Apparatus and method for using a network processor to guard against a "denial-of-service" attack on a server or server cluster

US 20030023733A1
Filed: 07/26/2001
Published: 01/30/2003
Est. Priority Date: 07/26/2001
Status: Active Grant

First Claim

Patent Images

1. Apparatus comprising:

a network resource server having at least one computer system comprising a central processing unit and server memory; and

a network processor coupled to said network resource server comprising;

a plurality of interface processors;

instruction memory for storing instructions accessibly to said interface processors;

data memory for storing data passing through said network processor to and from said network resource server accessibly to said interface processors; and

a plurality of input/output ports;

one of said input/output ports adapted for exchanging data passing through said network processor with an external network under the direction of said interface processors;

at least one other of said input/output ports adapted for exchanging data passing through said network processor with said network resource server;

said network processor and said network resource server cooperating in directing the exchange of data between said input/output ports and the flow of data through said data memory to and from said network resource server in response to execution by said interface processors of instructions loaded into said instruction memory;

said network processor further comprising at least one rate monitor for monitoring the rate of data flow addressed to said network resource server, at least one of said interface processors comprising a component for computing a derivative of data flow rate over time to determine the rate of change of data flow, and at least one modifier for modifying the instructions loaded into said instruction memory in response to the determined rate of change.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system comprising a network resource server or a server farm formed by a plurality of computer systems and a network processor which transfers data exchanged with an external network supported by the server farm at a data rate substantially the same as the data flow rate of the network and related method. The network processor protects the network resource server against attacks such as a denial of service attack by monitoring data flow, computing a derivative of the data flow over time to determine the rate of change of data flow, and modifying instructions for the discarding of packets in response to rates of change which are outside predetermined boundaries.

Citations

36 Claims

1. Apparatus comprising:
- a network resource server having at least one computer system comprising a central processing unit and server memory; and
  
  a network processor coupled to said network resource server comprising;
  
  a plurality of interface processors;
  
  instruction memory for storing instructions accessibly to said interface processors;
  
  data memory for storing data passing through said network processor to and from said network resource server accessibly to said interface processors; and
  
  a plurality of input/output ports;
  
  one of said input/output ports adapted for exchanging data passing through said network processor with an external network under the direction of said interface processors;
  
  at least one other of said input/output ports adapted for exchanging data passing through said network processor with said network resource server;
  
  said network processor and said network resource server cooperating in directing the exchange of data between said input/output ports and the flow of data through said data memory to and from said network resource server in response to execution by said interface processors of instructions loaded into said instruction memory;
  
  said network processor further comprising at least one rate monitor for monitoring the rate of data flow addressed to said network resource server, at least one of said interface processors comprising a component for computing a derivative of data flow rate over time to determine the rate of change of data flow, and at least one modifier for modifying the instructions loaded into said instruction memory in response to the determined rate of change.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. Apparatus according to claim 1 wherein said at least one interface processor further comprises means for comparing said determined rate of change to at least one predetermined boundary and wherein said modifier modifies the instruction when the rate of change has a prespecified relationship to said at least one predetermined boundary.
  - 3. Apparatus according to claim 1 wherein said network processor comprises a semiconductor substrate and further wherein said interface processors, said instruction memory, said data memory and said input/output ports are formed on said semiconductor substrate.
  - 4. Apparatus according to claim 1 wherein said network processor is adapted to process communication protocols and to exchange application data to be processed by said computer system with said network resource server.
  - 5. Apparatus according to claim 4 wherein said network resource server has a plurality of computer systems serving diverse purposes and said network processor directs application data to an appropriate one of said computer systems for exercising the data in accordance with the appropriate purpose therefor.
  - 6. Apparatus according to claim 4 wherein said network resource server has a plurality of computer systems serving a common purpose and said network processor directs application data to varying ones of said computer systems for exercising the data in a predetermined flow among said computer systems.
  - 7. Apparatus according to claim 1 wherein the number of said interface processors exceeds four.
  - 8. Apparatus according to claim 2 wherein said at least one rate monitor of said network processor monitors data flow inbound toward said network resource server and said at least one modifier increases the discard of inbound data upon the rate of change of inbound data exceeding a predetermined boundary.
  - 9. Apparatus according to claim 2 wherein said at least one modifier of said network processor decreases the discard rate of inbound data upon the rate of change of inbound data falling below a second predetermined boundary.

