DE102006045349B3 - Bit pattern searching method for data packets on e.g. computer, involves performing logical AND- concatenation of contents of registers, and identifying coherent range with specific number of bits in concatenation result - Google Patents

Abstract

The method involves storing data packets with preset number of bits in respective registers having storage locations, where the packets are received from a network device. A logical AND- concatenation of contents of the registers is performed in a bit-by-bit manner by a logic device, and a result of the logical AND- concatenation is stored. A coherent range with a specific number of bits is identified in a result, which has a bit that is not equal to zero, by an identifying device. The identified range is stored as a mask for an indicative bit pattern in one of the registers. Independent claims are also included for the following: (1) a filtering method for filtering of data packets (2) a filtering device, comprising an extracting device.

Description

The The invention relates to a search method by means of a search device to search for a Data packets of a DoS attack on a network device indicative bit pattern, a search device, a filtering method and a filtering device.

The Technical field of the present invention relates to the defense from so - called "Denial of Service (DOS) "attacks on a network device, like a computer connected to a network, like the internet, connected, or a server facility, like for example, a web server. During a so-called DoS attack, such as a flooding attack on the network device meets a very big one Number of data packets in the network setup. These data packets or malicious packages have the purpose of the network device with the Processing of these data packets to overwhelm and thus their functionality to impair or disable the network setup. The malicious packages contain more or less meaningful information depending on the type of attack. As is common in a DoS attack the malicious packages come from different source computers or the address of the source computer false is, it is conventional difficult to package these data packets as malicious packages using their IP address to identify. This in turn makes filtering such difficult Data packets.

Of the Applicant are two conventional Solution approaches known, with which DoS attacks or the like can be fought. These two Solutions are exclusively realized in software. An approach concerns the storage of a so-called black-and-white list. there become the IP addresses from stations that are unwanted Send packages or data packets using the black-and-white list blocked. The disadvantages of this software engineering method are that the IP addresses of the source computers are often forged and thus useless. Another disadvantage is that in a DoS attack often Thousands of computers are involved. In such a case must then for each package the entire black-and-white list are sequentially worked through. This in turn burdens the CPU of the network device. The data packets a DOS attack valid at least in part be. Thus exists at least in these valid parts of the data packet a bit pattern that is present in all data packets or malicious packages of the DoS attack occurs. The applicant is internally known, such a pattern software technology to use the data packets received from the network device to filter or to detect a DoS attack. It carries too this software-technical approach to ward off the DoS attack in that the CPU of the network device due to the necessary Filtering stronger is charged, which is known the inherent Purpose of a DoS attack is.

The publication CA 25 49 577 A1 discloses a method for categorizing network data based on stored empirical values to detect a DOS attack.

In the KR 10 2005 00 66 049 A A method for detecting a DOS attack is described, wherein each incoming packet is compared to a pattern.

The publication US 5,835,726 teaches a packet filter to enforce security rules, bit-linking data packets from different memories, and deriving from the result whether the packet is accepted or discarded.

Therefore there is an object underlying the present invention in it, one for the data packets of a DoS attack on a network device indicative bit pattern by means of a to search dedicated hardware.

A Another task is the CPU of the network device at Searching the indicative bit pattern and filtering the data packets to relieve the DoS attack.

According to the invention, at least one of these tasks by a search method with the Features of claim 1 and / or by a search device with the features of claim 12 and / or by a filtering method with the features of claim 13 and / or by a filter device solved with the features of claim 14.

