Mitigating denial of service attacks

US 20040148520A1
Filed: 01/29/2003
Published: 07/29/2004
Est. Priority Date: 01/29/2003
Status: Abandoned Application

First Claim

Patent Images

1. A system for mitigating service attacks against an edge network that is connected to an Internet service provider (ISP) network, wherein the ISP network comprises a plurality of border routers and a filter router, said system comprising:

an analysis engine in the ISP network, which analysis engine is notified when a service attack against the edge network is detected, and a plurality of traffic filters provisioned on the filter router, wherein the analysis engine, upon being notified of a service attack, configures the filter router to advertise new routing information to one or more of the border routers, the advertised new routing information instructing the border routers to redirect service attack and non-service attack traffic intended for the edge network to the filter router, and wherein the traffic filters remove the redirected service attack traffic from the ISP network and allow the redirected non-service attack traffic to proceed.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Service attacks, such as denial of service and distributed denial of service attacks, of a customer network are detected and subsequently mitigated by the Internet Service Provider (ISP) that services the customer network. A sensor examines the traffic entering the customer network for attack traffic. When an attack is detected, the sensor notifies an analysis engine within the ISP network to mitigate the attack. The analysis engine configures a filter router to advertise new routing information to the border and edge routers of the ISP network. The new routing information instructs the border and edge routers to reroute attack traffic and non-attack traffic destined for the customer network to the filter router. At the filter router, the attack traffic and non-attack traffic are automatically filtered to remove the attack traffic. The non-attack traffic is passed back onto the ISP network for routing towards the customer network.

452 Citations

28 Claims

1. A system for mitigating service attacks against an edge network that is connected to an Internet service provider (ISP) network, wherein the ISP network comprises a plurality of border routers and a filter router, said system comprising:
- an analysis engine in the ISP network, which analysis engine is notified when a service attack against the edge network is detected, and a plurality of traffic filters provisioned on the filter router, wherein the analysis engine, upon being notified of a service attack, configures the filter router to advertise new routing information to one or more of the border routers, the advertised new routing information instructing the border routers to redirect service attack and non-service attack traffic intended for the edge network to the filter router, and wherein the traffic filters remove the redirected service attack traffic from the ISP network and allow the redirected non-service attack traffic to proceed.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The system of claim 1 further comprising a plurality of sensor filters, which filters have access to traffic entering the edge network and analyze the accessed traffic to detect the service attacks against the edge network.
  - 3. The system of claim 2 wherein the service attacks include denial of service and distributed denial of service attacks (collectively DDoS) and wherein the sensor and traffic filters comprise DDoS signature-based filters that perform signature-based detection and removal, respectively, of DDoS flood traffic.
  - 4. The system of claim 3 wherein the sensor filters further comprise DDoS signature-based filters that perform signature-based detection of DDoS control traffic to determine whether the edge network is originating a DDoS attack.
  - 5. The system of claim 2 wherein the sensor and traffic filters comprise packet header-based filters that perform detection and removal, respectively, of service attack traffic based on whether headers of packets comprising the traffic have field values beyond defined ranges.
  - 6. The system of claim 2 wherein the sensor filters comprise volume-based filters that perform volume-based detection of service attack flood traffic.
  - 7. The system of claim 1 wherein the traffic filters comprise filters that remove a given packet if the packet enters the ISP network through a given border router and has an originating IP address that does not match a block of IP addresses that are expected to enter the network through the given border router.
  - 8. The system of claim 2 wherein the analysis engine prior to a service attack is capable of pre-provisioning the sensor filters and the traffic filters.
  - 9. The system of claim 8 wherein the analysis engine is capable of disabling one or more provisioned traffic filters and sensor filters in order to modulate the detection severity of the system.
  - 10. The system of claim 1 further comprising packet-drop-counters at the filter router that count packets removed from the redirected service attack and non-service attack traffic, wherein the analysis engine is capable of polling the packet-drop-counters and using the counts to determine through which border router or border routers the attack is originating.
  - 11. The system of claim 1 further comprising a plurality of IP-in-IP tunnels, wherein each tunnel is provisioned between the filter router and a border router and wherein the redirected service attack and non-service attack traffic is routed from the border routers to the filter router through the IP-in-IP tunnels.
  - 12. The system of claim 11 wherein the plurality of traffic filters are provisioned at an ingress point of each IP-in-IP tunnel at the filter router.
  - 13. The system of claim 1 wherein the ISP network further comprises a plurality of edge routers, wherein the analysis engine, upon being notified of the service attack, configures the filter router to advertise the new routing information to one or more of the edge routers to redirect to the filter router service attack and non-service attack traffic intended for the edge network.

