Processing network traffic to defend against attacks
First Claim
1. A network traffic processing method, comprising:
determining that one or more packets of first network traffic associated with a first public network address have been dropped, the first public network address being associated with a target host;
assigning a second public network address to second network traffic and generating a forwarding path corresponding to the second public network address, wherein the second network traffic arrives from a filtering device and is intended for the target host, the second public network address is configured to receive network traffic directed to the target host, and the forwarding path is configured to forward the second network traffic received at the second public network address to the target host; and
separating legitimate network traffic and malicious network traffic directed to the target host corresponding to the first public network address and the second public network address, the separating comprising:
notifying the filtering device to transmit the second network traffic to the second public network address and cause the second network traffic to be forwarded to the target host according to the forwarding path; and
black-hole routing the first network traffic directed to the first public network address that arrives from a device other than the filtering device.
Abstract
Network traffic processing includes: determining whether one or more packets of network traffic associated with a first public network address have been dropped, the first public network address being associated with a target host; in response to the determination that the one or more packets associated with the first public network address have been dropped, assigning a second public network address to the network traffic and generating a forwarding path corresponding to the second public network address, wherein the second public network address is configured to receive the network traffic, and wherein the forwarding path is configured to forward the network traffic received at the second public network address to the target host; and notifying a filtering device to transmit the network traffic to the second public network address and cause the network traffic to be forwarded to the target host according to the forwarding path.
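The control loop the abstract describes, as an added toy model that is not the patent's own code: a controller counts dropped packets per public address, and once a host's address is under attack it assigns a second address, installs the forwarding path to the host, notifies the filtering device, and black-holes traffic to the first address unless it arrives from the filter. The device name, addresses, hosts and drop threshold are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

FILTER_DEVICE = "filter-1"  # hypothetical name of the filtering (scrubbing) device


@dataclass
class MigrationController:
    """Control plane for the abstract's scheme; all names and values are constructed."""
    drop_threshold: int                       # assumed: migrate once this many drops are seen
    address_pool: List[str]                   # spare public addresses to hand out
    target_of: Dict[str, str]                 # public address -> protected target host
    forwarding: Dict[str, str] = field(default_factory=dict)   # second address -> target host
    blackholed: Set[str] = field(default_factory=set)          # first addresses under attack
    notifications: List[Tuple[str, str, str]] = field(default_factory=list)
    drops: Dict[str, int] = field(default_factory=dict)

    def record_drop(self, first_addr: str, count: int = 1) -> Optional[str]:
        """Count dropped packets for a public address; migrate when the threshold is reached."""
        self.drops[first_addr] = self.drops.get(first_addr, 0) + count
        if self.drops[first_addr] >= self.drop_threshold and first_addr not in self.blackholed:
            return self.migrate(first_addr)
        return None

    def migrate(self, first_addr: str) -> str:
        """Assign a second public address, build its forwarding path, notify the filter,
        and black-hole the first address for traffic not coming from the filter."""
        target = self.target_of[first_addr]
        second_addr = self.address_pool.pop(0)
        self.forwarding[second_addr] = target          # forwarding path: second address -> target
        self.target_of[second_addr] = target
        self.notifications.append((first_addr, second_addr, target))  # message to the filter device
        self.blackholed.add(first_addr)
        return second_addr

    def handle(self, ingress_device: str, dst_addr: str) -> str:
        """Data-plane decision for one packet, keyed on where it entered and its destination."""
        from_filter = ingress_device == FILTER_DEVICE
        if dst_addr in self.forwarding:
            # Second address: only the filter device is told about it; other sources are
            # dropped here (assumption, the abstract does not specify this case).
            return f"forward:{self.forwarding[dst_addr]}" if from_filter else "drop"
        if dst_addr in self.blackholed and not from_filter:
            return "blackhole"                          # attack traffic bypassing the filter
        if dst_addr in self.target_of:
            return f"forward:{self.target_of[dst_addr]}"  # normal path, or filtered traffic
        return "drop"
```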
19 Claims
1. A network traffic processing method, comprising: (independent claim; full text given under First Claim above)
Dependent claims: 2, 3, 4, 5, 6.
7. A system for processing network traffic, comprising:
one or more processors configured to:
determine that one or more packets of first network traffic associated with a first public network address have been dropped, the first public network address being associated with a target host;
assign a second public network address to second network traffic and generate a forwarding path corresponding to the second public network address, wherein the second network traffic arrives from a filtering device and is intended for the target host, the second public network address is configured to receive network traffic directed to the target host, and the forwarding path is configured to forward the second network traffic received at the second public network address to the target host; and
separate legitimate network traffic and malicious network traffic directed to the target host corresponding to the first public network address and the second public network address, to separate legitimate network traffic and malicious network traffic comprising:
notify the filtering device to transmit the second network traffic arriving from an inbound filter to the second public network address and cause the second network traffic to be forwarded to the target host according to the forwarding path; and
black-hole route the first network traffic directed to the first public network address that arrives from a device other than the filtering device; and
one or more memories coupled to the one or more processors and configured to provide the one or more processors with instructions.
Dependent claims: 8, 9, 10, 11, 12.
13. A computer program product for processing network traffic to counter Distributed Denial of Service (DDOS) attacks at a target host, the computer program product being embodied in a non-transitory tangible computer readable storage medium and comprising computer instructions for:
determining that one or more packets of first network traffic associated with a first public network address have been dropped, the first public network address being associated with the target host;
assigning a second public network address to second network traffic and generating a forwarding path corresponding to the second public network address, wherein the second network traffic arrives from a filtering device and is intended for the target host, the second public network address is configured to receive network traffic directed to the target host, and the forwarding path is configured to forward the second network traffic received at the second public network address to the target host; and
separating legitimate network traffic and malicious network traffic directed to the target host corresponding to the first public network address and the second public network address, the separating comprising:
notifying the filtering device to transmit the second network traffic to the second public network address and cause the second network traffic to be forwarded to the target host according to the forwarding path; and
black-hole routing the first network traffic directed to the first public network address that arrives from a device other than the filtering device.
14. A network traffic processing method, comprising:
filtering first network traffic associated with a first public network address and forwarding the filtered first network traffic to the first public network address;
receiving a second public network address from a software defined network (SDN), the second public network address being associated with second network traffic arriving from an inbound filter that was initially associated with the first public network address; and
separating legitimate network traffic and malicious network traffic directed to a target host corresponding to the first public network address and the second public network address, the separating comprising:
forwarding the second network traffic arriving from the inbound filter and directed to the second public network address to a protected host; and
black-hole routing the first network traffic directed to the first public network address.
Dependent claims: 15, 16.
17. A system for processing network traffic, comprising:
one or more processors configured to:
filter first network traffic associated with a first public network address and forward the filtered first network traffic to the first public network address;
receive a second public network address from a software defined network (SDN), the second public network address being associated with second network traffic that was initially associated with the first public network address; and
separate legitimate network traffic and malicious network traffic directed to a target host corresponding to the first public network address and the second public network address, to separate the legitimate network traffic and the malicious network traffic comprising:
forward the second network traffic arriving from an inbound filter and directed to the second public network address to a protected host; and
black-hole route the first network traffic directed to the first public network address; and
one or more memories coupled to the one or more processors and configured to provide the one or more processors with instructions.
Dependent claims: 18, 19.