System and method for software defined behavioral DDoS attack mitigation

US 10,009,373 B2
Filed: 11/18/2017
Issued: 06/26/2018
Est. Priority Date: 07/16/2013
Status: Active Grant

First Claim

Patent Images

1. A method for mitigating distributed denial of service (DDoS) attacks against a protected entity of a private network, comprising:

decoupling control plane functionality, responsible for storage of behavioral data and creation of DDoS attack mitigation policies, and data plane functionality, responsible for collection of the behavioral data and performing DDoS attack mitigation based on the DDoS attack mitigation policies, wherein the control plane functionality is implemented within a DDoS attack mitigation central controller and includes adaptive, continuous estimation of behavioral thresholds based on past traffic observed by the plurality of DDoS mitigation appliances and management of the DDoS attack mitigation policies, wherein the data plane functionality is implemented within and distributed among the plurality of DDoS mitigation appliances and includes collection of granular traffic rate information regarding traffic observed by each of the plurality of DDoS mitigation appliances, wherein the plurality of DDoS mitigation appliances are located within the private network;

establishing a secure connection between a DDoS attack mitigation appliance of the plurality of DDoS attack mitigation appliances and the DDoS attack mitigation central controller located external to the private network;

receiving, by the DDoS attack mitigation appliance, the DDoS attack mitigation policies through a public network connecting the DDoS attack mitigation central controller and the DDoS attack mitigation appliance via the secure connection; and

mitigating a DDoS attack targeting the protected entity based on the received DDoS attack mitigation policies, wherein the DDoS attack mitigation policies are generated by the DDoS attack mitigation central controller based on granular behavioral packet rate thresholds estimated based on the granular traffic rate information collected at least from the DDoS attack mitigation appliance.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for software defined behavioral DDoS attack mitigation are provided. According to one embodiment, a method is provided for mitigating DDoS attacks. A DDoS attack mitigation appliance of multiple mitigation appliances controlled by a DDoS attack mitigation central controller receives DDoS attack mitigation policies through a network connecting the controller and the mitigation appliance. A DDoS attack is mitigated by the mitigation appliance based on the received mitigation policies. The mitigation policies are generated by the controller based on granular behavioral packet rate thresholds estimated based on granular traffic rate information collected from one or more of the multiple mitigation appliances controlled by the controller.

Citations

20 Claims

1. A method for mitigating distributed denial of service (DDoS) attacks against a protected entity of a private network, comprising:
- decoupling control plane functionality, responsible for storage of behavioral data and creation of DDoS attack mitigation policies, and data plane functionality, responsible for collection of the behavioral data and performing DDoS attack mitigation based on the DDoS attack mitigation policies, wherein the control plane functionality is implemented within a DDoS attack mitigation central controller and includes adaptive, continuous estimation of behavioral thresholds based on past traffic observed by the plurality of DDoS mitigation appliances and management of the DDoS attack mitigation policies, wherein the data plane functionality is implemented within and distributed among the plurality of DDoS mitigation appliances and includes collection of granular traffic rate information regarding traffic observed by each of the plurality of DDoS mitigation appliances, wherein the plurality of DDoS mitigation appliances are located within the private network;
  
  establishing a secure connection between a DDoS attack mitigation appliance of the plurality of DDoS attack mitigation appliances and the DDoS attack mitigation central controller located external to the private network;
  
  receiving, by the DDoS attack mitigation appliance, the DDoS attack mitigation policies through a public network connecting the DDoS attack mitigation central controller and the DDoS attack mitigation appliance via the secure connection; and
  
  mitigating a DDoS attack targeting the protected entity based on the received DDoS attack mitigation policies, wherein the DDoS attack mitigation policies are generated by the DDoS attack mitigation central controller based on granular behavioral packet rate thresholds estimated based on the granular traffic rate information collected at least from the DDoS attack mitigation appliance.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the granular traffic rate information includes traffic rates observed during a predetermined period of time for a plurality of predetermined parameters of layer 2, layer 3, layer 4 or layer 7 of a network stack.
  - 3. The method of claim 2, further comprising enforcing the received DDoS attack mitigation policies at layers 2, 3, 4 and 7 of the network stack.
  - 4. The method of claim 1, further comprising:
    - receiving, by the DDoS attack mitigation appliance, inbound and outbound packets; and
      
      performing behavioral DDoS attack mitigation by blocking packets that exceed granular behavioral thresholds or access control policies set by the received DDoS attack mitigation policies.
  - 5. The method of claim 4, further comprising creating service protection profiles based on Internet Protocol (IP) subnets, Virtual Local Area Network (VLAN) tags or Media Access Control (MAC) addresses of a source or a destination of the packets.
  - 6. The method of claim 4, further comprising:
    - collecting, by the DDoS attack mitigation appliance, granular traffic rate information from traffic passing through it, andsending, by the DDoS attack mitigation appliance, granular traffic rate information to the DDoS attack mitigation central controller via the secure connection.
  - 7. The method of claim 6, further comprising tracking offending sources that exceed behavioral source packet rate thresholds or repetitively send packets that are caught within an identified behavioral granular parameter flood.
  - 8. The method of claim 1, further comprising:
    - collecting, by the DDoS attack mitigation appliance, granular packet drop statistics from traffic passing through it, andsending, by the DDoS attack mitigation appliance, granular packet drop statistics to the DDoS attack mitigation central controller via the secure connection.
  - 9. The method of claim 1, further comprising:
    - continuously collecting in real time, by the DDoS attack mitigation appliance, the granular traffic rate information; and
      
