Scalable inline behavioral DDoS attack mitigation

US 10,419,490 B2
Filed: 06/30/2017
Issued: 09/17/2019
Est. Priority Date: 07/16/2013
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, by a switch of a Distributed Denial of Service (DDoS) attack mitigation appliance, packets from an external network and destined for an internal network protected by the DDoS attack mitigation appliance;

remembering, by the switch, respective ports of the DDoS attack mitigation appliance on which the packets were received to facilitate forwarding of the packets on corresponding pair ports of the DDoS attack mitigation appliance after the packets are processed by a plurality of DDoS attack mitigation components of the DDoS attack mitigation appliance;

providing improved throughput over that which is achievable by a single, inline DDoS attack mitigation component, by distributing, by the switch, the packets among the plurality of DDoS attack mitigation components;

calculating, by each of the plurality of DDoS attack mitigation components, a plurality of granular rates for each of a plurality of Open System Interconnection (OSI) model network layers, including a plurality of layer 2, layer 3, layer 4 and layer 7 parameters, based on one or more of individual protocols with which the packets are associated and individual parameters or commands of the individual protocols;

obtaining, by a controlling host of the DDoS attack mitigation appliance, from each of the plurality of DDoS attack mitigation components, the plurality of granular rates;

continuously and adaptively adjusting, by the controlling host, a plurality of granular rate thresholds for each of the plurality of layer 2, layer 3, layer 4 and layer 7 parameters by aggregating corresponding granular rates of the plurality of granular rates and based on one or more of corresponding historical base rates, trends and seasonality;

causing, by the controlling host, the plurality of DDoS attack mitigation components to perform DDoS attack mitigation including enforcement of the plurality of granular rate thresholds by configuring the DDoS attack mitigation components with the plurality of granular rate thresholds; and

performing granular rate limiting of the packets to the plurality of granular rate thresholds for each of the plurality of layer 2, layer 3, layer 4 and layer 7 parameters by forwarding or dropping, by the plurality of DDoS attack mitigation components, the packets based on results of the DDoS attack mitigation.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and systems for a scalable solution to behavioral Distributed Denial of Service (DDoS) attacks targeting a network are provided. According to one embodiment, a method to determine the scaling treatment is provided for various granular layer parameters of the Open System Interconnection (OSI) model for communication systems. A hardware-based apparatus helps identify packet rates and determine packet rate thresholds through continuous and adaptive learning with multiple DDoS attack mitigation components. The system can be scaled up by stacking multiple DDoS attack mitigation components to provide protection against large scale DDoS attacks by distributing load across these stacked components.

Citations

20 Claims

1. A method comprising:
- receiving, by a switch of a Distributed Denial of Service (DDoS) attack mitigation appliance, packets from an external network and destined for an internal network protected by the DDoS attack mitigation appliance;
  
  remembering, by the switch, respective ports of the DDoS attack mitigation appliance on which the packets were received to facilitate forwarding of the packets on corresponding pair ports of the DDoS attack mitigation appliance after the packets are processed by a plurality of DDoS attack mitigation components of the DDoS attack mitigation appliance;
  
  providing improved throughput over that which is achievable by a single, inline DDoS attack mitigation component, by distributing, by the switch, the packets among the plurality of DDoS attack mitigation components;
  
  calculating, by each of the plurality of DDoS attack mitigation components, a plurality of granular rates for each of a plurality of Open System Interconnection (OSI) model network layers, including a plurality of layer 2, layer 3, layer 4 and layer 7 parameters, based on one or more of individual protocols with which the packets are associated and individual parameters or commands of the individual protocols;
  
  obtaining, by a controlling host of the DDoS attack mitigation appliance, from each of the plurality of DDoS attack mitigation components, the plurality of granular rates;
  
  continuously and adaptively adjusting, by the controlling host, a plurality of granular rate thresholds for each of the plurality of layer 2, layer 3, layer 4 and layer 7 parameters by aggregating corresponding granular rates of the plurality of granular rates and based on one or more of corresponding historical base rates, trends and seasonality;
  
  causing, by the controlling host, the plurality of DDoS attack mitigation components to perform DDoS attack mitigation including enforcement of the plurality of granular rate thresholds by configuring the DDoS attack mitigation components with the plurality of granular rate thresholds; and
  
  performing granular rate limiting of the packets to the plurality of granular rate thresholds for each of the plurality of layer 2, layer 3, layer 4 and layer 7 parameters by forwarding or dropping, by the plurality of DDoS attack mitigation components, the packets based on results of the DDoS attack mitigation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1, further comprising:
    - temporarily storing, by each of the plurality of DDoS attack mitigation components, the packets; and
      