10. Apparatus comprising:
- a network resource server comprising at least one computer system which has a central processing unit and server memory; and
  
  a network processor coupled to said network resource server and comprising;
  
  a plurality of interface processors;
  
  instruction memory for storing instructions accessibly to said interface processors;
  
  data memory for storing data passing through said network processor to and from said network resource server accessibly to said interface processors; and
  
  a plurality of input/output ports;
  
  one of said input/output ports adapted for exchanging data passing through said network processor with an external network under the direction of said interface processors;
  
  at least one other of said input/output ports adapted for exchanging data passing through said network processor with said network resource server;
  
  said network processor cooperating with said network resource server in directing the exchange of data between said input/output ports and the flow of data through said data memory to and from said network resource server in response to execution by said interface processors of instructions loaded into said instruction memory;
  
  said network processor further comprising at least one rate monitor for monitoring the rate of data flow inbound toward said network resource server, at least one of said interface processors comprising a component for computing a derivative of data flow rate over time to determine the rate of change of data flow, and at least one modifier for modifying the instructions loaded into said instruction memory in response to the determined rate of change.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. Apparatus according to claim 10 wherein said at least one interface processor further comprises means for comparing said determined rate of change to at least one predetermined boundary and wherein said modifier modifies the instruction when the rate of change has a prespecified relationship to said at least one predetermined boundary.
  - 12. Apparatus according to claim 10 wherein said network processor comprises a semiconductor substrate and further wherein said interface processors, said instruction memory, said data memory and said input/output ports are formed on said semiconductor substrate.
  - 13. Apparatus according to claim 10 wherein said network processor is adapted to process communication protocols and exchanges with said network resource server application data to be processed by said server.
  - 14. Apparatus according to claim 12 wherein said network resource server comprises a plurality of computer systems serving diverse purposes and said network processor directs application data to the appropriate one of said systems for exercising the data in accordance with the appropriate purpose therefor.
  - 15. Apparatus according to claim 12 wherein said network resource server comprises a plurality of computer systems serving a common purpose and said network processor directs application data to varying ones of said computer systems for exercising the data in a predetermined flow in said computer systems.
  - 16. Apparatus according to claim 10 wherein the number of said interface processors exceeds four.
  - 17. Apparatus according to claim 11 wherein said at least one rate monitor of said network processor monitors data flow inbound to said network resource server and said modifier decreases the discard of inbound data upon the rate of change of inbound data rising above a predetermined boundary.
  - 18. Apparatus according to claim 11 wherein said modifier of said network processor decreases the discard rate of inbound data upon the rate of change of inbound data falling below above a second predetermined boundary.

19. Apparatus comprising:
- a network resource server having at least one computer system comprising at least a central processing unit and server memory; and
  
  a network processor coupled to said network resource server comprising;
  
  a plurality of interface processors;
  
  instruction memory for storing instructions accessible to said interface processors;
  
  data memory for storing data passing through said network processor to and from said network resource server accessibly to said interface processors; and
  
  a plurality of input/output ports;
  
  one of said input/output ports adapted for exchanging data passing through said network processor with an external network under the direction of said interface processors;
  
  at least one other of said input/output ports adapted for exchanging data passing through said network processor with said network resource server;
  
  said network processor cooperating with said network resource server in directing the exchange of data between said input/output ports and the flow of data through said data memory to and from said network resource server in response to execution by said interface processors of instructions loaded into said instruction memory;
  
