Methods and apparatus for protecting against overload conditions on nodes of a distributed network
First Claim
1. A method of responding to an overload condition at a network element (“victim”) in a set of one or more potential victims on a network, the method comprising the steps of
A. with a first set of one or more network elements external to the set of one or more potential victims, diverting to a second set of one or more network elements external to the set of one or more potential victims traffic otherwise destined for the victim,
B. the element(s) of the second set filtering traffic diverted in step A (“diverted traffic”) and selectively passing a portion thereof to the victim.
4 Assignments
0 Petitions
Abstract
Methods and apparatus for protecting against and/or responding to an overload condition at a node (“victim”) in a distributed network divert traffic otherwise destined for the victim to one or more other nodes, which can filter the diverted traffic, passing a portion of it to the victim, and/or effect processing of one or more of the diverted packets on behalf of the victim. Diversion can be performed by one or more nodes (collectively, a “first set” of nodes) external to the victim. Filtering and/or effecting traffic processing can be performed by one or more nodes (collectively, a “second set” of nodes) also external to the victim. Those first and second sets can have zero, one or more nodes in common—or, put another way, they may wholly, partially or not overlap. The methods and apparatus have application in protecting nodes in a distributed network, such as the Internet, against distributed denial of service (DDoS) attacks.
52 Claims
1. A method of responding to an overload condition at a network element (“victim”) in a set of one or more potential victims on a network, the method comprising the steps of
A. with a first set of one or more network elements external to the set of one or more potential victims, diverting to a second set of one or more network elements external to the set of one or more potential victims traffic otherwise destined for the victim,
B. the element(s) of the second set filtering traffic diverted in step A (“diverted traffic”) and selectively passing a portion thereof to the victim.
(Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 18, 19, 20)
17. A method of responding to an overload condition at a network element (“victim”) in a set of one or more potential victims, the method comprising the steps of
A. with a first set of one or more elements external to the set of one or more potential victims, diverting to a second set of one or more elements external to the set of one or more potential victims traffic otherwise destined for the victim,
B. the element(s) of the second set filtering traffic diverted in step A (“diverted traffic”) and selectively passing a portion thereof to the victim,
C. the filtering step including detecting packets with spoofed source addresses by at least partially processing diverted traffic before selectively passing it, if at all, to the victim.
21. A method of responding to an overload condition at a network element (“victim”) in a set of one or more potential victims, the method comprising the steps of
A. with a first set of one or more elements external to the set of one or more potential victims, diverting to a second set of one or more elements external to the set of one or more potential victims traffic otherwise destined for the victim,
B. the element(s) of the second set filtering traffic diverted in step A (“diverted traffic”) and selectively passing a portion thereof to the victim,
C. the filtering step including at least partially processing diverted traffic before selectively passing it, if at all, to the victim.
(Dependent claims: 22, 23, 24, 26, 28, 29, 30, 31)
25. A method of responding to an overload condition at a network element (“victim”) in a set of one or more potential victims, the method comprising the steps of
A. with a first set of one or more elements external to the set of one or more potential victims, diverting to a second set of one or more elements external to the set of one or more potential victims traffic otherwise destined for the victim,
B. the element(s) of the second set filtering traffic diverted in step A (“diverted traffic”) and selectively passing a portion thereof to the victim,
C. the filtering step including discarding traffic of selected type.
27. A method of responding to an overload condition at a network element (“victim”) in a set of one or more potential victims, the method comprising the steps of
A. with a first set of one or more elements external to the set of one or more potential victims, performing a first filtering of traffic destined for the victim and diverting to a second set of one or more elements external to the set of one or more potential victims at least a portion of that traffic,
B. the element(s) of the second set performing a second filtering of traffic diverted in step A (“diverted traffic”) and selectively passing a portion thereof to the victim.
32. A method of responding to an overload condition at a network element (“victim”) in a set of one or more potential victims, the method comprising the steps of
A. with a first set of one or more elements external to the set of one or more potential victims, diverting to a second set of one or more elements external to the set of one or more potential victims traffic otherwise destined for the victim,
B. the element(s) of the second set filtering traffic diverted in step A (“diverted traffic”) and selectively passing a portion thereof to the victim,
C. the filtering step including identifying any of a source and a type of the overload condition.
(Dependent claims: 33, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 47, 48, 50, 51, 52)
34. A method of responding to an overload condition at a network element (“victim”) in a set of one or more potential victims, the method comprising the steps of
A. with a first set of one or more elements external to the set of one or more potential victims, diverting to a second set of one or more elements external to the set of one or more potential victims traffic otherwise destined for the victim,
B. the element(s) of the second set filtering traffic diverted in step A (“diverted traffic”) and selectively passing a portion thereof to the victim,
C. the filtering step including detecting any of (i) a traffic pattern that differs from an expected pattern and (ii) a traffic volume that differs from an expected volume.
46. A network element for use in protecting against an overload condition on a network, the network element comprising:
an input for receiving traffic from the network, a filter coupled to the input, the filter selectively blocking traffic originating from a source suspected as potentially causing the overload condition, a statistics module that is coupled to the filter and that identifies traffic statistically indicative of having originated from a source potentially causing the overload condition, and an output coupled to the input for selectively passing on to further elements in the network traffic not blocked by the filter.
49. A system for use in protecting against an overload condition on a network, the network element comprising:
one or more network elements (“guards”) disposed on the network, each network element having an input for receiving traffic from the network, a filter coupled to the input, the filter selectively blocking traffic originating from a source suspected as potentially causing the overload condition, a statistics module that is coupled to the filter and that identifies traffic statistically indicative of having originated from a source suspected as potentially causing the overload condition, and an output coupled to the input for selectively passing on to further elements in the network traffic not blocked by the filter,
one or more further network elements (“diverters”) disposed on the network and in communication with the guards, the further network elements selectively (i) diverting to one or more guards traffic otherwise destined for a still further network element (“victim”) in a set of one or more potential victims on the network.
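The divert-and-filter arrangement in the abstract and in claims 1, 17, 25, 34, 46 and 49 can be modelled end to end in a few dozen lines. The following is an added illustration, not code from the patent or from any product built on it: a diverter external to the victim reroutes traffic destined for the victim to a guard once the victim's capacity is exceeded, and the guard's statistics module flags sources sending more than a single client is expected to, discards a selected traffic type, rejects packets whose source address could not legitimately arrive from the public network, and passes the remainder to the victim. The class names, the capacity and per-source thresholds, the choice of ICMP as the discarded type, the bogon-range spoof check and every address in the sample window are assumptions made for the example.

```python
"""Added example of the divert-and-filter scheme described in the abstract and
claims 1, 17, 25, 34, 46 and 49.  Not the patent's or any vendor's code; class
names, thresholds, the spoof check and all addresses are assumptions."""
import ipaddress
from collections import Counter
from dataclasses import dataclass, field

# Assumed spoof check (claim 17): a source in one of these ranges cannot
# legitimately reach a public-facing victim from the outside network.
BOGON_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "0.0.0.0/8")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"


@dataclass
class Victim:
    addr: str
    capacity: int  # packets per window the victim can absorb (assumed)
    received: list = field(default_factory=list)


class Guard:
    """Claims 46/49 'guard': filter, statistics module and output."""

    def __init__(self, per_source_limit, discard_protos):
        self.per_source_limit = per_source_limit    # claim 34: volume above expected
        self.discard_protos = set(discard_protos)   # claim 25: discard selected type
        self.suspects = set()                       # sources flagged by statistics

    def update_statistics(self, packets):
        """Statistics module: flag any source whose share of the diverted
        window exceeds what one legitimate client is expected to send."""
        counts = Counter(p.src for p in packets)
        for src, n in counts.items():
            if n > self.per_source_limit:
                self.suspects.add(src)
        return counts

    @staticmethod
    def looks_spoofed(src):
        """Partial processing of the packet header (claim 17)."""
        ip = ipaddress.ip_address(src)
        return any(ip in net for net in BOGON_NETS)

    def filter(self, diverted):
        """Return (passed, dropped): the portion selectively passed to the
        victim (claim 1, step B) and the portion blocked."""
        self.update_statistics(diverted)
        passed, dropped = [], []
        for p in diverted:
            if (p.proto in self.discard_protos or self.looks_spoofed(p.src)
                    or p.src in self.suspects):
                dropped.append(p)
            else:
                passed.append(p)
        return passed, dropped


class Diverter:
    """Claim 49 'diverter': an element external to the victim that, under an
    overload condition, sends traffic destined for the victim to a guard."""

    def __init__(self, guard, victim):
        self.guard, self.victim = guard, victim

    def route(self, packets):
        """Returns (delivered_to_victim, dropped_by_guard, forwarded_elsewhere)."""
        destined = [p for p in packets if p.dst == self.victim.addr]
        elsewhere = [p for p in packets if p.dst != self.victim.addr]
        if len(destined) > self.victim.capacity:   # overload: divert to guard
            delivered, dropped = self.guard.filter(destined)
        else:                                      # normal load: no diversion
            delivered, dropped = destined, []
        self.victim.received.extend(delivered)
        return delivered, dropped, elsewhere


def constructed_traffic():
    """Constructed sample window: three legitimate clients, one flooding
    source, one ICMP source, one spoofed private source, two packets for
    a different destination."""
    victim = "192.0.2.1"
    pkts = [Packet(f"203.0.113.{i}", victim, "tcp")
            for i in (10, 11, 12) for _ in range(3)]
    pkts += [Packet("198.51.100.7", victim, "tcp") for _ in range(30)]   # flood
    pkts += [Packet("198.51.100.8", victim, "icmp") for _ in range(5)]   # discarded type
    pkts += [Packet("10.0.0.5", victim, "tcp")]                          # spoofed source
    pkts += [Packet("203.0.113.20", "192.0.2.99", "tcp") for _ in range(2)]
    return pkts


def run_window(packets=None):
    """Route one window of traffic and summarise what reached the victim."""
    victim = Victim("192.0.2.1", capacity=20)
    guard = Guard(per_source_limit=10, discard_protos=("icmp",))
    diverter = Diverter(guard, victim)
    pkts = constructed_traffic() if packets is None else packets
    delivered, dropped, elsewhere = diverter.route(pkts)
    return {"delivered": len(delivered), "dropped": len(dropped),
            "elsewhere": len(elsewhere), "suspects": sorted(guard.suspects)}


if __name__ == "__main__":
    print(run_window())
```

On the constructed window the victim's capacity of 20 is exceeded by the 45 packets addressed to it, so the diverter hands them to the guard; the guard flags the single source that sent 30 packets, drops its traffic together with the ICMP packets and the packet from a private source, and passes the nine legitimate packets on. With a window under capacity the diverter leaves traffic on its normal path and the guard is not consulted at all, which is the point of keeping both the diverter and the guard external to the victim.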
Specification