      enabling, by the DDoS attack mitigation appliance, the DDoS attack mitigation central controller to adjust the DDoS attack mitigation policies by providing continuous feedback to the DDoS attack mitigation central controller in a form of the continuously collected granular traffic rate information.
  - 10. The method of claim 1, wherein the private network comprises a data center network or an Internet Service Provider (ISP) network.

11. A distributed denial of service (DDoS) attack mitigation appliance for mitigating DDoS attacks against a protected entity of a private network, the DDoS attack mitigation appliance comprising:
- a non-transitory storage device having embodied therein instructions representing a security application; and
  
  one or more processors coupled to the non-transitory storage device and operable to execute the security application to perform a method comprising;
  
  establishing a secure connection between the DDoS attack mitigation appliance and a DDoS attack mitigation central controller located external to the private network;
  
  receiving DDoS attack mitigation policies through a public network connecting the DDoS attack mitigation central controller and the DDoS attack mitigation appliance via the secure connection; and
  
  mitigating a DDoS attack targeting the protected entity based on the received DDoS attack mitigation policies, wherein the DDoS attack mitigation policies are generated by the DDoS attack mitigation central controller based on granular behavioral packet rate thresholds estimated based on granular traffic rate information collected from a plurality of DDoS attack mitigation appliances;
  
  wherein the DDoS attach mitigation appliance is one of the plurality of DDoS attack mitigation appliances and the DDoS mitigation central controller and the plurality of DDoS attack mitigation appliances facilitate decoupling of control plane functionality, responsible for storage of behavioral data and creation of the DDoS attack mitigation policies, and data plane functionality, responsible for collection of the behavioral data and performing DDoS attack mitigation based on the DDoS attack mitigation policies;
  
  wherein the control plane functionality is implemented within the DDoS attack mitigation central controller and includes adaptive, continuous estimation of behavioral thresholds based on past traffic and management of the DDoS attack mitigation policies; and
  
  wherein the data plane functionality is implemented within and distributed among the plurality of DDoS mitigation appliances and includes collection of the granular traffic rate information.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The appliance of claim 11, wherein the granular traffic rate information includes traffic rates observed during a predetermined period of time for a plurality of predetermined parameters of layer 2, layer 3, layer 4 or layer 7 of a network stack.
  - 13. The appliance of claim 12, wherein the method further comprises enforcing the received DDoS attack mitigation policies at layers 2, 3, 4 and 7 of a network stack.
  - 14. The appliance of claim 11, wherein the method further comprises:
    - receiving inbound and outbound packets; and
      
      performing behavioral DDoS attack mitigation by blocking packets that exceed granular behavioral thresholds or access control policies set by the received DDoS attack mitigation policies.
  - 15. The appliance of claim 14, wherein the method further comprises creating service protection profiles based on Internet Protocol (IP) subnets, Virtual Local Area Network (VLAN) tag or Media Access Control (MAC) addresses of source or destination of the packets.
  - 16. The appliance of claim 11, wherein the method further comprises:
    - collecting the granular traffic rate information from traffic passing through it, andsending the granular traffic rate information to the DDoS attack mitigation central controller.
  - 17. The appliance of claim 16, wherein the method further comprises tracking offending sources that exceed behavioral source packet rate thresholds or repetitively send packets which are caught within an identified behavioral granular parameter flood.
  - 18. The appliance of claim 11, wherein the method further comprises:
    - collecting granular packet drop statistics from traffic passing through it, andsending granular packet drop statistics to the DDoS attack mitigation central controller.
  - 19. The appliance of claim 11, wherein the method further comprises:
    - continuously collecting in real time the granular traffic rate information; and
      
      enabling the DDoS attack mitigation central controller to adjust the DDoS attack mitigation policies by providing continuous feedback to the DDoS attack mitigation central controller in a form of the continuously collected granular traffic rate information.
  - 20. The appliance of claim 11, wherein the private network comprises a data center network or an Internet Service Provider (ISP) network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Jain, Hemant Kumar
Primary Examiner(s)
Waliullah, Mohammed

Application Number

US15/817,192
Publication Number

US 20180091548A1
Time in Patent Office

220 Days
Field of Search

726 22- 25, 726 1, 713188
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04L 63/20   for managing network securi...

System and method for software defined behavioral DDoS attack mitigation

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for software defined behavioral DDoS attack mitigation

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links