 16 begins with webservers 30 and database 32 which contain the webpages, programs and databases associated with a particular website such as amazon.com or yahoo.com. Webservers 30 connect to redundant load balancers 28 which receive incoming internet traffic and assign it to a particular webserver to balance the loads across all of webservers 30. Redundant intrusion detection systems 26 and firewalls connect to load balancers 28 and provide security for webfarm 16. Individual webfarms 16 and 17 connect to hosting network 14's switched backbone 18 by means of a network of switches 20 and routers 22. Hosting network 14's switched backbone 18 is itself made up of a network of switches 20 which then connect to one or more routers 22 to connect to private IP network 12. Connections between individual webfarms 16 and 17 and the switched backbone 18 of hosting network 14 are usually made at speeds such as OC-3 or OC-12 (approx. 150 megabits/sec or 625 megabits/sec), while the connections from router 22 of hosting network 14 to private IP network 12 are on the order of OC-48 speeds (approx. 2.5 gigabits/sec).

Another example of network structures connecting to the private IP network is illustrated with service provider network 34. Service provider network 34 is an example of a network structure for Internet Service Providers (ISPs) or Local Exchange Carriers (LECs) to provide both data and voice access to private IP network 12 and public IP network 10. Service provider network 34 provides services such as internet and intranet access for enterprise networks 36 and 37. Enterprise networks 36 and 37 are, for example, company networks such as the company network for Lucent Technologies or Merrill Lynch. Each enterprise network, such as enterprise network 36, includes a plurality of network servers and individual workstations connected to a switched backbone 18, which can be connected by routers 22 to service provider network 34.

In addition to internet access for enterprise networks, service provider network 34 provides dial-up internet access for individuals or small businesses. Dial-up access is provided in service provider network 34 by remote access server (RAS) 42, which allows personal computers (PCs) to call into service provider network 34 through the public switched telephone network (PSTN), not shown. Once a connection has been made between the PC 50 and RAS 42 through the PSTN, PC 50 can then access the private or public IP networks 12 and 10.

Service provider network 34 also provides the ability to use the internet to provide voice calls over a data network, referred to as Voice over IP (VoIP). VoIP networks 46 and 47 allow IP phones 48 and PCs 50 equipped with the proper software to make telephone calls to other phones or PCs connected to the internet, or even to regular phones connected to the PSTN. VoIP networks, such as VoIP network 46, include media gateways 52 and other equipment, not shown, to collect and concentrate the VoIP calls which are sent through service provider network 34 and private and public internet 12 and 10 as required. As mentioned, the advent of VoIP as well as other real time services such as video over the internet makes quality of service a priority for service providers in order to match the traditional telephone service provided by traditional telephone companies.

Service provider network 34 includes a switched backbone 18 formed by switches 20 as well as routers 22 between it and its end users and between it and private IP network 12. Domain name servers 44 and other networking equipment, which are not shown, are also included in service provider network 34. Similar to hosting network 34, connection speeds for service provider network 34 can range from speeds such as T1, T3, OC-3 and OC-12 for connecting to enterprise networks 36 and 37 as well as VoIP networks 46 and 47, all the way to OC-48 and conceivably even OC-192 for connections to the private IP network.

It can easily be seen that aggregation points 60 exist at the edges of these various network structures where data is passed from one network structure to another at speeds such as OC-3, OC-12, and OC-48. One major problem in the network structures shown in FIG. 1 is the lack of any type of intelligence at these aggregation points 60 which would allow the network to provide services such as security, metering and quality of service. The intelligence to provide these services would require that the network understand the type of data passing through the aggregation points 60 and not just the destination and/or source information which is currently all that is understood. Understanding the type of data, or its contents, including the contents of the associated payloads as well as header information, and further understanding and maintaining a state awareness across each individual traffic flow, would allow the network to configure itself in real time to bandwidth requirements on the network for applications such as VoIP or video where quality of service is a fundamental requirement. An intelligent, or “content aware”, network would also be able to identify and filter out security problems such as email worms, viruses, denial of service (DoS) attacks, and illegal hacking in a manner that would be transparent to end users. Further, a content aware network would provide for metering capabilities by hosting companies and service providers, allowing these companies to regulate the amount of bandwidth allotted to individual customers as well as to charge precisely for bandwidth and additional features such as security.

In accordance with the requirements set forth above, the present invention provides for a network device that is able to scan, classify, and modify network traffic including payload information at speeds of OC-3, OC-12, OC-48 and greater, thereby providing a “content aware” network capable of preventing denial of service attacks on the network.

Referring now to FIG. 2, one embodiment of a network apparatus according to the present invention is shown. Network apparatus 100, as shown, acts as a “bump-in-the-line” type device by accepting data received from a high speed network line, processing the data, and then placing the data back on the line. Network apparatus 100 accepts data from the line by means of input physical interface 102. Input physical interface 102 can consist of a plurality of ports, and can accept any number of network speeds and protocols, including such high speeds as OC-3, OC-12, OC-48, and protocols including 10/100 Ethernet, gigabit Ethernet, and SONET. Input physical interface 102 takes the data from the physical ports, frames the data, and then formats the data for placement on fast-path data bus 126 which is preferably an industry standard data bus such as a POS-PHY Level 3, or an ATM UTOPIA Level 3 type data bus.

Fast-path data bus 126 feeds the data to traffic flow scanning processor 140, which includes header processor 104 and payload analyzer 110. The data is first sent to header processor 104, which is operable to perform several operations using information contained in the data packet headers. Header processor 104 stores the received data packets in packet storage memory 106 and scans the header information. The header information is scanned to identify the type, or protocol, of the data packet, which is used to determine routing information as well as to create a session id using predetermined attributes of the data packet.

In the preferred embodiment, a session id is created using session information consisting of the source address, destination address, source port, destination port and protocol, although one skilled in the art would understand that a session id could be created using any subset of the fields listed or any additional fields in the data packet without departing from the scope of the present invention. When a data packet is received that has new session information the header processor creates a unique session id to identify that particular traffic flow. Each successive data packet with the same session information is assigned the same session id to identify each packet within that flow. Session ids are retired when the particular traffic flow is ended through an explicit action, or when the traffic flow times out, meaning that a data packet for that traffic flow has not been received within a predetermined amount of time. While the session id is discussed herein as being created by the header processor 104, the session id can be created anywhere in traffic flow scanning engine 140, including in payload analyzer 110.
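The session-id mechanism just described, as an added example that is not code from the patent or from Netrake: a flow table keyed on the five fields the text names, which assigns a fresh id the first time that session information is seen, returns the same id for later packets of the flow, and retires the id either on an explicit end of the flow or after an idle timeout. The `Header` and `SessionTable` names, the 120-second timeout and the packet sequence in `sample_events` are assumptions made for the illustration.

```python
"""Session id assignment from packet header fields (added example, not patent code)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IDLE_TIMEOUT_S = 120.0  # assumed "predetermined amount of time" before a silent flow is retired
TCP, UDP = 6, 17


@dataclass(frozen=True)
class Header:
    """The header fields the scan needs for session information."""
    src: str
    dst: str
    sport: int
    dport: int
    proto: int

    def session_info(self) -> Tuple[str, str, int, int, int]:
        # Exactly the five fields the text names; note this is direction-specific.
        return (self.src, self.dst, self.sport, self.dport, self.proto)


class SessionTable:
    """Maps session information to a unique session id with timeout-based retirement."""

    def __init__(self, idle_timeout: float = IDLE_TIMEOUT_S):
        self.idle_timeout = idle_timeout
        self._next_id = 1
        self._flows: Dict[tuple, Tuple[int, float]] = {}  # session_info -> (id, last_seen)

    def expire(self, now: float) -> int:
        """Retire every flow that has been silent longer than the idle timeout."""
        stale = [k for k, (_, seen) in self._flows.items() if now - seen > self.idle_timeout]
        for k in stale:
            del self._flows[k]
        return len(stale)

    def classify(self, hdr: Header, now: float, ends_flow: bool = False) -> Tuple[int, bool]:
        """Return (session_id, is_new_flow) for a packet seen at time `now`.

        ends_flow marks an explicit end of the conversation (for example a TCP
        FIN or RST noticed by the header scan); the id is retired afterwards.
        """
        self.expire(now)
        key = hdr.session_info()
        entry = self._flows.get(key)
        if entry is None:
            session_id, is_new = self._next_id, True  # new session information: new id
            self._next_id += 1
        else:
            session_id, is_new = entry[0], False      # same session information: same id
        if ends_flow:
            self._flows.pop(key, None)
        else:
            self._flows[key] = (session_id, now)
        return session_id, is_new

    def active_flows(self) -> int:
        return len(self._flows)


def replay(events: List[Tuple[float, Header, bool]], table: Optional[SessionTable] = None):
    """Feed timestamped (time, header, ends_flow) events through a table in order."""
    table = table or SessionTable()
    return [table.classify(h, t, ends) for t, h, ends in events]


def sample_events():
    """Constructed packet sequence: two flows, one explicit close, one idle timeout."""
    a = Header("192.0.2.10", "198.51.100.5", 40001, 80, TCP)
    b = Header("192.0.2.11", "198.51.100.5", 40002, 443, TCP)
    return [
        (0.0, a, False),    # first packet of flow a: new id
        (10.0, a, False),   # same session information: same id
        (20.0, b, False),   # second flow: new id
        (30.0, b, True),    # explicit end of b: its id is retired
        (40.0, b, False),   # b reappears: treated as a new flow
        (200.0, a, False),  # a silent for 190 s > timeout: retired, so a new id
    ]


if __name__ == "__main__":
    for (t, h, _), (sid, new) in zip(sample_events(), replay(sample_events())):
        print(f"t={t:6.1f} {h.src}:{h.sport} -> {h.dst}:{h.dport} session={sid} {'new' if new else 'known'}")
```

Because the key is the packet's own (src, dst, sport, dport, proto), the two directions of one TCP connection receive two session ids, exactly as the text defines session information; a device that wants one id per conversation would canonicalize the tuple before the lookup. A flood of packets with spoofed sources creates one new entry per packet, which is why the QoS stage described later treats new, unvalidated flows as low priority rather than trusting the table alone.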
As will be discussed below, network apparatus 100 in order to function properly needs to reorder out of order data packets and reassemble data packet fragments. Header processor 104 is operable to perform the assembly of asynchronous transfer mode (ATM) cells into complete data packets (PDUs), which could include the stripping of ATM header information.

Header processor 104 is also operable to perform routing functions. Routing tables and information can be stored in database memory 108. Routing instructions received by network apparatus 100 are identified, recorded and passed to microprocessor 124 by header processor 104 so that microprocessor 124 is able to update the routing tables in database memory 108 accordingly. While network apparatus 100 is referred to as a “bump-in-the-line” apparatus, the input and the output could be formed by multiple lines; for example, four OC-12 lines could be connected to network apparatus 100 which operates at OC-48 speeds. In such a case, “bump-in-the-line” network apparatus 100 will have limited routing or switching capabilities between the multiple lines, although the switching capability will be less than in a conventional router or switch. Additionally, a network apparatus can be constructed according to the principles of the present invention which is able to operate as a network router or switch. Such an implementation is discussed in greater detail with reference to FIG. 4.

After data packets have been processed by header processor 104 the data packets, their associated session id and any conclusion formed by the header processor, such as routing or QoS information, are sent on fast-data path 126 to the other half of traffic flow scanning engine 140, payload analyzer 110. The received packets are stored in packet storage memory 112 while they are processed by payload analyzer 110. Payload analyzer 110 is operable to scan the contents of data packets received from header processor 104, particularly the payload contents of the data packets, although header information can also be scanned as required. The contents of any or all data packets are compared to a database of known signatures and if the contents of a data packet or packets match a known signature, an action associated with that signature and/or session id can be taken by network apparatus 100. Additionally, payload analyzer 110 is operable to maintain state awareness throughout each individual traffic flow. In other words, payload analyzer 110 maintains a database for each session which stores state information related to not only the current data packets from a traffic flow, but state information related to the entirety of the traffic flow. This allows network apparatus 100 to act not only based on the content of the data packets being scanned but also based on the contents of the entire traffic flow. The specific operation of payload analyzer 110 will be described with reference to FIG. 3.

Once the contents of the packets have been scanned and a conclusion reached by traffic flow scanning engine 140, the packets and the associated conclusions of either or both the header processor and the payload analyzer are sent to quality of service (QoS) processor 116. QoS processor 116 again stores the packets in its own packet storage memory 118 for forwarding. QoS processor 116 is operable to perform the traffic flow management for the stream of data packets processed by network apparatus 100. QoS processor contains engines for traffic management 126, traffic shaping 128 and packet modification 130.

QoS processor 116 takes the conclusion of either or both of header processor 104 and payload analyzer 110 and assigns the data packet to one of its internal quality of service queues 132 based on the conclusion. The quality of service queues 132 can be assigned priority relative to one another or can be assigned a maximum or minimum percentage of the traffic flow through the device. This allows QoS processor to assign the necessary bandwidth to traffic flows such as VoIP, video and other flows with high quality and reliability requirements while assigning remaining bandwidth to traffic flows with low quality requirements, such as email and general web surfing, to low priority queues. Information in queues that do not have the available bandwidth to transmit all the data currently residing in the queue according to the QoS engine is selectively discarded, thereby removing that data from the traffic flow.

The quality of service queues 132 also allow network apparatus 100 to manage network attacks such as denial of service (DoS) attacks. Network apparatus 100 can act to qualify traffic flows by scanning the contents of the packets and verifying that the contents contain valid network traffic between known sources and destinations. Traffic flows that have not been verified because they are from unknown sources or because they are new unclassified flows can be assigned to a low quality of service queue until the sources are verified or the traffic flow is classified as valid traffic. Since most DoS attacks send either new session information, data from spoofed sources, or meaningless data, network apparatus 100 would assign those traffic flows to low quality traffic queues. This ensures that the DoS traffic would receive no more than a small percentage (i.e. 5%) of the available bandwidth, thereby preventing the attacker from flooding downstream network equipment.

The QoS queues 132 in QoS processor 116 (there are 65k queues in the present embodiment of the QoS processor, although any number of queues could be used) feed into schedulers 134 (1024 in the present embodiment), which feed into logic ports 136 (256 in the present embodiment), which send the data to flow control port managers 138 (32 in the present embodiment) which can correspond to physical egress ports for the network device. The traffic management engine 126 and the traffic shaping engine 128 determine the operation of the schedulers and logic ports in order to maintain traffic flow in accordance with the programmed parameters.

QoS processor 116 also includes packet modification engine 130, which is operable to modify, add, or delete bits in any of the fields of a data packet. This allows QoS processor 116 to change addresses for routing or to place the appropriate headers on the data packets for the required protocol. The packet modification engine 130 can also be used to change information within the payload itself if ne
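A model of the queueing behaviour described above, added here as an example and not code from the patent or from Netrake: packets of validated flows go to a higher priority queue that is served first, packets of non-validated, new or unclassified flows go to a low priority queue that may use no more than a fixed share of the link (the 5% figure from the text), and data the low queue cannot transmit is selectively discarded. The link capacity, the queue bound, the traffic mix in `simulate_flood`, and the `QosProcessor` class and its method names are all constructed for the illustration.

```python
"""QoS queueing with a capped low-priority queue (added example, not patent code)."""
from collections import deque

LINK_BYTES_PER_TICK = 10_000   # constructed link capacity per scheduling interval
LOW_PRIORITY_SHARE = 0.05      # predetermined maximum for non-validated traffic (the text's 5%)
LOW_QUEUE_BYTES = 20_000       # constructed bound on data buffered in the low queue


class QosProcessor:
    """Two queues: high (validated flows) and low (everything not yet validated)."""

    def __init__(self, capacity=LINK_BYTES_PER_TICK, low_share=LOW_PRIORITY_SHARE,
                 low_limit=LOW_QUEUE_BYTES):
        self.capacity = capacity
        self.low_budget = int(capacity * low_share)  # bytes the low queue may send per tick
        self.low_limit = low_limit
        self.high = deque()   # validated flows
        self.low = deque()    # non-validated / new / unclassified flows
        self.low_bytes = 0
        self.dropped = 0

    def enqueue(self, packet_len: int, validated: bool) -> str:
        """Place a packet according to the scanner's conclusion; returns the queue used."""
        if validated:
            self.high.append(packet_len)
            return "high"
        if self.low_bytes + packet_len > self.low_limit:
            self.dropped += 1  # selective discard: the low queue holds more than it can transmit
            return "dropped"
        self.low.append(packet_len)
        self.low_bytes += packet_len
        return "low"

    def tick(self):
        """One scheduling interval: high priority is served first up to link capacity,
        then the low queue gets at most its fixed share. Returns (high_bytes, low_bytes) sent."""
        sent_high = 0
        while self.high and sent_high + self.high[0] <= self.capacity:
            sent_high += self.high.popleft()
        budget = min(self.low_budget, self.capacity - sent_high)
        sent_low = 0
        while self.low and sent_low + self.low[0] <= budget:
            n = self.low.popleft()
            sent_low += n
            self.low_bytes -= n
        return sent_high, sent_low


def simulate_flood(ticks=10, attack_pkts=20, attack_len=500, good_pkts=4, good_len=1500):
    """Constructed load: every tick a non-validated flood arrives alongside a validated flow.
    Returns delivery totals and the largest link share the flood ever obtained."""
    qos = QosProcessor()
    total_high = total_low = 0
    max_low_fraction = 0.0
    for _ in range(ticks):
        for _ in range(good_pkts):
            qos.enqueue(good_len, validated=True)
        for _ in range(attack_pkts):
            qos.enqueue(attack_len, validated=False)
        sent_high, sent_low = qos.tick()
        total_high += sent_high
        total_low += sent_low
        max_low_fraction = max(max_low_fraction, sent_low / qos.capacity)
    return {
        "validated_bytes_sent": total_high,
        "validated_bytes_offered": ticks * good_pkts * good_len,
        "flood_bytes_sent": total_low,
        "flood_bytes_offered": ticks * attack_pkts * attack_len,
        "flood_packets_dropped": qos.dropped,
        "max_flood_link_share": max_low_fraction,
    }


if __name__ == "__main__":
    for key, value in simulate_flood().items():
        print(f"{key:24s} {value}")
```

Running `simulate_flood()` shows the property the text relies on: however much the flood offers, the validated flow is delivered in full and the flood never exceeds its 5% share of the link; the dropped-packet count is borne by the unvalidated traffic, not by the legitimate flow.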
