System and method for software defined behavioral DDoS attack mitigation
First Claim
1. A method for mitigating distributed denial of service (DDoS) attacks against a protected entity of a private network, comprising:
- decoupling control plane functionality, responsible for storage of behavioral data and creation of DDoS attack mitigation policies, and data plane functionality, responsible for collection of the behavioral data and performing DDoS attack mitigation based on the DDoS attack mitigation policies, wherein the control plane functionality is implemented within a DDoS attack mitigation central controller and includes adaptive, continuous estimation of behavioral thresholds based on past traffic observed by the plurality of DDoS mitigation appliances and management of the DDoS attack mitigation policies, wherein the data plane functionality is implemented within and distributed among the plurality of DDoS mitigation appliances and includes collection of granular traffic rate information regarding traffic observed by each of the plurality of DDoS mitigation appliances, wherein the plurality of DDoS mitigation appliances are located within the private network;
- establishing a secure connection between a DDoS attack mitigation appliance of the plurality of DDoS attack mitigation appliances and the DDoS attack mitigation central controller located external to the private network;
- receiving, by the DDoS attack mitigation appliance, the DDoS attack mitigation policies through a public network connecting the DDoS attack mitigation central controller and the DDoS attack mitigation appliance via the secure connection; and
- mitigating a DDoS attack targeting the protected entity based on the received DDoS attack mitigation policies, wherein the DDoS attack mitigation policies are generated by the DDoS attack mitigation central controller based on granular behavioral packet rate thresholds estimated based on the granular traffic rate information collected at least from the DDoS attack mitigation appliance.
Abstract
Systems and methods for software defined behavioral DDoS attack mitigation are provided. According to one embodiment, a method is provided for mitigating DDoS attacks. A DDoS attack mitigation appliance of multiple mitigation appliances controlled by a DDoS attack mitigation central controller receives DDoS attack mitigation policies through a network connecting the controller and the mitigation appliance. A DDoS attack is mitigated by the mitigation appliance based on the received mitigation policies. The mitigation policies are generated by the controller based on granular behavioral packet rate thresholds estimated based on granular traffic rate information collected from one or more of the multiple mitigation appliances controlled by the controller.
20 Claims
1. Claim 1 is reproduced in full above under First Claim; dependent claims 2-10 are not reproduced on the page.
11. A distributed denial of service (DDoS) attack mitigation appliance for mitigating DDoS attacks against a protected entity of a private network, the DDoS attack mitigation appliance comprising:
- a non-transitory storage device having embodied therein instructions representing a security application; and
- one or more processors coupled to the non-transitory storage device and operable to execute the security application to perform a method comprising:
  - establishing a secure connection between the DDoS attack mitigation appliance and a DDoS attack mitigation central controller located external to the private network;
  - receiving DDoS attack mitigation policies through a public network connecting the DDoS attack mitigation central controller and the DDoS attack mitigation appliance via the secure connection; and
  - mitigating a DDoS attack targeting the protected entity based on the received DDoS attack mitigation policies, wherein the DDoS attack mitigation policies are generated by the DDoS attack mitigation central controller based on granular behavioral packet rate thresholds estimated based on granular traffic rate information collected from a plurality of DDoS attack mitigation appliances;
wherein the DDoS attack mitigation appliance is one of the plurality of DDoS attack mitigation appliances and the DDoS mitigation central controller and the plurality of DDoS attack mitigation appliances facilitate decoupling of control plane functionality, responsible for storage of behavioral data and creation of the DDoS attack mitigation policies, and data plane functionality, responsible for collection of the behavioral data and performing DDoS attack mitigation based on the DDoS attack mitigation policies;
wherein the control plane functionality is implemented within the DDoS attack mitigation central controller and includes adaptive, continuous estimation of behavioral thresholds based on past traffic and management of the DDoS attack mitigation policies; and
wherein the data plane functionality is implemented within and distributed among the plurality of DDoS mitigation appliances and includes collection of the granular traffic rate information.
Dependent claims 12-20 are not reproduced on the page.
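The control plane / data plane split that the abstract and claims 1 and 11 describe, reduced to a runnable toy model. This is an added example, not the patentee's implementation and not code from the page: the patent does not say how the behavioral thresholds are estimated, so the EWMA-plus-k-sigma estimator, the warm-up rule, the rate floor, the traffic keys (`DNS`, `HTTPS`), the appliance names and every traffic figure are assumptions, and the secure connection over the public network is replaced by a direct function call between the two objects.

```python
"""Toy model of the split architecture the claims describe: a central controller
(control plane) stores behavioral data and estimates per-key packet-rate thresholds;
mitigation appliances (data plane) collect granular rate information and enforce the
resulting policies.  Added illustration, not the patent holder's code.  Assumptions:
EWMA mean plus k standard deviations as the estimator, direct function calls instead
of the claimed secure connection, and constructed traffic figures throughout."""
import math
from dataclasses import dataclass
from typing import Dict, Tuple

# Granular traffic key: (protected entity, transport protocol, destination port).
TrafficKey = Tuple[str, str, int]


@dataclass
class BehaviorModel:
    """Control-plane state for one key: EWMA mean/variance of packets per second."""
    mean: float = 0.0
    var: float = 0.0
    samples: int = 0


class CentralController:
    """Control plane: ingests rate reports, keeps the adaptive estimate, emits policies."""

    def __init__(self, alpha=0.2, k=4.0, floor_pps=100.0, warmup=10):
        self.alpha = alpha          # EWMA smoothing factor (assumed value)
        self.k = k                  # sigma multiplier for the threshold (assumed value)
        self.floor_pps = floor_pps  # never push a threshold below this rate
        self.warmup = warmup        # samples learned before outliers are rejected
        self.models: Dict[TrafficKey, BehaviorModel] = {}

    def ingest(self, report: Dict[TrafficKey, float]) -> None:
        """Update the estimate from one appliance's report.  After warm-up, rates above
        the current threshold are not learned, so an attack cannot raise the baseline."""
        for key, rate in report.items():
            m = self.models.setdefault(key, BehaviorModel())
            if m.samples >= self.warmup and rate > self.threshold_for(key):
                continue
            if m.samples == 0:
                m.mean, m.var = rate, 0.0
            else:
                diff = rate - m.mean
                m.mean += self.alpha * diff
                m.var = (1.0 - self.alpha) * (m.var + self.alpha * diff * diff)
            m.samples += 1

    def threshold_for(self, key: TrafficKey) -> float:
        m = self.models[key]
        return max(self.floor_pps, m.mean + self.k * math.sqrt(m.var))

    def policies(self) -> Dict[TrafficKey, float]:
        """A policy here is simply the packet-rate threshold for each key."""
        return {key: self.threshold_for(key) for key in self.models}


class MitigationAppliance:
    """Data plane: reports per-interval rates upward and enforces the returned thresholds."""

    def __init__(self, name: str):
        self.name = name
        self.policies: Dict[TrafficKey, float] = {}

    def collect(self, counts: Dict[TrafficKey, int], interval_s: float) -> Dict[TrafficKey, float]:
        return {key: n / interval_s for key, n in counts.items()}

    def apply_policies(self, policies: Dict[TrafficKey, float]) -> None:
        self.policies = dict(policies)

    def mitigate(self, rates: Dict[TrafficKey, float]) -> Dict[TrafficKey, Tuple[str, float]]:
        """('forward', rate) inside the threshold; ('rate_limit', threshold) above it."""
        out = {}
        for key, rate in rates.items():
            limit = self.policies.get(key)
            out[key] = ("rate_limit", limit) if limit is not None and rate > limit else ("forward", rate)
        return out


DNS = ("web-frontend", "udp", 53)
HTTPS = ("web-frontend", "tcp", 443)


def simulate():
    """Learn a baseline from two appliances, push policies, then hit one appliance with a
    constructed UDP/53 flood.  Returns (learned policy, decisions, policy after the flood)."""
    controller = CentralController()
    appliances = [MitigationAppliance("dc-east"), MitigationAppliance("dc-west")]
    for i in range(20):  # constructed baseline: 20 one-second intervals per appliance
        for n, app in enumerate(appliances):
            counts = {DNS: 900 + 40 * ((i + n) % 5), HTTPS: 4000 + 150 * ((3 * i + n) % 4)}
            controller.ingest(app.collect(counts, 1.0))
    policy = controller.policies()
    for app in appliances:
        app.apply_policies(policy)
    attack = appliances[0].collect({DNS: 250_000, HTTPS: 4100}, 1.0)  # flood hits dc-east only
    decisions = appliances[0].mitigate(attack)
    controller.ingest(attack)  # the flood report must not move the learned DNS threshold
    return policy, decisions, controller.policies()


if __name__ == "__main__":
    print(simulate())
```

Calling `simulate()` returns the learned per-key thresholds, the decisions dc-east takes during the flood, and the thresholds afterwards. The properties worth checking are that the UDP/53 flood is rate-limited to the learned threshold while HTTPS is forwarded, and that the flood report itself leaves the DNS threshold unchanged: an adaptive, continuously updated baseline is only safe to use as a mitigation policy if attack traffic is excluded from the learning step.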