Methods and devices for providing distributed, adaptive IP filtering against distributed denial of service attacks

US 20040054924A1
Filed: 09/03/2002
Published: 03/18/2004
Est. Priority Date: 09/03/2002
Status: Active Grant

First Claim

Patent Images

1. A device for detecting and filtering excessive Internet Protocol (IP) packets comprising:

an examining section adapted to count input strings from IP packets traveling from at least one IP source outside a security perimeter to at least one network device within the security perimeter; and

a system control section adapted to record indicators of the amount of counted input strings, by different classifications, in a uniformly random manner.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides systems and methods for providing distributed, adaptive IP filtering techniques used in detecting and blocking IP packets involved in DDOS attacks through the use of Bloom Filters and leaky-bucket concepts to identify “attack” flows. In an exemplary embodiment of the present invention, a device tracks certain criteria of all IP packets traveling from IP sources outside a security perimeter to network devices within the security perimeter. The present invention examines the criteria and places them in different classifications in a uniformly random manner, estimates the amount of criteria normally received and then determines when a group of stored classifications is too excessive to be considered normal for a given period of time. After the device determines the criteria that excessive IP packets have in common, the device then determines rules to identify the packets that meet such criteria and filters or blocks so identified packets.

149 Citations

30 Claims

1. A device for detecting and filtering excessive Internet Protocol (IP) packets comprising:
- an examining section adapted to count input strings from IP packets traveling from at least one IP source outside a security perimeter to at least one network device within the security perimeter; and
  
  a system control section adapted to record indicators of the amount of counted input strings, by different classifications, in a uniformly random manner.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The device of claim 1, wherein at least one of the said classifications is based on the destination IP address.
  - 3. The device of claim 1, wherein the device comprises two or more devices, said devices situated in concentric rings so as to define security zones;
    - and said devices adapted to exchange information regarding said security zones.
  - 4. The device of claim 1, wherein the device is a network processor.
  - 5. The device of claim 1, further comprising:
    - an estimation section adapted to estimate an amount of indicators expected to be recorded in particular classifications during a set period of time; and
      
      a monitoring section adapted to determine when an amount of stored indicators in a particular classification is greater than an amount of estimated indicators during the set period of time for a particular classification, thereby creating an overflow of stored indicators in said classification.
  - 6. The device of claim 5, further comprising a determination section adapted to determine rules to identify the input strings that generated the stored indicators in said overflow classification;
    - an identifying section adapted to identify overflow input strings and excessive IP packets associated with such overflow input strings using said rules; and
      
      a filtering section adapted to filter said excessive IP packets.
  - 7. The device of claim 6, further comprising an identifying section adapted to identify specific destination IP addresses for which excessive IP packets are destined.
  - 8. The device of claim 6, further comprising a restriction section adapted to restrict resources utilized by excessive IP packets.

9. A method for detecting and filtering excessive Internet Protocol (IP) packets said method comprising the steps of:
- examining input strings from IP packets traveling from at least one IP source outside a security perimeter to at least one network device within the security perimeter; and
  
  recording indicators of the amount of input strings, by different classifications, in a uniformly random manner.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 10. The method of claim 9, wherein at least one of the said classifications is based on the destination IP address.
  - 11. The method of claim 9, wherein the amount of indicators expected to be collected and recorded is based on past traffic history.
  - 12. The method of claim 9, further comprising the step of applying statistical sampling to IP packets before they are examined.
  - 13. The method of claim 9, further comprising the steps of providing two or more devices in concentric rings so as to define security zones;
    - and exchanging information regarding said security zones between said devices.
  - 14. The method of claim 9, further comprising the steps of:
    - estimating the amount of indicators expected to be recorded in particular classifications during a set period of time; and
      
      determining when an amount of recorded indicators in a particular classification is greater than an amount of estimated indicators during the set period of time for a particular classification, thereby creating an overflow of recorded indicators in said classification.
  - 15. The method of claim 14, wherein the set period of time is based on past traffic history.
  - 16. The method of claim 14, wherein the amount of indicators expected to be recorded is modified based on traffic parameters.
  - 17. The method of claim 14, further comprising the step of smoothing out randomness in traffic parameters.
  - 18. The method of claim 14, further comprising the steps of monitoring the total number of overflowing classifications;
    - and altering the classification recordation manner based on the number of overflowing classifications.
  - 19. The method of claim 14, further comprising the steps of estimating a ratio of an expected number of indicators for input strings associated with different source IP addresses compared to an expected number of indicators for input strings associated with different destination IP addresses;
    - determining when the ratio of an actual number of indicators for input strings associated with different source IP addresses compared to the actual number of indicators for input strings associated with different destination IP addresses is sufficiently different than the estimated ratio; and
      
      indicating an overflow classification when said actual ratio sufficiently differs from said estimated ratio.
  - 20. The method of claim 14, further comprising the steps of monitoring the rate at which the IP packets arrive;
    - estimating an expected rate of IP packet arrivals; and
      
      determining when said rate of IP packet arrivals in a particular classification is greater than the estimated rate of IP packet arrivals during a set period of time thereby creating an overflow of stored indicators in said classification.
  - 21. The method of claim 14, further comprising the steps of:
    - determining rules to identify the input strings that generated the recorded indicators in said overflow classification;
      
      identifying overflow input strings and excessive IP packets associated with such overflow input strings using said rules; and
      
      filtering said excessive IP packets.
  - 22. The method of claim 21, further comprising the step of identifying specific destination IP addresses for which excessive IP packets are destined.
  - 23. The method of claim 21, further comprising the step of restricting resources utilized by excessive IP packets.
  - 24. The method of claim 23, further comprising the step of activating alternative scheduling of IP packets at routers.
  - 25. The method of claim 23, further comprising the steps of activating alternative buffer management and routing schemes of the IP packets.
  - 26. The method of claim 21, wherein said rules are determined based on monitoring of User Data Protocol (UDP) traffic, packet size and the number of times a particular destination port number is used.
  - 27. The method of claim 21, wherein said rules are determined based on monitoring percentage shares of Transmission Control Protocol (TCP), User Data Protocol (UDP) and Internet Control Message Protocol (ICMP) packets.
  - 28. The method of claim 21, wherein said rules are determined based on monitoring packet size distributions.
  - 29. The method of claim 21, wherein said rules are determined based on destination port numbers.
  - 30. The method of claim 23, wherein said rules are determined based on the distribution of Time-To-Live values.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent SA (Nokia Corporation)
Original Assignee
Alcatel-Lucent SA (Nokia Corporation)
Inventors
Chuah, Mooi Choo, Yue, On-Ching, Lau, Wing Cheong

Granted Patent

US 8,201,252 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 47/10   Flow control; Congestion co...

H04L 47/11   Identifying congestion

H04L 47/2441   relying on flow classificat...

H04L 47/286   Time to live

H04L 47/32   by discarding or delaying d...

H04L 63/0236   Filtering by address, proto...

H04L 63/1458   Denial of Service

Methods and devices for providing distributed, adaptive IP filtering against distributed denial of service attacks

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

149 Citations

30 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and devices for providing distributed, adaptive IP filtering against distributed denial of service attacks

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

149 Citations

30 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links