Architecture to thwart denial of service attacks

US 20020035683A1
Filed: 08/16/2001
Published: 03/21/2002
Est. Priority Date: 09/07/2000
Status: Active Grant

First Claim

Patent Images

1. A method of thwarting denial of service attacks on a victim data center coupled to a network comprises:

monitoring network traffic through monitors disposed at a plurality of points in the network; and

communicating data from the monitors, over a hardened, redundant network, to a central controller.

View all claims

21 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system architecture for thwarting denial of service attacks on a victim data center is described. The system includes a first plurality of monitors that monitor network traffic flow through the network. The first plurality of monitors is disposed at a second plurality of points in the network. The system includes a central controller that receives data from the plurality of monitors, over a hardened, redundant network. The central controller analyzes network traffic statistics to identify malicious network traffic. In some embodiments of the system, a gateway device is disposed to pass network packets between the network and the victim site. The gateway is disposed to protect the victim site, and is coupled to the control center by the redundant hardened network.

Citations

28 Claims

1. A method of thwarting denial of service attacks on a victim data center coupled to a network comprises:
- monitoring network traffic through monitors disposed at a plurality of points in the network; and
  
  communicating data from the monitors, over a hardened, redundant network, to a central controller.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 13, 14, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 2. The method of claim 1 wherein the hardened redundant network is inaccessible to the attacker.
  - 3. The method of claim 1 further comprising:
    - monitoring network traffic through a gateway that passes network packets, the gateway being disposed at an edge of the network to protect the data center, with the gateway coupled to the control center by the redundant hardened network.
  - 4. The method of claim 1 further comprising:
    - analyzing network traffic statistics to identify malicious network traffic; and
      
      filtering the network traffic based on results of analyzing the network traffic to discard network traffic that is identified as malicious network traffic during analyzing of the network traffic.
  - 5. The method of claim 1 wherein the gateway is located at network entry points of victim data centers.
  - 6. The method of claim 1 further comprising:
    - performing intelligent traffic analysis and filtering to identify the malicious traffic and to eliminate the malicious traffic.
  - 7. The method of claim 3 wherein performing intelligent traffic analysis and filtering is performed by the gateways and the control center.
  - 8. The method of claim 3 wherein the gateways perform intelligent traffic analysis and filtering.
  - 9. The method of claim 1 wherein the monitors include data collectors that sample packet traffic, accumulate, and collect statistical information about network flows.
  - 10. The method of claim 9 wherein the data collectors are located at major peering points and network points of presence.
  - 11. The method of claim 1 wherein the control center aggregates traffic information and coordinates measures to track down and block the sources of an attack.
  - 13. The distributed system of claim 12 further comprising:
    - a control center coupled to the plurality of data collectors by a hardened redundant connection to communicate the data to the control center; and
      
      wherein the control centers performs the intelligent traffic analysis to identify the malicious traffic.
  - 14. The distributed system of claim 13 further comprising:
    - at least one gateway device that passes network packets between the network and the victim site, the gateway disposed to protect a victim site, and being coupled to the control center by the redundant hardened network.
  - 16. The system of claim 15 wherein the hardened redundant network is inaccessible to the attacker.
  - 17. The system of claim 15 further comprising:
    - at least one gateway that passes network packets between the network and the victim data center, the gateway disposed to protect potential victim data center and being coupled to the control center by the redundant hardened network.
  - 18. The system of claim 17 wherein the gateway is disposed at an edge of the network at victim data center.
  - 19. The system of claim 17 wherein the gateway analyzes network traffic statistics to identify malicious network traffic and filters the network traffic based on results of analyzing the network traffic to discard network traffic that is identified as malicious network traffic during analyzing of the network traffic.
  - 20. The system of claim 17 wherein the gateway is located at the edge of the network that is an entry point to the victim data center.
  - 21. The system of claim 17 wherein both the gateway and the control center perform intelligent traffic analysis and filtering to identify the malicious traffic and to eliminate the malicious traffic.
  - 22. The system of claim 15 wherein the data collectors sample packet traffic, and accumulate and collect statistical information about network flows.
  - 23. The system of claim 15 wherein the data collectors are located at major peering points and network points of presence.
  - 24. The system of claim 17 wherein the data collectors sample packet traffic, and accumulate and collect statistical information about network flows and are located at major peering points and network points of presence.
  - 25. The system of claim 17 wherein the control center aggregates traffic information and coordinates measures to track down and block the sources of an attack.
  - 26. The system of claim 17 wherein the gateway includes a process to communicate with the control center over the hardened network.
  - 27. The system of claim 17 wherein the gateway includes a process to allow an administrator to insert filters to discard packets that are deemed to be part of an attack, as determined by heuristics of the traffic flow.

12. A distributed system to thwarting denial of service attacks comprises:
- a plurality of monitors dispersed throughout a network, the monitors collecting statistical data for performance of intelligent traffic analysis and filtering to identify malicious traffic and to eliminate the malicious traffic to thwart the denial of service attack.

15. A system for thwarting denial of service attacks on a victim data center coupled to a network comprises:
- a first plurality of monitors that monitor network traffic flow through the network, the first plurality of monitors disposed at a second plurality of points in the network; and
  
  a central controller that receives data from the plurality of monitors, over a hardened, redundant network, the central controller analyzing network traffic statistics to identify malicious network traffic.

28. A distributed system to thwart denial of service attacks comprises:
- a plurality of gateways dispersed throughout a network, near data centers that might be sources of an attack, the gateways collecting statistical data for performance of intelligent traffic analysis and filtering identify malicious traffic at the source of an attack to eliminate the malicious traffic and thwart the denial of service attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Riverbed Technology, LLC (Riverbed Technology Incorporated)
Original Assignee
Mazu Networks, Inc. (Riverbed Technology Incorporated)
Inventors
Kohler, Edward W. Jr., Poletto, Massimiliano Antonio, Kaashoek, Marinus Frans

Granted Patent

US 7,043,759 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/154
CPC Class Codes

H04L 2463/102   applying security measure f...

H04L 43/00   Arrangements for monitoring...

H04L 43/022   by sampling

H04L 43/026   using flow identification

H04L 43/16   Threshold monitoring

H04L 63/1408   by monitoring network traff...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1458   Denial of Service

Architecture to thwart denial of service attacks

First Claim

21 Assignments

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Architecture to thwart denial of service attacks

First Claim

21 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links