Processing network traffic to defend against attacks

US 10,587,637 B2
Filed: 07/07/2017
Issued: 03/10/2020
Est. Priority Date: 07/15/2016
Status: Active Grant

First Claim

Patent Images

1. A network traffic processing method, comprising:

determining that one or more packets of first network traffic associated with a first public network address have been dropped, the first public network address being associated with a target host;

assigning a second public network address to second network traffic and generating a forwarding path corresponding to the second public network address, wherein the second network traffic arrives from a filtering device and is intended for the target host, the second public network address is configured to receive network traffic directed to the target host, and the forwarding path is configured to forward the second network traffic received at the second public network address to the target host; and

separating legitimate network traffic and malicious network traffic directed to the target host corresponding to the first public network address and the second public network address, the separating comprising;

notifying the filtering device to transmit the second network traffic to the second public network address and cause the second network traffic to be forwarded to the target host according to the forwarding path; and

black-hole routing the first network traffic directed to the first public network address that arrives from a device other than the filtering device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Network traffic processing includes: determining whether one or more packets of network traffic associated with a first public network address have been dropped, the first public network address being associated with a target host; in response to the determination that the one or more packets associated with the first public network address have been dropped, assigning a second public network address to the network traffic and generating a forwarding path corresponding to the second public network address, wherein the second public network address is configured to receive the network traffic, and wherein the forwarding path is configured to forward the network traffic received at the second public network address to the target host; and notifying a filtering device to transmit the network traffic to the second public network address and cause the network traffic to be forwarded to the target host according to the forwarding path.

Citations

19 Claims

1. A network traffic processing method, comprising:
- determining that one or more packets of first network traffic associated with a first public network address have been dropped, the first public network address being associated with a target host;
  
  assigning a second public network address to second network traffic and generating a forwarding path corresponding to the second public network address, wherein the second network traffic arrives from a filtering device and is intended for the target host, the second public network address is configured to receive network traffic directed to the target host, and the forwarding path is configured to forward the second network traffic received at the second public network address to the target host; and
  
  separating legitimate network traffic and malicious network traffic directed to the target host corresponding to the first public network address and the second public network address, the separating comprising;
  
  notifying the filtering device to transmit the second network traffic to the second public network address and cause the second network traffic to be forwarded to the target host according to the forwarding path; and
  
  black-hole routing the first network traffic directed to the first public network address that arrives from a device other than the filtering device.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the determining, assigning, generating and notifying are performed on a software defined network (SDN).
  - 3. The method of claim 1, wherein the determining of whether the one or more packets of the first network traffic associated with the first public network address have been dropped comprises:
    - receiving a notification message from a controller, wherein the notification message is transmitted when an amount of the first network traffic sent to the first public network address is determined to exceed a pre-determined threshold, and the notification message indicates that a routing device is to drop first network traffic sent to the first public network address.
  - 4. The method of claim 1, wherein the forwarding path is a path to forward the second network traffic from the second public network address to a private address of the target host.
  - 5. The method of claim 1, wherein the notifying of the filtering device comprises:
    - transmitting a notification message to the filtering device, wherein the notification message notifies the filtering device to update a destination address of network traffic corresponding to the first public network address to the second public network address.
  - 6. The method of claim 1, further comprises:
    - sending information pertaining to the forwarding path to a routing device; and
      
      instructing the routing device to forward the second network traffic to the target host according to the forwarding path.

7. A system for processing network traffic, comprising:
- one or more processors configured to;
  
  determine that one or more packets of first network traffic associated with a first public network address have been dropped, the first public network address being associated with a target host;
  
  assign a second public network address to second network traffic and generate a forwarding path corresponding to the second public network address, wherein the second network traffic arrives from a filtering device and is intended for the target host, the second public network address is configured to receive network traffic directed to the target host, and the forwarding path is configured to forward the second network traffic received at the second public network address to the target host; and
  
  separate legitimate network traffic and malicious network traffic directed to the target host corresponding to the first public network address and the second public network address, to separate legitimate network traffic and malicious network traffic comprising;
  
  notify the filtering device to transmit the second network traffic arriving from an inbound filter to the second public network address and cause the second network traffic to be forwarded to the target host according to the forwarding path; and
  
  black-hole route the first network traffic directed to the first public network address that arrives from a device other than the filtering device; and
  