14. A system for mitigating denial of service attacks and distributed denial of service attacks (collectively DDoS) against an edge network connected to an Internet service provider (ISP) network, said system comprising:
- an analysis engine within the ISP network, a plurality of border routers within the ISP network, and a filter router within the ISP network, wherein the analysis engine is notified when a DDoS attack is detected in the edge network and configures the filter router in response to the attack notification to advertise new routing information to one or more of the border routers instructing the border routers to redirect DDoS and non-DDoS traffic intended for the edge network to the filter router, and wherein the filter router removes the DDoS traffic and routes the non-DDoS traffic back onto the ISP network for routing to the edge network.
- View Dependent Claims (15, 16, 17, 19, 20)
- - 15. The system of claim 14 further comprising a plurality of sensor filters for determining whether network traffic entering the edge network includes a DDoS attack.
  - 16. The system of claim 14 further comprising a plurality of traffic filters within the filter router wherein the redirected DDoS and non-DDoS traffic is automatically passed through the traffic filters for removing the DDoS traffic and wherein the traffic filters comprise filters that remove a given packet if the packet enters the ISP network through a given border router and has an originating IP address that does not match a block of IP addresses that are expected to enter the ISP network through the given border router.
  - 17. The system of claim 15 wherein the sensor filters can be automatically updated in order to detect and mitigate new types of DDoS attacks.
  - 19. The system of claim 14 further comprising a plurality of IP-in-IP tunnels, wherein each tunnel is between the filter router and a border router and wherein the redirected DDoS and non-DDoS traffic is routed from the border routers to the filter router through the IP-in-IP tunnels.
  - 20. The system of claim 14 further comprising a plurality of packet-drop-counters incremented by the filter router as DDoS packets are dropped, wherein the packet-drop-counters are used to indicate through which border router or border routers the attack is originating.

18. The system of 16 wherein one or more of the traffic filters can be disabled in order to modulate the detection severity of the system.

21. A method for mitigating service attacks against an edge network connected to an Internet service provider (ISP) network, wherein the ISP network comprises a plurality of border routers and a filter router, said method comprising the steps of:
- detecting a service attack directed at the edge network, sending an attack notification to the ISP network, in response to the attack notification, advertising new routing information to the border routers wherein the routing information is to redirect service attack and non-service attack traffic destined for the edge network to the filter router, filtering by the filter router the redirected service attack and non-service attack traffic to remove the service attack traffic, and forwarding the non-service attack traffic to the edge network.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28)
- - 22. The method of claim 21 wherein the service attack and non-service attack traffic is redirected from the border routers to the filter router through IP-in-IP tunnels.
  - 23. The method of claim 21 wherein the filtering step is performed by a plurality of traffic filters.
  - 24. The method of claim 23 wherein the traffic filters comprise filters that remove a given packet if the packet enters the ISP network through a given border router and has an originating IP address that does not match a block of IP addresses that are expected to enter the network through the given border router.
  - 25. The method of claim 23 further comprising the step of disabling one or more of the traffic filters in order to modulate the detection severity.
  - 26. The method of claim 21 further comprising the steps of:
    - detecting service attack control traffic directed at the edge network, and sending a service attack control traffic notification to the ISP network.
  - 27. The method of claim 21 further comprising the steps of:
    - periodically polling a plurality of packet-drop-counters incremented by the filter router as service attack traffic is removed, and using the packet-drop-counters to determine through which border router or border routers the attack is originating.
  - 28. The method of claim 21 wherein the service attacks comprise denial of service and distributed denial of service attacks.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Telcordia Technologies Incorporated (Telefonaktiebolaget LM Ericsson)
Original Assignee
Telcordia Technologies Incorporated (Telefonaktiebolaget LM Ericsson)
Inventors
Wong, Larry, Mouchtaris, Petros, Madhani, Sunil, Talpade, Rajesh

Application Number

US10/353,527
Publication Number

US 20040148520A1
Time in Patent Office

Days
Field of Search
US Class Current

713/201
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/1458 Denial of Service

Mitigating denial of service attacks

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

452 Citations

28 Claims

Specification

Use Cases

Quick Links

Others

Mitigating denial of service attacks

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

452 Citations

28 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others