ISP blacklist feed

US 10,516,697 B2
Filed: 01/28/2019
Issued: 12/24/2019
Est. Priority Date: 01/13/2015
Status: Active Grant

First Claim

Patent Images

1. A method of providing a notification containing an ISP from which DDoS attacks originate, the method comprising performing by a computing system:

receiving an indication that one or more network resources are being targeted as part of one or more DDoS attacks;

obtaining one or more malicious IP addresses corresponding to devices that transceive data with the one or more network resources as part of the one or more DDoS attacks;

sending a request to a database system to determine an Internet Service Provider (ISP) associated with each of the one or more malicious IP addresses;

computing a metric associated with a first ISP involved in the one or more DDoS attacks, wherein the metric includes at least one of;

a first amount of malicious IP addresses of the first ISP and a second amount of malicious requests from the malicious IP addresses of the first ISP;

comparing the metric to a threshold; and

when the metric exceeds the threshold, sending, to a list of subscribers, an alert message indicating that the first ISP is involved in the one or more DDoS attacks.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are provided for an actionable blacklist of DDoS offenders and ISPs associated offenders. The system can collect real-time attack data and perform real-time analysis, which can be fed into a centralized database for intelligent analysis to identify offenders and report to interested subscribers. The system can receive an indication that network resources are being targeted as part of one or more DDoS attacks, and then obtain the malicious IP address of devices associated with those DDoS attacks. The system can determine the Internet Service Provider (ISP) associated with malicious IP addresses. A metric can be computed that is associated with an ISP involved in the one or more DDoS attacks. If the metric exceeds a threshold, then an alert message indicating that the first ISP is involved in the one or more DDoS attacks can be sent to a list of subscribers.

30 Citations

19 Claims

1. A method of providing a notification containing an ISP from which DDoS attacks originate, the method comprising performing by a computing system:
- receiving an indication that one or more network resources are being targeted as part of one or more DDoS attacks;
  
  obtaining one or more malicious IP addresses corresponding to devices that transceive data with the one or more network resources as part of the one or more DDoS attacks;
  
  sending a request to a database system to determine an Internet Service Provider (ISP) associated with each of the one or more malicious IP addresses;
  
  computing a metric associated with a first ISP involved in the one or more DDoS attacks, wherein the metric includes at least one of;
  
  a first amount of malicious IP addresses of the first ISP and a second amount of malicious requests from the malicious IP addresses of the first ISP;
  
  comparing the metric to a threshold; and
  
  when the metric exceeds the threshold, sending, to a list of subscribers, an alert message indicating that the first ISP is involved in the one or more DDoS attacks.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein the indication is received from one or more anomaly detection systems.
  - 3. The method of claim 1, wherein the indication is received from one or more network traffic analyzers.
  - 4. The method of claim 1, wherein the one or more malicious IP addresses are obtained from net flow analyzer equipment.
  - 5. The method of claim 1, wherein the one or more malicious IP addresses are obtained from the received indication.
  - 6. The method of claim 1, wherein the one or more malicious IP addresses are obtained from one or more net flow analyzer devices.
  - 7. The method of claim 1, wherein the computer system includes the database system.
  - 8. The method of claim 1, wherein the database system is separate from the computer system.
  - 9. The method of claim 1, wherein the metric includes an amount of malicious IP addresses of the first ISP.
  - 10. The method of claim 1, wherein the metric includes a quantity of malicious requests from the malicious IP addresses of the first ISP.
  - 11. The method of claim 1, wherein the metric includes a percentage of malicious IP addresses belonging to a prefix group.
  - 12. The method of claim 1, wherein the metric includes a percentage of malicious IP addresses belonging to the first ISP.
  - 13. The method of claim 1, wherein the metric includes a volume of requests belonging to the first ISP.
  - 14. The method of claim 1, wherein the metric includes a time range of requests.
  - 15. The method of claim 1, wherein malicious request data for computing the metric is collected based on a moving programmable time window.
  - 16. The method of claim 15, wherein the programmable time window is a moving time window.
  - 17. The method of claim 1, further comprising sending a message to one or more subscribers indicating that their machines have been compromised.
  - 18. The method of claim 1, further comprising sending a message to a subscriber ISP indicating that one or more of their machines have been compromised.

19. A system for providing a notification containing an ISP from which DDoS attacks originate, the system comprising:
- at least one processor communicably coupled to a memory, wherein the memory is operable to store instructions for execution by the at least one processor, the at least one processor operable to execute the instructions to perform the steps of;
  
  receiving an indication that one or more network resources are being targeted as part of one or more DDoS attacks;
  
  obtaining one or more malicious IP addresses corresponding to devices that transceive data with the one or more network resources as part of the one or more DDoS attacks;
  
  sending a request to a database system to determine an Internet Service Provider (ISP) associated with each of the one or more malicious IP addresses;
  
  computing a metric associated with a first ISP involved in the one or more DDoS attacks, wherein the metric includes at least one of;
  
  a first amount of malicious IP addresses of the first ISP and a second amount of malicious requests from the malicious IP addresses of the first ISP;
  
  comparing the metric to a threshold; and
  
  when the metric exceeds the threshold, sending, to a list of subscribers, an alert message indicating that the first ISP is involved in the one or more DDoS attacks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Level 3 Communications LLC (Lumen Technologies, Inc.)
Original Assignee
Level 3 Communications LLC (Lumen Technologies, Inc.)
Inventors
Smith, Robert, Marck, Shawn
Primary Examiner(s)
Naghdali, Khalil

Application Number

US16/259,173
Publication Number

US 20190158534A1
Time in Patent Office

330 Days
Field of Search

726 23
US Class Current
CPC Class Codes

H04L 63/101 Access control lists [ACL]

H04L 63/1458 Denial of Service

ISP blacklist feed

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

30 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

ISP blacklist feed

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links