Methods and devices for providing distributed, adaptive IP filtering against distributed denial of service attacks
5 Assignments
0 Petitions
Abstract
The present invention provides systems and methods for distributed, adaptive IP filtering that detect and block IP packets involved in DDOS attacks, using Bloom filters and leaky-bucket concepts to identify “attack” flows. In an exemplary embodiment of the present invention, a device tracks certain criteria of all IP packets traveling from IP sources outside a security perimeter to network devices within the security perimeter. The device examines the criteria and places them in different classifications in a uniformly random manner, estimates the amount of criteria normally received, and then determines when the count stored for a group of classifications exceeds what can be considered normal for a given period of time. After the device determines the criteria that the excessive IP packets have in common, it derives rules that identify the packets meeting those criteria and filters or blocks the packets so identified.
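The abstract and the claims below describe the same pipeline: hash each packet's "input string" (here the source address) into uniformly random classifications, let the per-classification counters drain at a fixed rate (the leaky bucket), learn the level that is normal, and when a classification's count exceeds that level, emit a filter rule for the criterion the excessive packets share. The following is an added illustration of that pipeline in Python; it is not the patent's implementation. The class and function names, the salted-SHA-256 hashing used to produce the random classifications, the leak rate, the calibration margin, and the constructed packet stream (documentation-range addresses, twenty steady hosts plus one flooding source) are all assumptions made for the example.

```python
"""Leaky count-min sketch for flagging excessive IP flows (added example)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float   # arrival time in seconds
    src: str    # source IP: the "input string" the sketch classifies
    dst: str    # destination inside the security perimeter


class LeakySketch:
    """Counters indexed by hash, draining at a constant rate.

    A key lands in one bucket per row (the uniformly random classification);
    its load is the minimum over its rows, so a collision can inflate an
    estimate but never hide an excessive flow.
    """

    def __init__(self, width=1024, depth=3, leak_rate=2.0, leak_quantum=0.25):
        self.width, self.depth = width, depth
        self.leak_rate = leak_rate          # counts drained per bucket per second (assumed)
        self.leak_quantum = leak_quantum    # batch the drain so observe() stays cheap
        self.buckets = [[0.0] * width for _ in range(depth)]
        self.last_leak = None
        self.threshold = float("inf")       # learned by calibrate()

    def _slots(self, key):
        # One independent hash per row: salt the key with the row index.
        for row in range(self.depth):
            digest = hashlib.sha256(f"{row}|{key}".encode()).digest()
            yield row, int.from_bytes(digest[:8], "big") % self.width

    def _leak(self, now):
        if self.last_leak is None:
            self.last_leak = now
            return
        elapsed = now - self.last_leak
        if elapsed < self.leak_quantum:
            return
        drain = elapsed * self.leak_rate
        for row in self.buckets:
            for j, value in enumerate(row):
                if value:
                    row[j] = max(0.0, value - drain)
        self.last_leak = now

    def observe(self, key, now):
        """Count one packet for key and return its current load estimate."""
        self._leak(now)
        for row, j in self._slots(key):
            self.buckets[row][j] += 1.0
        return self.estimate(key)

    def estimate(self, key):
        return min(self.buckets[row][j] for row, j in self._slots(key))

    def calibrate(self, benign_packets, margin=10.0):
        """Learn the normal level from a known-benign window: threshold = margin x peak."""
        peak = 0.0
        for pkt in benign_packets:
            peak = max(peak, self.observe(pkt.src, pkt.ts))
        self.threshold = peak * margin
        return self.threshold


def detect(sketch, packets):
    """Feed packets in arrival order; return first-flag times and derived drop rules."""
    flagged = {}
    for pkt in sorted(packets, key=lambda p: p.ts):
        if sketch.observe(pkt.src, pkt.ts) > sketch.threshold and pkt.src not in flagged:
            flagged[pkt.src] = pkt.ts
    # The criterion the excessive packets share is the source address, so
    # the rule matches on it.
    rules = [{"action": "drop", "match": {"src": src}} for src in sorted(flagged)]
    return flagged, rules


# Constructed traffic: 20 hosts sending one packet per second, plus one flood.
def make_benign(t0, seconds):
    return [Packet(t0 + s, f"198.51.100.{h}", "192.0.2.10")
            for s in range(seconds) for h in range(1, 21)]


def make_flood(t0, count, src="203.0.113.7"):
    return [Packet(t0 + i / count, src, "192.0.2.10") for i in range(count)]


def run_demo():
    sketch = LeakySketch()
    threshold = sketch.calibrate(make_benign(0.0, 10))          # quiet first 10 s
    flagged, rules = detect(sketch, make_benign(10.0, 10) + make_flood(13.0, 200))
    return threshold, flagged, rules


if __name__ == "__main__":
    print(run_demo())
```

With a leak of two counts per second, a host sending one packet per second never accumulates more than one count, so the calibrated threshold is ten and the flooding source, which sends 200 packets in one second, is flagged within its first dozen packets while the steady hosts are untouched.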
149 Citations
30 Claims
1. A device for detecting and filtering excessive Internet Protocol (IP) packets comprising:
an examining section adapted to count input strings from IP packets traveling from at least one IP source outside a security perimeter to at least one network device within the security perimeter; and
a system control section adapted to record indicators of the amount of counted input strings, by different classifications, in a uniformly random manner.
(Dependent claims 2 to 8 not shown.)

9. A method for detecting and filtering excessive Internet Protocol (IP) packets, said method comprising the steps of:
examining input strings from IP packets traveling from at least one IP source outside a security perimeter to at least one network device within the security perimeter; and
recording indicators of the amount of input strings, by different classifications, in a uniformly random manner.
(Dependent claims 10 to 30 not shown.)
Specification