System and method of traffic filtering upon detection of a DDoS attack

US 10,693,907 B2
Filed: 06/06/2017
Issued: 06/23/2020
Est. Priority Date: 04/28/2017
Status: Active Grant

First Claim

Patent Images

1. A method for filtering network traffic to protect a computing device from a distributed denial-of-service (DDoS) attack, wherein the method comprises:

responsive to detecting the computing device is subject to the DDoS attack, intercepting data from a network node to the computing device;

determining one or more data transmission parameters based on the intercepted data;

assigning an initial danger rating to the network node at least based on a network address of the network node comprising at least an IP address;

changing the danger rating of the network node based on an application of a filter and on the data transmission parameters;

responsive to determining that the danger rating of the network node exceeds a threshold value, limiting a transmittal of data from the network node to the computing device by limiting channel capacity between the network node and the computing device, wherein an amount by which the channel capacity is limited is determined based on a relationship between the changed danger rating and historical values of the danger rating; and

halting the application of the filter until the danger rating of the network node becomes less than the threshold value.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are a system, a method, and computer readable storage medium having instructions for filtering network traffic to protect a server from a distributed denial-of-service (DDoS) attack. The described technique includes intercepting data from a network node to the computing device responsive to detecting a computing device is subject to a DDoS attack. The technique further includes determining one or more data transmission parameters based on the intercepted data, assigning a danger rating to the network node, and changing the danger rating of the network node based on application of a filter and on the data transmission parameters. The described technique limits a transmittal of data from the network node to the computing device if the resultant danger rating of the network node exceeds a threshold value.

11 Citations

21 Claims

1. A method for filtering network traffic to protect a computing device from a distributed denial-of-service (DDoS) attack, wherein the method comprises:
- responsive to detecting the computing device is subject to the DDoS attack, intercepting data from a network node to the computing device;
  
  determining one or more data transmission parameters based on the intercepted data;
  
  assigning an initial danger rating to the network node at least based on a network address of the network node comprising at least an IP address;
  
  changing the danger rating of the network node based on an application of a filter and on the data transmission parameters;
  
  responsive to determining that the danger rating of the network node exceeds a threshold value, limiting a transmittal of data from the network node to the computing device by limiting channel capacity between the network node and the computing device, wherein an amount by which the channel capacity is limited is determined based on a relationship between the changed danger rating and historical values of the danger rating; and
  
  halting the application of the filter until the danger rating of the network node becomes less than the threshold value.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein the assigning the initial danger rating to the network node further comprises:
    - assigning the danger rating to the network node according to danger ratings of known network nodes stored in a database.
  - 3. The method of claim 2, further comprising:
    - updating a stored danger rating in the database based on a period of time in which the transmittal of data from the network node to the computing device was limited.
  - 4. The method of claim 1, further comprising:
    - reverting changes to the danger rating of the network node responsive to an expiration of the filter; and
      
      responsive to determining that the danger rating of the network node no longer exceeds the threshold value, canceling the limiting of the transmittal of data from the network node to the computing device.
  - 5. The method of claim 1, further comprising:
    - extending a lifetime of the filter responsive to detecting a repeat triggering of the filter based on the data transmission parameters.
  - 6. The method of claim 1, wherein changing the danger rating of the network node based on application of the filter and on the data transmission parameters further comprises:
    - increasing the danger rating of the network node based on a determination that criteria associated with the filter is met by the data transmission parameters.
  - 7. The method of claim 1, wherein the limiting of the channel capacity between the network node and the computing device is further based on a degree to which the danger rating of the network node exceeds the threshold value.

8. A system for filtering network traffic to protect a computing device from a distributed denial-of-service (DDoS) attack, wherein the system comprises:
- a memory device storing one or more filters; and
  
  a processor configured to;
  
  responsive to detecting the computing device is subject to the DDoS attack, intercept data from a network node to the computing device;
  
  determine one or more data transmission parameters based on the intercepted data;
  
  assign an initial danger rating to the network node at least based on a network address of the network node comprising at least an IP address;
  
  change the danger rating of the network node based on an application of a filter and on the data transmission parameters;
  
  responsive to determining that the danger rating of the network node exceeds a threshold value, limit a transmittal of data from the network node to the computing device by limiting channel capacity between the network node and the computing device, wherein an amount by which the channel capacity is limited is determined based on a relationship between the changed danger rating and historical values of the danger rating; and
  
