Mitigating denial of service attacks
3 Assignments
0 Petitions
Abstract
Service attacks, such as denial of service and distributed denial of service attacks, of a customer network are detected and subsequently mitigated by the Internet Service Provider (ISP) that services the customer network. A sensor examines the traffic entering the customer network for attack traffic. When an attack is detected, the sensor notifies an analysis engine within the ISP network to mitigate the attack. The analysis engine configures a filter router to advertise new routing information to the border and edge routers of the ISP network. The new routing information instructs the border and edge routers to reroute attack traffic and non-attack traffic destined for the customer network to the filter router. At the filter router, the attack traffic and non-attack traffic are automatically filtered to remove the attack traffic. The non-attack traffic is passed back onto the ISP network for routing towards the customer network.
452 Citations
28 Claims
1. A system for mitigating service attacks against an edge network that is connected to an Internet service provider (ISP) network, wherein the ISP network comprises a plurality of border routers and a filter router, said system comprising:

an analysis engine in the ISP network, which analysis engine is notified when a service attack against the edge network is detected, and a plurality of traffic filters provisioned on the filter router, wherein the analysis engine, upon being notified of a service attack, configures the filter router to advertise new routing information to one or more of the border routers, the advertised new routing information instructing the border routers to redirect service attack and non-service attack traffic intended for the edge network to the filter router, and wherein the traffic filters remove the redirected service attack traffic from the ISP network and allow the redirected non-service attack traffic to proceed. (Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)

14. A system for mitigating denial of service attacks and distributed denial of service attacks (collectively DDoS) against an edge network connected to an Internet service provider (ISP) network, said system comprising:

an analysis engine within the ISP network, a plurality of border routers within the ISP network, and a filter router within the ISP network, wherein the analysis engine is notified when a DDoS attack is detected in the edge network and configures the filter router in response to the attack notification to advertise new routing information to one or more of the border routers instructing the border routers to redirect DDoS and non-DDoS traffic intended for the edge network to the filter router, and wherein the filter router removes the DDoS traffic and routes the non-DDoS traffic back onto the ISP network for routing to the edge network. (Dependent claims: 15, 16, 17, 19, 20)

18. The system of claim 16 wherein one or more of the traffic filters can be disabled in order to modulate the detection severity of the system.

21. A method for mitigating service attacks against an edge network connected to an Internet service provider (ISP) network, wherein the ISP network comprises a plurality of border routers and a filter router, said method comprising the steps of:

detecting a service attack directed at the edge network, sending an attack notification to the ISP network, in response to the attack notification, advertising new routing information to the border routers wherein the routing information is to redirect service attack and non-service attack traffic destined for the edge network to the filter router, filtering by the filter router the redirected service attack and non-service attack traffic to remove the service attack traffic, and forwarding the non-service attack traffic to the edge network. (Dependent claims: 22, 23, 24, 25, 26, 27, 28)
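The mechanism described in the abstract and in method claim 21 (sensor detects the attack, analysis engine configures the filter router, filter router advertises new routing information, border routers redirect, filters scrub, clean traffic is forwarded to the edge network) can be exercised end to end with the following simulation. It is an added example and not code from the patent or its assignee; every router name, address, protocol label and threshold is constructed, and two details are assumptions about implementation rather than statements from the page: the "new routing information" is modelled as a pair of more-specific prefixes that longest-prefix matching prefers over the normal route, and the sensor's detection rule is a simple per-source packet count. The disable switch on each filter mirrors the "modulate the detection severity" language of claim 18.

```python
"""Added simulation of ISP-side attack mitigation by route redirection and filtering.

Constructed example, not the patent's own code. Addresses come from the
RFC 5737 documentation ranges; thresholds and router names are made up.
"""
from collections import Counter
from dataclasses import dataclass
import ipaddress

# Constructed edge-network prefix served by the ISP.
EDGE_PREFIX = ipaddress.ip_network("203.0.113.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str  # constructed label such as "tcp-syn" or "udp"


class Router:
    """Border router with a longest-prefix-match table (prefix -> next hop name)."""

    def __init__(self, name, routes):
        self.name = name
        self.routes = {ipaddress.ip_network(p): nh for p, nh in routes.items()}

    def advertise(self, prefix, next_hop):
        # New routing information received from the filter router (a simulated route update).
        self.routes[ipaddress.ip_network(prefix)] = next_hop

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def next_hop(self, dst):
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes.items():
            if addr in net and (best is None or net.prefixlen > best[0]):
                best = (net.prefixlen, nh)
        return best[1] if best else None


class Sensor:
    """Examines traffic entering the edge network; flags sources exceeding a packet count.
    The counting rule is an assumption chosen for the example."""

    def __init__(self, threshold):
        self.threshold = threshold

    def detect(self, packets):
        counts = Counter(p.src for p in packets
                         if ipaddress.ip_address(p.dst) in EDGE_PREFIX)
        return {src for src, n in counts.items() if n > self.threshold}


class FilterRouter:
    """Holds the provisioned traffic filters; each filter can be disabled (claim 18)."""

    def __init__(self, name):
        self.name = name
        self.filters = {}  # filter name -> [predicate, enabled]

    def provision(self, name, predicate):
        self.filters[name] = [predicate, True]

    def set_enabled(self, name, enabled):
        self.filters[name][1] = enabled

    def scrub(self, packet):
        """Return the name of the filter that drops the packet, or None to forward it."""
        for name, (pred, enabled) in self.filters.items():
            if enabled and pred(packet):
                return name
        return None


class AnalysisEngine:
    """Notified of an attack; provisions filters and has the filter router advertise routes."""

    def __init__(self, border_routers, filter_router):
        self.border_routers = border_routers
        self.filter_router = filter_router
        # Assumption: the new routing information is two more-specific /25 prefixes,
        # which longest-prefix match prefers over the normal /24 route to the edge.
        self.redirect_prefixes = [str(n) for n in EDGE_PREFIX.subnets(prefixlen_diff=1)]

    def on_attack(self, attackers):
        self.filter_router.provision("flood-sources", lambda p: p.src in attackers)
        for br in self.border_routers:
            for prefix in self.redirect_prefixes:
                br.advertise(prefix, self.filter_router.name)

    def on_clear(self):
        for br in self.border_routers:
            for prefix in self.redirect_prefixes:
                br.withdraw(prefix)


def run_mitigation(packets, threshold=20):
    """Forward one batch of packets through the ISP, applying mitigation if an attack is seen."""
    normal = {"0.0.0.0/0": "core", str(EDGE_PREFIX): "edge-router"}
    border = [Router("border-1", dict(normal)), Router("border-2", dict(normal))]
    filter_router = FilterRouter("filter-router")
    engine = AnalysisEngine(border, filter_router)

    attackers = Sensor(threshold).detect(packets)
    if attackers:
        engine.on_attack(attackers)  # the sensor's notification reaches the analysis engine
    hop_during = border[0].next_hop("203.0.113.10")

    delivered, dropped = Counter(), Counter()
    for i, p in enumerate(packets):
        hop = border[i % len(border)].next_hop(p.dst)  # packets enter at alternating border routers
        if hop == filter_router.name:
            hit = filter_router.scrub(p)
            if hit:
                dropped[hit] += 1
                continue
            hop = "edge-router"  # clean traffic goes back onto the ISP network towards the edge
        delivered[hop] += 1
    engine.on_clear()
    return {"attackers": attackers, "delivered": delivered, "dropped": dropped,
            "edge_next_hop_during_attack": hop_during,
            "edge_next_hop_after_clear": border[0].next_hop("203.0.113.10")}


def sample_traffic():
    """Constructed batch: three legitimate clients, one flooding source, one unrelated packet."""
    pkts = [Packet(src, "203.0.113.10", "tcp-syn")
            for src in ("192.0.2.11", "192.0.2.12", "192.0.2.13") for _ in range(2)]
    pkts += [Packet("198.51.100.77", "203.0.113.10", "udp") for _ in range(50)]
    pkts.append(Packet("192.0.2.14", "192.0.2.200", "udp"))  # not destined for the edge network
    return pkts


if __name__ == "__main__":
    print(run_mitigation(sample_traffic()))
```

Running the block drops the 50 packets from the flooding source, delivers the six legitimate packets to the edge router and leaves the unrelated packet on its normal path; while the attack is active the border routers resolve the edge address to the filter router, and after `on_clear` withdraws the more-specific prefixes they resolve it to the edge router again.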
Specification