• a) Speichern eines ersten von der Netzwerkeinrichtung empfangenen Datenpaketes mit N1 Bits in zumindest einem ersten Register mit N2 Speicherstellen, wobei N2 ≥ N1 ist;
• b) Speichern eines zweiten von der Netzwerkeinrichtung empfangenen Datenpaketes mit N1 Bits zumindest einem zweiten Register mit N2 Speicherstellen, wobei N2 ≥ N1' ist;
• c) bitweises logisches UND-Verknüpfen des Inhalts des jeweiligen ersten Registers und des Inhalts des jeweiligen zweiten Registers mittels einer Logikeinrichtung;
• d) Speichern des jeweiligen Ergebnisses des logischen UND-Verknüpfens;
• e) jeweiliges Identifizieren zumindest eines zusammenhängenden Bereiches mit N3 Bits, wobei N3 ≤ N1 ist, in dem jeweiligen gespeicherten Ergebnis, welcher zumindest ein Bit ungleich Null aufweist, mittels einer Identifiziereinrichtung;
• f) Speichern des jeweiligen identifizierten Bereiches als Maske für das indikative Bitmuster in das entsprechende oder ein weiteres erstes Register;
• g) Speichern eines weiteren von der Netzwerkeinrichtung empfangenen Datenpaketes in das zumindest eine zweite Register;
• h) Durchführen der Schritte c) bis f) bis sich eine der gespeicherten Masken nicht mehr ändert, welche zumindest ein Bit ungleich Null aufweist.

Accordingly, a search method is proposed by means of a dedicated search device for a network device for searching a bit pattern indicative of data packets of a DoS attack on the network device, comprising the following steps:

• a) storing a first data packet of N1 bits received by the network device in at least one first register with N2 memory locations, where N2 ≥ N1;
• b) storing a second data packet of N1 bits received from the network device at least one second register with N2 memory locations, where N2 ≥ N1 ';
• c) bitwise logical ANDing the contents of the respective first register and the contents of the respective second register by means of a logic device;
• d) storing the respective result of the logical AND operation;
• e) identifying, by means of an identifier, at least one contiguous region of N3 bits, where N3 ≤ N1, in the respective stored result having at least one nonzero bit;
• f) storing the respective identified area as a mask for the indicative bit pattern in the corresponding or a further first register;
• g) storing a further data packet received by the network device into the at least one second register;
• h) performing steps c) to f) until one of the stored masks, which has at least one nonzero bit, no longer changes.

• – zumindest ein erstes Register mit N2 Speicherstellen, welches dazu geeignet ist, ein von der Netzwerkeinrichtung empfangenes erstes Datenpaket mit N1 Bits zu speichern;
• – zumindest ein zweites Register mit N2 Speicherstellen, welches dazu geeignet ist, ein von der Netzwerkeinrichtung empfangenes zweites Datenpaket mit N1 Bits zu speichern;
• – eine Logikeinrichtung, welche den Inhalt des jeweiligen ersten Registers und den Inhalt des jeweiligen zweiten Registers bitweise logisch miteinander UND-verknüpft;
• – eine Speichereinrichtung zum Speichern des jeweiligen Ergebnisses der logischen UND-Verknüpfung;
• – eine Identifiziereinrichtung, welche jeweils zumindest einen zusammenhängenden Bereich mit N3 Bits, wobei N3 ≤ N1 ist, in dem jeweiligen gespeicherten Ergebnis identifiziert, wobei der zusammenhängende Bereich zumindest ein Bit ungleich Null aufweist; und
• – eine Steuervorrichtung, welche dazu geeignet ist, ein weiteres von der Netzwerkeinrichtung empfangenes Datenpaket in das zumindest eine zweite Register abzuspeichern und das zumindest eine erste Register, das zumindest eine zweite Register, die Logikeinrichtung und die Identifiziereinrichtung derart zu steuern, dass sie die oben erläuterten Schritte c) bis f) so lange durchführen, bis sich eine der gespeicherten Masken nicht mehr ändert, welche zumindest ein Bit ungleich Null aufweist.

Furthermore, a search device for carrying out the above-mentioned search method for a network device for searching a bit pattern indicative of data packets of a DoS attack is proposed, comprising:

• At least a first register with N2 memory locations, which is suitable for storing a first data packet of N1 bits received from the network device;
• At least a second register with N2 memory locations, which is suitable for storing a second data packet of N1 bits received from the network device;
• A logic device which AND-links the content of the respective first register and the content of the respective second register bit by bit;
• A memory device for storing the respective result of the logical AND operation;
• An identifier, each identifying at least one contiguous region of N3 bits, where N3 ≤ N1, in the respective stored result, the contiguous region having at least one nonzero bit; and
• A control device which is suitable for storing another data packet received from the network device into the at least one second register and for controlling the at least one first register, the at least one second register, the logic device and the identifier in such a way that they are as explained above Perform steps c) to f) until one of the stored masks, which has at least one nonzero bit, no longer changes.

