System, method and program product to identify a distributed denial of service attack
Abstract
System, method and computer program product for detecting a denial of service attack on a plurality of computers. Records are made of source IP addresses of requests sent to each of the computers. The records of requests sent to the plurality of computers are totalled per source IP address and/or per range of source IP addresses. A determination is made if the total for a source IP address and/or range of source IP addresses exceeds a respective, predetermined threshold. If so, a denial of service attack is suspected or determined, and a firewall can be notified to block subsequent requests from the source IP address and/or range of source IP addresses, and an administrator can be notified to investigate the situation. Records can also be made of requests sent to each of the computers for a file or access to an application. These records of requests sent to the plurality of computers are totalled per file or application access. A determination is made if the total for a file or application access exceeds a predetermined threshold. If so, a denial of service attack is suspected or determined, and an administrator can be notified to investigate the situation.
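The abstract describes three totals that a management server computes over records pulled from many destination computers: per source IP address, per range of source IP addresses, and per requested file or application, each compared with its own threshold over a period of time. The following is an added example of that aggregation step, written for this page and not code from the patent or its assignee. The log line format, the thresholds, the /24 range granularity, the sample records and the `known_promotions` input (standing in for the "promotion caused an increased need" determination of claims 18 to 20) are all assumptions made for the example. It also shows the point the abstract makes about ranges: the 198.51.100.x sources each stay below the per-IP threshold, yet their /24 as a whole is caught.

```python
"""
Management-server side of the scheme in the abstract: gather request records
from several destination servers, total them per source IP, per source range
and per requested file/application over a time window, compare each total
with its threshold, and produce firewall-block and admin-notification results.

Added example, not the patent's own code. Log format, thresholds and the
result representation are assumptions made for this example.
"""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta
import ipaddress


@dataclass(frozen=True)
class Request:
    ts: datetime
    src_ip: str
    dst_ip: str
    resource: str  # file path or application requested


# Constructed sample "logged recordings" as each destination computer would
# return them to the management server. Assumed line format:
# "<ISO timestamp> <src_ip> <dst_ip> <resource>".
SAMPLE_LOGS = {
    "10.0.0.1": """
2024-01-01T12:00:00 203.0.113.7 10.0.0.1 /login
2024-01-01T12:00:01 203.0.113.7 10.0.0.1 /login
2024-01-01T12:00:02 203.0.113.7 10.0.0.1 /login
2024-01-01T12:00:03 198.51.100.20 10.0.0.1 /index.html
2024-01-01T12:00:04 198.51.100.21 10.0.0.1 /report.pdf
""",
    "10.0.0.2": """
2024-01-01T11:00:00 203.0.113.7 10.0.0.2 /login
2024-01-01T12:00:00 203.0.113.7 10.0.0.2 /login
2024-01-01T12:00:01 203.0.113.7 10.0.0.2 /login
2024-01-01T12:00:02 203.0.113.7 10.0.0.2 /login
2024-01-01T12:00:03 198.51.100.22 10.0.0.2 /report.pdf
2024-01-01T12:00:04 198.51.100.23 10.0.0.2 /report.pdf
2024-01-01T12:00:05 198.51.100.24 10.0.0.2 /report.pdf
""",
}


@dataclass
class Thresholds:
    per_source_ip: int = 5     # requests per window from one source IP, all destinations combined
    per_source_range: int = 4  # requests per window from one source range (kept low for the demo)
    per_resource: int = 3      # requests per window for one file/application
    range_prefix: int = 24     # source range granularity (/24 assumed)


@dataclass
class Findings:
    block_ips: dict = field(default_factory=dict)      # src_ip -> count, to hand to the firewall
    block_ranges: dict = field(default_factory=dict)   # network -> count, to hand to the firewall
    hot_resources: dict = field(default_factory=dict)  # resource -> count, for the administrator
    admin_alerts: list = field(default_factory=list)


def collect_records(logs_by_destination):
    """Step 1: gather the logged recordings from every destination computer
    and merge them into a single record set."""
    merged = []
    for raw in logs_by_destination.values():
        for line in raw.strip().splitlines():
            ts, src, dst, res = line.split()
            merged.append(Request(datetime.fromisoformat(ts), src, dst, res))
    return merged


def analyze(records, window_end, window, th, known_promotions=frozenset()):
    """Steps 2-3: total the in-window records per source IP, per source range
    and per resource, then compare each total with its threshold.
    `known_promotions` (assumed input) names resources whose surge an
    administrator has already attributed to a promotion."""
    window_start = window_end - window
    in_window = [r for r in records if window_start <= r.ts < window_end]

    per_ip = Counter(r.src_ip for r in in_window)
    per_range = Counter(
        str(ipaddress.ip_network(f"{r.src_ip}/{th.range_prefix}", strict=False))
        for r in in_window)
    per_resource = Counter(r.resource for r in in_window)

    f = Findings()
    for ip, n in per_ip.items():
        if n > th.per_source_ip:  # "exceeds a specified threshold"
            f.block_ips[ip] = n
            f.admin_alerts.append(f"source {ip}: {n} requests across destinations")
    for net, n in per_range.items():
        if n > th.per_source_range:
            f.block_ranges[net] = n
            f.admin_alerts.append(f"range {net}: {n} requests across destinations")
    for res, n in per_resource.items():
        if n > th.per_resource:
            f.hot_resources[res] = n
            if res in known_promotions:
                f.admin_alerts.append(f"resource {res}: {n} requests (expected: promotion)")
            else:
                f.admin_alerts.append(f"resource {res}: {n} requests, investigate")
    return f


def run_sample(known_promotions=frozenset()):
    """Analyze the constructed logs over a five-minute window ending 12:01."""
    records = collect_records(SAMPLE_LOGS)
    return analyze(records, datetime(2024, 1, 1, 12, 1), timedelta(minutes=5),
                   Thresholds(), known_promotions)


if __name__ == "__main__":
    for line in run_sample().admin_alerts:
        print(line)
```

The 11:00 record is dropped by the window check, which is what "over a specified period of time" buys in practice: totals reset instead of accumulating forever. Note that with the range threshold set this low, the 203.0.113.0/24 range is flagged on the strength of a single host, so in a real deployment the per-range threshold would sit well above the per-IP one.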
20 Claims
1. A method for detecting a denial of service attack on a plurality of destination computers, the method comprising the steps of:

a management server obtaining from the destination computers records of respective requests previously received by the destination computers from a plurality of source computers, wherein each request is a message, wherein each request comprises a source IP address of one of the source computers and a destination address of one of the destination computers, wherein the obtaining the records comprises:

periodically requesting from the destination computers logged recordings of the requests received by the destination computers from the source computers, and in response, receiving the requested logged recordings from the destination computers, and wherein the obtained records comprise the received logged recordings;

the management server determining, from an analysis of the obtained records, that the total number of requests sent over a specified period of time by one source computer of the plurality of source computers to the destination computers exceeds a specified threshold, and in response, the management server configuring a firewall to block subsequent requests sent by the one source computer from being received by the destination computers; and

the management server determining that a total number of requests sent by the one source computer for a specific file or application exceeds a specified first threshold value.

Dependent claims: 2, 3, 4, 5, 6, 7, 8.

9. A management system for detecting a denial of service attack on a plurality of destination computers, the management system comprising:
a CPU;

a computer readable memory;

a computer readable storage device;

first program instructions to obtain from the destination computers records of respective requests previously received by the destination computers from a plurality of source computers, wherein each request is a message, wherein each request comprises a source IP address of one of the source computers and a destination address of one of the destination computers, wherein the first program instructions to obtain the records comprise:

program instructions to periodically request from the destination computers logged recordings of the requests received by the destination computers from the source computers, and in response, to receive from the destination computers the requested logged recordings, and wherein the obtained records comprise the received logged recordings;

second program instructions to determine, from an analysis of the obtained records, that the total number of requests sent over a specified period of time by one source computer of the plurality of source computers to the destination computers exceeds a specified threshold, and in response, to configure a firewall to block subsequent requests sent by the one source computer from being received by the destination computers; and

third program instructions to determine that a total number of requests sent by the one source computer for a specific file or application exceeds a specified first threshold value,

wherein the first, second and third program instructions are stored on the computer readable storage device for execution by the CPU via the computer readable memory.

Dependent claims: 10, 11, 12.

13. A computer program product for execution in a management system to detect a denial of service attack on a plurality of destination computers, the computer program product comprising:
a computer readable storage device;

first program instructions to obtain from the destination computers records of respective requests previously received by the destination computers from a plurality of source computers, wherein each request is a message, wherein each request comprises a source IP address of one of the source computers and a destination address of one of the destination computers, wherein the first program instructions to obtain the records comprise:

program instructions to periodically request from the destination computers logged recordings of the requests received by the destination computers from the source computers, and in response, to receive from the destination computers the requested logged recordings, and wherein the obtained records comprise the received logged recordings; and

second program instructions to determine, from an analysis of the obtained records, that the total number of requests sent over a specified period of time by one source computer of the plurality of source computers to the destination computers exceeds a specified threshold, and in response, to configure a firewall to block subsequent requests sent by the one source computer from being received by the destination computers; and

third program instructions to determine that a total number of requests sent by the one source computer for a specific file or application exceeds a specified first threshold value,

wherein the first, second and third program instructions are stored on the computer readable storage device for execution by a CPU.

Dependent claims: 14, 15, 16, 17.

18. A method for detecting a denial of service attack on a plurality of destination computers, the method comprising the steps of:
a management server obtaining from the destination computers records of respective requests previously received by the destination computers from a plurality of source computers, wherein each request is a message, wherein each request comprises a source IP address of one of the source computers and a destination address of one of the destination computers, wherein the obtaining the records comprises:

periodically requesting from the destination computers logged recordings of the requests received by the destination computers from the source computers, and in response, receiving the requested logged recordings from the destination computers, and wherein the obtained records comprise the received logged recordings;

the management server determining, from an analysis of the obtained records, that the total number of requests sent over a specified period of time by one source computer of the plurality of source computers to the destination computers exceeds a specified threshold, and in response, the management server configuring a firewall to block subsequent requests sent by the one source computer from being received by the destination computers; and

the management server determining that a product or service promotion caused an increased need for the requests sent by the one source computer.

19. A management system for detecting a denial of service attack on a plurality of destination computers, the management system comprising:
a CPU;

a computer readable memory;

a computer readable storage device;

first program instructions to obtain from the destination computers records of respective requests previously received by the destination computers from a plurality of source computers, wherein each request is a message, wherein each request comprises a source IP address of one of the source computers and a destination address of one of the destination computers, wherein the first program instructions to obtain the records comprise:

program instructions to periodically request from the destination computers logged recordings of the requests received by the destination computers from the source computers, and in response, to receive from the destination computers the requested logged recordings, and wherein the obtained records comprise the received logged recordings;

second program instructions to determine, from an analysis of the obtained records, that the total number of requests sent over a specified period of time by one source computer of the plurality of source computers to the destination computers exceeds a specified threshold, and in response, to configure a firewall to block subsequent requests sent by the one source computer from being received by the destination computers; and

third program instructions to determine that a product or service promotion caused an increased need for the requests sent by the one source computer,

wherein the first, second and third program instructions are stored on the computer readable storage device for execution by the CPU via the computer readable memory.

20. A computer program product for execution in a management system to detect a denial of service attack on a plurality of destination computers, the computer program product comprising:
a computer readable storage device;

first program instructions to obtain from the destination computers records of respective requests previously received by the destination computers from a plurality of source computers, wherein each request is a message, wherein each request comprises a source IP address of one of the source computers and a destination address of one of the destination computers, wherein the first program instructions to obtain the records comprise:

program instructions to periodically request from the destination computers logged recordings of the requests received by the destination computers from the source computers, and in response, to receive from the destination computers the requested logged recordings, and wherein the obtained records comprise the received logged recordings;

second program instructions to determine, from an analysis of the obtained records, that the total number of requests sent over a specified period of time by one source computer of the plurality of source computers to the destination computers exceeds a specified threshold, and in response, to configure a firewall to block subsequent requests sent by the one source computer from being received by the destination computers; and

third program instructions to determine that a product or service promotion caused an increased need for the requests sent by the one source computer,

wherein the first, second and third program instructions are stored on the computer readable storage device for execution by a CPU.