  one or more memories coupled to the one or more processors and configured to provide the one or more processors with instructions.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The system of claim 7, wherein the system is a software defined network (SDN).
  - 9. The system of claim 7, wherein to determine whether the one or more packets of the first network traffic associated with the first public network address have been dropped comprises to:
    - receive a notification message from a controller, wherein the notification message is transmitted when an amount of the first network traffic sent to the first public network address is determined to exceed a pre-determined threshold, and the notification message indicates that a routing device is to drop network traffic sent to the first public network address.
  - 10. The system of claim 7, wherein the forwarding path is a path to forward the second network traffic from the second public network address to a private address of the target host.
  - 11. The system of claim 7, wherein to notify the filtering device comprises to:
    - transmit a notification message to the filtering device, wherein the notification message notifies the filtering device to update a destination address of network traffic corresponding to the first public network address to the second public network address.
  - 12. The system of claim 7, wherein the one or more processors are further configured to:
    - send information pertaining to the forwarding path to a routing device; and
      
      instruct the routing device to forward the second network traffic to the target host according to the forwarding path.

13. A computer program product for processing network traffic to counter Distributed Denial of Service (DDOS) attacks at a target host, the computer program product being embodied in a non-transitory tangible computer readable storage medium and comprising computer instructions for:
- determining that one or more packets of first network traffic associated with a first public network address have been dropped, the first public network address being associated with the target host;
  
  assigning a second public network address to second network traffic and generating a forwarding path corresponding to the second public network address, wherein the second network traffic arrives from a filtering device and is intended for the target host, the second public network address is configured to receive network traffic directed to the target host, and the forwarding path is configured to forward the second network traffic received at the second public network address to the target host; and
  
  separating legitimate network traffic and malicious network traffic directed to the target host corresponding to the first public network address and the second public network address, the separating comprising;
  
  notifying the filtering device to transmit the second network traffic to the second public network address and cause the second network traffic to be forwarded to the target host according to the forwarding path; and
  
  black-hole routing the first network traffic directed to the first public network address that arrives from a device other than the filtering device.

14. A network traffic processing method, comprising:
- filtering first network traffic associated with a first public network address and forwarding the filtered first network traffic to the first public network address;
  
  receiving a second public network address from a software defined network (SDN), the second public network address being associated with second network traffic arriving from an inbound filter that was initially associated with the first public network address; and
  
  separating legitimate network traffic and malicious network traffic directed to a target host corresponding to the first public network address and the second public network address, the separating comprising;
  
  forwarding the second network traffic arriving from the inbound filter and directed to the second public network address to a protected host; and
  
  black-hole routing the first network traffic directed to the first public network address.
- View Dependent Claims (15, 16)
- - 15. The method of claim 14, further comprising:
    - receiving the first public network address configured by a controller, the first public network address being a destination address associated with the first network traffic.
  - 16. The method of claim 14, further comprising:
    - updating a destination address associated with network traffic corresponding to the first public network address to the second public network address.

17. A system for processing network traffic, comprising:
- one or more processors configured to;
  
  filter first network traffic associated with a first public network address and forward the filtered first network traffic to the first public network address;
  
  receive a second public network address from a software defined network (SDN), the second public network address being associated with second network traffic that was initially associated with the first public network address; and
  
  separate legitimate network traffic and malicious network traffic directed to a target host corresponding to the first public network address and the second public network address, to separate the legitimate network traffic and the malicious network traffic comprising;
  
  forward the second network traffic arriving from an inbound filter and directed to the second public network address to a protected host; and
  
  black-hole route the first network traffic directed to the first public network address; and
  
  one or more memories coupled to the one or more processors and configured to provide the one or more processors with instructions.
- View Dependent Claims (18, 19)
- - 18. The system of claim 17, wherein the one or more processors are further configured to:
    - receive the first public network address configured by a controller, the first public network address being a destination address associated with the first network traffic.
  - 19. The system of claim 17, wherein the one or more processors are further configured to:
    - update a destination address associated with network traffic corresponding to the first public network address to the second public network address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alibaba Group Holding Ltd.
Original Assignee
Alibaba Group Holding Ltd.
Inventors
Hu, Min, Qiao, Huilai, Jia, Jiong, Chen, Yi
Primary Examiner(s)
Zee, Edward

Application Number

US15/643,948
Publication Number

US 20180020016A1
Time in Patent Office

977 Days
Field of Search
US Class Current
CPC Class Codes

H04L 43/028   by filtering

H04L 43/0835   One way packet loss

H04L 45/22   Alternate routing

H04L 45/24   Multipath

H04L 45/74   Address processing for routing

H04L 63/10   for controlling access to d...

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

H04L 63/20   for managing network securi...

Processing network traffic to defend against attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Processing network traffic to defend against attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links