Statistics collection for network traffic

US 20020035628A1
Filed: 08/16/2001
Published: 03/21/2002
Est. Priority Date: 09/07/2000
Status: Active Grant

First Claim

Patent Images

1. A method of monitoring traffic flow in a monitor device disposed to receive network traffic packets comprises:

producing statistics corresponding to a parameter of traffic flow to trace the source of an attack, with producing further comprising;

mapping the traffic flow into a plurality of buckets by applying a hash function “

f(h)”

to the parameter of the traffic flow to output an integer corresponding to one of the buckets;

accumulating statistics from the packets; and

comparing the number of buckets to a threshold;

and determining whether the number of buckets should be divided into more buckets or combined into fewer buckets based on comparing the number of buckets to the threshold.

View all claims

21 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system architecture for thwarting denial of service attacks on a victim data center is described. The system includes a first plurality of monitors that monitor network traffic flow through the network. The first plurality of monitors is disposed at a second plurality of points in the network. The system includes a central controller that receives data from the plurality of monitors, over a hardened, redundant network. The central controller analyzes network traffic statistics to identify malicious network traffic. In some embodiments of the system, a gateway device is disposed to pass network packets between the network and the victim site. The gateway is disposed to protect the victim site, and is coupled to the control center by the redundant hardened network.

Citations

49 Claims

1. A method of monitoring traffic flow in a monitor device disposed to receive network traffic packets comprises:
- producing statistics corresponding to a parameter of traffic flow to trace the source of an attack, with producing further comprising;
  
  mapping the traffic flow into a plurality of buckets by applying a hash function “
  
  f(h)”
  
  to the parameter of the traffic flow to output an integer corresponding to one of the buckets;
  
  accumulating statistics from the packets; and
  
  comparing the number of buckets to a threshold;
  
  and determining whether the number of buckets should be divided into more buckets or combined into fewer buckets based on comparing the number of buckets to the threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1 wherein the buckets are storage areas in a memory space of the monitor device.
  - 3. The method of claim 1 wherein as the number of buckets changes, the buckets have values derived from the buckets prior to the change.
  - 4. The method of claim 1 wherein the hash function adapts to map to the new number of buckets, as the new number of buckets changes.
  - 5. The method of claim 1 wherein comparing statistic values comprises:
    - comparing the value accumulated in the bucket to a threshold that depends on the number of buckets.
  - 6. The method of claim 1 wherein the parameter is the count of how many packets a data collector or gateway examines.
  - 7. The method of claim 1 wherein as a value of a parameter for one bucket approaches a threshold, the monitoring device raises an alarm.
  - 8. The method of claim 1 wherein the hash function changes periodically in a randomly secret manner so that packets are reassigned to different buckets.
  - 9. The method of claim 1 wherein the variable number of buckets dynamically adjusts the amount of traffic and number of flows monitored, so that the monitoring device is not vulnerable to a denial of service attack against its own resources.
  - 10. The method of claim 1 wherein the variable number of buckets efficiently identifies the source or sources of attack by breaking down traffic into different buckets and examining statistics accumulated for a parameter and a corresponding threshold in each bucket.
  - 11. The method of claim 1 wherein the traffic is monitored at multiple levels of granularity, from aggregate to individual flows.
  - 12. The method of claim 1 wherein the traffic is applied to monitoring of TCP packet ratios and repressor traffic.
  - 13. The method of claim 1 wherein the threshold is a first threshold and the method further comprises:
    - comparing accumulated statistic values from the buckets to second threshold values to determine that an event is of significance.
  - 15. The computer program product of claim 14 wherein based on the second threshold, the buckets are divided into more buckets or combined into fewer buckets
  - 16. The computer program product of claim 14 wherein instructions to monitor further comprise instructions to divide the bucket into a different number of new buckets containing values derived from the original bucket.
  - 17. The computer program product of claim 14 wherein the hash function adapts to map to the new number of buckets as the new number of buckets changes.
  - 18. The computer program product of claim 14 wherein the parameter is the count of how many packets a data collector or gateway examines.
  - 19. The computer program product of claim 14 wherein the buckets are storage areas in the memory space of the monitor device.
  - 20. The computer program product of claim 14 wherein the hash function changes periodically in a randomly secret manner so that packets are reassigned to different buckets.

14. A computer program product residing on a computer readable for monitoring network traffic flow in a network comprises instructions for causing a computer to:
- map traffic flow into a plurality of buckets by applying a hash function “
  
  f(h)”
  
  to a parameter of the traffic flow to output an integer corresponding to one of the buckets;
  
  accumulate statistics from the packets; and
  
  compare the accumulated statistic values from the buckets to configured threshold values corresponding to the number of buckets to determine that an event is of significance; and
  
  adjust the number of buckets as the number of buckets approaches a second threshold.

21. A data collector to collect statistical information about network flows comprises:
- a computer readable medium;
  
  a computing device that executes a computer program product stored on the computer readable medium comprising instructions to cause the computing device to;
  
  map traffic flow into a plurality of buckets by applying a hash function “
  
  f(h)”
  
  to the parameter of the traffic flow to output an integer corresponding to one of the buckets;
  
  accumulate statistics from the packets; and
  
  compare the accumulated statistic values from the buckets to configured threshold values corresponding to the number of buckets to determine that an event is of significance; and
  
  adjust the number of buckets as the number of buckets approaches a second threshold; and
  
  a port to link the data collector to a central control center.

