System and method for software defined behavioral DDoS attack mitigation

US 10,116,703 B2
Filed: 05/31/2017
Issued: 10/30/2018
Est. Priority Date: 07/16/2013
Status: Active Grant

First Claim

Patent Images

1. A method for controlling a plurality of distributed denial of service (DDoS) mitigation appliances, comprising:

decoupling control plane functionality, responsible for storage of behavioral data and creation of DDoS attack mitigation policies, and data plane functionality, responsible for collection of the behavioral data and performing DDoS attack mitigation based on the DDoS attack mitigation policies, wherein the control plane functionality is implemented within a DDoS attack mitigation central controller and includes adaptive, continuous estimation of behavioral thresholds based on past traffic and management of the DDoS attack mitigation policies and wherein the data plane functionality is implemented within and distributed among the plurality of DDoS mitigation appliances and includes collection of granular traffic rate information regarding traffic observed by each of the plurality of DDoS mitigation appliances;

configuring, by the DDoS attack mitigation central controller, the DDoS attack mitigation policies for the plurality of DDoS attack mitigation appliances comprising collecting, by the DDoS attack mitigation central controller, the granular traffic rate information from the plurality of DDoS attack mitigation appliances, and estimating granular behavioral packet rate thresholds based on the granular traffic rate information; and

causing, by the DDoS attack mitigation central controller, the plurality of DDoS attack mitigation appliances to enforce the granular behavioral packet rate thresholds by sending the DDoS attack mitigation policies to the plurality of DDoS attack mitigation appliances through a network connecting the DDoS attack mitigation central controller and the plurality of DDoS attack mitigation appliances.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for software defined behavioral DDoS attack mitigation are provided. According to one embodiment, a method is provided for controlling multiple distributed denial of service (DDoS) mitigation appliances. A DDoS attack mitigation central controller configures attack mitigation policies for the DDoS attack mitigation appliances. The DDoS attack mitigation policies are sent to the DDoS attack mitigation appliances through a network connecting the DDoS attack mitigation central controller and the DDoS attack mitigation appliances.

17 Citations

14 Claims

1. A method for controlling a plurality of distributed denial of service (DDoS) mitigation appliances, comprising:
- decoupling control plane functionality, responsible for storage of behavioral data and creation of DDoS attack mitigation policies, and data plane functionality, responsible for collection of the behavioral data and performing DDoS attack mitigation based on the DDoS attack mitigation policies, wherein the control plane functionality is implemented within a DDoS attack mitigation central controller and includes adaptive, continuous estimation of behavioral thresholds based on past traffic and management of the DDoS attack mitigation policies and wherein the data plane functionality is implemented within and distributed among the plurality of DDoS mitigation appliances and includes collection of granular traffic rate information regarding traffic observed by each of the plurality of DDoS mitigation appliances;
  
  configuring, by the DDoS attack mitigation central controller, the DDoS attack mitigation policies for the plurality of DDoS attack mitigation appliances comprising collecting, by the DDoS attack mitigation central controller, the granular traffic rate information from the plurality of DDoS attack mitigation appliances, and estimating granular behavioral packet rate thresholds based on the granular traffic rate information; and
  
  causing, by the DDoS attack mitigation central controller, the plurality of DDoS attack mitigation appliances to enforce the granular behavioral packet rate thresholds by sending the DDoS attack mitigation policies to the plurality of DDoS attack mitigation appliances through a network connecting the DDoS attack mitigation central controller and the plurality of DDoS attack mitigation appliances.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the granular traffic rate information includes traffic rates observed during a predetermined period of time for a plurality of predetermined parameters of layer 2, layer 3, layer 4 or layer 7 of a network stack.
  - 3. The method of claim 1, wherein said configuring, by a DDoS attack mitigation central controller, DDoS attack mitigation policies for the plurality of DDoS attack mitigation appliances further comprises:
    - updating DDoS attack mitigation policies based on the granular behavioral packet rate thresholds; and
      
      sending the updated DDoS attack mitigation policies to the plurality of DDoS attack mitigation appliances.
  - 4. The method of claim 1, wherein said configuring, by a DDoS attack mitigation central controller, DDoS attack mitigation policies for the plurality of DDoS attack mitigation appliances further comprises receiving the DDoS attack mitigation policies from an administrator of the DDoS attack mitigation central controller through a user interface.
  - 5. The method of claim 1, further comprising:
    - collecting, by the DDoS attack mitigation central controller, granular packet drop statistics from the plurality of DDoS attack mitigation appliances; and
      