• – Generieren einer Maske mittels des oben erläuterten Suchverfahrens;
• – Vergleichen von Datenpaketen, welche von der Netzwerkeinrichtung empfangen werden, mit der Maske; und
• – Herausfiltern derjenigen Datenpakete, welche das zu der Maske indikative Bitmuster beinhalten.

In addition, a filter method for filtering data packets of a DoS attack on a network device is proposed, comprising the following steps:

• Generating a mask by means of the search method explained above;
• Comparing data packets received from the network device with the mask; and
• - filtering out those data packets which contain the bit pattern indicative of the mask.

Furthermore, a filter device is proposed for filtering data packets of a DoS attack on a network device, which comprises:
a search device as explained above; and
an extracting device which filters out those received data packets containing the bit pattern indicative of the mask.

The The idea underlying the present invention consists essentially therein, a dedicated hardware for a network device suitable for making a pattern or bit pattern, which for the data packets of a DoS attack or a DoS attack indicative are to provide to relieve the CPU of the network device and these against overloading to protect as a result of the DoS attack.

One Another advantage of the hardware-technical realization of the search the bit pattern or pattern and the filtering out of the harmful packages, which belongs to the DoS attack This is because it's faster than a software-technical one solution can be done.

One Another advantage of the present invention is that according to the invention the search options across from the conventional one Search for IP addresses that may belong to a DoS attack or could are significantly expanded.

One Another advantage of the invention is that only a small Number of registers must be used.

One Another advantage is that by using the dedicated Search device and the consequent removal of the burden for the CPU even with an unsuccessful search for a mask or a bit pattern (Pattern), namely if there is no DoS attack, the performance of the overall system of Network device is not charged.

In this case, the network device can be designed as a computer or server connected to a network, such as the Internet. But it can also be connected to a network control system, such as those used in industrial environments, or even mobile devices, such as PDA or mobile phones. The advantage is that all these devices CPU's ge have performance, which can be protected according to the invention.

advantageous Refinements and developments of the invention will become apparent the dependent claims and the description with reference to the drawings.

According to one preferred development of the invention, the above-explained search method continues on that the mask, which after carrying out the above steps a) until g) does not change anymore and at least one non-zero bit has, as a valid, indicative of the bit pattern Mask is determined.

According to one preferred embodiment of the invention will be the respective result the logical AND connection stored in the corresponding first register. An advantage of this Embodiment is that thus the number of used Register is minimized.

According to one Another preferred embodiment, the respective result of logical AND connection stored in another first register. The special advantage this embodiment is that in the presence of a not related to the DoS attack Data packets this is not overwritten, but in the original one first registers are stored and forwarded from this can.

According to one Further development is after the process step f) the corresponding register with replicas of the mask to provide a parallelized Search filled up.

According to one Another preferred embodiment is the predetermined range in the further data packet by an absolute start position and / or determined by an absolute end position.

According to one Another preferred embodiment is the predetermined range determined in the further data packet by a relative start position.

According to one Another preferred development is after step f) of Content of the respective second register by means of a control device shifted by a predetermined number N4 bits, and the steps c) to f) are carried out until the respective second register the respective content before the Moving has. N4 is for example 1 or 8.

According to one Another preferred development is the content of the second register, which stores the data packet received by the network device, shifted by N4 bits by means of a control device and each in a corresponding second register for parallelized search saved.

According to one Another preferred development that are at least a first Register, the at least one second register, the logic device, the Identification device and the control device at least as Part of an FPGA circuit or formed as part of an ASIC circuit.

According to one Another preferred embodiment is the bit length of the respective stored Result determined by the smaller of N1 and N1 ', that is, the Maslenlänge each by the shorter one Package determined.

