Scalable DDoS protection of SSL-encrypted services
First Claim
1. A system for mitigating network attacks within encrypted network traffic, the system comprising:
- a cloud based Distributed Denial of Service (DDoS) mitigation service having a plurality of attack management devices;
- one or more attack mitigation devices communicatively coupled to a protected network and to the cloud based DDoS mitigation service, wherein the one or more attack mitigation devices are configured and operable to decrypt the encrypted network traffic received from the DDoS mitigation service and destined to the protected network to form a plurality of decrypted network packets, analyze the plurality of decrypted network packets to detect one or more attacks by determining which decrypted network packets are associated with network attacks, generate, in response to detecting the one or more attacks, one or more attack signatures corresponding to the one or more detected attacks, and send the generated one or more attack signatures to the one or more attack management devices utilizing cloud-signaling network protocols to push the attack signatures to the plurality of cloud based attack management devices, wherein the one or more attack mitigation devices are further configured and operable to re-encrypt only decrypted network packets not associated with the one or more detected network attacks and to send the re-encrypted packets to the protected network; and
- wherein the one or more attack management devices are configured and operable to block encrypted network traffic matching the one or more attack signatures from reaching the protected network without needing to decrypt incoming encrypted traffic received from one or more external devices.
2 Assignments
0 Petitions
Abstract
A system for mitigating network attacks within encrypted network traffic is provided. The system includes a protected network including a plurality of devices. The system further includes attack mitigation devices communicatively coupled to the protected network and to a cloud platform. The attack mitigation devices are configured and operable to decrypt the encrypted traffic received from the cloud platform and destined to the protected network to form a plurality of decrypted network packets, and to analyze the plurality of decrypted network packets to detect attacks. The attack mitigation devices are further configured to generate, in response to detecting the attacks, attack signatures corresponding to the detected attacks, and to send the generated attack signatures to attack mitigation services provided in the cloud platform. The attack mitigation services are configured and operable to drop encrypted network traffic matching the attack signatures received from the attack mitigation devices.
15 Citations
9 Claims
Specification