Scalable inline behavioral DDoS attack mitigation
First Claim
1. A method comprising:
- receiving, by a switch of a Distributed Denial of Service (DDoS) attack mitigation appliance, packets from an external network and destined for an internal network protected by the DDoS attack mitigation appliance;
- remembering, by the switch, respective ports of the DDoS attack mitigation appliance on which the packets were received to facilitate forwarding of the packets on corresponding pair ports of the DDoS attack mitigation appliance after the packets are processed by a plurality of DDoS attack mitigation components of the DDoS attack mitigation appliance;
- providing improved throughput over that which is achievable by a single, inline DDoS attack mitigation component, by distributing, by the switch, the packets among the plurality of DDoS attack mitigation components;
- calculating, by each of the plurality of DDoS attack mitigation components, a plurality of granular rates for each of a plurality of Open System Interconnection (OSI) model network layers, including a plurality of layer 2, layer 3, layer 4 and layer 7 parameters, based on one or more of individual protocols with which the packets are associated and individual parameters or commands of the individual protocols;
- obtaining, by a controlling host of the DDoS attack mitigation appliance, from each of the plurality of DDoS attack mitigation components, the plurality of granular rates;
- continuously and adaptively adjusting, by the controlling host, a plurality of granular rate thresholds for each of the plurality of layer 2, layer 3, layer 4 and layer 7 parameters by aggregating corresponding granular rates of the plurality of granular rates and based on one or more of corresponding historical base rates, trends and seasonality;
- causing, by the controlling host, the plurality of DDoS attack mitigation components to perform DDoS attack mitigation including enforcement of the plurality of granular rate thresholds by configuring the DDoS attack mitigation components with the plurality of granular rate thresholds; and
- performing granular rate limiting of the packets to the plurality of granular rate thresholds for each of the plurality of layer 2, layer 3, layer 4 and layer 7 parameters by forwarding or dropping, by the plurality of DDoS attack mitigation components, the packets based on results of the DDoS attack mitigation.
Abstract
Methods and systems for a scalable solution to behavioral Distributed Denial of Service (DDoS) attacks targeting a network are provided. According to one embodiment, a method is provided for determining the scaling treatment of various granular layer parameters of the Open System Interconnection (OSI) model for communication systems. A hardware-based apparatus measures packet rates and determines packet rate thresholds through continuous and adaptive learning across multiple DDoS attack mitigation components. The system can be scaled up by stacking multiple DDoS attack mitigation components, distributing load across the stacked components to provide protection against large-scale DDoS attacks.
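The claim and abstract describe the appliance as a procedure (distribute, count per-layer rates, aggregate, learn thresholds, enforce) without code. The following is a Python model of that procedure added for this page; it is not the patent's own implementation and every formula and name in it is an assumption: a round-robin switch with a single port pair, thresholds learned as a margin over the maximum of the historical mean, a linear trend projection and the rate one seasonal period back, a per-interval cap on threshold growth, components that report only forwarded traffic to the controlling host, and constructed benign and flood traffic.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:                 # constructed, minimal packet description (assumption)
    in_port: int
    proto: str                # "TCP", "UDP" or "ICMP"
    dport: int = 0
    tcp_flags: str = ""       # "S" for a SYN
    l7: str = ""              # e.g. "HTTP:GET", "DNS:A"; empty when not parsed
    ethertype: str = "IPv4"

def granular_keys(p):
    """Per-layer parameters that are counted and rate-limited independently."""
    keys = [("L2", "ethertype", p.ethertype), ("L3", "proto", p.proto)]
    if p.proto in ("TCP", "UDP"):
        keys.append(("L4", "dport", p.dport))
    if p.tcp_flags:
        keys.append(("L4", "tcp_flags", p.tcp_flags))
    if p.l7:
        keys.append(("L7", "command", p.l7))
    return keys

def adaptive_threshold(history, period, margin, floor):
    """Appliance-wide threshold for one parameter from its per-interval rate history: mean
    base rate, linear trend projected one interval ahead, and the rate one period back."""
    base = sum(history) / len(history)
    trend = (history[-1] - history[0]) / max(len(history) - 1, 1)
    seasonal = history[-period] if len(history) >= period else base
    return max(floor, margin * max(base, history[-1] + trend, seasonal))

class MitigationComponent:
    def __init__(self):
        self.seen, self.passed = Counter(), Counter()
        self.limits = {}      # key -> max packets per interval on this component
    def process(self, p):
        """Count every parameter of the packet, then drop it if any is over its limit."""
        keys = granular_keys(p)
        self.seen.update(keys)
        forward = all(self.seen[k] <= self.limits.get(k, float("inf")) for k in keys)
        if forward:
            self.passed.update(keys)
        return forward
    def report(self):
        # Only forwarded traffic is reported, so an attack cannot inflate the baseline.
        rates, self.seen, self.passed = dict(self.passed), Counter(), Counter()
        return rates

class ControllingHost:
    def __init__(self, n, period=4, margin=2.0, floor=10, max_growth=1.25):
        self.n, self.period, self.margin, self.floor = n, period, margin, floor
        self.max_growth = max_growth   # cap on threshold growth per interval
        self.history, self.current = defaultdict(list), {}
    def learn(self, reports):
        """Aggregate component rates, update history/thresholds, return per-component limits."""
        agg = sum((Counter(r) for r in reports), Counter())
        for k in set(self.history) | set(agg):    # keep zeros so idle parameters decay
            self.history[k].append(agg.get(k, 0))
        for k, h in self.history.items():
            new = adaptive_threshold(h, self.period, self.margin, self.floor)
            if k in self.current:
                new = min(new, self.current[k] * self.max_growth)
            self.current[k] = new
        return {k: v / self.n for k, v in self.current.items()}  # each sees ~1/n of traffic

class Appliance:
    PAIR = {1: 2, 2: 1}       # ingress port -> pair port (assumption: one port pair)
    def __init__(self, n):
        self.components = [MitigationComponent() for _ in range(n)]
        self.host, self.rr, self.egress = ControllingHost(n), 0, Counter()
    def switch(self, p):
        """Distribute round-robin (a real switch would hash the flow so per-flow state
        stays on one component); a forwarded packet leaves on its ingress port's pair."""
        c, self.rr = self.components[self.rr], (self.rr + 1) % len(self.components)
        ok = c.process(p)
        if ok:
            self.egress[self.PAIR[p.in_port]] += 1
        return ok
    def end_interval(self):
        limits = self.host.learn([c.report() for c in self.components])
        for c in self.components:
            c.limits = limits
        return limits

def simulate(n=4, quiet_intervals=8, flood=5000):
    """Learn on constructed benign traffic (40 HTTP SYNs, 20 DNS queries per interval),
    then add a SYN flood; returns (per-component SYN limit, benign forwarded, flood forwarded)."""
    app = Appliance(n)
    benign = [Packet(1, "TCP", 80, "S", "HTTP:GET") for _ in range(40)]
    benign += [Packet(1, "UDP", 53, "", "DNS:A") for _ in range(20)]
    for _ in range(quiet_intervals):
        for p in benign:
            app.switch(p)
        limits = app.end_interval()
    benign_ok = sum(app.switch(p) for p in benign)
    flood_ok = sum(app.switch(Packet(1, "TCP", 80, "S")) for _ in range(flood))
    return limits[("L4", "tcp_flags", "S")], benign_ok, flood_ok
```

With the defaults, `simulate()` returns `(20.0, 60, 40)`: after eight quiet intervals the aggregate SYN threshold settles at twice the learned 40 SYNs per interval, each of the four components enforces a quarter of that, all 60 benign packets of the attack interval are still forwarded, and only 40 of the 5000 flood SYNs get through before the layer 4 `tcp_flags` limit trips on every component. Two design choices matter in practice: components report forwarded rather than observed rates, and the host caps threshold growth per interval, so a flood (or a slow ramp) cannot teach the appliance that the attack rate is the new baseline.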
20 Claims