The Invention will be described below with reference to the schematic figures The drawings specified embodiments explained in more detail. Show it:

1 a schematic flow diagram of a first embodiment of the method according to the invention;

2 a schematic example for searching a bit pattern with static position;

3 an exemplary data packet and associated bit pattern having an absolute position in the data packet;

4 an exemplary data packet and associated bit pattern having a relative position in the data packet;

5 a schematic representation of a filled with replications of the mask first register and a second register with a data packet;

6 a schematic flow diagram of a second embodiment of the method according to the invention;

7 a schematic flow diagram of a third embodiment of the method according to the invention;

8a a brief excerpt from a schematic sequence of the search of a bit pattern with dynamic position;

8b a schematic example for searching a bit pattern with dynamic position;

9 a schematic flow diagram of a fourth embodiment of the method according to the invention; and

10 a schematic block diagram of a preferred embodiment of the search device according to the invention.

In all figures are the same or functionally identical elements and devices - if nothing else is stated - with the same reference numerals have been provided.

1 shows a schematic flow diagram of a first embodiment of the inventive search method by means of a dedicated search device 1 for a network device for searching a bit pattern indicative of data packets DP of a DoS attack on the network device. Hereinafter, the first embodiment of the inventive search method according to the flowchart in 1 with reference to the block diagram in 10 explained. The first embodiment of the search method according to the invention has the following steps a) to i):

Process step a):

A first data packet DP with N1 bits received by the network device is stored in at least one first register 2 saved with N2 memory locations. Where N2 ≥ N1.

Process step b):

A second data packet DP with N1 bits received from the network device is stored in at least one second register 3 saved with N2 memory locations. Where N2 ≥ N1 '. N1 'and N1 may be the same or different.

Process step c):

The content of the respective first register 2 and the contents of the respective second register 3 be by means of a logic device 4 bitwise logical AND-linked. Preferably, the logic device 4 for each of the N2 memory locations of the first register 2 and the second register 3 an AND gate on.

Process step d):

The respective result of the logical AND operation is saved. Preferably, the respective result is in the corresponding first register 2 saved. Alternatively, the respective result in another first register 2 get saved.

Process step e):

At least one contiguous region of N3 bits, where N3 ≦ N1, is identified in the respective stored result, the contiguous region having at least one nonzero bit. The respective identification is made by means of an identifier 6 carried out.

Process step f):

The respective identified area is used as a mask for the indicative bit pattern in the corresponding or in another first register 2 saved.

Process step h):

The Steps c) to f) are performed until one of the stored Masks no longer changes and at least one nonzero bit.

Process step i):

the one Mask is considered valid, for the Bit pattern of the DoS attack indicative mask which determines after performing the Step a) to g) no longer changes and at least one nonzero bit.

For example can step h) for the respective mask and for a predetermined range of the further data packet DP are performed.

In 2 Fig. 12 shows a schematic example for searching a bit pattern with a static position.

is For example, the data packet DP a TCP packet with a length of 64 k, at least three registers with a number of 64 become k storage locations necessary. Thus, a maximum memory of To provide 192k.

Preferably, the predetermined range in the further data packet DP is determined by an absolute start position P1 and / or by an absolute end position. In addition shows 3 an exemplary data packet DP and an associated bit pattern B with an absolute position P1 in the data packet DP.

Alternatively, the predetermined range in the further data packet DP can also be determined by a relative start position P2. In 4 An exemplary data packet DP and an associated bit pattern B with a relative position P2 are shown in the data packet DP. For example, the relative position P2 may refer to the end of the data packet header or header.

The absolute position P1 of the bit pattern B within a data packet DP of the DoS attack is the simplest case. The position P1 is counted from the beginning or beginning of the data packet DP and is therefore absolute. In order to identify or filter malicious packets or data packets DP of the DoS attack, a mask for detecting the pattern or bit pattern at the corresponding absolute position P1 is respectively compared with the data packets DP. However, this type of filtering or search is not limited by the IP address, but can be performed at any point of the data packet DP. This significantly increases the flexibility to filter and search bit patterns or patterns. Thus, the filtering according to the invention becomes independent of source addresses that are usually forged in DoS attacks.