  halt the application of the filter until the danger rating of the network node becomes less than the threshold value.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8, wherein the processor configured to assign the initial danger rating to the network node is further configured to:
    - assign the danger rating to the network node according to danger ratings of known network nodes stored in a database.
  - 10. The system of claim 9, wherein the processor is further configured to:
    - update a stored danger rating in the database based on a period of time in which the transmittal of data from the network node to the computing device was limited.
  - 11. The system of claim 8, wherein the processor is further configured to:
    - revert changes to the danger rating of the network node responsive to an expiration of the filter; and
      
      responsive to determining that the danger rating of the network node no longer exceeds the threshold value, cancel the limiting of the transmittal of data from the network node to the computing device.
  - 12. The system of claim 8, wherein the processor is further configured to:
    - extend a lifetime of the filter responsive to detecting a repeat triggering of the filter based on the data transmission parameters.
  - 13. The system of claim 8, wherein the processor configured to change the danger rating of the network node based on application of the filter and on the data transmission parameters is further configured to:
    - Increase the danger rating of the network node based on a determination that criteria associated with the filter is met by the data transmission parameters.
  - 14. The system of claim 8, wherein the processor configured to limit the transmittal of data from the network node to the computing device is further configured to:
    - limit the channel capacity between the network node and the computing device further based on a degree to which the danger rating of the network node exceeds the threshold value.

15. A non-transitory computer readable medium comprising computer executable instructions for filtering network traffic to protect a computing device from a distributed denial-of-service (DDoS) attack, including instructions for:
- responsive to detecting the computing device is subject to the DDoS attack, intercepting data from a network node to the computing device;
  
  determining one or more data transmission parameters based on the intercepted data;
  
  assigning an initial danger rating to the network node at least based on a network address of the network node comprising at least an IP address;
  
  changing the danger rating of the network node based on an application of a filter and on the data transmission parameters;
  
  responsive to determining that the danger rating of the network node exceeds a threshold value, limiting a transmittal of data from the network node to the computing device by limiting channel capacity between the network node and the computing device, wherein an amount by which the channel capacity is limited is determined based on a relationship between the changed danger rating and historical values of the danger rating; and
  
  halting the application of the filter until the danger rating of the network node becomes less than the threshold value.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The non-transitory computer readable medium of claim 15, wherein the instructions for assigning the initial danger rating to the network node further comprises instructions for:
    - assigning the danger rating to the network node according to danger ratings of known network nodes stored in a database.
  - 17. The non-transitory computer readable medium of claim 16, further comprising instructions for:
    - updating a stored danger rating in the database based on a period of time in which the transmittal of data from the network node to the computing device was limited.
  - 18. The non-transitory computer readable medium of claim 15, further comprising instructions for:
    - reverting changes to the danger rating of the network node responsive to an expiration of the filter; and
      
      responsive to determining that the danger rating of the network node no longer exceeds the threshold value, canceling the limiting of the transmittal of data from the network node to the computing device.
  - 19. The non-transitory computer readable medium of claim 15, further comprising instructions for:
    - extending a lifetime of the filter responsive to detecting a repeat triggering of the filter based on the data transmission parameters.
  - 20. The non-transitory computer readable medium of claim 15, wherein instructions for changing the danger rating of the network node based on application of the filter and on the data transmission parameters further comprises instructions for:
    - increasing the danger rating of the network node based on a determination that criteria associated with the filter is met by the data transmission parameters.
  - 21. The non-transitory computer readable medium of claim 15, wherein instructions for limiting the transmittal of data from the network node to the computing device further comprises instructions for:
    - limiting the channel capacity between the network node and the computing device further based on a degree to which the danger rating of the network node exceeds the threshold value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lab A.O. Kaspersky
Original Assignee
Lab A.O. Kaspersky
Inventors
Gudov, Nikolay V., Khalimonenko, Alexander A., Koreshkov, Denis E.
Primary Examiner(s)
Abedin, Shanto
Assistant Examiner(s)
Stoica, Adrian

Application Number

US15/614,713
Publication Number

US 20180316714A1
Time in Patent Office

1,113 Days
Field of Search
US Class Current
CPC Class Codes

H04L 63/1425 Traffic logging, e.g. anoma...

H04L 63/1458 Denial of Service

System and method of traffic filtering upon detection of a DDoS attack

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

11 Citations

21 Claims

Specification

Use Cases

Quick Links

Others

System and method of traffic filtering upon detection of a DDoS attack

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

21 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others