Patents by Inventor Paul Kierstead

Paul Kierstead has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 7464398
    Abstract: Systems and methods of mitigating attacks, such as Denial of Service (DoS) attacks, in a communications network are presented. Source addresses of packets received at network devices are monitored in relation to known reliable addresses stored in a decision engine. If the source address, as stored in a source table, is known as being legitimate, the packets are placed in a high priority queue for transmission at the highest rate. Packets with an unknown address are placed in a lower priority queue, the source address stored in a different source table, and the packet is serviced at a lower rate. Packets that become known to be legitimate are moved from the unknown table to the table from which high priority queues are serviced. In this way, an attacker that employs spoofing techniques is prevented from overtaxing network resources.
    Type: Grant
    Filed: May 19, 2003
    Date of Patent: December 9, 2008
    Assignee: Alcatel Lucent
    Inventors: Jean-Marc Robert, Scott David D'Souza, Paul Kierstead
  • Patent number: 7457867
    Abstract: A modified security protocol for remotely managed computer-based communications devices is presented. The protocol is based on the Syslog Sign protocol but is altered to allow an entity that collects log events from and/or remotely manages the device to provide authenticated acknowledgement of event logs that have been successfully received. This is achieved through an Acknowledgement Block which is signed by the entity and made available to the device.
    Type: Grant
    Filed: October 15, 2003
    Date of Patent: November 25, 2008
    Assignee: Alcatel Lucent
    Inventors: Brett Howard, Paul Kierstead
  • Patent number: 7284272
    Abstract: Methods of preventing flooding-type denial-of-service attacks in a computer-based network are described. Connection establishing messages known as SYN packets are matched with connection terminating messages (FIN packets) by using a hash algorithm. The hash algorithm or message digest uses source and destination IP addresses, port numbers, and a secret key as input parameters. The SYN packets and FIN packets are mapped to buckets using the hash algorithm and statistics are maintained for each bucket. A correspondence between SYN packets and FIN packets is maintained to close a security hole.
    Type: Grant
    Filed: May 31, 2002
    Date of Patent: October 16, 2007
    Assignee: Alcatel Canada Inc.
    Inventors: Brett Howard, Jean-Marc Robert, Paul Kierstead, Scott David D'Souza
  • Patent number: 7284269
    Abstract: A communications security system has been described. The security system in the form of a firewall is made up of a plurality of communicatively coupled sets of modules in a matrix configuration. The modules may be implemented in hardware and software in order to rely on the advantages of each technology. Data packets are typically coupled to an ingress side of the firewall where policy rules having the highest importance are checked first. The result is a high speed system having carrier class availability.
    Type: Grant
    Filed: May 29, 2002
    Date of Patent: October 16, 2007
    Assignee: Alcatel Canada Inc.
    Inventors: Bertrand Marquet, Scott David D'Souza, Paul Kierstead
  • Patent number: 7283461
    Abstract: Methods and apparatus for detecting denial of service attacks on a system in a communications network are provided. A frequency analysis is performed on certain types of packets that arrive with a periodic nature. A frequency power spectrum obtained through Fourier Transform reveals whether the power level of any particular frequency is greater than the average power spectrum. The detection of a higher than average power level is an indication that an attack is in progress.
    Type: Grant
    Filed: August 21, 2002
    Date of Patent: October 16, 2007
    Assignee: Alcatel Canada Inc.
    Inventors: Scott D'Souza, Paul Kierstead
  • Patent number: 7190671
    Abstract: Methods and apparatus for mitigating denial of service attacks in a communications network are described. Frequency domain techniques such as Fourier Transform are used to detect packet flooding in which a frequency spectrum reveals a periodic pattern to the attack packets. A pulse generator is used to create pulses having the frequency and phase of the periodic pattern. New packets arriving simultaneously with the created pulses are dropped from the system and packets which are not synchronized with the pulse generator are passed through the system normally.
    Type: Grant
    Filed: August 21, 2002
    Date of Patent: March 13, 2007
    Assignee: Alcatel Canada Inc.
    Inventors: Scott D'Souza, Paul Kierstead
  • Patent number: 7114182
    Abstract: Methods of detecting TCP SYN flooding attacks at a router located between a LAN and a network such as the Internet are described. The methods rely on a counting arrangement in which SYN and FIN packets are counted on both the LAN side and the network or Internet side of the router during a time interval. Weighting factors are applied to each count, the factor for the LAN side count having the opposite polarity to the factor for the network side count. The absolute values of the sums of the weighting factors of like polarity are equal. An abnormal number of unsuccessful connection attempts is determined based on a parameter calculated using the weighting factors in conjunction with the respective counts.
    Type: Grant
    Filed: May 31, 2002
    Date of Patent: September 26, 2006
    Assignee: Alcatel Canada Inc.
    Inventors: Jean-Marc Robert, Brett Howard, Paul Kierstead, Scott David D'Souza
  • Publication number: 20050086370
    Abstract: A modified security protocol for remotely managed computer-based communications devices is presented. The protocol is based on the Syslog Sign protocol but is altered to allow an entity that collects log events from and/or remotely manages the device to provide authenticated acknowledgement of event logs that have been successfully received. This is achieved through an Acknowledgement Block which is signed by the entity and made available to the device.