5 shows a schematic flow diagram of a second embodiment of the method according to the invention. The second embodiment according to 5 differs from the first embodiment according to 1 in that it furthermore has the method step f2) explained in greater detail below. To avoid repetition, the method step a) to i) is dispensed with again. The second embodiment of the method according to the invention 5 So includes the already explained process steps a) to i) and the additional process step f2):

Process step f2:

After method step f, the corresponding first register is 2 populated with replications of the stored mask to provide a parallelized search. The actual mask length remains the same and the new extended mask contains a large number of those for parallelized search.

In 6 Fig. 12 is a schematic representation of a first register filled with replicas of the bit pattern B corresponding to the found mask 2 and a second register 3 shown with a data packet DP.

In the 7 and 9 are schematic flow diagrams each showing an embodiment of the search method according to the invention, in which a bit pattern are searched with a dynamic or changing position in the data packets DP of the DoS attack.

If a packet no pattern or bit pattern at a particular position owns, means not that at all There is no bit pattern that could be identified. In fact, own Data packets generated, for example, for a flooding attack usually useless payload data. This user data can include a pattern for their identification can be used according to the invention. This but does not have to be in a predetermined position. With In other words, the position of the pattern or bit pattern can be from Package to package be different. For the present invention is only a prerequisite that such a pattern exists at all.

In 7 is a schematic flow diagram of a third embodiment of the search method according to the invention shown. The embodiment according to 7 differs from the first embodiment according to 1 in that an additional method step f3) is provided. To avoid repetition, the renewed presentation of process steps a) to i) is dispensed with. The additional method step f3) extends the search method according to the invention 1 in that bit patterns with a dynamic position within the data packets DP can be found:

Process step f3:

After performing step f), the contents of the respective second register 3 by means of a control device 7 shifted by a predetermined number N4 of bits and steps c) to f) are performed until the respective second register 3 has the content before moving.

• 1. Das erste Datenpaket DP wird in das erste Register 2 gespeichert.
• 2. Das zweite Datenpaket DP wird in das zweite Register 3 gespeichert.
• 3. Beide Datenpakete DP werden bitweise logisch UND-verknüpft.
• 4. Das Ergebnis ist eine erste Version einer ersten Maske, welche gespeichert wird.
• 5. Die erste Maske wird dahingehend geprüft, ob sie einen Wert größer als Null hat. D.h. es wird geprüft, ob die erste Version der ersten Maske zumindest ein Bit ungleich Null aufweist.
• 6. Das zweite Paket wird dann bitweise oder byteweise verschoben bzw. rotiert, das heißt die Bits oder Bytes, die am Ende hinausgeschoben werden, werden am Beginn vorangestellt. Sowohl eine Links- als auch eine Rechtsverschiebung ist möglich.
• 7. Das erste Paket und das verschobene zweite Paket werden dann wieder bitweise logisch UND-verknüpft.
• 8. Das Ergebnis ist eine erste Version einer zweiten Maske, die gespeichert wird.
• 9. Das zweite Paket wird wieder verschoben.
• 10. Die Schritte 11 und 12 werden wiederholt, bis das zweite Paket seinen ursprünglichen Wert aufweist.
• 11. Nun ist eine Vielzahl erster Versionen von Masken gespeichert.
• 12. Diese Masken werden nun mit einem dritten Paket verknüpft, wobei das dritte Paket in gleicher Weise rotiert, geshiftet oder verschoben wird. Dies wird durchgeführt mit dem dritten Paket und nachfolgenden Paketen mittels oben erwähnter, bitweiser logischer UND-Verknüpfung. Nach jedem Schritt wird ein Prüfschritt durchgeführt, der prüft, ob die jeweilige Maske einen Wert von größer als Null aufweist.
• 13. Nachdem einige Datenpakete mit den jeweiligen Masken kombiniert oder logisch verknüpft worden sind, wird sich eine der Masken nicht mehr ändern und einen Wert größer als Null haben. Diese Maske kann als gültiges und stabiles Bitmuster bezeichnet werden, welches indikativ für die Datenpakete des DoS-Angriffes oder für die Schadpakete ist.
• 14. Dieses Bitmuster oder Pattern kann zum Filtern der nachfolgenden Datenpakete genutzt werden.