  said network processor further comprising at least one rate monitor for monitoring the rate of data flow outbound from said network resource server, at least one of said interface processors comprising a component for computing a derivative of data flow rate over time to determine the rate of change of data flow, and at least one modifier for modifying the instructions loaded into said instruction memory in response to the determined rate of change.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26, 27)
- - 20. Apparatus according to claim 19 wherein said at least one interface processor further comprises means for comparing said determined rate of change to at least one predetermined boundary and wherein said modifier modifies the instruction when the rate of change has a prespecified relationship to said at least one predetermined boundary.
  - 21. Apparatus according to claim 19 wherein said network processor comprises a semiconductor substrate and further wherein said interface processors, said instruction memory, said data memory and said input/output ports are formed on said semiconductor substrate.
  - 22. Apparatus according to claim 19 wherein said network processor is adapted to process communication protocols and exchange application data to be processed by said network resource server with said network resource server.
  - 23. Apparatus according to claim 22 wherein said network resource server has a plurality of computer systems serving diverse purposes and wherein said network processor directs application data to the appropriate one of said computer systems for exercising the data in accordance with the appropriate purpose therefor.
  - 24. Apparatus according to claim 22 wherein said network resource server has a plurality of computer systems serving a common purpose and said network processor directs application data to varying ones of said computer systems for exercising the data in a predetermined flow among said computer systems.
  - 25. Apparatus according to claim 19 wherein the number of said interface processors exceeds four.
  - 26. Apparatus according to claim 20 wherein said at least one rate monitor monitors data flow outbound from said network resource server and wherein said at least one modifier increases the discard of inbound data upon the rate of change of outbound data falling below a predetermined boundary.
  - 27. Apparatus according to claim 20 wherein said at least one modifier of said network processor decreases the discard rate of inbound data upon the rate of change of outbound data rising above a second predetermined boundary.

28. A method comprising the steps of:
- passing bit streams of data exchanged between a network resource server and a data network through a network processor;
  
  monitoring the data flow rate of data passing through the network processor;
  
  computing a first derivative of the data flow rate to determine the rate of change of the data flow rate; and
  
  selectively discarding data flowing toward the network resource server based upon said rate of change of the data flow rate.
- View Dependent Claims (29, 30, 31, 32, 33, 34, 35)
- - 29. A method according to claim 28 further comprising comparing said rate of change of the data flow rate to at least one predetermined boundary and wherein said selective discarding is conducted when said rate of change has a prespecified relationship to at least one predetermined boundary.
  - 30. A method according to claim 28 wherein the step of monitoring comprises monitoring the rate of data flow inbound toward the network resource server.
  - 31. A method according to claim 29 wherein the step of selectively discarding data comprises increasing the discard of data flowing toward the network resource server upon a determination that the rate of change of inbound data flow has risen above a predetermined boundary.
  - 32. A method according to claim 29 wherein the step of selectively discarding data comprises decreasing the discard of data flowing toward the network resource server upon a determination that the rate of change of inbound data flow has fallen below a predetermined boundary.
  - 33. A method according to claim 28 wherein the step of monitoring comprises monitoring the rate of data flow outbound from the network resource server.
  - 34. A method according to claim 33 wherein the step of selectively discarding data comprises increasing the discard of data flowing toward the network resource server upon a determination that the rate of change of outbound data flow has fallen below a predetermined boundary.
  - 35. A method according to claim 33 wherein the step of selectively discarding data comprises decreasing the discard of data flowing toward the network resource server upon a determination that the rate of change of outbound data flow has risen above a predetermined boundary.

36. A network processor coupled to at least one network resource server and an external network comprising:
- a plurality of interface processors;
  
  instruction memory for storing instructions accessibly to said interface processors;
  
  data memory for storing data passing through said network processor to and from said network resource server accessibly to said interface processors; and
  
  a plurality of input/output ports;
  
  one of said input/output ports adapted for exchanging data passing through said network processor with an external network under the direction of said interface processors;
  
  at least one other of said input/output ports adapted for exchanging data passing through said network processor with said network resource server;
  
  said network processor and said network resource server cooperating in directing the exchange of data between said input/output ports and the flow of data through said data memory to and from said network resource server in response to execution by said interface processors of instructions loaded into said instruction memory;
  
  said network processor further comprising at least one rate monitor for monitoring the rate of data flow addressed to said network resource server, at least one of said interface processors comprising a component for computing a derivative of data flow rate over time to determine the rate of change of data flow, and at least one modifier for modifying the instructions loaded into said instruction memory in response to the determined rate of change.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Noel, Francis E. Jr., Sannipoli, Charles J., McConnell, Daniel Edward, Lingafelt, C. Steven

Granted Patent

US 7,047,303 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/229
CPC Class Codes

H04L 47/10   Flow control; Congestion co...

H04L 47/11   Identifying congestion

H04L 47/32   by discarding or delaying d...

H04L 63/1458   Denial of Service

H04L 67/1001   for accessing one among a p...

Apparatus and method for using a network processor to guard against a "denial-of-service" attack on a server or server cluster

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Apparatus and method for using a network processor to guard against a "denial-of-service" attack on a server or server cluster

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links