    Type: Application
    Filed: October 15, 2003
    Publication date: April 21, 2005
    Applicant: Alcatel
    Inventors: Brett Howard, Paul Kierstead
  • Publication number: 20040250123
    Abstract: Systems and methods of mitigating attacks, such as Denial of Service (DoS) attacks, in a communications network are presented. Source addresses of packets received at network devices are monitored in relation to known reliable addresses stored in a decision engine. If the source address, as stored in a source table, is known as being legitimate, the packets are placed in a high priority queue for transmission at the highest rate. Packets with an unknown address are placed in a lower priority queue, the source address stored in a different source table, and the packet is serviced at a lower rate. Packets that become known to be legitimate are moved from the unknown table to the table from which high priority queues are serviced. In this way, an attacker that employs spoofing techniques is prevented from overtaxing network resources.
    Type: Application
    Filed: May 19, 2003
    Publication date: December 9, 2004
    Applicant: Alcatel
    Inventors: Jean-Marc Robert, Scott David D'Souza, Paul Kierstead
  • Publication number: 20040037326
    Abstract: Methods and apparatus for mitigating denial of service attacks in a communications network are described. Frequency domain techniques such as Fourier Transform are used to detect packet flooding in which a frequency spectrum reveals a periodic pattern to the attack packets. A pulse generator is used to create pulses having the frequency and phase of the periodic pattern. New packets arriving simultaneously with the created pulses are dropped from the system and packets which are not synchronized with the pulse generator are passed through the system normally.
    Type: Application
    Filed: August 21, 2002
    Publication date: February 26, 2004
    Inventors: Scott D'Souza, Paul Kierstead
  • Publication number: 20040037229
    Abstract: Methods and apparatus for detecting denial of service attacks on a system in a communications network are provided. A frequency analysis is performed on certain types of packets that arrive with a periodic nature. A frequency power spectrum obtained through Fourier Transform reveals whether the power level of any particular frequency is greater than the average power spectrum. The detection of a higher than average power level is an indication that an attack is in progress.
    Type: Application
    Filed: August 21, 2002
    Publication date: February 26, 2004
    Inventors: Scott D'Souza, Paul Kierstead
  • Publication number: 20030226035
    Abstract: Methods of detecting TCP SYN flooding attacks at a router located between a LAN and a network such as the Internet are described. The methods rely on a counting arrangement in which SYN and FIN packets are counted on both the LAN side and the network or Internet side of the router during a time interval. Weighting factors are applied to each count, the factor for the LAN side count having the opposite polarity to the factor for the network side count. The absolute values of the sums of the weighting factors of like polarity are equal. An abnormal number of unsuccessful connection attempts is determined based on a parameter calculated using the weighting factors in conjunction with the respective counts.
    Type: Application
    Filed: May 31, 2002
    Publication date: December 4, 2003
    Inventors: Jean-Marc Robert, Brett Howard, Paul Kierstead, Scott David D'Souza
  • Publication number: 20030226034
    Abstract: Methods of preventing flooding-type denial-of-service attacks in a computer-based network are described. Connection establishing messages known as SYN packets are matched with connection terminating messages (FIN packets) by using a hash algorithm. The hash algorithm or message digest uses source and destination IP addresses, port numbers, and a secret key as input parameters. The SYN packets and FIN packets are mapped to buckets using the hash algorithm and statistics are maintained for each bucket. A correspondence between SYN packets and FIN packets is maintained to close a security hole.
    Type: Application
    Filed: May 31, 2002
    Publication date: December 4, 2003
    Inventors: Brett Howard, Jean-Marc Robert, Paul Kierstead, Scott David D'Souza
  • Publication number: 20030226027
    Abstract: A communications security system has been described. The security system in the form of a firewall is made up of a plurality of communicatively coupled sets of modules in a matrix configuration. The modules may be implemented in hardware and software in order to rely on the advantages of each technology. Data packets are typically coupled to an ingress side of the firewall where policy rules having the highest importance are checked first. The result is a high speed system having carrier class availability.
    Type: Application
    Filed: May 29, 2002
    Publication date: December 4, 2003
    Inventors: Bertrand Marquet, Scott David D'Souza, Paul Kierstead
  • Patent number: 6529513
    Abstract: A method and system for providing routing information for use in virtual private networks is disclosed. The method supports a variety of different secure network topologies. According to the method a static map is generated including information on each static gateway and resources accessible therethrough. The map also contains security information for accessing and authenticating a gateway.
    Type: Grant
    Filed: February 4, 1999
    Date of Patent: March 4, 2003
    Assignee: Alcatel Canada Inc.
    Inventors: Brett Howard, Andrew Robison, Roy Pereira, Paul Kierstead, Gabor Solymar
  • Patent number: 6353886
    Abstract: A method and system for implementing network policy is described. The method involves storing policy data using certificates using a certificate database server. Upon retrieval, a policy is then validated as properly certified prior to use. When a policy is not validated, it indicates tampering or improper policy data entry. When policy data is successfully validated, the policy is implemented.
    Type: Grant
    Filed: November 24, 1998
    Date of Patent: March 5, 2002
    Assignee: Alcatel Canada Inc.
    Inventors: Brett Howard, Paul Kierstead, Gabor Solymar, Andrew Robison, Roy Pereira, Lucien Marcotte