Below example for a search of a bit pattern with dynamic position is the third embodiment according to 7 briefly explain.

• 1. The first data packet DP is in the first register 2 saved.
• 2. The second data packet DP is in the second register 3 saved.
• 3. Both data packets DP are logically ANDed bit by bit.
• 4. The result is a first version of a first mask, which is saved.
• 5. The first mask is checked to see if it has a value greater than zero. That is, it is checked whether the first version of the first mask has at least one nonzero bit.
• 6. The second packet is then shifted bitwise or bytewise or rotated, that is, the bits or bytes that are pushed out at the end are prefixed at the beginning. Both a left and a right shift is possible.
• 7. The first packet and the shifted second packet are then logically ANDed again bitwise.
• 8. The result is a first version of a second mask that is saved.
• 9. The second package is moved again.
• 10. Steps 11 and 12 are repeated until the second packet is at its original value has.
• 11. Now a large number of first versions of masks are stored.
• 12. These masks are now linked to a third package, with the third package being similarly rotated, shifted or moved. This is done with the third packet and subsequent packets using the above-mentioned bitwise logical AND operation. After each step, a test step is performed, which checks whether the respective mask has a value greater than zero.
• 13. After some data packages have been combined or logically linked to the respective masks, one of the masks will no longer change and have a value greater than zero. This mask can be referred to as a valid and stable bit pattern which is indicative of the data packets of the DoS attack or the malicious packets.
• 14. This bit pattern or pattern can be used to filter the subsequent data packets.

A brief schematic excerpt of the above-described method for searching a dynamic position bit pattern is shown 8a ,

In 8b Fig. 12 shows a schematic example of such a search of a bit pattern with a dynamic position. The illustrated arrow with the reference symbol PF shows that the bit pattern, as it were, slides over the data packet.

9 shows a schematic flow diagram of a fourth embodiment of the inventive search method. The fourth embodiment according to 9 differs from the first embodiment according to 1 in that an additional method step b2) is provided. To avoid repetition, a renewed presentation of the method steps a) to i) is dispensed with. The additional process step b2) is as follows:

Process step b2):

The content of the second register 3 which stores the data packet DP received from the network is controlled by a control device 7 each shifted by N4 bits and each in a corresponding second register 3 stored for parallelized search.

10 shows a schematic block diagram of a preferred embodiment of the search device according to the invention 1 for performing the above-mentioned network device searching method for searching a bit pattern indicative of data packets DP of a DoS attack. The search device according to the invention 1 has at least a first register 2 , at least a second register 3 , a logic device 4 , a storage device 5 , an identifier 6 and a control device 7 which are designed, in particular, as part of an FPGA circuit or as part of an ASIC circuit.

The first register 2 with N2 memory locations is suitable for storing a first data packet DP with N1 bits received from the network unit.

The second register 3 with N2 memory locations is suitable for storing a second data packet DP with N1 bits received from the network device.

The logic device 4 leads in each case a logical AND connection of the content of the respective first register 2 and the contents of the respective second register 3 bit by bit.

The storage device 5 is suitable for storing the respective result of the logical AND operation. Alternatively, on an additional device 5 be waived. Then the respective result of the logical AND operation becomes a first register 2 saved.

The identifier 6 identifies at least one contiguous region of N3 bits, where N3 ≦ N1, in the respective stored result, the contiguous region having at least one nonzero bit.

The control device 7 is suitable to the steps c) to f) according to 1 until one of the stored masks, which has at least one nonzero bit, no longer changes.

Even though the present invention described above with reference to the preferred embodiments it is not limited to that, but in many ways and modifiable. For example, it is conceivable the length of Mask to a predetermined length to reduce. This could Although data packets that do not belong to the DoS attack are also filtered out, but the reduced expense of registers and time can outweigh this disadvantage.

