ISP blacklist feed
Abstract
Embodiments are provided for an actionable blacklist of DDoS offenders and the ISPs associated with those offenders. The system can collect real-time attack data and perform real-time analysis, which can be fed into a centralized database for intelligent analysis to identify offenders and report them to interested subscribers. The system can receive an indication that network resources are being targeted as part of one or more DDoS attacks, and then obtain the malicious IP addresses of devices associated with those DDoS attacks. The system can determine the Internet Service Provider (ISP) associated with each malicious IP address. A metric can be computed that is associated with an ISP involved in the one or more DDoS attacks. If the metric exceeds a threshold, then an alert message indicating that the ISP is involved in the one or more DDoS attacks can be sent to a list of subscribers.
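The pipeline described in the abstract, as an added example that is not code from the patent: attack telemetry is attributed to ISPs, both per-ISP metrics are computed, and an alert is built only when a metric strictly exceeds its threshold. The ISP names, prefix table, thresholds, subscriber address and telemetry are constructed assumptions, and `lookup_isp` is a hypothetical stand-in for the request to the database system.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for the ISP database system (prefix -> ISP name).
ISP_DB = {
    "192.0.2.0/24": "ExampleNet-A",
    "198.51.100.0/25": "ExampleNet-B",
    "198.51.100.128/25": "ExampleNet-C",
}
_PREFIXES = sorted(
    ((ipaddress.ip_network(p), isp) for p, isp in ISP_DB.items()),
    key=lambda e: e[0].prefixlen, reverse=True)

def lookup_isp(ip):
    """Longest-prefix match; unattributed space is reported, not guessed."""
    addr = ipaddress.ip_address(ip)
    for net, isp in _PREFIXES:
        if addr in net:
            return isp
    return "UNKNOWN"

def isp_metrics(events):
    """events: iterable of (source_ip, malicious_request_count)."""
    ips, reqs = defaultdict(set), defaultdict(int)
    for ip, count in events:
        isp = lookup_isp(ip)
        ips[isp].add(ip)      # metric 1: distinct malicious IPs per ISP
        reqs[isp] += count    # metric 2: malicious requests per ISP
    return {isp: {"ips": len(ips[isp]), "requests": reqs[isp]} for isp in ips}

def build_alerts(events, ip_threshold, request_threshold, subscribers):
    """One alert per ISP whose metric exceeds (strictly) its threshold."""
    limits = {"ips": ip_threshold, "requests": request_threshold}
    alerts = []
    for isp, m in sorted(isp_metrics(events).items()):
        if isp == "UNKNOWN":
            continue  # never name an ISP for addresses we cannot attribute
        exceeded = [k for k in limits if m[k] > limits[k]]
        if exceeded:
            alerts.append({"isp": isp, "metrics": m,
                           "exceeded": exceeded, "to": list(subscribers)})
    return alerts

# Constructed sample telemetry (documentation address ranges only).
SAMPLE_EVENTS = [
    ("192.0.2.10", 400), ("192.0.2.11", 350), ("192.0.2.12", 500),
    ("192.0.2.10", 100),      # same IP seen again: counts once as an IP
    ("198.51.100.5", 2000),   # a single high-volume host
    ("198.51.100.200", 20), ("203.0.113.9", 999),  # low volume / unattributed
]
```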
19 Claims
1. A method of providing a notification containing an ISP from which DDoS attacks originate, the method comprising performing by a computing system:
- receiving an indication that one or more network resources are being targeted as part of one or more DDoS attacks;
- obtaining one or more malicious IP addresses corresponding to devices that transceive data with the one or more network resources as part of the one or more DDoS attacks;
- sending a request to a database system to determine an Internet Service Provider (ISP) associated with each of the one or more malicious IP addresses;
- computing a metric associated with a first ISP involved in the one or more DDoS attacks, wherein the metric includes at least one of: a quantity of malicious IP addresses of the first ISP corresponding to devices that transceive data with the one or more network resources as part of the one or more DDoS attacks and a quantity of malicious requests from the malicious IP addresses of the first ISP corresponding to devices that transceive data with the one or more network resources as part of the one or more DDoS attacks;
- comparing the metric to a threshold; and
- sending, to a list of subscribers, an alert message indicating that the first ISP is involved in the one or more DDoS attacks when the metric exceeds the threshold.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18
19. A system for providing a notification containing an ISP from which DDoS attacks originate, the system comprising:
at least one processor communicably coupled to a memory, wherein the memory is operable to store instructions for execution by the at least one processor, the at least one processor operable to execute the instructions to perform the steps of:
- receiving an indication that one or more network resources are being targeted as part of one or more DDoS attacks;
- obtaining one or more malicious IP addresses corresponding to devices that transceive data with the one or more network resources as part of the one or more DDoS attacks;
- sending a request to a database system to determine an Internet Service Provider (ISP) associated with each of the one or more malicious IP addresses;
- computing a metric associated with a first ISP involved in the one or more DDoS attacks, wherein the metric includes at least one of: a quantity of malicious IP addresses of the first ISP corresponding to devices that transceive data with the one or more network resources as part of the one or more DDoS attacks and a quantity of malicious requests from the malicious IP addresses of the first ISP corresponding to devices that transceive data with the one or more network resources as part of the one or more DDoS attacks;
- comparing the metric to a threshold; and
- sending, to a list of subscribers, an alert message indicating that the first ISP is involved in the one or more DDoS attacks when the metric exceeds the threshold.
Specification