22. A method of detecting a denial of service attack on a victim site, the method comprising:
- monitoring network traffic sent to the victim site;
  
  determining a ratio of incoming to outgoing TCP packets destined and sourced from systems at the site;
  
  comparing the ratio to a threshold value; and
  
  raising an alarm when the ratio exceeds the threshold value.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 23. The method of claim 22 wherein monitoring further comprises:
    - storing the determined ratio over periods of time; and
      
      analyzing the ratio to determine over time how much and how the ratio exceeds a value to set a threshold.
  - 24. The method of claim 22 wherein monitoring further comprises:
    - establishing the ratio, and as the ratio exceeds that established threshold raising the alarm.
  - 25. The method of claim 22 wherein the ratio is about 2:
    - 1 for incoming to outgoing TCP packets.
  - 26. The method of claim 22 wherein as the ratio exceeds the threshold it is a indication that the victim is receiving bad TCP traffic that are not part of any established TCP connection.
  - 27. The method of claim 22 wherein as the ratio exceeds the threshold, exceeding the threshold raises an indication that the victim is overloaded to acknowledge the requests.
  - 28. The method of claim 22 wherein monitoring comprises:
    - producing statistics corresponding to the ratio by mapping the traffic flow into a plurality of buckets by applying a hash function “
      
      f(h)”
      
      to the parameter of the traffic flow to output an integer corresponding to one of the buckets.
  - 29. The method of claim 28 further comprises:
    - communicating the statistics collected to a control center.
  - 30. The method of claim 29 wherein communicating occurs over a dedicated link to the control center via a hardened network.
  - 31. The method of claim 30 executed on a gateway physically deployed in the network.

32. A monitor device to collect statistical information about network flows comprises:
- a computer readable medium;
  
  a computing device that executes a computer program product stored on the computer readable medium comprising instructions to cause the computing device to;
  
  monitor network traffic sent to the victim site;
  
  determine a ratio of incoming to outgoing TCP packets destined and sourced from systems at the site;
  
  compare the ratio to a threshold value; and
  
  raise an alarm when the ratio exceeds the threshold value.
- View Dependent Claims (33, 34, 36, 37, 38, 39, 40, 41, 42, 43, 44, 46, 47, 48, 49)
- - 33. The monitor device of claim 32 wherein the monitor is a gateway.
  - 34. The monitor device of claim 32 wherein wherein the ratio is about 2:
    - 1 for incoming to outgoing TCP packets.
  - 36. The method of claim 35 wherein monitoring further comprises:
    - storing the determined ratio over periods of time; and
      
      analyzing the ratio to determine over time how much and how the ratio exceeds a value to set a threshold.
  - 37. The method of claim 35 wherein monitoring further comprises:
    - establishing the ratio and as the ratio exceeds that threshold raising the alarm.
  - 38. The method of claim 35 wherein the ratio is about 2:
    - 1, for incoming to outgoing TCP packets.
  - 39. The method of claim 35 wherein the ratio is up to about 3:
    - 1, for incoming to outgoing TCP packets.
  - 40. The method of claim 35 wherein as the ratio exceeds the threshold it is a indication that the victim is receiving bad TCP traffic that are not part of any established TCP connection.
  - 41. The method of claim 35 wherein monitoring comprises:
    - producing statistics corresponding to the ratio by mapping the traffic flow into a plurality of buckets by applying a hash function “
      
      f(h)”
      
      to source addresses of the traffic flow to output an integer corresponding to one of the buckets.
  - 42. The method of claim 41 further comprises:
    - communicating the statistics collected to a control center.
  - 43. The method of claim 42 wherein communicating occurs over a dedicated link to the control center via a hardened network.
  - 44. The method of claim 43 executed on a gateway physically deployed in the network.
  - 46. The method of claim 45 wherein the logs are generated for forensic purposes or to selectively block future messages similar to the ones that caused the repressor traffic messages.
  - 47. The method of claim 45 wherein the repressor traffic is ICMP port unreachable messages that are generated by an end host when it receives a packet on a port that is not responding to requests.
  - 48. The method of claim 45 wherein repressor traffic is any network traffic that is indicative of problems or a potential attack in a main flow of traffic.
  - 49. The method of claim 45 wherein the method is executed on a gateway.

35. A method of detecting a denial of service attack on a victim site, the method comprising:
- monitoring network traffic sent to the victim site;
  
  determining a ratio of incoming to outgoing TCP packets destined and sourced from systems at the site;
  
  comparing the ratio to a threshold value; and
  
  raising an alarm when the ratio exceeds the threshold value.

45. A method of detecting a denial of service attack on a victim site, the method comprising:
- monitoring network traffic sent to the victim site and identify packets generated from repressor traffic;
  
  analyzing message header information from identified packets; and
  
  generating logs of contents of the message headers guard against attackes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
Riverbed Technology Incorporated
Inventors
Gil, Thomer Michael, Kohler, Edward W. Jr., Poletto, Massimiliano Antonio

Granted Patent

US 7,702,806 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/224
CPC Class Codes

H04L 2463/102   applying security measure f...

H04L 43/00   Arrangements for monitoring...

H04L 43/026   using flow identification

H04L 43/106   using time related informat...

H04L 43/16   Threshold monitoring

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

Statistics collection for network traffic

First Claim

21 Assignments

0 Petitions

Accused Products

Abstract

Citations

49 Claims

Specification

Solutions

Use Cases

Quick Links

Statistics collection for network traffic

First Claim

21 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

49 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links