(12) United States Patent (10) Patent No.: US 7,409,712 B1
Brooks et al. (45) Date of Patent: Aug. 5, 2008
(54) METHODS AND APPARATUS FOR NETWORK MESSAGE TRAFFIC REDIRECTION
(75) Inventors: Roy M. Brooks, New Hill, NC (US);
John E. Cavanaugh, Raleigh, NC (US);
Paul M. Quinn, Brookline, MA (US)
(73) Assignee: Cisco Technology, Inc., San Jose, CA (US)
( * ) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 722 days.
(21) Appl. No.: 10/620,981
(22) Filed: Jul. 16, 2003
(51) Int. Cl.
(52) U.S. Cl. 726/22; 726/11; 726/13;
726/14; 726/15; 726/23; 726/24; 726/25;
(58) Field of Classification Search 726/11,
726/22-26, 13-15; 713/188; 709/223-229, 709/238-244; 370/229-230.1
See application file for complete search history.
(56) References Cited
U.S. PATENT DOCUMENTS
6,704,873 B1 * 3/2004 Underwood 726/12
6,993,660 B1 * 1/2006 Libenzi et al. 713/188
2002/0083175 A1 * 6/2002 Afek et al. 709/225
2002/0133586 A1 * 9/2002 Shanklin et al. 709/224
2003/0110379 A1 * 6/2003 Ylonen et al. 713/164
2003/0188189 A1 * 10/2003 Desai et al. 713/201
2003/0204621 A1 * 10/2003 Poletto et al. 709/239
2004/0010712 A1 * 1/2004 Hui et al. 713/201
* cited by examiner
Primary Examiner—Kimyen Vu
Assistant Examiner—Baotran N To
(74) Attorney, Agent, or Firm—Chapin IP Law, LLC; Barry W. Chapin, Esq.
Conventional methods of addressing a Distributed Denial of Service attack include taking the target node offline, and routing all traffic to an alternate countermeasure, or "sinkhole" router, therefore requiring substantial lag time to reconfigure the target router into the network. In a network, a system operator monitors a network for undesirable message traffic. Upon a notification of such undesirable message traffic, traffic is rerouted to a filter complex to separate undesirable traffic. The filter complex establishes an alternate route using a second communications protocol, and uses the alternate route to redirect the desirable message traffic to the target node. The use of the second protocol avoids conflict between the redirected desirable traffic and the original, or first, protocol which now performs the reroute. In this manner, the filter complex employs a second alternate communications protocol to reroute and redirect desirable message traffic to the target node while diverting undesirable message traffic, and therefore avoids widespread routing configuration changes by limiting the propagation breadth of the second protocol.
36 Claims, 7 Drawing Sheets