      forwarding or dropping, by each of the plurality of DDoS attack mitigation components, the packets based on a decision by a continuous and adaptive granular rate anomaly engine.
  - 3. The method of claim 1, further comprising determining, by a continuous and adaptive granular rate anomaly engine of each of the plurality of DDoS attack mitigation components, the plurality of granular rates based on packet meta information of the packets.
  - 4. The method of claim 3, further comprising sending, by the continuous and adaptive granular rate anomaly engine of each of the plurality of DDoS attack mitigation components, granular network layer drop statistics to the controlling host over a host interface.
  - 5. The method of claim 3, further comprising setting, by the continuous and adaptive granular rate anomaly engine of each of the plurality of DDoS attack mitigation components, the plurality of granular rate thresholds based on commands received from the controlling host over a host interface.
  - 6. The method of claim 1, further comprising combining, by the controlling host, the corresponding granular rates from the plurality of DDoS attack mitigation components by using a plurality of corresponding scaling treatments to arrive at an effective rate to be used for adaptive threshold calculation.
  - 7. The method of claim 1, wherein a layer 2 granular rate of the plurality of granular rates for layer 2 parameters comprises an observed rate of Address Resolution Protocol (ARP) packets or Reverse ARP (RARP) packets within the packets.
  - 8. The method of claim 1, wherein a layer 2 granular rate of the plurality of granular rates for layer 2 parameters comprises an observed rate of broadcast packets, non-Internet Protocol (IP) packets or Virtual Local Area Network (VLAN)-tagged packets within the packets.
  - 9. The method of claim 1, wherein a layer 3 granular rate of the plurality of granular rates for layer 3 parameters comprises an observed packet rate of a particular protocol, a particular Internet Protocol (IP) option or fragmented packets within the packets.
  - 10. The method of claim 1, wherein a layer 3 granular rate of the plurality of granular rates for layer 3 parameters comprises an observed packet rate for a most active source from which the packets are originated within the external network.
  - 11. The method of claim 1, wherein a layer 3 granular rate of the plurality of granular rates for layer 3 parameters comprises an observed packet rate for a most active destination to which the packets are directed within the internal network.
  - 12. The method of claim 1, wherein a layer 3 granular rate of the plurality of granular rates for layer 3 parameters comprises a count of unique sources specified by the packets.
  - 13. The method of claim 1, wherein a layer 4 granular rate of the plurality of granular rates for layer 4 parameters comprises an observed packet rate of SYN, ACK, FIN, PUSH or RST packets within the packets.
  - 14. The method of claim 1, wherein a layer 4 granular rate of the plurality of granular rates for layer 4 parameters comprises an observed packet rate of SYN, ACK, FIN, PUSH or RST packets within the packets that are received from a particular source.
  - 15. The method of claim 1, wherein a layer 4 granular rate of the plurality of granular rates for layer 4 parameters comprises an observed packet rate of SYN, ACK, FIN, PUSH or RST packets within the packets that are directed to a particular destination.
  - 16. The method of claim 1, wherein a layer 4 granular rate of the plurality of granular rates for layer 4 parameters comprises an observed total number of established connections to a particular destination.
  - 17. The method of claim 1, wherein a layer 4 granular rate of the plurality of granular rates for layer 4 parameters comprises an observed number of concurrent connections to a particular destination or from a particular source.
  - 18. The method of claim 1, wherein a layer 7 granular rate of the plurality of granular rates for layer 7 parameters comprises an observed rate of a particular Hypertext Transfer Protocol (HTTP) method, a particular HTTP Uniform Resource Locator (URL), a particular HTTP user-agent or a particular HTTP URL from a particular source within the packets.
  - 19. The method of claim 1, wherein a layer 7 granular rate of the plurality of granular rates for layer 7 parameters comprises an observed rate of a particular Session Initiation Protocol (SIP) method, a particular SIP URL or a particular SIP user-agent within the packets.
  - 20. The method of claim 1, wherein a layer 7 granular rate of the plurality of granular rates for layer 7 parameters comprises an observed rate of Domain Name System (DNS) queries or DNS responses within the packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
Jain, Hemant Kumar
Primary Examiner(s)
Pwu, Jeffrey C
Assistant Examiner(s)
Tran, Baotram

Application Number

US15/640,233
Publication Number

US 20170302698A1
Time in Patent Office

809 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04L 63/20   for managing network securi...

Scalable inline behavioral DDoS attack mitigation

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Scalable inline behavioral DDoS attack mitigation

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links