Claims (14)

Search method by means of a dedicated search device ( 1 ) for a network device for searching a bit pattern indicative of data packets (DP) of a DoS attack on the network device, comprising the steps of: a) storing a first data packet (DP) received by the network device with N1 bits in at least one first register ( 2 ) with N2 storage locations, where N2 ≥ N1; b) storing a second data packet (DP) received by the network device with N1 bits in at least one second register ( 3 ) with N2 storage locations, where N2 ≥ N1 '; c) bitwise logical ANDing the contents of the respective first register ( 2 ) and the content of the respective second register ( 3 ) by means of a logic device ( 4 ); d) storing the respective result of the logical AND operation; e) respectively identifying at least one contiguous area with N3 bits, where N3 ≤ N1, in the respective stored result having at least one non-zero bit by means of an identifier ( 6 ); f) storing the respective identified area as a mask for the indicative bit pattern in the corresponding or in a further first register ( 2 ); g) storing a further data packet (DP) received by the network device into the at least one second register ( 3 ); h) performing steps c) to f) until one of the stored masks, which has at least one nonzero bit, no longer changes. Search method according to claim 1, characterized, that the search method has the following further step: i) determining that mask, which after the implementation of steps a) to g) no longer changes and has at least one non-zero bit as valid, indicative of the bit pattern Mask. Search method according to claim 1 or 2, characterized in that the respective result of the logical AND operation in the corresponding first register ( 2 ) is stored. Search method according to Claim 1 or one of Claims 2 to 3, characterized in that after the method step f) the corresponding first register ( 2 ) is populated with replicas of the mask to provide a parallelized search. Search method according to claim 1 or one of claims 2 to 4, characterized in that the step h) for the respective mask in a predetermined Area of further data packet (DP) is performed. Search method according to claim 5, characterized in that that the predetermined range in the further data packet (DP) by an absolute start position (P1) and / or an absolute end position is determined. Search method according to claim 5, characterized in that that the predetermined range in the further data packet (DP) by a relative start position (P2) is determined. Search method according to claim 1 or one of claims 2 or 3, characterized in that after step f) the content of the respective second register ( 3 ) by means of a control device ( 7 ) is shifted by a predetermined number N4 of bits and the steps c) to f) are carried out until the respective second register ( 3 ) has the respective content before moving. Search method according to Claim 1 or one of Claims 2 or 3, characterized in that the content of the second register ( 3 ), which stores the data packet (DP) received from the network device, by means of a control device ( 7 ) is shifted by N4 bits in each case and in each case into a corresponding second register ( 3 ) is stored for parallelized search. Search method according to Claim 1 or one of Claims 2 to 9, characterized in that the at least one first register ( 2 ), that at least a second register ( 3 ), the logic device ( 4 ), the identifier ( 6 ) and / or the control device ( 7 ) are formed at least as part of an FPGA circuit or as part of an ASIC circuit. Search method according to claim 1 or one of claims 2 to 10, characterized in that the bit length of the respective stored Result is determined by the smaller of N1 and N1. Search device ( 1 ) for carrying out the search method according to claim 1 or one of claims 2 to 10 for a network device for searching a bit pattern indicative of data packets (DP) of a DoS attack, comprising: - at least one first register ( 2 N2 memory locations adapted to store N2 bits of a first data packet (DP) received from the network unit; - at least a second register ( 3 N2 memory locations adapted to store N1 bits of a second data packet (DP) received from the network unit, where N2 ≥ N1 '; - a logic device ( 4 ) containing the contents of the respective first register ( 2 ) and the content of the respective second register ( 3 ) bitwise logically ANDed with each other; A memory device ( 5 ) for storing the respective result of the logical AND operation; - an identifier ( 6 ) identifying at least one contiguous region of N3 bits, where N3 ≦ N1, in the respective stored result, the contiguous region having at least one nonzero bit; and a control device adapted to perform steps c) to f) until one of the stored masks, which has at least one nonzero bit, no longer changes. Filtering method for filtering data packets (DP) a DoS attack on a network device, with the steps: - To generate a mask by means of the search method according to claim 1 or a the claims 2 to 10; - To compare of data packets (DP) received by the network device be with the mask; and - filtering out those Data packets (DP) containing the bit pattern indicative of the mask. Filtering device for filtering data packets (DP) of a DoS attack on a network device, comprising: - a search device ( 1 ) according to claim 12, and - an extracting device which filters out those received data packets (DP) containing the bit pattern indicative of the mask.