Statistics collection for network traffic
First Claim
1. A method of monitoring traffic flow in a monitor device disposed to receive network traffic packets comprises:
producing statistics corresponding to a parameter of traffic flow to trace the source of an attack, with producing further comprising;
mapping the traffic flow into a plurality of buckets by applying a hash function “f(h)” to the parameter of the traffic flow to output an integer corresponding to one of the buckets;
accumulating statistics from the packets; and
comparing the number of buckets to a threshold; and
determining whether the number of buckets should be divided into more buckets or combined into fewer buckets based on comparing the number of buckets to the threshold.
Abstract
A system architecture for thwarting denial of service attacks on a victim data center is described. The system includes a first plurality of monitors that monitor network traffic flow through the network. The first plurality of monitors is disposed at a second plurality of points in the network. The system includes a central controller that receives data from the plurality of monitors, over a hardened, redundant network. The central controller analyzes network traffic statistics to identify malicious network traffic. In some embodiments of the system, a gateway device is disposed to pass network packets between the network and the victim site. The gateway is disposed to protect the victim site, and is coupled to the control center by the redundant hardened network.
49 Claims
1. A method of monitoring traffic flow in a monitor device disposed to receive network traffic packets comprises:
producing statistics corresponding to a parameter of traffic flow to trace the source of an attack, with producing further comprising;
mapping the traffic flow into a plurality of buckets by applying a hash function “f(h)” to the parameter of the traffic flow to output an integer corresponding to one of the buckets;
accumulating statistics from the packets; and
comparing the number of buckets to a threshold; and
determining whether the number of buckets should be divided into more buckets or combined into fewer buckets based on comparing the number of buckets to the threshold.
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 15, 16, 17, 18, 19, 20)
14. A computer program product residing on a computer readable for monitoring network traffic flow in a network comprises instructions for causing a computer to:
map traffic flow into a plurality of buckets by applying a hash function “f(h)” to a parameter of the traffic flow to output an integer corresponding to one of the buckets;
accumulate statistics from the packets; and
compare the accumulated statistic values from the buckets to configured threshold values corresponding to the number of buckets to determine that an event is of significance; and
adjust the number of buckets as the number of buckets approaches a second threshold.
21. A data collector to collect statistical information about network flows comprises:
a computer readable medium;
a computing device that executes a computer program product stored on the computer readable medium comprising instructions to cause the computing device to;
map traffic flow into a plurality of buckets by applying a hash function “f(h)” to the parameter of the traffic flow to output an integer corresponding to one of the buckets;
accumulate statistics from the packets; and
compare the accumulated statistic values from the buckets to configured threshold values corresponding to the number of buckets to determine that an event is of significance; and
adjust the number of buckets as the number of buckets approaches a second threshold; and
a port to link the data collector to a central control center.
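The bucketed collector of claims 1, 14 and 21, worked through as an added example (not code from the patent): flows are hashed into buckets by a parameter (here the source address), per-bucket packet counts are accumulated, a bucket is flagged when its count exceeds a threshold scaled to the number of buckets, and the bucket count is doubled toward a cap (the "second threshold") while something is hot, or halved when nothing is. The concrete hash (SHA-256 truncated), the threshold form, the cap values and the sample traffic are all assumptions made for the example.

```python
import hashlib

# Constructed sample traffic (not from the patent): one source sends 200
# packets to the monitored site while 20 other hosts send one packet each.
FLOOD_SRC = "198.51.100.7"
PACKETS = [(FLOOD_SRC, 60)] * 200 + [(f"192.0.2.{i}", 60) for i in range(1, 21)]

def f_h(param: str, num_buckets: int) -> int:
    """f(h): hash a flow parameter (the source address) to a bucket index."""
    digest = hashlib.sha256(param.encode()).digest()
    return int.from_bytes(digest[:4], "big") % num_buckets

def accumulate(packets, num_buckets):
    """Accumulate a per-bucket packet count from (src_ip, length) records."""
    counts = [0] * num_buckets
    for src, _length in packets:
        counts[f_h(src, num_buckets)] += 1
    return counts

def significant_buckets(counts, factor=2.0, floor=10):
    """Flag buckets whose count exceeds a threshold that scales with the
    number of buckets (factor x the even share), with an absolute floor so
    that sparse buckets are never flagged. Assumed threshold form."""
    expected = sum(counts) / len(counts)
    threshold = max(factor * expected, floor)
    return [i for i, c in enumerate(counts) if c > threshold]

def adjust_buckets(num_buckets, hot, min_buckets=4, max_buckets=256):
    """Divide into more buckets while a bucket is hot (finer source tracing)
    or combine into fewer when none is; max_buckets is the second threshold."""
    if hot and num_buckets * 2 <= max_buckets:
        return num_buckets * 2
    if not hot and num_buckets // 2 >= min_buckets:
        return num_buckets // 2
    return num_buckets

def trace_sources(packets, num_buckets=4, max_buckets=256):
    """Repeat accumulate -> flag -> adjust until the bucket count settles and
    return (final bucket count, sources that land in the hot buckets)."""
    while True:
        counts = accumulate(packets, num_buckets)
        hot = significant_buckets(counts)
        new_n = adjust_buckets(num_buckets, hot, max_buckets=max_buckets)
        if new_n == num_buckets:
            break
        num_buckets = new_n
    suspects = {src for src, _ in packets if f_h(src, num_buckets) in hot}
    return num_buckets, suspects
```

Because each doubling keeps the old bucket boundaries (index mod 4 is preserved under mod 256), the suspect set can only shrink as the count grows, which is what lets the monitor narrow in on the flooding source.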
22. A method of detecting a denial of service attack on a victim site, the method comprising:
monitoring network traffic sent to the victim site;
determining a ratio of incoming to outgoing TCP packets destined and sourced from systems at the site;
comparing the ratio to a threshold value; and
raising an alarm when the ratio exceeds the threshold value.
View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31)
32. A monitor device to collect statistical information about network flows comprises:
a computer readable medium;
a computing device that executes a computer program product stored on the computer readable medium comprising instructions to cause the computing device to;
monitor network traffic sent to the victim site;
determine a ratio of incoming to outgoing TCP packets destined and sourced from systems at the site;
compare the ratio to a threshold value; and
raise an alarm when the ratio exceeds the threshold value.
View Dependent Claims (33, 34, 36, 37, 38, 39, 40, 41, 42, 43, 44, 46, 47, 48, 49)
35. A method of detecting a denial of service attack on a victim site, the method comprising:
monitoring network traffic sent to the victim site;
determining a ratio of incoming to outgoing TCP packets destined and sourced from systems at the site;
comparing the ratio to a threshold value; and
raising an alarm when the ratio exceeds the threshold value.
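The incoming-to-outgoing TCP ratio check of claims 22, 32 and 35, as an added example (not code from the patent): packets are classified as inbound or outbound by whether their destination or source lies in the victim site's prefix, the ratio is evaluated per fixed-size packet window, and an alarm is raised when it exceeds the threshold. The site prefix, the threshold of 3.0, the minimum-inbound guard, the handling of a zero-outbound window and the two sample windows are assumptions made for the example.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src dst")
SITE = ipaddress.ip_network("203.0.113.0/24")   # constructed victim prefix

def at_site(addr: str) -> bool:
    return ipaddress.ip_address(addr) in SITE

def tcp_in_out(packets):
    """Count TCP packets destined to (inbound) and sourced from (outbound) the site."""
    inbound = outbound = 0
    for p in packets:
        if p.proto != "TCP":
            continue
        if at_site(p.dst):
            inbound += 1
        elif at_site(p.src):
            outbound += 1
    return inbound, outbound

def ratio_alarm(packets, threshold=3.0, min_inbound=20):
    """Alarm when inbound/outbound exceeds the threshold. Assumed edge handling:
    fewer than min_inbound TCP packets is too little data and never alarms;
    zero outbound with enough inbound is an unbounded ratio and does alarm."""
    inbound, outbound = tcp_in_out(packets)
    if inbound < min_inbound:
        return False
    if outbound == 0:
        return True
    return inbound / outbound > threshold

class WindowMonitor:
    """Feed packets one at a time; every `window` packets, evaluate the ratio."""
    def __init__(self, window=100, threshold=3.0):
        self.window, self.threshold, self.buf, self.alarms = window, threshold, [], 0

    def feed(self, packet):
        self.buf.append(packet)
        if len(self.buf) < self.window:
            return None            # window not yet full, no decision
        alarm = ratio_alarm(self.buf, self.threshold)
        self.alarms += alarm
        self.buf = []
        return alarm

# Constructed windows: ordinary two-way traffic, then a one-sided flood.
NORMAL = ([Packet("TCP", "198.51.100.5", "203.0.113.10")] * 55
          + [Packet("TCP", "203.0.113.10", "198.51.100.5")] * 40
          + [Packet("UDP", "198.51.100.9", "203.0.113.53")] * 5)
FLOOD = ([Packet("TCP", f"192.0.2.{i % 250 + 1}", "203.0.113.10") for i in range(96)]
         + [Packet("TCP", "203.0.113.10", "198.51.100.5")] * 4)
```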
45. A method of detecting a denial of service attack on a victim site, the method comprising:
monitoring network traffic sent to the victim site and identifying packets generated from repressor traffic;
analyzing message header information from identified packets; and
generating logs of the contents of the message headers to guard against attacks.
Specification