      reporting the granular packet drop statistics to the administrator of the DDoS attack mitigation central controller.
  - 6. The method of claim 1, further comprising:
    - establishing a secure connection between the DDoS attack mitigation central controller and the plurality of DDoS attack mitigation appliances;
      
      sending the DDoS attack mitigation policies through the secure connection; and
      
      receiving granular traffic rate information and granular packet drop statistics from the plurality of DDoS attack mitigation appliances through the secure connection.
  - 7. The method of claim 1, further comprising managing mitigation policies in a data store by the DDoS attack mitigation central controller.

8. A distributed denial of service (DDoS) mitigation central controller for controlling a plurality of DDoS attack mitigation appliances, the DDoS mitigation central controller comprising:
- a non-transitory storage device having tangibly embodied therein instructions representing a security application; and
  
  one or more processors coupled to the non-transitory storage device and operable to execute the security application to perform a method comprising;
  
  configuring, by the DDoS attack mitigation central controller, DDoS attack mitigation policies for the plurality of DDoS attack mitigation appliances, comprising collecting, by the DDoS attack mitigation central controller, granular traffic rate information and estimating granular behavioral packet rate thresholds based on the granular traffic rate information;
  
  causing, by the DDoS attack mitigation central controller, the plurality of DDoS attack mitigation appliances to enforce the granular behavioral packet rate thresholds by sending the DDoS attack mitigation policies to the plurality of DDoS attack mitigation appliances through a network connecting the DDoS attack mitigation central controller and the plurality of DDoS attack mitigation appliances;
  
  wherein the DDoS mitigation central controller and the plurality of DDoS attack mitigation appliances facilitate decoupling of control plane functionality, responsible for storage of behavioral data and creation of the DDoS attack mitigation policies, and data plane functionality, responsible for collection of the behavioral data and performing DDoS attack mitigation based on the DDoS attack mitigation policies;
  
  wherein the control plane functionality is implemented within the DDoS attack mitigation central controller and includes adaptive, continuous estimation of behavioral thresholds based on past traffic and management of the DDoS attack mitigation policies; and
  
  wherein the data plane functionality is implemented within and distributed among the plurality of DDoS mitigation appliances and includes collection of the granular traffic rate information.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The controller of claim 8, wherein the granular traffic rate information includes traffic rates observed during a predetermined period of time for a plurality of predetermined parameters of layer 2, layer 3, layer 4 or layer 7 of a network stack.
  - 10. The controller of claim 8, wherein said configuring, by a DDoS attack mitigation central controller, DDoS attack mitigation policies for the plurality of DDoS attack mitigation appliances further comprises:
    - updating DDoS attack mitigation policies based on the granular behavioral packet rate thresholds; and
      
      sending the updated DDoS attack mitigation policies to the plurality of DDoS attack mitigation appliances.
  - 11. The controller of claim 8, wherein said configuring, by a DDoS attack mitigation central controller, DDoS attack mitigation policies for the plurality of DDoS attack mitigation appliances further comprises receiving the DDoS attack mitigation policies from an administrator of the DDoS attack mitigation central controller through a user interface.
  - 12. The controller of claim 8, wherein the granular traffic rate information comprises granular packet drop statistics, and wherein the method further comprises reporting the granular packet drop statistics to the administrator of the DDoS attack mitigation central controller.
  - 13. The controller of claim 8, wherein the method further comprises:
    - establishing a secure connection between the DDoS attack mitigation central controller and the plurality of DDoS attack mitigation appliances;
      
      sending the DDoS attack mitigation policies through the secure connection; and
      
      receiving granular traffic rate information and granular packet drop statistics from the plurality of DDoS attack mitigation appliances through the secure connection.
  - 14. The controller of claim 8, wherein the method further comprises managing mitigation policies in a data store by the DDoS attack mitigation central controller.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Jain, Hemant Kumar
Primary Examiner(s)
Waliullah, Mohammed

Application Number

US15/609,244
Publication Number

US 20170264646A1
Time in Patent Office

517 Days
Field of Search

726 22- 25, 726 1, 713188
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04L 63/20   for managing network securi...

System and method for software defined behavioral DDoS attack mitigation

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for software defined behavioral DDoS attack mitigation

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links